Translated ['src/pentesting-cloud/azure-security/az-privilege-escalation

2026-02-05 11:26:11 -08:00 · 2025-01-09 01:06:01 +00:00
parent 0e78d8b132
commit 4d1f1bc5a3
2 changed files with 64 additions and 47 deletions
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md
@@ -1,10 +1,10 @@
-# Az - Azure IAM Privesc (授权)
+# Az - Azure IAM Privesc (Authorization)

 {{#include ../../../banners/hacktricks-training.md}}

 ## Azure IAM

-更多信息请查看：
+Fore more information check:

 {{#ref}}
 ../az-services/az-azuread.md
@@ -12,38 +12,45 @@

 ### Microsoft.Authorization/roleAssignments/write

-此权限允许在特定范围内将角色分配给主体，使攻击者能够通过为自己分配更高权限的角色来提升权限：
+This permission allows to assign roles to principals over a specific scope, allowing an attacker to escalate privileges by assigning himself a more privileged role:
+
 ```bash
 # Example
 az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234"
 ```
+
 ### Microsoft.Authorization/roleDefinitions/Write

-此权限允许修改角色授予的权限，使攻击者能够通过向其分配的角色授予更多权限来提升特权。
+This permission allows to modify the permissions granted by a role, allowing an attacker to escalate privileges by granting more permissions to a role he has assigned.
+
+Create the file `role.json` with the following **content**:

-创建文件 `role.json`，内容如下：
 ```json
 {
-"Name": "<name of the role>",
-"IsCustom": true,
-"Description": "Custom role with elevated privileges",
-"Actions": ["*"],
-"NotActions": [],
-"DataActions": ["*"],
-"NotDataActions": [],
-"AssignableScopes": ["/subscriptions/<subscription-id>"]
+  "Name": "<name of the role>",
+  "IsCustom": true,
+  "Description": "Custom role with elevated privileges",
+  "Actions": ["*"],
+  "NotActions": [],
+  "DataActions": ["*"],
+  "NotDataActions": [],
+  "AssignableScopes": ["/subscriptions/<subscription-id>"]
 }
 ```
-然后使用之前的定义更新角色权限，调用：
+
+Then update the role permissions with the previous definition calling:
+
 ```bash
 az role definition update --role-definition role.json
 ```
+
 ### Microsoft.Authorization/elevateAccess/action

-此权限允许提升特权并能够将权限分配给任何主体以访问 Azure 资源。它旨在授予 Entra ID 全局管理员，以便他们也可以管理 Azure 资源的权限。
+This permissions allows to elevate privileges and be able to assign permissions to any principal to Azure resources. It's meant to be given to Entra ID Global Administrators so they can also manage permissions over Azure resources.

 > [!TIP]
-> 我认为用户需要是 Entra ID 的全局管理员，以便提升调用能够正常工作。
+> I think the user need to be Global Administrator in Entrad ID for the elevate call to work.
+
 ```bash
 # Call elevate
 az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
@@ -51,22 +58,27 @@ az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Au
 # Grant a user the Owner role
 az role assignment create --assignee "<obeject-id>" --role "Owner" --scope "/"
 ```
+
 ### Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write

-此权限允许将联邦凭据添加到托管身份。例如，允许在存储库中将访问权限授予托管身份的Github Actions。然后，它允许**访问任何用户定义的托管身份**。
+This permission allows to add Federated credentials to managed identities. E.g. give access to Github Actions in a repo to a managed identity. Then, it allows to **access any user defined managed identity**.
+
+Example command to give access to a repo in Github to the a managed identity:

-示例命令将访问权限授予托管身份在Github中的存储库：
 ```bash
 # Generic example:
 az rest --method PUT \
--uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'
+  --uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
+  --headers "Content-Type=application/json" \
+  --body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'

 # Example with specific data:
 az rest --method PUT \
--uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
+  --uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
+  --headers "Content-Type=application/json" \
+  --body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
 ```
+
 {{#include ../../../banners/hacktricks-training.md}}
+
+
--- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md
+++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md
@@ -1,37 +1,38 @@
-# GCP - 源代码库枚举
+# GCP - Source Repositories Enum

 {{#include ../../../banners/hacktricks-training.md}}

-## 基本信息 <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
+## Basic Information <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>

-Google Cloud Source Repositories 是一个功能齐全、可扩展的 **私有 Git 存储库服务**。它旨在 **在完全托管的环境中托管您的源代码**，与其他 GCP 工具和服务无缝集成。它为团队提供了一个协作和安全的地方来存储、管理和跟踪他们的代码。
+Google Cloud Source Repositories is a fully-featured, scalable, **private Git repository service**. It's designed to **host your source code in a fully managed environment**, integrating seamlessly with other GCP tools and services. It offers a collaborative and secure place for teams to store, manage, and track their code.

