Jimmy
2025-02-10 12:22:24 +01:00
parent 3f01e5e4fa
commit 3757efbd43
34 changed files with 238 additions and 387 deletions

@@ -5,15 +5,14 @@
## PostgreSQL Privesc
For more information about SQL Database check:
{% content-ref url="../az-services/az-postgresql.md" %}
{{#ref}}
[az-postgresql.md](../az-services/az-postgresql.md)
{% endcontent-ref %}
{{#endref}}
### "Microsoft.DBforPostgreSQL/flexibleServers/read" && "Microsoft.DBforPostgreSQL/flexibleServers/write"
### `Microsoft.DBforPostgreSQL/flexibleServers/read` && `Microsoft.DBforPostgreSQL/flexibleServers/write`
With this permission, you can create, update, or delete PostgreSQL Flexible Server instances on Azure. This includes provisioning new servers, modifying existing server configurations, or decommissioning servers.
{% code overflow="wrap" %}
```bash
az postgres flexible-server create \
--name <ServerName> \
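Review bot: The intro line "For more information about SQL Database check:" sits under the "PostgreSQL Privesc" heading and points at az-postgresql.md, so it should name PostgreSQL rather than SQL Database; the ref block right below it is being rewritten here, so fix it in the same change. Further down in this hunk the heading lists two permissions joined with "&&" while the paragraph opens "With this permission"; "With these permissions" would match the heading.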
@@ -26,34 +25,28 @@ az postgres flexible-server create \
--tier <PricingTier> \
--version <PostgreSQLVersion>
```
{% endcode %}
For example, this permissions allow changing the PostgreSQL password, usefull of course in case that PostgreSQL authentication is enabled.
{% code overflow="wrap" %}
```bash
az postgres flexible-server update \
--resource-group <resource_group_name> \
--name <server_name> \
--admin-password <password_to_update>
```
{% endcode %}
Additionally it is necesary to have the public access enabled if you want to access from a non private endpoint, to enable it:
{% code overflow="wrap" %}
```bash
az postgres flexible-server update --resource-group <resource_group_name> --server-name <server_name> --public-access Enabled
```
{% endcode %}
### "Microsoft.DBforPostgreSQL/flexibleServers/read", "Microsoft.DBforPostgreSQL/flexibleServers/write", "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", "Microsoft.DBforPostgreSQL/flexibleServers/administrators/write" && "Microsoft.DBforPostgreSQL/flexibleServers/administrators/read"
### `Microsoft.DBforPostgreSQL/flexibleServers/read`, `Microsoft.DBforPostgreSQL/flexibleServers/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.DBforPostgreSQL/flexibleServers/administrators/write` && `Microsoft.DBforPostgreSQL/flexibleServers/administrators/read`
With this permission, you can configure Azure Active Directory (AD) administrators for a PostgreSQL Flexible Server. This can be exploited by setting oneself or another account as the AD administrator, granting full administrative control over the PostgreSQL server. Updating existing principal is not supported yet so if there is one created you must delete it first.
It's important that the flexible-server has a user assigned managed identities to use.
{% code overflow="wrap" %}
```bash
az postgres flexible-server ad-admin create \
--resource-group <ResourceGroupName> \
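Review bot: The two "az postgres flexible-server update" examples in this hunk name the server with different flags, "--name <server_name>" in the password example and "--server-name <server_name>" in the public-access one-liner; confirm which one the subcommand accepts and use the same form in both. The prose lines between the code blocks are left as they were by this cleanup and still read "this permissions allow", "usefull" and "necesary", which is worth fixing while the surrounding markup is being touched. In the administrators section the heading lists five permissions but the paragraph says "With this permission", and "a user assigned managed identities" should be singular.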
@@ -62,7 +55,6 @@ az postgres flexible-server ad-admin create \
--identity <IdentityNameOrID> \
--object-id <ObjectID>
```
{% endcode %}
{{#include ../../../banners/hacktricks-training.md}}