GITBOOK-737: No subject

This commit is contained in:
SirBroccoli
2024-12-21 16:53:47 +00:00
committed by gitbook-bot
parent 735f1f5b66
commit 909a3378c2
2 changed files with 97 additions and 4 deletions

View File

@@ -48,7 +48,17 @@ This is very interesting from an attackers perspective as **write access over th
This is very interesting from an attackers perspective as it might be possible to **pivot to internal networks** from a vulnerable Lambda function exposed to the Internet.
{% endhint %}
### **Function Apps support Managed Identities.**
### **Environment Variables**
it's possible to configure environment variables inside an app. Moreover, by default the env variables **`AzureWebJobsStorage`** and **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** (among others) are created. These are specially interesting because they **contain the account key to control with FULL permissions the storage account containing the data of the application**.
### **Function Sandbox**
Inside the sandbox the source code is located in **`/home/site/wwwroot`** in the file **`function_app.py`** (if python is used) the user running the code is **`app`** (without sudo permissions).
### **Managed Identities**
Moreover Function App might have certain endpoints that require a certain level of authentication, such as "admin" or "anonymous".\
An attacker could try to access the **anonymous allowed endpoints** to bypass the restrictions and gain access to sensitive data or functionality.
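Review bot: the new `### **Function Apps support Managed Identities.**` heading (first added line of this hunk) is an empty section: it is phrased as a sentence with a trailing period and is followed directly by the `### **Environment Variables**` heading, while a second `### **Managed Identities**` heading appears a few lines later with a body about endpoint authorization levels ("admin" or "anonymous"), not about managed identities. Suggest dropping the first heading and putting its sentence as the body of the later `### **Managed Identities**` section, then giving the "Moreover Function App might have certain endpoints..." paragraph its own heading (e.g. `### **Authorization levels**`), so each section matches its content. Minor: the Environment Variables paragraph starts lowercase ("it's possible to configure...").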
@@ -81,10 +91,27 @@ Example to access a function API endpoint using a key:
## Enumeration
```powershell
# Get only Function Apps
Get-AzFunctionApp
{% code overflow="wrap" %}
```bash
# List all the functions
az functionapp list
# Get info of 1 funciton (although in the list you already get this info)
az functionapp show --name <app-name> --resource-group <res-group>
# Get env variables (and privesc tot he sorage account)
az functionapp config appsettings list --name <app-name> --resource-group <res-group>
# Check if a domain was assigned to a function app
az functionapp config hostname list --webapp-name <app-name> --resource-group <res-group>
# Get SSL certificates
az functionapp config ssl list --resource-group <res-group>
# Get network restrictions
az functionapp config access-restriction show --name <app-name> --resource-group <res-group>
```
{% endcode %}
## Privilege Escalation
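Review bot: the new ```powershell block opened before `# Get only Function Apps` / `Get-AzFunctionApp` is never closed, so the ``` that opens the following ```bash block will close the PowerShell block instead and everything from `# List all the functions` down to `{% endcode %}` renders as plain text outside any fence. Suggest adding a closing ``` right after `Get-AzFunctionApp` and keeping the `{% code overflow="wrap" %}` wrapper on the bash block only. Also fix the comment typos in the bash block: `# Get info of 1 funciton` and `# Get env variables (and privesc tot he sorage account)`.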