GITBOOK-741: No subject

This commit is contained in:
SirBroccoli
2024-12-25 02:39:59 +00:00
committed by gitbook-bot
parent 6406a5e945
commit 5e029648f5
5 changed files with 101 additions and 9 deletions

View File

@@ -443,6 +443,7 @@
* [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md)
* [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md)
* [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md)
* [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md)
* [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md)
* [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md)
* [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md)

View File

@@ -15,7 +15,7 @@ Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).p
</details>
{% endhint %}
## File Share Privesc
## File Share Post Exploitation
For more information about file shares check:

View File

@@ -0,0 +1,47 @@
# Az - Function Apps Post Exploitation
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Funciton Apps Post Exploitaiton
For more information about function apps check:
{% content-ref url="../az-services/az-function-apps.md" %}
[az-function-apps.md](../az-services/az-function-apps.md)
{% endcontent-ref %}
{% hint style="danger" %}
**Function Apps post exploitation tricks are very related to the privilege escalation tricks** so you can find all of them there:
{% endhint %}
{% content-ref url="../az-privilege-escalation/az-functions-app-privesc.md" %}
[az-functions-app-privesc.md](../az-privilege-escalation/az-functions-app-privesc.md)
{% endcontent-ref %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
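Review bot: The page heading in this new file is misspelled, `## Funciton Apps Post Exploitaiton`; it should read `## Function Apps Post Exploitation`, since the heading text also becomes the section anchor. The `{% hint style="danger" %}` block only carries a cross-reference to the privesc page, so `style="info"` fits better, and its sentence ends in a colon while the `content-ref` it introduces sits outside the hint. The training/support banner appears twice (top and bottom) around two sentences of content; if that is not a template requirement, one copy is enough.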

View File

@@ -65,7 +65,7 @@ open "smb://<STORAGE-ACCOUNT>.file.core.windows.net/<FILE-SHARE-NAME>"
```
{% endcode %}
* **`function-releases`** (`WEBSITE_RUN_FROM_PACKAGE)`
* **`function-releases`** (`WEBSITE_RUN_FROM_PACKAGE`)
It's also common to find the **zip releases** inside the folder `function-releases` of the Storage Account container that the function app is using in a container **usually called `function-releases`**.
@@ -195,7 +195,7 @@ az rest --method POST --uri "https://management.azure.com/subscriptions/<subsrip
### Microsoft.Web/sites/host/functionKeys/write
This permission allows to create/update a function key to the specified function with:
This permission allows to create/update a function key of the specified function with:
{% code overflow="wrap" %}
```bash
@@ -213,6 +213,10 @@ az functionapp keys set --resource-group <res_group> --key-name <key-name> --key
```
{% endcode %}
{% hint style="danger" %}
Remember that with this key you can also access the source code and modify it as explained before!
{% endhint %}
### Microsoft.Web/sites/host/systemKeys/write
This permission allows to create/update a system function key to the specified function with:
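Review bot: The new hint's "as explained before" has no target; link it to the section of this page that covers reading and modifying the source code with a key, so the reader does not have to search for it. It would also help to say which key is meant, because the same `az functionapp keys set` command appears under both `functionKeys/write` and the `systemKeys/write` section that follows, and the hint sits only under the first.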
@@ -225,7 +229,7 @@ az functionapp keys set --resource-group <res_group> --key-name <key-name> --key
### Microsoft.Web/sites/config/list/action
This permission allows to get the settings of a function. Inside these configurations it might be possible to find the default values **`AzureWebJobsStorage`** or **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** which actually contains an **account key to access the blob storage of the function with FULL permissions**.
This permission allows to get the settings of a function. Inside these configurations it might be possible to find the default values **`AzureWebJobsStorage`** or **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** which contains an **account key to access the blob storage of the function with FULL permissions**.
{% code overflow="wrap" %}
```bash
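Review bot: In the reworded sentence, "which contains" should be "which contain", since it refers to both `AzureWebJobsStorage` and `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`. These are setting names rather than "default values", and "allows to get" reads better as "allows reading"; suggest "the default settings `AzureWebJobsStorage` or `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`, which contain an account key ...". Because the sentence states that the key gives FULL permissions on the function's storage, a short pointer on who should hold `config/list/action` would be a useful addition for readers reviewing role assignments.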
@@ -246,7 +250,7 @@ az rest --method POST \
These permissions allows to list the config values of a function as we have seen before plus **modify these values**. This is useful because these settings indicate where the code to execute inside the function is located.&#x20;
It's therefore possible to set the value of the setting **`WEBSITE_RUN_FROM_PACKAGE`** pointing to a zip file containing the new code to execute inside a web application:
It's therefore possible to set the value of the setting **`WEBSITE_RUN_FROM_PACKAGE`** pointing to an URL zip file containing the new code to execute inside a web application:
* Start by getting the current config
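Review bot: "pointing to an URL zip file" in the changed line is ungrammatical and less clear than the line it replaces; suggest "pointing to the URL of a zip file containing the new code". The same sentence says the code runs "inside a web application" although the section is about a function app, and the preceding paragraph still has "These permissions allows" and a stray `&#x20;` entity at the end of its line.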
@@ -256,7 +260,7 @@ az functionapp config appsettings list \
--resource-group <res-name>
```
* Create the code you want the funciton to run and host it publicly
* Create the code you want the function to run and host it publicly
```bash
# Write inside /tmp/web/function_app.py the code of the function
@@ -297,7 +301,7 @@ az rest --method PUT \
```
{% endcode %}
### `Microsoft.Web/sites/publishxml/action, (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write)`
### Microsoft.Web/sites/publishxml/action, (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write)
This permissions allows to list all the publishing profiles which basically contains **basic auth credentials**:
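Review bot: The sentence under the changed heading still reads "This permissions allows to list all the publishing profiles which basically contains"; it should be "This permission allows listing all the publishing profiles, which basically contain **basic auth credentials**". In the heading itself, the comma before the parenthesised optional permission can go, giving `Microsoft.Web/sites/publishxml/action (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write)`, unless the comma-plus-parentheses form is the convention used elsewhere on the page.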
@@ -309,7 +313,7 @@ az functionapp deployment list-publishing-profiles \
--output json
```
Aonther option would be to set you own creds and use them using:
Another option would be to set you own creds and use them using:
```bash
az functionapp deployment user set \
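Review bot: The corrected line fixes "Aonther" but keeps "set you own creds"; it should be "set your own creds". "and use them using:" can be shortened to "and use them:" in the same pass.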
@@ -445,6 +449,29 @@ az rest --url "https://management.azure.com/subscriptions/<subscripntion-id>/res
```
{% endcode %}
### Microsoft.Web/sites/config/write, Microsoft.Web/sites/config/list/action, (Microsoft.Web/sites/read, Microsoft.Web/sites/config/list/action, Microsoft.Web/sites/config/read)
With these permissions it's possible to **modify the container run by a function app** configured to run a container. This would allow an attacker to upload a malicious azure function container app to docker hub (for example) and make the function execute it.
```bash
az functionapp config container set --name <app-name> \
--resource-group <res-group> \
--image "mcr.microsoft.com/azure-functions/dotnet8-quickstart-demo:1.0"
```
### Microsoft.Web/sites/write, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action, Microsoft.App/managedEnvironments/join/action, (Microsoft.Web/sites/read, Microsoft.Web/sites/operationresults/read)
With these permissions it's possible to **attach a new user managed identity to a function**. If the function was compromised this would allow to escalate privileges to any user managed identity.
{% code overflow="wrap" %}
```bash
az functionapp identity assign \
--name <app-name> \
--resource-group <res-group> \
--identities /subscriptions/<subs-id>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<mi-name>
```
{% endcode %}
### Remote Debugging
It's also possible to connect to debug a running Azure function as [**explained in the docs**](https://learn.microsoft.com/en-us/azure/azure-functions/functions-develop-vs). However, by default Azure will turn this option to off in 2 days in case the developer forgets to avoid leaving vulnerable configurations.
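Review bot: The first new heading lists `Microsoft.Web/sites/config/list/action` twice, once as required and again inside the parenthesised optional set; drop one so the reader can tell which permissions are actually needed. In the managed identity section, "escalate privileges to any user managed identity" is broader than the heading supports, since the heading requires `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`; say "any user managed identity the principal is allowed to assign". The container example is not wrapped in `{% code overflow="wrap" %}` like the block after it. The Remote Debugging sentence ("turn this option to off in 2 days in case the developer forgets to avoid leaving vulnerable configurations") needs rewording, for example "by default Azure turns this option off after 2 days, so that a forgotten debugging session does not leave the app exposed".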

View File

@@ -74,9 +74,11 @@ The **system assigned** one will be a managed identity that **only the function*
{% hint style="info" %}
Just like in [**VMs**](vms/), Functions can have **1 system assigned** managed identity and **several user assigned** ones, so it's always important to try to find all of them if you compromise the function because you might be able to escalate privileges to several managed identities from just one Function.
If a no system managed identity is used but one or more user managed identities are attached to a function, by default you wont be able to get any token.
{% endhint %}
It's possible to use the [**PEASS scripts**](https://github.com/peass-ng/PEASS-ng) to get tokens from the default managed identity from the metadata endpoint. Or you could get them manually as explained in:
It's possible to use the [**PEASS scripts**](https://github.com/peass-ng/PEASS-ng) to get tokens from the default managed identity from the metadata endpoint. Or you could get them **manually** as explained in:
{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" %}
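Review bot: The sentence added to the hint has two typos, "If a no system managed identity" and "wont"; it should read "If no system managed identity is used ... you won't be able to get any token". "By default" implies there is a non-default way to obtain a token for the user assigned identities, so state what it is or link to where it is explained; as written, the hint first tells the reader to look for every attached identity and then says no token can be obtained.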
@@ -206,6 +208,12 @@ Moreover, a **Managed Identity** is also created so the Github Action from the r
Therefore, anyone compromising that repo will be able to compromise the function and the Managed Identities attached to it.
{% endhint %}
### Container Based Deployments
Not all the plans allow to deploy containers, but for the ones that do, the configuration will contain the URL of the container. In the API the **`linuxFxVersion`** setting will ha something like: `DOCKER|mcr.microsoft.com/...`, while in the web console, the configuration will show the **image settings**.
Moreover, **no source code will be stored in the storage** account related to the function as it's not needed.
## Enumeration
{% code overflow="wrap" %}
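Review bot: Typo in the new Container Based Deployments paragraph: "will ha something like" should be "will have something like". "Not all the plans allow to deploy containers" would be more useful if it named the plans that do. The example value `DOCKER|mcr.microsoft.com/...` is an image reference prefixed with `DOCKER|`, so "the URL of the container" could be tightened to "the container image reference".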
@@ -215,11 +223,20 @@ az functionapp list
# Get info of 1 funciton (although in the list you already get this info)
az functionapp show --name <app-name> --resource-group <res-group>
## If "linuxFxVersion" has something like: "DOCKER|mcr.microsoft.com/..."
## This is using a container
# Get details about the source of the function code
az functionapp deployment source show \
--name <app-name> \
--resource-group <res-group>
## If error like "This is currently not supported."
## Then, this is probalby using a container
# Get more info if a container is being used
az functionapp config container show \
--name <name> \
--resource-group <res-group>
# Get settings (and privesc to the sorage account)
az functionapp config appsettings list --name <app-name> --resource-group <res-group>
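Review bot: Inferring a container deployment from the error text "This is currently not supported." is fragile, and the comment itself hedges with "probalby" (typo for "probably"); the `linuxFxVersion` check added a few lines above is the more direct signal, so point back to it here. The new `az functionapp config container show` call uses `--name <name>` while every other command in the block uses `--name <app-name>`, and the surrounding context comments still contain "funciton" and "sorage".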