virtual desktops

This commit is contained in:
Carlos Polop
2025-02-26 16:50:45 +01:00
parent c79c359fd2
commit d54cb2b5ff
5 changed files with 135 additions and 57 deletions

View File

@@ -4,6 +4,13 @@
## Azure Virtual Desktop Privesc
For more info about Azure Virtual Desktop check:
{{#ref}}
../az-services/az-virtual-desktop.md
{{#endref}}
### `Microsoft.DesktopVirtualization/hostPools/retrieveRegistrationToken/action`
You can retrieve the registration token used to register virtual machines within an host pool.
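Review bot: "within an host pool" on the last line of this hunk should read "within a host pool"; while touching that sentence, the section states what the permission returns but not the consequence, so consider adding one sentence that whoever holds the registration token can join a machine they control to the host pool as a session host, which is what makes this a privesc rather than an info leak. The added {{#ref}} block also sits directly under the intro sentence with no blank line before or after it, unlike the ref blocks elsewhere in the book.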
@@ -11,9 +18,13 @@ You can retrieve the registration token used to register virtual machines within
az desktopvirtualization hostpool retrieve-registration-token -n testhostpool -g Resource_Group_1
```
### ("Microsoft.Authorization/roleAssignments/read", "Microsoft.Authorization/roleAssignments/write") && ("Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/extensions/read","Microsoft.Compute/virtualMachines/extensions/write")
### Microsoft.Authorization/roleAssignments/read, Microsoft.Authorization/roleAssignments/write
> [!WARNING]
> An attacker with these permissions could do things much more dangerous than this one.
With this permissions you can add a user assignment to the Application group, which is needed to access the virtual machine of the virtual desktop:
With this permissions you can add a user assignment to the Application group, which is needed to access the virtual machine of the virtual desktop.
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.DesktopVirtualization/applicationGroups/<APP_GROUP_NAME>/providers/Microsoft.Authorization/roleAssignments/<NEW_ROLE_ASSIGNMENT_GUID>?api-version=2022-04-01" \
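Review bot: "With this permissions" should be "With these permissions" in the reworded sentence of this hunk (the grammar error is carried over from the line it replaces). The new heading keeps both `Microsoft.Authorization/roleAssignments/read` and `roleAssignments/write`, but the PUT below only exercises write; if read is listed because the attacker needs to enumerate existing assignments first, say so in the sentence, otherwise drop it so the heading reflects the minimum permission the example actually needs. Also worth noting next to the URI that the role assignment is created at the application group scope, so write on that scope alone is sufficient and subscription-wide rights are not required.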
@@ -25,14 +36,8 @@ az rest --method PUT \
}'
```
Additionally you can change the virtual machine user and password to access it
```bash
az vm user update \
--resource-group <RESOURCE_GROUP_NAME> \
--name <VM_NAME> \
--username <USERNAME> \
--password <NEW_PASSWORD>
```
Note that in order for a user to be able to access a Desktop or an app, he also needs the role `Virtual Machine User Login` or `Virtual Machine Administrator Login` over the VM.
{{#include ../../../banners/hacktricks-training.md}}
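Review bot: the new note "he also needs the role `Virtual Machine User Login` or `Virtual Machine Administrator Login`" should use "they" instead of "he", and it leaves the reader without a pointer to the credential-reset technique that this hunk removes from the page: since the `az vm user update` block now lives in the virtual machines page, add a {{#ref}} to that page (the same convention used at the top of this file) after the note so the Application group assignment and the VM login path are still presented together. Also insert a blank line between the note and the `{{#include ../../../banners/hacktricks-training.md}}` line to match the rest of the book.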

View File

@@ -375,6 +375,18 @@ Then the attacker needs to have **compromised somehow the VM** to steal tokens f
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm
{{#endref}}
### "Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/extensions/read","Microsoft.Compute/virtualMachines/extensions/write"
These permissions allow to change the virtual machine user and password to access it:
```bash
az vm user update \
--resource-group <RESOURCE_GROUP_NAME> \
--name <VM_NAME> \
--username <USERNAME> \
--password <NEW_PASSWORD>
```
### TODO: Microsoft.Compute/virtualMachines/WACloginAsAdmin/action
According to the [**docs**](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute#microsoftcompute), this permission lets you manage the OS of your resource via Windows Admin Center as an administrator. So it looks like this gives access to the WAC to control the VMs...
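Review bot: "These permissions allow to change the virtual machine user and password" should be "These permissions allow changing the virtual machine user and password"; the sentence should also explain why `Microsoft.Compute/virtualMachines/extensions/read` and `extensions/write` appear in the heading, since `az vm user update` works by deploying the VMAccess extension to the VM, which is both the reason the extension permissions are required and a reason the action is visible in the Activity Log and on the VM's extension list. Consider wrapping the heading's four permissions in inline code like the other headings in this file rather than a bare quoted list.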