gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-10 23:00:49 -08:00
Code Issues Packages Projects Releases Wiki Activity

GITBOOK-742: No subject

Browse Source
This commit is contained in:
SirBroccoli
2024-12-26 01:57:00 +00:00
committed by gitbook-bot
parent 5e029648f5
commit cdbf41fbf3
6 changed files with 196 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
SUMMARY.md
View File

@@ -408,7 +408,7 @@
* [Az - ARM Templates / Deployments](pentesting-cloud/azure-security/az-services/az-arm-templates.md)
* [Az - Automation Account](pentesting-cloud/azure-security/az-services/az-automation-account/README.md)
* [Az - State Configuration RCE](pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md)
* [Az - Azure App Service & Function Apps](pentesting-cloud/azure-security/az-services/az-azure-app-service.md)
* [Az - App Services](pentesting-cloud/azure-security/az-services/az-app-services.md)
* [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md)
* [Az - File Shares](pentesting-cloud/azure-security/az-services/az-file-shares.md)
* [Az - Function Apps](pentesting-cloud/azure-security/az-services/az-function-apps.md)
@@ -451,6 +451,7 @@
* [Az - VMs & Network Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md)
* [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md)
* [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md)
* [Az - App Services Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md)
* [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md)
* [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md)
* [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md)

67
pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md Normal file
View File

@@ -0,0 +1,67 @@
# Az - App Services Privesc
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## App Services
For more information about Azure App services check:
{% content-ref url="../az-services/az-app-services.md" %}
[az-app-services.md](../az-services/az-app-services.md)
{% endcontent-ref %}
### Microsoft.Web/sites/publish/Action, Microsoft.Web/sites/basicPublishingCredentialsPolicies/read, Microsoft.Web/sites/config/read, Microsoft.Web/sites/read,&#x20;
These permissions allows to call the following commands to get a **SSH shell** inside a web app
* Direct option:
```bash
# Direct option
az webapp ssh --name <name> --resource-group <res-group>
```
* Create tunnel and then connect to SSH:
{% code overflow="wrap" %}
```bash
az webapp create-remote-connection --name <name> --resource-group <res-group>
## If successfull you will get a message such as:
#Verifying if app is running....
#App is running. Trying to establish tunnel connection...
#Opening tunnel on port: 39895
#SSH is available { username: root, password: Docker! }
## So from that machine ssh into that port (you might need generate a new ssh session to the jump host)
ssh root@127.0.0.1 -p 39895
```
{% endcode %}
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}

144
pentesting-cloud/azure-security/az-services/az-azure-app-service.md → pentesting-cloud/azure-security/az-services/az-app-services.md
View File

