Translated ['src/pentesting-cloud/azure-security/az-privilege-escalation

2025-12-27 05:03:31 -08:00 · 2025-02-25 21:58:05 +00:00
parent 97e50b6930
commit 7b3ed57fd4
3 changed files with 139 additions and 1 deletions
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md
@@ -0,0 +1,33 @@
+# Az - Virtual Desktop Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Azure Virtual Desktop Privesc
+
+### `Microsoft.DesktopVirtualization/hostPools/retrieveRegistrationToken/action`
+Jy kan die registrasietoken wat gebruik word om virtuele masjiene binne 'n gasheerpoel te registreer, verkry.
+```bash
+az desktopvirtualization hostpool retrieve-registration-token -n testhostpool -g Resource_Group_1
+```
+### ("Microsoft.Authorization/roleAssignments/read", "Microsoft.Authorization/roleAssignments/write") && ("Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/extensions/read","Microsoft.Compute/virtualMachines/extensions/write")
+
+Met hierdie toestemmings kan jy 'n gebruikersopdrag by die Toepassing groep voeg, wat nodig is om toegang tot die virtuele masjien van die virtuele desktop te verkry.
+```bash
+az rest --method PUT \
+--uri "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.DesktopVirtualization/applicationGroups/<APP_GROUP_NAME>/providers/Microsoft.Authorization/roleAssignments/<NEW_ROLE_ASSIGNMENT_GUID>?api-version=2022-04-01" \
+--body '{
+"properties": {
+"roleDefinitionId": "/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
+"principalId": "<USER_OBJECT_ID>"
+}
+}'
+```
+Boonop kan jy die virtuele masjien gebruiker en wagwoord verander om toegang te verkry.
+```bash
+az vm user update \
+--resource-group <RESOURCE_GROUP_NAME> \
+--name <VM_NAME> \
+--username <USERNAME> \
+--password <NEW_PASSWORD>
+```
+{{#include ../../../banners/hacktricks-training.md}}
--- a/src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md
@@ -0,0 +1,102 @@
+# Az - Virtuele Desktop
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Azure Virtuele Desktop
+
+Virtuele Desktop is 'n **desktop en app virtualiseringsdiens**. Dit stel in staat om volledige Windows-desktops, insluitend Windows 11, Windows 10, of Windows Server aan gebruikers op afstand te lewer, hetsy as individuele desktops of deur individuele toepassings. Dit ondersteun enkel-sessie opstellings vir persoonlike gebruik en multi-sessie omgewings. Gebruikers kan van feitlik enige toestel af aansluit met behulp van inheemse toepassings of 'n webblaaier.
+
+### Gasheerpoele
+
+Gasheerpoele in Azure Virtuele Desktop is versamelings van Azure virtuele masjiene wat as sessiegashere geconfigureer is, wat virtuele desktops en toepassings aan gebruikers bied. Daar is twee hoof tipes:
+- **Persoonlike gasheerpoele**, waar elke virtuele masjien aan 'n enkele gebruiker toegewy is, met sy omgewings
+- **Gedeelde gasheerpoele**, waar verskeie gebruikers hulpbronne op enige beskikbare sessiegasheer deel. Dit het 'n konfigureerbare sessiegrens en 'n sessiegasheer konfigurasie laat Azure Virtuele Desktop toe om die skepping van sessiegashere outomaties te hanteer op grond van 'n konfigurasie.
+
+Elke gasheerpoel het 'n **registrasietoken** wat gebruik word om virtuele masjiene binne 'n gasheerpoel te registreer.
+
+### Toepassing groepe & Werkruimte
+Toepassing groepe **beheer gebruikers toegang** tot óf 'n volledige desktop óf spesifieke stelle toepassings wat beskikbaar is op sessiegashere binne 'n gasheerpoel. Daar is twee tipes:
+- **Desktop toepassing groepe**, wat gebruikers toegang gee tot 'n volledige Windows desktop (beskikbaar met beide persoonlike en gedeelde gasheerpoele)
+- **RemoteApp groepe**, wat gebruikers toelaat om toegang te verkry tot individuele gepubliseerde toepassings (slegs beskikbaar met gedeelde gasheerpoele).
+'n Gasheerpoel kan een Desktop toepassing groep hê, maar verskeie RemoteApp groepe. Gebruikers kan aan verskeie toepassing groepe oor verskillende gasheerpoele toegeken word. As 'n gebruiker aan beide desktop en RemoteApp groepe binne dieselfde gasheerpoel toegeken word, sien hulle slegs hulpbronne van die voorkeur groep tipe wat deur administrateurs gestel is.
