a

2025-12-27 13:13:06 -08:00 · 2025-02-20 23:20:59 +01:00
parent 4c9c8c10ac
commit b7dc63cd26
2 changed files with 74 additions and 55 deletions
--- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md
+++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md
@@ -11,7 +11,7 @@ For more information about SQL Database check:


 ### `Microsoft.DocumentDB/databaseAccounts/read` && `Microsoft.DocumentDB/databaseAccounts/write`
-With this permission, you can create or update Azure Cosmos DB accounts. This includes modifying account-level settings, adding or removing regions, changing consistency levels, and enabling or disabling features like multi-region writes.
+With this permission, you can create or update Azure Cosmos DB accounts. This includes modifying account-level configurations, enabling or disabling automatic failover, managing network access controls, setting backup policies, and adjusting consistency levels. Attackers with this permission could alter settings to weaken security controls, disrupt availability, or exfiltrate data by modifying network rules. 

 ```bash
 az cosmosdb update \
@@ -20,6 +20,22 @@ az cosmosdb update \
  --public-network-access ENABLED
 ```

+```bash
+az cosmosdb update \
+    --account-name <account_name> \
+    --resource-group <resource_group_name> \
+    --capabilities EnableMongoRoleBasedAccessControl
+```
+
+Additionally you can enable managed identities in the account:
+
+```bash
+az cosmosdb identity assign \
+    --name <cosmosdb_account_name> \
+    --resource-group <resource_group_name>
+```
+
+
 ### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write`
 With this permission, you can create or modify containers (collections) within a SQL database of an Azure Cosmos DB account. Containers are used to store data, and changes to them can impact the database's structure and access patterns.

@@ -139,57 +155,5 @@ az cosmosdb mongodb database create \
  --name <database_name>
 ```

-### `Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/read`
-With this permission, you can create new MongoDB role definitions within an Azure Cosmos DB account. This allows defining custom roles with specific permissions for MongoDB users.
-
-```bash
-az cosmosdb mongodb role definition create \
-    --account-name <account_name> \
-    --resource-group <resource_group_name> \
-    --body '{
-        "Id": "<mydatabase>.readWriteRole",
-        "RoleName": "readWriteRole",
-        "Type": "CustomRole",
-        "DatabaseName": "<mydatabase>",
-        "Privileges": [
-            {
-                "Resource": {
-                    "Db": "<mydatabase>",
-                    "Collection": "mycollection"
-                },
-                "Actions": [
-                    "insert",
-                    "find",
-                    "update"
-                ]
-            }
-        ],
-        "Roles": []
-    }'
-```
-
-### `Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read`
-With this permission, you can create new MongoDB user definitions within an Azure Cosmos DB account. This allows the provisioning of users with specific roles and access levels to MongoDB databases.
-
-```bash
-az cosmosdb mongodb user definition create \
-    --account-name <account_name> \
-    --resource-group <resource_group_name> \
-    --body '{
-        "Id": "<mydatabase>.myUser",
-        "UserName": "myUser",
-        "Password": "mySecurePassword",
-        "DatabaseName": "<mydatabase>",
-        "CustomData": "TestCustomData",
-        "Mechanisms": "SCRAM-SHA-256",
-        "Roles": [
-            {
-                "Role": "readWriteRole",
-                "Db": "<mydatabase>"
-            }
-        ]
-    }'
-```
-
 {{#include ../../../banners/hacktricks-training.md}}

--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md
@@ -47,6 +47,63 @@ az cosmosdb sql role assignment create \
    --scope "/"
 ```

+### (`Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/read`)&& (`Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read`)
+
+With this permission, you can create new MongoDB role definitions within an Azure Cosmos DB account. This allows defining custom roles with specific permissions for MongoDB users. RBAC functionalities must be enabled to use this.
+
+```bash
+az cosmosdb mongodb role definition create \
+    --account-name <account_name> \
+    --resource-group <resource_group_name> \
+    --body '{
+        "Id": "<mydatabase>.readWriteRole",
+        "RoleName": "readWriteRole",
+        "Type": "CustomRole",
+        "DatabaseName": "<mydatabase>",
+        "Privileges": [
+            {
+                "Resource": {
+                    "Db": "<mydatabase>",
+                    "Collection": "mycollection"
+                },
+                "Actions": [
+                    "insert",
+                    "find",
+                    "update"
+                ]
+            }
+        ],
+        "Roles": []
+    }'
+```
+
+You can create new MongoDB user definitions within an Azure Cosmos DB account. This allows the provisioning of users with specific roles and access to MongoDB databases.
+
+```bash
+az cosmosdb mongodb user definition create \
+    --account-name <account_name> \
+    --resource-group <resource_group_name> \
+    --body '{
+        "Id": "<mydatabase>.myUser",
+        "UserName": "<myUser>",
+        "Password": "<mySecurePassword>",
+        "DatabaseName": "<mydatabase>",
+        "CustomData": "TestCustomData",
+        "Mechanisms": "SCRAM-SHA-256",
+        "Roles": [
+            {
+                "Role": "readWriteRole",
+                "Db": "<mydatabase>"
+            }
+        ]
+    }'
+```
+
+After that a new user is created within the MongoDB, we can access it:
+```bash
+mongosh "mongodb://<myUser>:<mySecurePassword>@<account_name>.mongo.cosmos.azure.com:10255/<mymongodatabase>?ssl=true&replicaSet=globaldb&retrywrites=false"
+```
+
 ### `Microsoft.DocumentDB/databaseAccounts/listKeys/action`
 With this permission, you can retrieve the primary and secondary keys for an Azure Cosmos DB account. These keys provide full access to the database account and its resources, enabling actions such as data reads, writes, and configuration changes.

@@ -54,8 +111,6 @@ With this permission, you can retrieve the primary and secondary keys for an Azu
 az cosmosdb keys list \
  --name <account_name> \
  --resource-group <resource_group_name>
-
 ```

-
 {{#include ../../../banners/hacktricks-training.md}}