gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-27 15:24:32 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/azure-security/az-privilege-escalation

Browse Source
This commit is contained in:
Translator
2025-02-25 21:58:08 +00:00
parent 429392ab1e
commit d6e0904945
3 changed files with 139 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/SUMMARY.md
View File

@@ -431,6 +431,7 @@
- [Az - Static Web Applications](pentesting-cloud/azure-security/az-services/az-static-web-apps.md)
- [Az - Storage Accounts & Blobs](pentesting-cloud/azure-security/az-services/az-storage.md)
- [Az - Table Storage](pentesting-cloud/azure-security/az-services/az-table-storage.md)
- [Az - Virtual Desktop](pentesting-cloud/azure-security/az-services/az-virtual-desktop.md)
- [Az - Virtual Machines & Network](pentesting-cloud/azure-security/az-services/vms/README.md)
- [Az - Azure Network](pentesting-cloud/azure-security/az-services/vms/az-azure-network.md)
- [Az - Permissions for a Pentest](pentesting-cloud/azure-security/az-permissions-for-a-pentest.md)
@@ -485,11 +486,13 @@
- [Az - Static Web App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md)
- [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md)
- [Az - SQL Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md)
- [Az - Virtual Desktop Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md)
- [Az - Virtual Machines & Network Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md)
- [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md)
- [Az - Automation Accounts Persistence](pentesting-cloud/azure-security/az-persistence/az-automation-accounts-persistence.md)
- [Az - Cloud Shell Persistence](pentesting-cloud/azure-security/az-persistence/az-cloud-shell-persistence.md)
- [Az - Queue SQL Persistence](pentesting-cloud/azure-security/az-persistence/az-sql-persistence.md)
- [Az - Logic Apps Persistence](pentesting-cloud/azure-security/az-persistence/az-logic-apps-persistence.md)
- [Az - SQL Persistence](pentesting-cloud/azure-security/az-persistence/az-sql-persistence.md)
- [Az - Queue Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-queue-persistence.md)
- [Az - VMs Persistence](pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md)
- [Az - Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md)

33
src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md Normal file
View File