@@ -1,4 +1,4 @@
# Az - Azure App Service & Function Apps
# Az - App Services
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
@@ -17,7 +17,7 @@ Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).p
## App Service Basic Information
[From the docs:](https://learn.microsoft.com/en-us/azure/app-service/overview) _Azure App Service_ is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favourite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.
Azure App Services enables developers to **build, deploy, and scale web applications, mobile app backends, and APIs seamlessly**. It supports multiple programming languages and integrates with various Azure tools and services for enhanced functionality and management.
Each app runs inside a sandbox but isolation depends upon App Service plans
@@ -25,9 +25,28 @@ Each app runs inside a sandbox but isolation depends upon App Service plans
* Apps in Standard and Premium tiers run on dedicated VMs
{% hint style="warning" %}
Note that **none** of those isolations **prevents** other common **web vulnerabilities** (such as file upload, or injections). And if a **management identity** is used, it could be able to **compromise its permissions**.
Note that **none** of those isolations **prevents** other common **web vulnerabilities** (such as file upload, or injections). And if a **management identity** is used, it could be able to **esalate privileges to them**.
{% endhint %}
### Azure Function Apps
Basically **Azure Function apps are a subset of Azure App Service** in the web and if you go to the web console and list all the app services or execute `az webapp list` in az cli you will be able to **see the Function apps also listed here**.
Actually some of the **security related features** App services use (`webapp` in the az cli), are **also used by Function apps**.
## Basic Authentication
When creating a web app (and a Azure function usually) it's possible to indicate if you want Basic Authentication to be enabled. This basically **enables SCM and FTP** for the application so it'll be possible to deploy the application using those technologies.\
Moreover in order to connect to them, Azure provides an **API that allows to get the username, password and URL** to connect to the SCM and FTP servers.
* Authentication: az webapp auth show --name lol --resource-group lol\_group
SSH
Always On
Debugging
### Enumeration
{% tabs %}
@@ -40,20 +59,96 @@ az webapp list
## Less information
az webapp list --query "[].{hostName: defaultHostName, state: state, name: name, resourcegroup: resourceGroup}"
# Get access restrictions
az webapp config access-restriction show --resource-group <res-group> -n <name>
# Get info about 1 app
az webapp show --name <name> --resource-group <res-group>
# Get instances of a webapp
az webapp list-instances --name <name> --resource-group <res-group>
## If you have enough perm you can go to the "consoleUrl" and access a shell inside the instance form the web
# Get configured Auth information
az webapp auth show --name <app-name> --resource-group <res-group>
# Get access restrictions of an app
az webapp config access-restriction show --name <name> --resource-group <res-group>
# Remove access restrictions
az webapp config access-restriction remove --resource-group <res-group> -n <name> --rule-name <rule-name>
# Get appsettings of an app
az webapp config appsettings list --name <name> --resource-group <res-group>
# Get backups of a webapp
az webapp config backup list --webapp-name <name> --resource-group <res-group>
# Get backups scheduled for a webapp
az webapp config backup show --webapp-name <name> --resource-group <res-group>
# Get snapshots
az webapp config snapshot list --resource-group <res-group> -n <name>
# Restore snapshot
az webapp config snapshot restore -g <res-group> -n <name> --time 2018-12-11T23:34:16.8388367
# Restart webapp
az webapp restart --name <name> --resource-group <res-group>
# Get connection strings of a webapp
az webapp config connection-string list --name <name> --resource-group <res-group>
# Get used container by the app
az webapp config container show --name <name> --resource-group <res-group>
# Get storage account configurations of a webapp
az webapp config storage-account list --name <name> --resource-gl_group
# List all the functions
az functionapp list
# Get info of 1 funciton (although in the list you already get this info)
az functionapp show --name <app-name> --resource-group <res-group>
## If "linuxFxVersion" has something like: "DOCKER|mcr.microsoft.com/..."
## This is using a container
# Get details about the source of the function code
az functionapp deployment source show \
--name <app-name> \
--resource-group <res-group>
## If error like "This is currently not supported."
## Then, this is probalby using a container
# Get more info if a container is being used
az functionapp config container show \
--name <name> \
--resource-group <res-group>
# Get settings (and privesc to the sorage account)
az functionapp config appsettings list --name <app-name> --resource-group <res-group>
# Check if a domain was assigned to a function app
az functionapp config hostname list --webapp-name <app-name> --resource-group <res-group>
# Get SSL certificates
az functionapp config ssl list --resource-group <res-group>
# Get network restrictions
az functionapp config access-restriction show --name <app-name> --resource-group <res-group>
# Get more info about a function (invoke_url_template is the URL to invoke and script_href allows to see the code)
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions?api-version=2024-04-01"
# Get source code with Master Key of the function
curl "<script_href>?code=<master-key>"
## Python example
curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=<master-key>" -v
# Get source code
az rest --url "https://management.azure.com/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"
```
{% endcode %}
{% endtab %}
@@ -121,44 +216,17 @@ git clone 'https://<username>:<password>@name.scm.azurewebsites.net/repo-name.gi
## If you change the code and do a push, the app is automatically redeployed
```
#### Access to the Docker container with the webapp via ssh:
```bash
# Get ssh session
az webapp create-remote-connection --subscription <SUBSCRIPTION-ID> --resource-group <RG-NAME> -n <APP-SERVICE-NAME>
## If successfull you will get a message such as:
#Verifying if app is running....
#App is running. Trying to establish tunnel connection...
#Opening tunnel on port: 39895
#SSH is available { username: root, password: Docker! }
## Privilege Escalation
## So from that machine ssh into that port (you might need generate a new ssh session to the jump host)
ssh root@127.0.0.1 -p 39895
```
## Function Apps Basic Information
Azure Functions is a **serverless** solution that allows you to write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running.
In the Azure portal, integration between Azure Functions and Azure API Management is facilitated, allowing **HTTP trigger function endpoints to be exposed as REST APIs**. The APIs exposed in this manner are described using an OpenAPI definition, providing a standard, language-agnostic interface to RESTful APIs.
**Function Apps support Managed Identities.**
Moreover Function App might have certain endpoints that require a certain level of authentication, such as "admin" or "anonymous".\
An attacker could try to access the **anonymous allowed endpoints** to bypass the restrictions and gain access to sensitive data or functionality.
### Enumeration
```powershell
# Get only Function Apps
Get-AzFunctionApp
```
{% content-ref url="../az-privilege-escalation/az-app-services-privesc.md" %}
[az-app-services-privesc.md](../az-privilege-escalation/az-app-services-privesc.md)
{% endcontent-ref %}
## References
* [https://learn.microsoft.com/en-in/azure/app-service/overview](https://learn.microsoft.com/en-in/azure/app-service/overview)
* [https://learn.microsoft.com/en-us/azure/azure-functions/functions-openapi-definition](https://learn.microsoft.com/en-us/azure/azure-functions/functions-openapi-definition)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\

