gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-27 13:13:06 -08:00
Code Issues Packages Projects Releases Wiki Activity

asd

Browse Source
This commit is contained in:
Jimmy
2025-02-20 00:55:53 +01:00
parent 4313cc72bc
commit e3ca81040e
8 changed files with 187 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/pentesting-cloud/azure-security/az-privilege-escalation/az-mysql-privesc.md
View File

@@ -41,6 +41,18 @@ Additionally it is necesary to have the public access enabled if you want to acc
az mysql flexible-server update --resource-group <resource_group_name> --server-name <server_name> --public-access Enabled
```
### `Microsoft.DBforMySQL/flexibleServers/read`, `Microsoft.DBforMySQL/flexibleServers/write`, `Microsoft.DBforMySQL/flexibleServers/backups/read`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
With this permissions you can restore a MySQL server from a backup:
```bash
az mysql flexible-server restore \
--resource-group <resource_group_name> \
--name <restore_server_name> \
--source-server <server_name> \
--yes
```
### `Microsoft.DBforMySQL/flexibleServers/read`, `Microsoft.DBforMySQL/flexibleServers/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.DBforMySQL/flexibleServers/administrators/write` && `Microsoft.DBforMySQL/flexibleServers/administrators/read`
With this permission, you can configure Azure Active Directory (AD) administrators for a MySQL Flexible Server. This can be exploited by setting oneself or another account as the AD administrator, granting full administrative control over the MySQL server. It's important that the flexible-server has a user assigned managed identities to use.

48
src/pentesting-cloud/azure-security/az-privilege-escalation/az-postgresql-privesc.md
View File

@@ -35,12 +35,60 @@ az postgres flexible-server update \
--admin-password <password_to_update>
```
Furthermore, with the permissions you can enalbe the assign identity, an opertate with the managed identity attached to the server. Here you can find all the extensions that Azure PostgreSQL flexible server supports [https://learn.microsoft.com/en-us/azure/cosmos-db/postgresql/reference-extensions](https://learn.microsoft.com/en-us/azure/cosmos-db/postgresql/reference-extensions). To be able to use these extensions some server parameters (azure.extensions) need to be changed. For example here with a managed identity that can access Azure Storage:
First we change the parameters and be sure the assigned identity is enabled:
```bash
az postgres flexible-server parameter set \
--resource-group <YourResourceGroupName> \
--server-name <YourServerName> \
--name azure.extensions \
--value "AZURE_STORAGE"
az postgres flexible-server identity update \
--resource-group <YourResourceGroupName> \
--server-name <YourServerName> \
--system-assigned Enabled
```
```sql
CREATE EXTENSION IF NOT EXISTS azure_storage;
CREATE EXTERNAL DATA SOURCE ManagedIdentity
SELECT azure_storage.account_add('<storage-account>', '<storage-key>');
SELECT *
FROM azure_storage.blob_get(
'<storage-account>',
'<container>',
'message.txt',
decoder := 'text'
) AS t(content text)
LIMIT 1;
```
Additionally it is necesary to have the public access enabled if you want to access from a non private endpoint, to enable it:
```bash
az postgres flexible-server update --resource-group <resource_group_name> --server-name <server_name> --public-access Enabled
```
### `Microsoft.DBforPostgreSQL/flexibleServers/read`, `Microsoft.DBforPostgreSQL/flexibleServers/write`, `Microsoft.DBforPostgreSQL/flexibleServers/backups/read`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
With this permissions you can restore a server from a backup with:
```bash
az postgres flexible-server restore \
--resource-group <RESOURCE_GROUP> \
--name <NEW_SERVER_NAME> \
--source-server <SOURCE_SERVER_NAME> \
--restore-time "<ISO8601_TIMESTAMP>" \
--yes
```
### `Microsoft.DBforPostgreSQL/flexibleServers/read`, `Microsoft.DBforPostgreSQL/flexibleServers/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.DBforPostgreSQL/flexibleServers/administrators/write` && `Microsoft.DBforPostgreSQL/flexibleServers/administrators/read`
With this permission, you can configure Azure Active Directory (AD) administrators for a PostgreSQL Flexible Server. This can be exploited by setting oneself or another account as the AD administrator, granting full administrative control over the PostgreSQL server. Updating existing principal is not supported yet so if there is one created you must delete it first.

