gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-31 23:15:48 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/azure-security/az-privilege-escalation

Browse Source
This commit is contained in:
Translator
2025-01-09 01:06:20 +00:00
parent 8a710da10f
commit 5d106c406b
2 changed files with 63 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md
View File

@@ -4,7 +4,7 @@
## Azure IAM
Per ulteriori informazioni controlla:
Fore more information check:
{{#ref}}
../az-services/az-azuread.md
@@ -12,38 +12,45 @@ Per ulteriori informazioni controlla:
### Microsoft.Authorization/roleAssignments/write
Questo permesso consente di assegnare ruoli ai principi su un ambito specifico, consentendo a un attaccante di elevare i privilegi assegnando a se stesso un ruolo più privilegiato:
This permission allows to assign roles to principals over a specific scope, allowing an attacker to escalate privileges by assigning himself a more privileged role:
```bash
# Example
az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234"
```
### Microsoft.Authorization/roleDefinitions/Write
Questo permesso consente di modificare i permessi concessi da un ruolo, permettendo a un attaccante di elevare i privilegi concedendo più permessi a un ruolo che ha assegnato.
This permission allows to modify the permissions granted by a role, allowing an attacker to escalate privileges by granting more permissions to a role he has assigned.
Create the file `role.json` with the following **content**:
Crea il file `role.json` con il seguente **contenuto**:
```json
{
"Name": "<name of the role>",
"IsCustom": true,
"Description": "Custom role with elevated privileges",
"Actions": ["*"],
"NotActions": [],
"DataActions": ["*"],
"NotDataActions": [],
"AssignableScopes": ["/subscriptions/<subscription-id>"]
"Name": "<name of the role>",
"IsCustom": true,
"Description": "Custom role with elevated privileges",
"Actions": ["*"],
"NotActions": [],
"DataActions": ["*"],
"NotDataActions": [],
"AssignableScopes": ["/subscriptions/<subscription-id>"]
}
```
Quindi aggiorna i permessi del ruolo con la definizione precedente chiamando:
Then update the role permissions with the previous definition calling:
```bash
az role definition update --role-definition role.json
```
### Microsoft.Authorization/elevateAccess/action
Questa autorizzazione consente di elevare i privilegi e di poter assegnare permessi a qualsiasi principale per le risorse Azure. È destinata a essere concessa agli Amministratori Globali di Entra ID in modo che possano gestire anche i permessi sulle risorse Azure.
This permissions allows to elevate privileges and be able to assign permissions to any principal to Azure resources. It's meant to be given to Entra ID Global Administrators so they can also manage permissions over Azure resources.
> [!TIP]
> Penso che l'utente debba essere Amministratore Globale in Entra ID affinché la chiamata di elevazione funzioni.
> I think the user need to be Global Administrator in Entrad ID for the elevate call to work.
```bash
# Call elevate
az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
@@ -51,22 +58,27 @@ az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Au
# Grant a user the Owner role
az role assignment create --assignee "<obeject-id>" --role "Owner" --scope "/"
```
### Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write
Questo permesso consente di aggiungere credenziali federate alle identità gestite. Ad esempio, consente di dare accesso a Github Actions in un repo a un'identità gestita. Quindi, consente di **accedere a qualsiasi identità gestita definita dall'utente**.
This permission allows to add Federated credentials to managed identities. E.g. give access to Github Actions in a repo to a managed identity. Then, it allows to **access any user defined managed identity**.
Example command to give access to a repo in Github to the a managed identity:
Esempio di comando per dare accesso a un repo in Github a un'identità gestita:
```bash
# Generic example:
az rest --method PUT \
--uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'
--uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'
# Example with specific data:
az rest --method PUT \
--uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
--uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
```
{{#include ../../../banners/hacktricks-training.md}}