@@ -0,0 +1,33 @@
# Az - Virtual Desktop Privesc
{{#include ../../../banners/hacktricks-training.md}}
## Azure Virtual Desktop Privesc
### `Microsoft.DesktopVirtualization/hostPools/retrieveRegistrationToken/action`
Možete preuzeti registracioni token koji se koristi za registraciju virtuelnih mašina unutar host grupe.
```bash
az desktopvirtualization hostpool retrieve-registration-token -n testhostpool -g Resource_Group_1
```
### ("Microsoft.Authorization/roleAssignments/read", "Microsoft.Authorization/roleAssignments/write") && ("Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/extensions/read","Microsoft.Compute/virtualMachines/extensions/write")
Sa ovim dozvolama možete dodati korisničku dodelu u grupu aplikacija, što je potrebno za pristup virtuelnoj mašini virtuelnog radnog stola.
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.DesktopVirtualization/applicationGroups/<APP_GROUP_NAME>/providers/Microsoft.Authorization/roleAssignments/<NEW_ROLE_ASSIGNMENT_GUID>?api-version=2022-04-01" \
--body '{
"properties": {
"roleDefinitionId": "/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
"principalId": "<USER_OBJECT_ID>"
}
}'
```
Pored toga, možete promeniti korisnika i lozinku virtuelne mašine da biste joj pristupili.
```bash
az vm user update \
--resource-group <RESOURCE_GROUP_NAME> \
--name <VM_NAME> \
--username <USERNAME> \
--password <NEW_PASSWORD>
```
{{#include ../../../banners/hacktricks-training.md}}

102
src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md Normal file
View File

@@ -0,0 +1,102 @@
# Az - Virtual Desktop
{{#include ../../../banners/hacktricks-training.md}}
## Azure Virtual Desktop
Virtual Desktop je **usluga virtualizacije desktopa i aplikacija**. Omogućava isporuku punih Windows desktopa, uključujući Windows 11, Windows 10 ili Windows Server korisnicima na daljinu, bilo kao pojedinačne desktop jedinice ili kroz pojedinačne aplikacije. Podržava postavke sa jednom sesijom za ličnu upotrebu i višeslojne okruženja. Korisnici se mogu povezati sa praktično bilo kog uređaja koristeći nativne aplikacije ili web pretraživač.
### Host Pools
Host pool-ovi u Azure Virtual Desktop su kolekcije Azure virtuelnih mašina konfigurisanih kao hostovi sesija, pružajući virtuelne desktopove i aplikacije korisnicima. Postoje dve glavne vrste:
- **Personal host pools**, gde je svaka virtuelna mašina posvećena jednom korisniku, sa svojim okruženjima
- **Pooled host pools**, gde više korisnika deli resurse na bilo kojem dostupnom hostu sesije. Ima konfigurabilan limit sesija, a konfiguracija hosta sesije omogućava Azure Virtual Desktop-u da automatizuje kreiranje hostova sesija na osnovu konfiguracije.
Svaki host pool ima **registracioni token** koji se koristi za registraciju virtuelnih mašina unutar host pool-a.
### Application groups & Workspace
Application groups **kontrolišu pristup korisnika** bilo punom desktopu ili specifičnim setovima aplikacija dostupnim na hostovima sesija unutar host pool-a. Postoje dve vrste:
- **Desktop application groups**, koje daju korisnicima pristup kompletnom Windows desktopu (dostupno sa ličnim i pooled host pool-ovima)
- **RemoteApp groups**, koje omogućavaju korisnicima pristup pojedinačnim objavljenim aplikacijama (dostupno samo sa pooled host pool-ovima).
Host pool može imati jednu Desktop application group, ali više RemoteApp groups. Korisnici mogu biti dodeljeni više application groups u različitim host pool-ovima. Ako je korisniku dodeljeno i desktop i RemoteApp groups unutar istog host pool-a, vide samo resurse iz preferirane vrste grupe koju su postavili administratori.
**Workspace** je **kolekcija application groups**, omogućavajući korisnicima pristup desktopima i application groups koje su im dodeljene. Svaka application group mora biti povezana sa workspace-om, i može pripadati samo jednom workspace-u u isto vreme.
### Key Features
- **Flexible VM Creation**: Kreirajte Azure virtuelne mašine direktno ili dodajte Azure Local virtuelne mašine kasnije.
- **Security Features**: Omogućite Trusted Launch (sigurno pokretanje, vTPM, monitoring integriteta) za naprednu sigurnost VM-a (potrebna je virtuelna mreža). Može se integrisati Azure Firewall i kontrolisati saobraćaj putem Network Security Groups.
- **Domain Join**: Podrška za Active Directory domain joins sa prilagodljivim konfiguracijama.
- **Diagnostics & Monitoring**: Omogućite Diagnostic Settings za strimovanje logova i metrika u Log Analytics, skladišne račune ili event hubs za monitoring.
- **Custom image templates**: Kreirajte i upravljajte njima za korišćenje prilikom dodavanja hostova sesija. Lako dodajte uobičajene prilagodbe ili svoje vlastite skripte.
- **Workspace Registration**: Lako registrujte podrazumevane desktop application groups za nove ili postojeće workspaces radi pojednostavljenog upravljanja pristupom korisnicima.
### Enumeration
```bash
az extension add --name desktopvirtualization
# List HostPool of a Resource group
az desktopvirtualization hostpool list --resource-group <Resource_Group>
# List Application Groups
az desktopvirtualization applicationgroup list --resource-group <Resource_Group>
# List Application Groups By Subscription
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/applicationGroups?api-version=2024-04-03"
# List Applications in a Application Group
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/applications?api-version=2024-04-03"
# List Assigned Users to the Application Group
az rest \
--method GET \
--url "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.DesktopVirtualization/applicationGroups/<APP_GROUP_NAME>/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01" \
| jq '.value[] | select((.properties.scope | ascii_downcase) == "/subscriptions/<subscription_id_in_lowercase>/resourcegroups/<resource_group_name_in_lowercase>/providers/microsoft.desktopvirtualization/applicationgroups/<app_group_name_in_lowercase>")'
# List Workspace in a resource group
az desktopvirtualization workspace list --resource-group <Resource_Group>
# List Workspace in a subscription
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/workspaces?api-version=2024-04-03"
# List App Attach Package By Resource Group
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03"
# List App Attach Package By Subscription
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03"
# List Desktops
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/desktops?api-version=2024-04-03"
# List MSIX Packages
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/msixPackages?api-version=2024-04-03"
# List private endpoint connections associated with hostpool.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateEndpointConnections?api-version=2024-04-03"
# List private endpoint connections associated By Workspace.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateEndpointConnections?api-version=2024-04-03"
# List the private link resources available for a hostpool.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateLinkResources?api-version=2024-04-03"
# List the private link resources available for this workspace.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateLinkResources?api-version=2024-04-03"
# List sessionHosts/virtual machines.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts?api-version=2024-04-03"
# List start menu items in the given application group.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/startMenuItems?api-version=2024-04-03"
# List userSessions.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts/{sessionHostName}/userSessions?api-version=2024-04-03"
# List userSessions By Host Pool
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/userSessions?api-version=2024-04-03"
```
### Povezivanje
Da biste se povezali na virtuelni desktop putem veba, možete pristupiti preko https://client.wvd.microsoft.com/arm/webclient/ (najčešće), ili https://client.wvd.microsoft.com/webclient/index.html (klasično)
Postoje i druge metode koje su opisane ovde [https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client?tabs=windows](https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client?tabs=windows)
## Privesc
{{#ref}}
../az-privilege-escalation/az-virtual-desktop-privesc.md
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}