12
pentesting-cloud/azure-security/az-services/az-function-apps.md
View File

@@ -19,6 +19,10 @@ Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).p
**Azure Function Apps** are a **serverless compute service** that allow you to run small pieces of code, called **functions**, without managing the underlying infrastructure. They are designed to execute code in response to various triggers, such as **HTTP requests, timers, or events from other Azure services** like Blob Storage or Event Hubs. Function Apps support multiple programming languages, including C#, Python, JavaScript, and Java, making them versatile for building **event-driven applications**, automating workflows, or integrating services. They are cost-effective, as you usually only pay for the compute time used when your code runs.
{% hint style="info" %}
Note that **Functions are a subset of the App Services**, therefore, a lot of the features discussed here will be used also by applications created as Azure Apps (`webapp` in cli).
{% endhint %}
### Different Plans
* **Flex Consumption Plan**: Offers **dynamic, event-driven scaling** with pay-as-you-go pricing, adding or removing function instances based on demand. It supports **virtual networking** and **pre-provisioned instances** to reduce cold starts, making it suitable for **variable workloads** that dont require container support.
@@ -109,6 +113,14 @@ Example to access a function API endpoint using a key:
`https://<function_uniq_name>.azurewebsites.net/api/<endpoint_name>?code=<access_key>`
{% endhint %}
### Basic Authentication
Just like in App Services, Functions also support basic authentication to connect to **SCM** and **FTP** to deploy code using a **username and password in a URL** provided by Azure. More information about it in:
{% content-ref url="az-app-services.md" %}
[az-app-services.md](az-app-services.md)
{% endcontent-ref %}
### Github Based Deployments
When a function is generated from a Github repo Azure web console allows to **automatically create a Github Workflow in a specific repository** so whenever this repository is updated the code of the function is updated. Actually the Github Action yaml for a python function looks like this:

2
pentesting-cloud/azure-security/az-services/az-sql.md
View File

@@ -43,7 +43,7 @@ az sql vm show --resource-group <res-grp> --name <name>
### Connect and run SQL queries
You could find a connection string (containing credentials) from example [enumerating an Az WebApp](az-azure-app-service.md):
You could find a connection string (containing credentials) from example [enumerating an Az WebApp](az-app-services.md):
{% code overflow="wrap" %}
```powershell

18
pentesting-cloud/azure-security/az-services/vms/README.md
View File

@@ -78,6 +78,7 @@ az disk show --name <disk-name> --resource-group <rsc-group>
```
{% endcode %}
{% endtab %}
{% tab title="PowerShell" %}
{% code overflow="wrap" %}
```powershell
@@ -91,7 +92,6 @@ Get-AzDisk -Name <DiskName> -ResourceGroupName <ResourceGroupName>
{% endtab %}
{% endtabs %}
## Images, Gallery Images & Restore points
A **VM image** is a template that contains the operating system, application settings and filesystem needed to **create a new virtual machine (VM)**. The difference between an image and a disk snapshot is that a disk snapshot is a read-only, point-in-time copy of a single managed disk, used primarily for backup or troubleshooting, while an image can contain **multiple disks and is designed to serve as a template for creating new VMs**.\
@@ -135,6 +135,7 @@ az restore-point collection show --collection-name <collection-name> --resource-
```
{% endcode %}
{% endtab %}
{% tab title="PowerShell" %}
{% code overflow="wrap" %}
```powershell
@@ -170,7 +171,7 @@ From the [**docs**](https://learn.microsoft.com/en-us/azure/site-recovery/site-r
## Azure Bastion
Azure Bastion enables secure and seamless **Remote Desktop Protocol (RDP)** and **Secure Shell (SSH)** access to your virtual machines (VMs) directly through the Azure Portal or via a jump box. By **eliminating the need for public IP addresses** on your VMs.&#x20;
Azure Bastion enables secure and seamless **Remote Desktop Protocol (RDP)** and **Secure Shell (SSH)** access to your virtual machines (VMs) directly through the Azure Portal or via a jump box. By **eliminating the need for public IP addresses** on your VMs.
The Bastion deploys a subnet called **`AzureBastionSubnet`** with a `/26` netmask in the VNet it needs to work on. Then, it allows to **connect to internal VMs through the browser** using `RDP` and `SSH` avoiding exposing ports of the VMs to the Internet. It can also work as a **jump host**.
@@ -203,6 +204,7 @@ az network bastion rdp \
```
{% endcode %}
{% endtab %}
{% tab title="PowerShell" %}
{% code overflow="wrap" %}
```powershell
@@ -225,8 +227,6 @@ Check how to enumerate it in:
## VM Enumeration
{% tabs %}
{% tab title="Az Cli" %}
{% code overflow="wrap" %}
```bash
# VMs
@@ -364,8 +364,9 @@ az resource list --resource-type "Microsoft.Compute/virtualMachines" --query "[]
az vm run-command list --output table
```
{% endcode %}
{% endtab %}
{% tab title="Az PS" %}
```powershell
# Get readable VMs
Get-AzVM | fl
@@ -455,9 +456,6 @@ Get-AzStorageAccount
## List all custom script extensions on a specific VM
Get-AzVMExtension -VMName <VmName> -ResourceGroupName <ResourceGroupName>
```
{% endcode %}
{% endtab %}
{% endtabs %}
## Code Execution in VMs
@@ -483,6 +481,7 @@ az vm extension image list --publisher "Site24x7" --output table
```
{% endcode %}
{% endtab %}
{% tab title="PowerShell" %}
{% code overflow="wrap" %}
```powershell
@@ -493,7 +492,6 @@ Get-AzVMExtensionImage -Location <Location> -PublisherName <PublisherName> -Type
{% endtab %}
{% endtabs %}
It's possible to **run custom extensions that runs custom code**:
{% tabs %}