51
src/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md
View File

@@ -1,37 +1,38 @@
# GCP - Enumerazione dei Repository Sorgente
# GCP - Source Repositories Enum
{{#include ../../../banners/hacktricks-training.md}}
## Informazioni di Base <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
## Basic Information <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
Google Cloud Source Repositories è un **servizio di repository Git privato** completamente funzionale e scalabile. È progettato per **ospitare il tuo codice sorgente in un ambiente completamente gestito**, integrandosi perfettamente con altri strumenti e servizi GCP. Offre un luogo collaborativo e sicuro per i team per memorizzare, gestire e monitorare il proprio codice.
Google Cloud Source Repositories is a fully-featured, scalable, **private Git repository service**. It's designed to **host your source code in a fully managed environment**, integrating seamlessly with other GCP tools and services. It offers a collaborative and secure place for teams to store, manage, and track their code.
Le caratteristiche principali di Cloud Source Repositories includono:
Key features of Cloud Source Repositories include:
1. **Hosting Git Completamente Gestito**: Offre la funzionalità familiare di Git, il che significa che puoi utilizzare comandi e flussi di lavoro Git regolari.
2. **Integrazione con i Servizi GCP**: Si integra con altri servizi GCP come Cloud Build, Pub/Sub e App Engine per la tracciabilità end-to-end dal codice al deployment.
3. **Repository Privati**: Garantisce che il tuo codice sia memorizzato in modo sicuro e privato. Puoi controllare l'accesso utilizzando i ruoli di Cloud Identity and Access Management (IAM).
4. **Analisi del Codice Sorgente**: Lavora con altri strumenti GCP per fornire un'analisi automatizzata del tuo codice sorgente, identificando potenziali problemi come bug, vulnerabilità o cattive pratiche di codifica.
5. **Strumenti di Collaborazione**: Supporta la codifica collaborativa con strumenti come richieste di merge, commenti e revisioni.
6. **Supporto per Mirror**: Ti consente di collegare Cloud Source Repositories con repository ospitati su GitHub o Bitbucket, abilitando la sincronizzazione automatica e fornendo una vista unificata di tutti i tuoi repository.
1. **Fully Managed Git Hosting**: Offers the familiar functionality of Git, meaning you can use regular Git commands and workflows.
2. **Integration with GCP Services**: Integrates with other GCP services like Cloud Build, Pub/Sub, and App Engine for end-to-end traceability from code to deployment.
3. **Private Repositories**: Ensures your code is stored securely and privately. You can control access using Cloud Identity and Access Management (IAM) roles.
4. **Source Code Analysis**: Works with other GCP tools to provide automated analysis of your source code, identifying potential issues like bugs, vulnerabilities, or bad coding practices.
5. **Collaboration Tools**: Supports collaborative coding with tools like merge requests, comments, and reviews.
6. **Mirror Support**: Allows you to connect Cloud Source Repositories with repositories hosted on GitHub or Bitbucket, enabling automatic synchronization and providing a unified view of all your repositories.
### Informazioni OffSec <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
### OffSec information <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
- La configurazione dei repository sorgente all'interno di un progetto avrà un **Account di Servizio** utilizzato per pubblicare messaggi Cloud Pub/Sub. Quello predefinito utilizzato è il **Compute SA**. Tuttavia, **non penso sia possibile rubare il suo token** dai Repository Sorgente poiché viene eseguito in background.
- Per vedere il codice all'interno della console web di GCP Cloud Source Repositories ([https://source.cloud.google.com/](https://source.cloud.google.com/)), è necessario che il codice sia **all'interno del ramo master per impostazione predefinita**.
- Puoi anche **creare un Mirror Cloud Repository** che punta a un repo di **Github** o **Bitbucket** (dando accesso a quelle piattaforme).
- È possibile **codificare e fare debug dall'interno di GCP**.
- Per impostazione predefinita, i Repository Sorgente **prevengono che le chiavi private vengano caricate nei commit**, ma questo può essere disabilitato.
- The source repositories configuration inside a project will have a **Service Account** used to publishing Cloud Pub/Sub messages. The default one used is the **Compute SA**. However, **I don't think it's possible steal its token** from Source Repositories as it's being executed in the background.
- To see the code inside the GCP Cloud Source Repositories web console ([https://source.cloud.google.com/](https://source.cloud.google.com/)), you need the code to be **inside master branch by default**.
- You can also **create a mirror Cloud Repository** pointing to a repo from **Github** or **Bitbucket** (giving access to those platforms).
- It's possible to **code & debug from inside GCP**.
- By default, Source Repositories **prevents private keys to be pushed in commits**, but this can be disabled.
### Apri in Cloud Shell
### Open In Cloud Shell
È possibile aprire il repository in Cloud Shell, apparirà un prompt come questo:
It's possible to open the repository in Cloud Shell, a prompt like this one will appear:
<figure><img src="../../../images/image (325).png" alt=""><figcaption></figcaption></figure>
Questo ti permetterà di codificare e fare debug in Cloud Shell (che potrebbe compromettere cloudshell).
This will allow you to code and debug in Cloud Shell (which could get cloudshell compromised).
### Enumeration
### Enumerazione
```bash
# Repos enumeration
gcloud source repos list #Get names and URLs
@@ -42,7 +43,7 @@ gcloud source repos get-iam-policy <repo_name>
gcloud source repos clone <REPO NAME>
gcloud source repos get-iam-policy <REPO NAME>
... git add & git commit -m ...
git push --set-upstream origin master
git push --set-upstream origin $BRANCH
git push -u origin master
# Access via git
@@ -50,16 +51,20 @@ git push -u origin master
git clone ssh://username@domain.com@source.developers.google.com:2022/p/<proj-name>/r/<repo-name>
git add, commit, push...
```
### Escalation dei privilegi e Post Exploitation
### Privilege Escalation & Post Exploitation
{{#ref}}
../gcp-privilege-escalation/gcp-sourcerepos-privesc.md
{{#endref}}
### Enum non autenticato
### Unauthenticated Enum
{{#ref}}
../gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}