gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-28 13:43:24 -08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'HackTricks-wiki:master' into master

Browse Source
This commit is contained in:
Jaime Polop
2025-01-10 18:50:57 +01:00
committed by GitHub
parent 5d6efaa6a6 73e6fee408
commit 8ec34fc329
2 changed files with 8 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/pentesting-cloud/azure-security/az-privilege-escalation/az-automation-accounts-privesc.md
View File

@@ -10,7 +10,7 @@ Fore more information check:
../az-services/az-automation-accounts.md
{{#endref}}
### Hybrid Workers
### Hybrid Workers Group
Remember that if somehow an attacker can execute an arbitrary runbook (arbitrary code) in a hybrid worker, he will **pivot to the location of the VM**. This could be an on-premise machine, a VPC of a different cloud or even an Azure VM.
@@ -66,7 +66,7 @@ az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/jobs/<job-name>/output?api-version=2023-11-01"
```
If there aren't Runbooks created, or ou want to create a new one, you will need the **permissions `Microsoft.Resources/subscriptions/resourcegroups/read` and `Microsoft.Automation/automationAccounts/runbooks/write`** to do it using:
If there aren't Runbooks created, or you want to create a new one, you will need the **permissions `Microsoft.Resources/subscriptions/resourcegroups/read` and `Microsoft.Automation/automationAccounts/runbooks/write`** to do it using:
```bash
az automation runbook create --automation-account-name <account-name> --resource-group <res-group> --name <runbook-name> --type PowerShell

14
src/pentesting-cloud/azure-security/az-services/az-automation-accounts.md
View File

@@ -14,14 +14,12 @@ Azure Automation Accounts are cloud-based services in Microsoft Azure that help
- **Connections**: Used to store **connection information** to external services. This could contain **sensitive information**.
- **Network Access**: It can be set to **public** or **private**.
## Runbooks & Jobs
### Runbooks & Jobs
A Runbook in Azure Automation is a **script that performs tasks automatically** within your cloud environment. Runbooks can be written in PowerShell, Python, or Graphical editors. They help automate administrative tasks like VM management, patching, or compliance checks.
In the **code** located inside **Runbooks** could contains **sensitive info** (such as creds).
Go to `Automation Accounts` --> `<Select Automation Account>` --> `Runbooks/Jobs/Hybrid worker groups/Watcher tasks/credentials/variables/certificates/connections`
A **Job is an instance of a Runbook execution**. When you run a Runbook, a Job is created to track that execution. Each job includes:
- **Status**: Queued, Running, Completed, Failed, Suspended.
@@ -42,15 +40,15 @@ There are 3 main ways to execute a Runbook:
It allows to import Runbooks from **Github, Azure Devops (Git) and Azure Devops (TFVC)**. It's possible to indicate it to publish the Runbooks of the repo to Azure Automation account and it's also possible to indicate to **sync the changes from the repo** to the Azure Automation account.
When the sync is enabled, in the **Github repository a webhook is created** to trigger the sync everytime a push event ocurs. Example of a webhook URL: `https://f931b47b-18c8-45a2-9d6d-0211545d8c02.webhook.eus.azure-automation.net/webhooks?token=DRjQyFiOrUtz%2fw7o23XbDpOlTe1%2bUqPQm4pQH2WBfJg%3d`
When the sync is enabled, in the **Github repository a webhook is created** to trigger the sync every time a push event occurs. Example of a webhook URL: `https://f931b47b-18c8-45a2-9d6d-0211545d8c02.webhook.eus.azure-automation.net/webhooks?token=DRjQyFiOrUtz%2fw7o23XbDpOlTe1%2bUqPQm4pQH2WBfJg%3d`
Note that these webhooks **won't be visible** when listing webhooks in the associated runbooks to the Github repo. Also note that it's **not possible to change the repo URL** of a source control once it's created.
In order for the configured source control to work, the **Azure Automation Account** needs to have a managed identity (system or user) with the **`Contributor`** role. Moreover, to assing a user managed identity to the Automation Account, it's needed to indicate the client ID of the user MI in the variable **`AUTOMATION_SC_USER_ASSIGNED_IDENTITY_ID`**.
In order for the configured source control to work, the **Azure Automation Account** needs to have a managed identity (system or user) with the **`Contributor`** role. Moreover, to assign a user managed identity to the Automation Account, it's needed to indicate the client ID of the user MI in the variable **`AUTOMATION_SC_USER_ASSIGNED_IDENTITY_ID`**.
### Runtime Environments
When creating a Runbook it'spossible to select the runtime environment. By default, the following runtime environments are available:
When creating a Runbook it's possible to select the runtime environment. By default, the following runtime environments are available:
- **Powershell 5.1**
- **Powershell 7.1**
@@ -71,7 +69,7 @@ When a hybrid worker group is created it's needed to indicate the **credentials*
- **Default credentials**: You don't need to provide the credentials and the runbooks will be executed inside the VMs as **System**.
- **Specific credentials**: You need to provide the name of the credentials object inside the automation account, which will be used to execute the **runbooks inside the VMs**. Therefore, in this case, it could be possible to **steal valid credentials** for the VMs.
Therefore, if you can choose to run a **Runbook** in a **Windows Hybrid Worker**, you will execute **arbitrary commands** inside an external machine as **System** (nice pivot technique).
Therefore, if you can choose to run a **Runbook** in a **Hybrid Worker**, you will execute **arbitrary commands** inside an external machine as **System** (nice pivot technique).
Moreover, if the hybrid worker is running in Azure with other Managed Identities attached, the runbook will be able to access the **managed identity of the runbook and all the managed identities of the VM from the metadata service**.
@@ -173,7 +171,7 @@ az rest --method GET \
# Get the source control setting of an automation account (if any)
## inside the output it's possible to see if the autoSync is enabled, if the publishRunbook is enabled and the repo URL
aaz automation source-control list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
az automation source-control list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
# Get custom runtime environments
## Check in defaultPackages for custom ones, by default Python envs won't have anything here and PS1 envs will have "az" and "azure cli"