Carlos Polop
2025-02-15 18:48:56 +01:00
parent 5537bfe63d
commit 9cd2ef8e2f
3 changed files with 78 additions and 12 deletions

View File

@@ -1,8 +1,8 @@
# Az - Azure Container Instances Privesc
# Az - Azure Container Instances, Apps & Jobs Privesc
{{#include ../../../banners/hacktricks-training.md}}
## Azure Container Instances
## Azure Container Instances, Apps & Jobs
Fore more information check:
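Review bot: the trailing context line "Fore more information check:" carries a typo ("Fore" for "For"); since this hunk already rewrites the title and section heading directly above it, fold that fix in here rather than leaving it for a later commit. The new heading "# Az - Azure Container Instances, Apps & Jobs Privesc" matches the new "## Azure Container Instances, Apps & Jobs" section heading, which is good for consistency with the referenced az-container-instances-apps-jobs.md page.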
@@ -10,14 +10,16 @@ Fore more information check:
../az-services/az-container-instances-apps-jobs.md
{{#endref}}
## ACI
### `Microsoft.ContainerInstance/containerGroups/read`, `Microsoft.ContainerInstance/containerGroups/containers/exec/action`
These permissions allow the user to **execute a command** in a running container. This can be used to **escalate privileges** in the container if it has any managed identity attached. Ofc, it's also possible to access the source code and any other sentitive information storeed inside the container.
To execute a `ls` and get the output is as simple as:
To get a shell is as simple as:
```bash
az container exec --name <container-name> --resource-group <res-group> --exec-command 'ls'
az container exec --name <container-name> --resource-group <res-group> --exec-command '/bin/sh'
```
It's also possible to **read the output** of the container with:
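Review bot: the swap from `--exec-command 'ls'` to `--exec-command '/bin/sh'` changes the intro sentence to "To get a shell is as simple as:", but the unchanged paragraph just above still has several typos worth fixing while you are here: "Ofc" (spell out "Of course"), "sentitive" ("sensitive") and "storeed" ("stored"). Also consider keeping a one-word hint that `/bin/sh` needs an interactive terminal, as the sibling cheat-sheet file does with its `# Get a shell` comment, so readers do not expect captured output from it.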
@@ -71,6 +73,63 @@ az container create \
Moreover, it's also possible to update an existing container group adding for example the **`--command-line` argument** with a reverse shell.
## ACA
### `Microsoft.App/containerApps/read`, `Microsoft.App/managedEnvironments/read`, `microsoft.app/containerapps/revisions/replicas`, `Microsoft.App/containerApps/revisions/read`, `Microsoft.App/containerApps/getAuthToken/action`
These permissions allow the user to **get a shell** in a runningapplication container. This can be used to **escalate privileges** in the container if it has any managed identity attached. Ofc, it's also possible to access the source code and any other sentitive information storeed inside the container.
```bash
az containerapp exec --name <app-name> --resource-group <res-group> --command "sh"
az containerapp debug --name <app-name> --resource-group <res-group>
```
### `Microsoft.App/containerApps/listSecrets/action`
This permission allows to get the **clear text of the secrets** configured inside a container app. Note that secrets can be configured with the clear text of with a link to a key vault (in such case the app will have assigned a managed identity with access over the secrets).
```bash
az containerapp secret list --name <app-name> --resource-group <res-group>
az containerapp secret show --name <app-name> --resource-group <res-group> --secret-name <scret-name>
```
### `Microsoft.App/containerApps/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
These permissions allows to **attach a user managed identity** to a container app. This is very useful to escalate privileges in the container. Executing this action from the az cli also requires the permission `Microsoft.App/containerApps/listSecrets/action`.
To attach a user managed identity to a container group:
```bash
az containerapp identity assign -n <app-name> -g <res-group> --user-assigned myUserIdentityName
```
### `Microsoft.App/containerApps/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.App/managedEnvironments/join/action`
These permission allows to **create or update an application container** with a **user managed identity** attached to it. This is very useful to escalate privileges in the container.
```bash
# Get environments
az containerapp env list --resource-group Resource_Group_1
# Create app in a an environment
az containerapp create \
--name <app-name> \
--resource-group <res-group> \
--image mcr.microsoft.com/oss/nginx/nginx:1.9.15-alpine \
--cpu 1 --memory 1.0 \
--user-assigned <user-asigned-identity-name> \
--min-replicas 1 \
--command "<reserse shell>"
```
> [!TIP]
> Note that with these permisions **other configurations of the app** can be modified which could allow to perform other privesc and post explaoitation attacks depending on the configuration of existing apps.
## Jobs
{{#include ../../../banners/hacktricks-training.md}}
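Review bot: the new "## Jobs" heading is added with no body, so the page now promises Jobs privesc content it does not deliver; either fill it in or leave the heading out until there is content. In the ACA heading, `microsoft.app/containerapps/revisions/replicas` is the only permission written in lowercase and the only one without an action suffix (the others end in `/read` or `/action`); please verify and normalise it. The line "To attach a user managed identity to a container group:" precedes `az containerapp identity assign`, so it should say "container app", not "container group". The `az containerapp env list --resource-group Resource_Group_1` example hard-codes a resource group name where every other command uses the `<res-group>` placeholder. Wording fixes: "runningapplication" ("running application"), "Ofc", "sentitive", "storeed", "with the clear text of with a link" ("or with a link"), "These permissions allows" ("allow"), "These permission allows" ("These permissions allow"), "in a an environment", `<scret-name>`, `<user-asigned-identity-name>`, `"<reserse shell>"`, "permisions", "explaoitation".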

View File

@@ -14,16 +14,20 @@ Differences:
### Configurations
Special options for ACI:
- Regarding networking it can also have a **public IP** or be **private endpoints**.
Special options for **ACI**:
- Regarding networking it's possible to select one of these 3 options:
- **Public** (default)
- **Private** (only accessible from the VNet)
- **None** (no network access)
Special options for ACA:
Special options for **ACA**:
- It's possible to **restrict the trafic** to the container to the container app environment or leave it public.
- Its possible to use an **external identity provider** (Microsoft, Facebook, Google, and Twitter) for authentication
- It's possible to **store App secrets** (in clear text the app or as links to a vault assigning a MI with access over it)
- Its possible to have **revisions and replicas of the app**
- It's possible to deploy from a specific **source code or artifact** instead of using a container. For the source code, access to Gihub must be given. For artifacts, it's possible to upload it after creating the app.
Special options for jobs:
Special options for **jobs**:
- The trigger type can be **manual, scheduled or event-based** (like a message arriving in a queue).
Common options:
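Review bot: the rewritten ACI networking bullets are clearer than the old single line, but the ACA bullets touched by this hunk still carry typos: "trafic" ("traffic"), "Its possible" twice ("It's possible"), "Gihub" ("GitHub"), and "in clear text the app" reads better as "in clear text in the app". The "Special options for **jobs**:" bold treatment now matches ACI and ACA, which is good.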
@@ -56,10 +60,10 @@ az container show --name <container-name> --resource-group <res-group>
az container logs --name <container-name> --resource-group <res-group>
## Execute a command in a running container and get the output
az container exec --name <container-name> --resource-group <res-group> --exec-command "ls"
az container exec --name <container-name> --resource-group <res-group> --exec-command "/bin/sh" # Get a shell
## Get yaml configuration of the container group
az container export --name <container-name> --resource-group <res-group>
az container export --name <container-name> --resource-group <res-group> --file </path/local/file.yml>
# ACA
## List all container apps in the subscription
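Review bot: the second `az container export` line now passes `--file </path/local/file.yml>`, which the replaced bare invocation lacked; a short trailing comment stating that the YAML is written to that path (in the same style as the `# Get a shell` comment added to the exec line) would make the change self-explanatory. The new `--exec-command "/bin/sh" # Get a shell` line is a useful addition and sits consistently next to the `"ls"` example.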
@@ -68,6 +72,9 @@ az containerapp list
## Show detailed information about a specific container app
az containerapp show --name <app-name> --resource-group <res-group>
## List app environments
az containerapp env list --resource-group <res-group>
## Fetch logs from a container app
az containerapp logs show --name <app-name> --resource-group <res-group>