-Cloud Source Repositories 的主要功能包括：
+Key features of Cloud Source Repositories include:

-1. **完全托管的 Git 托管**：提供熟悉的 Git 功能，意味着您可以使用常规的 Git 命令和工作流程。
-2. **与 GCP 服务的集成**：与 Cloud Build、Pub/Sub 和 App Engine 等其他 GCP 服务集成，实现从代码到部署的端到端可追溯性。
-3. **私有存储库**：确保您的代码安全和私密地存储。您可以使用 Cloud Identity 和访问管理 (IAM) 角色控制访问。
-4. **源代码分析**：与其他 GCP 工具协作，提供对您的源代码的自动分析，识别潜在问题，如错误、漏洞或不良编码实践。
-5. **协作工具**：支持使用合并请求、评论和审查等工具进行协作编码。
-6. **镜像支持**：允许您将 Cloud Source Repositories 连接到托管在 GitHub 或 Bitbucket 上的存储库，实现自动同步并提供所有存储库的统一视图。
+1. **Fully Managed Git Hosting**: Offers the familiar functionality of Git, meaning you can use regular Git commands and workflows.
+2. **Integration with GCP Services**: Integrates with other GCP services like Cloud Build, Pub/Sub, and App Engine for end-to-end traceability from code to deployment.
+3. **Private Repositories**: Ensures your code is stored securely and privately. You can control access using Cloud Identity and Access Management (IAM) roles.
+4. **Source Code Analysis**: Works with other GCP tools to provide automated analysis of your source code, identifying potential issues like bugs, vulnerabilities, or bad coding practices.
+5. **Collaboration Tools**: Supports collaborative coding with tools like merge requests, comments, and reviews.
+6. **Mirror Support**: Allows you to connect Cloud Source Repositories with repositories hosted on GitHub or Bitbucket, enabling automatic synchronization and providing a unified view of all your repositories.

-### OffSec 信息 <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
+### OffSec information <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>

- 项目内的源代码库配置将有一个 **服务账户** 用于发布 Cloud Pub/Sub 消息。默认使用的是 **计算服务账户**。但是，**我认为无法从源代码库中窃取其令牌**，因为它在后台执行。
- 要查看 GCP Cloud Source Repositories 网络控制台中的代码 ([https://source.cloud.google.com/](https://source.cloud.google.com/))，您需要代码 **默认在主分支内**。
- 您还可以 **创建一个指向 GitHub 或 Bitbucket 的镜像 Cloud Repository**（给予对这些平台的访问）。
- 可以 **在 GCP 内部编码和调试**。
- 默认情况下，源代码库 **防止私钥被推送到提交中**，但这可以被禁用。
+- The source repositories configuration inside a project will have a **Service Account** used to publishing Cloud Pub/Sub messages. The default one used is the **Compute SA**. However, **I don't think it's possible steal its token** from Source Repositories as it's being executed in the background.
+- To see the code inside the GCP Cloud Source Repositories web console ([https://source.cloud.google.com/](https://source.cloud.google.com/)), you need the code to be **inside master branch by default**.
+- You can also **create a mirror Cloud Repository** pointing to a repo from **Github** or **Bitbucket** (giving access to those platforms).
+- It's possible to **code & debug from inside GCP**.
+- By default, Source Repositories **prevents private keys to be pushed in commits**, but this can be disabled.

-### 在 Cloud Shell 中打开
+### Open In Cloud Shell

-可以在 Cloud Shell 中打开存储库，类似这样的提示将出现：
+It's possible to open the repository in Cloud Shell, a prompt like this one will appear:

 <figure><img src="../../../images/image (325).png" alt=""><figcaption></figcaption></figure>

-这将允许您在 Cloud Shell 中编码和调试（这可能会导致 cloudshell 被攻破）。
+This will allow you to code and debug in Cloud Shell (which could get cloudshell compromised).
+
+### Enumeration

-### 枚举
 ```bash
 # Repos enumeration
 gcloud source repos list #Get names and URLs
@@ -42,7 +43,7 @@ gcloud source repos get-iam-policy <repo_name>
 gcloud source repos clone <REPO NAME>
 gcloud source repos get-iam-policy <REPO NAME>
 ... git add & git commit -m ...
-git push --set-upstream origin master
+git push --set-upstream origin $BRANCH
 git push -u origin master

 # Access via git
@@ -50,16 +51,20 @@ git push -u origin master
 git clone ssh://username@domain.com@source.developers.google.com:2022/p/<proj-name>/r/<repo-name>
 git add, commit, push...
 ```
-### 权限提升与后期利用
+
+### Privilege Escalation & Post Exploitation

 {{#ref}}
 ../gcp-privilege-escalation/gcp-sourcerepos-privesc.md
 {{#endref}}

-### 未认证枚举
+### Unauthenticated Enum

 {{#ref}}
 ../gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md
 {{#endref}}

 {{#include ../../../banners/hacktricks-training.md}}
+
+
+