+
+'n **Werkruimte** is 'n **versameling van toepassing groepe**, wat gebruikers toelaat om toegang te verkry tot die desktops en toepassing groepe wat aan hulle toegeken is. Elke toepassing groep moet aan 'n werkruimte gekoppel wees, en dit kan slegs aan een werkruimte op 'n slag behoort.
+
+### Sleutelkenmerke
+- **Buigsame VM Skepping**: Skep Azure virtuele masjiene direk of voeg later Azure Plaaslike virtuele masjiene by.
+- **Sekuriteitskenmerke**: Aktiveer Betroubare Begin (veilige opstart, vTPM, integriteitsmonitering) vir gevorderde VM-sekuriteit ('n virtuele netwerk is nodig). Kan Azure Firewall integreer en verkeer via Netwerk Sekuriteitsgroepe beheer.
+- **Domein Verbinding**: Ondersteuning vir Aktiewe Gids domein verbindings met aanpasbare konfigurasies.
+- **Diagnostiek & Monitering**: Aktiveer Diagnostiese Instellings om logs en metrieke na Log Analytics, stoor rekeninge, of gebeurtenis hube te stroom vir monitering.
+- **Pasgemaakte beeld sjablone**: Skep en bestuur hulle om te gebruik wanneer sessiegashere bygevoeg word. Voeg maklik algemene aanpassings of jou eie pasgemaakte skripte by.
+- **Werkruimte Registrasie**: Registreer maklik standaard desktop toepassing groepe aan nuwe of bestaande werkruimtes vir vereenvoudigde gebruikers toegang bestuur.
+
+### Enumerasie
+```bash
+az extension add --name desktopvirtualization
+
+# List HostPool of a Resource group
+az desktopvirtualization hostpool list --resource-group <Resource_Group>
+
+# List Application Groups
+az desktopvirtualization applicationgroup list --resource-group <Resource_Group>
+# List Application Groups By Subscription
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/applicationGroups?api-version=2024-04-03"
+# List Applications in a Application Group
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/applications?api-version=2024-04-03"
+# List Assigned Users to the Application Group
+az rest \
+--method GET \
+--url "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.DesktopVirtualization/applicationGroups/<APP_GROUP_NAME>/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01" \
+| jq '.value[] | select((.properties.scope | ascii_downcase) == "/subscriptions/<subscription_id_in_lowercase>/resourcegroups/<resource_group_name_in_lowercase>/providers/microsoft.desktopvirtualization/applicationgroups/<app_group_name_in_lowercase>")'
+
+
+# List Workspace in a resource group
+az desktopvirtualization workspace list --resource-group <Resource_Group>
+# List Workspace in a subscription
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/workspaces?api-version=2024-04-03"
+
+# List App Attach Package By Resource Group
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03"
+# List App Attach Package By Subscription
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03"
+
+# List Desktops
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/desktops?api-version=2024-04-03"
+
+# List MSIX Packages
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/msixPackages?api-version=2024-04-03"
+
+# List private endpoint connections associated with hostpool.
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateEndpointConnections?api-version=2024-04-03"
+# List private endpoint connections associated By Workspace.
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateEndpointConnections?api-version=2024-04-03"
+
+# List the private link resources available for a hostpool.
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateLinkResources?api-version=2024-04-03"
+# List the private link resources available for this workspace.
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateLinkResources?api-version=2024-04-03"
+
+# List sessionHosts/virtual machines.
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts?api-version=2024-04-03"
+
+# List start menu items in the given application group.
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/startMenuItems?api-version=2024-04-03"
+
+# List userSessions.
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts/{sessionHostName}/userSessions?api-version=2024-04-03"
+# List userSessions By Host Pool
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/userSessions?api-version=2024-04-03"
+
+```
+### Verbinding
+
+Om via die web met die virtuele desktop te verbind, kan jy toegang verkry deur https://client.wvd.microsoft.com/arm/webclient/ (meest algemeen), of https://client.wvd.microsoft.com/webclient/index.html (klassiek)  
+Daar is ander metodes wat hier beskryf word [https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client?tabs=windows](https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client?tabs=windows)
+
+## Privesc
+
+{{#ref}}  
+../az-privilege-escalation/az-virtual-desktop-privesc.md  
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}