From 6e477bc29615903b83f8e09acb48426bdf9b4029 Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Sat, 15 Feb 2025 16:23:48 +0100 Subject: [PATCH] update container services az --- src/SUMMARY.md | 4 +- ...-container-instances-apps-jobs-privesc.md} | 4 +- .../az-container-instances-apps-jobs.md | 112 ++++++++++++++++++ .../az-services/az-container-instances.md | 45 ------- 4 files changed, 116 insertions(+), 49 deletions(-) rename src/pentesting-cloud/azure-security/az-privilege-escalation/{az-container-instances-privesc.md => az-container-instances-apps-jobs-privesc.md} (97%) create mode 100644 src/pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md delete mode 100644 src/pentesting-cloud/azure-security/az-services/az-container-instances.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 478e28676..3cd74bd86 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -415,7 +415,7 @@ - [Az - Azure App Services](pentesting-cloud/azure-security/az-services/az-app-services.md) - [Az - Cloud Shell](pentesting-cloud/azure-security/az-services/az-cloud-shell.md) - [Az - Container Registry](pentesting-cloud/azure-security/az-services/az-container-registry.md) - - [Az - Container Instances](pentesting-cloud/azure-security/az-services/az-container-instances.md) + - [Az - Container Instances](pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md) - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB.md) - [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md) - [Az - File Shares](pentesting-cloud/azure-security/az-services/az-file-shares.md) 
@@ -470,7 +470,7 @@ - [Az - App Services Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md) - [Az - Automation Accounts Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-automation-accounts-privesc.md) - [Az - Container Registry Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-container-registry-privesc.md) - - [Az - Container Instances Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-privesc.md) + - [Az - Container Instances Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md) - [Az - CosmosDB Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md) - [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md) - [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md) diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md similarity index 97% rename from src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-privesc.md rename to src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md index daf64d5c9..8f554c7c6 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md 
@@ -7,7 +7,7 @@ Fore more information check: {{#ref}} -../az-services/az-container-instances.md +../az-services/az-container-instances-apps-jobs.md {{#endref}} ### `Microsoft.ContainerInstance/containerGroups/read`, `Microsoft.ContainerInstance/containerGroups/containers/exec/action` @@ -59,7 +59,7 @@ These permission allows to **create or update a container group** with a **user ```bash az container create \ - --resource-group > \ + --resource-group \ --name nginx2 \ --image mcr.microsoft.com/oss/nginx/nginx:1.9.15-alpine \ --assign-identity "/subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/" \ diff --git a/src/pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md b/src/pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md new file mode 100644 index 000000000..ef2755ebe --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md 
@@ -0,0 +1,112 @@ +# Az - Container Instances + +{{#include ../../../banners/hacktricks-training.md}} + +## Basic Information + +**Azure Container Instances (ACI)** is a serverless container service that lets you run individual containers quickly without managing any underlying infrastructure. **Azure Container Apps (ACA)** extends this by offering a fully managed environment for running microservices and web apps with features like event-driven autoscaling, built-in Dapr integration, and support for complex orchestration scenarios. **Container App Jobs** are a specialized feature within ACA designed for running short-lived, batch, or scheduled tasks that execute for a finite period and then exit. + +Differences: +- ACI is ideal for **simple**, standalone container workloads where minimal orchestration is needed. +- ACA is best suited for building scalable, interconnected microservices with advanced features like autoscaling and service discovery. +- Container App Jobs focus on **one-off or scheduled tasks**, providing a streamlined way to run background or batch jobs within the ACA environment. + + +### Configurations + +Special options for ACI: +- Regarding networking it can also have a **public IP** or be **private endpoints**. + +Special options for ACA: +- It's possible to **restrict the trafic** to the container to the container app environment or leave it public. +- It’s possible to use an **external identity provider** (Microsoft, Facebook, Google, and Twitter) for authentication +- It's possible to **store App secrets** (in clear text the app or as links to a vault assigning a MI with access over it) +- It’s possible to have **revisions and replicas of the app** + +Special options for jobs: +- The trigger type can be **manual, scheduled or event-based** (like a message arriving in a queue). 
+ +Common options: +- In order to create a container it's possible to use a public image, a container image from an Azure Container Registry or an external repository, which might **require to configure a password** to access it. + - This means that the configuration of the container might contain sensitive information. +- It's also possible to configure common docker settings like: + - **Environment variables** (check for sensitive information) + - **Volumes** (even from Azure Files) + - **Ports** to expose + - **CPU and memory limits** + - **Restart policy** + - **Run as privileged** + - Overwrite containers **command line to run and arguments** (can be modified in existing containers also) + - ... + +## Enumeration + +> [!WARNING] +> When enumerating, you could reveal sensitive configurations such as **environment variables**, **network details**, or **managed identities**. + +```bash +# ACI +## List all container instances in the subscription +az container list + +## Show detailed information about a specific container instance +az container show --name --resource-group + +## Fetch logs from a container +az container logs --name --resource-group + +## Execute a command in a running container and get the output +az container exec --name --resource-group --exec-command "ls" + +## Get yaml configuration of the container group +az container export --name --resource-group + +# ACA +## List all container apps in the subscription +az containerapp list + +## Show detailed information about a specific container app +az containerapp show --name --resource-group + +## Fetch logs from a container app +az containerapp logs show --name --resource-group + +## Get configured secrets +az containerapp secret list --name --resource-group +### Get value +az containerapp secret show --name --resource-group --secret-name + +## Get authentication options +az containerapp auth show --name --resource-group + +## Get a shell +az containerapp exec --name --resource-group --command "sh" + 
+## Get debugging shell +az containerapp debug --name --resource-group + +# Jobs +## List all container apps jobs in a resource group +az containerapp job list --resource-group + +## Show detailed information about a specific container app job +az containerapp job show --name --resource-group + +## Fetch logs from a container app job +az containerapp job logs show --name --resource-group + +## Fetch executions from a container app job +az containerapp job execution list --name --resource-group +az containerapp job execution show --name --resource-group --job-execution-name + +## Start a job execution (for manual jobs) +az containerapp job start --name --resource-group +``` + +## Privilege Escalation & Post Exploitation + +{{#ref}} +../az-privilege-escalation/az-container-instances-apps-jobs-privesc.md +{{#endref}} + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-services/az-container-instances.md b/src/pentesting-cloud/azure-security/az-services/az-container-instances.md deleted file mode 100644 index 212feac3c..000000000 --- a/src/pentesting-cloud/azure-security/az-services/az-container-instances.md +++ /dev/null 
@@ -1,45 +0,0 @@ -# Az - Container Instances - -{{#include ../../../banners/hacktricks-training.md}} - -## Basic Information - -Azure Container Instances (ACI) provide a **serverless, on-demand way** to run **containers** in the Azure cloud. You can **deploy** single or multiple containers in a group with **scalable compute**, **networking options**, and the flexibility to connect to **other Azure services** (like Storage, Virtual Networks, or Container Registries). - -As they are **ephemeral** workloads, you don't need to manage the underlying VM infrastructure — Azure handles that for you. However, from an **offensive security perspective**, it's crucial to understand how **permissions**, **identities**, **network configurations**, and **logs** can reveal attack surfaces and potential misconfigurations. - -### Configurations - -- In order to create a container it's possible to use a public image, a container image from an Azure Container Registry or an external repository, which might **require to configure a password** to access it. -- Regarding networking it can also have a **public IP** or be **private endpoints**. -- It's also possible to configure common docker settings like: - - **Environment variables** - - **Volumes** (even from Azure Files) - - **Ports** - - **CPU and memory limits** - - **Restart policy** - - **Run as privileged** - - **Command line to run** - - ... - -## Enumeration - -> [!WARNING] -> When enumerating ACI, you can reveal sensitive configurations such as **environment variables**, **network details**, or **managed identities**. Be cautious with logging or displaying them. 
- -```bash -# List all container instances in the subscription -az container list - -# Show detailed information about a specific container instance -az container show --name --resource-group - -# Fetch logs from a container -az container logs --name --resource-group - -# Execute a command in a running container and get the output -az container exec --name --resource-group --exec-command "ls" - -# Get yaml configuration of the container group -az container export --name --resource-group -```
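Review bot: in the two `src/SUMMARY.md` hunks the link titles stay `Az - Container Instances` and `Az - Container Instances Privesc` while the targets are renamed to `az-container-instances-apps-jobs.md` / `az-container-instances-apps-jobs-privesc.md` and the new page covers Container Apps and Container App Jobs as well; update the titles so the table of contents matches the content, e.g. `- [Az - Container Instances, Apps & Jobs](pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md)` and the same for the privesc entry.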
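Review bot: the first hunk of the renamed privesc page (`@@ -7,7`) keeps the context line `Fore more information check:`, which has a typo (`For more information check:`); since the surrounding `{{#ref}}` block is being edited anyway, fix it in this patch.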
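Review bot: in the `az container create` hunk (`@@ -59,7`) removing the stray `>` after `--resource-group` is correct, but as rendered here the `--assign-identity` path `"/subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/"` has empty segments where the subscription id, resource group and identity name belong, and `--resource-group` and `--name` in the enumeration commands likewise carry no value. If angle-bracket placeholders are being swallowed somewhere in the rendering pipeline, switch to placeholders that survive it (for example `$SUBSCRIPTION_ID`, `$RESOURCE_GROUP`, `$IDENTITY_NAME`) so readers can see which value goes where.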
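Review bot: in the new `az-container-instances-apps-jobs.md` hunk the `## Enumeration` block mixes read-only listing with commands that execute inside the workload: `az container exec ... --exec-command "ls"`, `az containerapp exec ... --command "sh"`, `az containerapp debug` and `az containerapp job start` require action/write permissions (the privesc page in this same patch lists `Microsoft.ContainerInstance/containerGroups/containers/exec/action` for ACI exec) and leave traces in the container and in the activity log, so they should be split into their own subsection or flagged as not being plain enumeration. Smaller points in the same hunk: the title is still `# Az - Container Instances` although the page now covers ACA and Jobs; `restrict the trafic` should read `traffic`; the secrets bullet `(in clear text the app or as links to a vault assigning a MI with access over it)` is hard to parse and could read "stored in clear text in the app, or as Key Vault references resolved through a managed identity that has access to the vault"; the identity-provider list `(Microsoft, Facebook, Google, and Twitter)` is not exhaustive (GitHub, Apple and generic OpenID Connect providers are also supported), so add "among others". It is also worth verifying and noting that `az containerapp secret show` only returns a plaintext `value` for secrets stored in the app, while Key Vault-backed secrets come back as the vault reference rather than the secret itself.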
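Review bot: the deleted `az-container-instances.md` warning ended with `Be cautious with logging or displaying them.`, a caveat the replacement warning in the new page drops; keep it, since dumping environment variables, registry credentials and managed-identity details into engagement notes or tool output is exactly what an operator should be told to avoid. Apart from that sentence, everything in the deleted file is carried over to the new page, so the deletion itself is fine.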