gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-27 21:23:07 -08:00
Code Issues Packages Projects Releases Wiki Activity

impr

Browse Source
This commit is contained in:
Carlos Polop
2025-01-26 11:42:59 +01:00
parent 416e7cf699
commit 569f2be7c9
3 changed files with 27 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
src/pentesting-cloud/azure-security/README.md
View File

@@ -38,6 +38,7 @@ With this information the most common ways to try to get a foothold are:
- Vulnerabilities in Azure-Hosted Applications
- [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint
- **Subdomain takeovers** like in [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/)
- **Other azure services misconfigurations**
- If some developer laptop is compromised ([WinPEAS and LinPEAS](https://github.com/peass-ng/PEASS-ng) can find this info):
- Inside **`<HOME>/.Azure`**
- **`azureProfile.json`** contains info about logged in users from the past
@@ -54,6 +55,11 @@ With this information the most common ways to try to get a foothold are:
- In Windows this just generates id tokens.
- Possible to see if Az PowerShell was used in Linux and macSO checking is `$HOME/.local/share/.IdentityService/` exists (although the contained files are empty and useless)
Find **other Azure Services misconfigurations** that cal lead to a foothold in the following page:
{{#ref}}
az-unauthenticated-enum-and-initial-entry/
{{#endref}}
> [!NOTE]
> Remember that usually the **noisiest** part of the enumeration is the **login**, not the enumeration itself.
@@ -159,13 +165,32 @@ az-enumeration-tools.md#automated-post-exploitation-tools
Once you know who you are, you can start enumerating the **Azure services you have access to**.
You should start finding out the **permissions you have** over the resources. For this:
1. **Find the resource you have some acecss to**:
The Az PoswerShell command **`Get-AzResource`** lets you **know the resources your current user has visibility over**.
Moreover, you can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources" or executing: `az rest --method GET --url "https://management.azure.com/subscriptions/<subscription-id>/resources?api-version=2021-04-01"`
Furthermore, with enough permissions, the role **`Get-AzRoleAssignment`** can be used to **enumerate all the roles** in the subscription or the permission over a specific resource indicatig it like in: **`Get-AzRoleAssignment -Scope /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.RecoveryServices/vaults/vault-m3ww8ut4`**
2. **Find the permissions you have over the resources you have access to and find the roles assigned to you**:
In the following section you can find information about the most common Azure services and how to enumerate them:
Note that you need the permission **`Microsoft.Authorization/roleAssignments/read`** to execute this action.
Furthermore, with enough permissions, the role **`Get-AzRoleAssignment`** can be used to **enumerate all the roles** in the subscription or the permission over a specific resource indicatig it like in: **`Get-AzRoleAssignment -Scope /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.RecoveryServices/vaults/vault-m3ww8ut4`**.
It's also possible to get this information running **`az rest --method GET --uri "https://management.azure.com/<Scope>/providers/Microsoft.Authorization/roleAssignments?api-version=2020-08-01-preview" | jq ".value"`** like in:
- **`az rest --method GET --uri "https://management.azure.com//subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/vault-m3ww8ut4/providers/Microsoft.Authorization/roleAssignments?api-version=2020-08-01-preview" | jq ".value"`**
3. **Find the granular permissions of the roles attached to you **:
Then, to get the granular permission you could run **`(Get-AzRoleDefinition -Id "<RoleDefinitionId>").Actions`**.
Or call the API directly with **`az rest --method GET --uri "https://management.azure.com//subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<RoleDefinitionId>?api-version=2020-08-01-preview" | jq ".properties"`**.
In the following section you can find **information about the most common Azure services and how to enumerate them**:
{{#ref}}
az-services/

5
src/pentesting-cloud/azure-security/az-privilege-escalation/README.md
View File

@@ -1,5 +0,0 @@
# Az - Privilege Escalation

1
src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md
View File

@@ -46,4 +46,3 @@ Use [**Storage Explorer**](https://azure.microsoft.com/en-us/features/storage-ex
{{#include ../../../banners/hacktricks-training.md}}