26
src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md
View File

@@ -48,6 +48,11 @@ az sql server update \
--assign_identity
```
```sql
CREATE DATABASE SCOPED CREDENTIAL [ManagedIdentityCredential]
WITH IDENTITY = 'Managed Identity';
GO
CREATE EXTERNAL DATA SOURCE ManagedIdentity
WITH (
TYPE = BLOB_STORAGE,
@@ -134,6 +139,27 @@ az sql server azure-ad-only-auth disable \
--resource-group <resource_group_name>
```
### Microsoft.Sql/servers/databases/dataMaskingPolicies/write
Modify (or disable) the data masking policies on your SQL databases.
```bash
az rest --method put \
--uri "https://management.azure.com/subscriptions/<your-subscription-id>/resourceGroups/<your-resource-group>/providers/Microsoft.Sql/servers/<your-server>/databases/<your-database>/dataMaskingPolicies/Default?api-version=2021-11-01" \
--body '{
"properties": {
"dataMaskingState": "Disable"
}
}'
```
### Remove Row Level Security
If you loggin as admin, you can remove the policies of the admin itself and other users.
```sql
DROP SECURITY POLICY [Name_of_policy];
```
{{#include ../../../banners/hacktricks-training.md}}

35
src/pentesting-cloud/azure-security/az-services/az-cosmosDB.md
View File

@@ -10,7 +10,9 @@ Azure Cosmos DB provides multiple database APIs to model real-world data using d
One key aspect of CosmosDB is Azure Cosmos Account. **Azure Cosmos Account**, acts as the entry point to the databases. The account determines key settings such as global distribution, consistency levels, and the specific API to be used, such as NoSQL. Through the account, you can configure global replication to ensure data is available across multiple regions for low-latency access. Additionally, you can choose a consistency level that balances between performance and data accuracy, with options ranging from Strong to Eventual consistency.
### NoSQL (sql)
Azure Cosmos DB supports **user-assigned identities** and **system-assigned managed identities** that are automatically created and tied to the resource's lifecycle, allowing for secure, token-based authentication when connecting to other services—provided those services have the appropriate role assignments. However, Cosmos DB doesn't have a builtin mechanism to directly query external data sources like Azure Blob Storage. Unlike SQL Server's external table features, Cosmos DB requires data to be ingested into its containers using external tools such as Azure Data Factory, the Data Migration Tool, or custom scripts before it can be queried with its native query capabilities.
### NoSQL
The Azure Cosmos DB NoSQL API is a document-based API that uses JSON as its data format. It provides a SQL-like query syntax for querying JSON objects, making it suitable for working with structured and semi-structured data. The endpoint of the service is:
```bash
@@ -23,6 +25,11 @@ Within an account, you can create one or more databases, which serve as logical
#### Containers
The core unit of data storage is the container, which holds JSON documents and is automatically indexed for efficient querying. Containers are elastically scalable and distributed across partitions, which are determined by a user-defined partition key. The partition key is critical for ensuring optimal performance and even data distribution. For example, a container might store customer data, with "customerId" as the partition key.
#### Key Features
**Global Distribution**: Enable or disable Geo-Redundancy for cross-region replication and Multi-region Writes for improved availability.
**Networking & Security**: between public (all/select networks) or private endpoints for connectivity. Secure connections with TLS 1.2 encryption. Supports CORS (Cross-Origin Resource Sharing) for controlled access to resources.
**Backup & Recovery**: from Periodic, Continuous (7 days), or Continuous (30 days) backup policies with configurable intervals and retention.
**Data Encryption**: Default service-managed keys or customer-managed keys (CMK) for encryption (CMK selection is irreversible).
#### Enumeration
@@ -45,21 +52,21 @@ az cosmosdb identity show --resource-group <ResourceGroupName> --name <AccountNa
# CosmoDB (NoSQL)
## List the SQL databases under an Azure Cosmos DB account.
## List the NoSQL databases under an Azure Cosmos DB account.
az cosmosdb sql database list --resource-group <ResourceGroupName> --account-name <AccountName>
## List the SQL containers under an Azure Cosmos DB SQL database.
## List the NoSQL containers under an Azure Cosmos DB NoSQL database.
az cosmosdb sql container list --account-name <AccountName> --database-name <DatabaseName> --resource-group <ResourceGroupName>
## List all SQL role assignments under an Azure Cosmos DB
## List all NoSQL role assignments under an Azure Cosmos DB
az cosmosdb sql role assignment list --resource-group <ResourceGroupName> --account-name <AccountName>
## List all SQL role definitions under an Azure Cosmos DB
## List all NoSQL role definitions under an Azure Cosmos DB
az cosmosdb sql role definition list --resource-group <ResourceGroupName> --account-name <AccountName>
## List the SQL stored procedures under an Azure Cosmos DB
## List the NoSQL stored procedures under an Azure Cosmos DB
az cosmosdb sql stored-procedure list --account-name <AccountName> --container-name <ContainerName> --database-name <DatabaseName> --resource-group <ResourceGroupName>
## List the SQL triggers under an Azure Cosmos DB SQL container.
## List the NoSQL triggers under an Azure Cosmos DB NoSQL container.
az cosmosdb sql trigger list --account-name <AccountName> --container-name <ContainerName> --database-name <DatabaseName> --resource-group <ResourceGroupName>
## List the SQL user defined functions under an Azure Cosmos DB SQL container
## List the NoSQL user defined functions under an Azure Cosmos DB NoSQL container
az cosmosdb sql user-defined-function list --account-name <AccountName> --container-name <ContainerName> --database-name <DatabaseName> --resource-group <ResourceGroupName>
```
@@ -193,6 +200,18 @@ In MongoDB, you can create one or more databases within an instance. Each databa
#### Collections
The core unit of data storage in MongoDB is the collection, which holds documents and is designed for efficient querying and flexible schema design. Collections are elastically scalable and can support high-throughput operations across multiple nodes in a distributed setup.
#### Key Features of Request unit (RU) type
**Global Distribution**: Enable or disable Geo-Redundancy for cross-region replication and Multi-region Writes for improved availability.
**Networking & Security**: between public (all/select networks) or private endpoints for connectivity. Secure connections with TLS 1.2 encryption. Supports CORS (Cross-Origin Resource Sharing) for controlled access to resources.
**Backup & Recovery**: from Periodic, Continuous (7 days, free), or Continuous (30 days, paid) backup policies with configurable intervals and retention.
**Data Encryption**: Default service-managed keys or customer-managed keys (CMK) for encryption (CMK selection is irreversible).
#### Key Features of vCore cluster type
**Global Distribution**: Enable a read replica in another Azure region for high availability and failover support. Configure the replica name, region, and storage per shard.
**Networking & Security**: Supports public access with assigned public IPs and private access. Restrict connections using firewall rules—by default, no public IPs are allowed.
**Encrypted Connections**: Enforces TLS encryption for secure data transmission.
#### Enumeration
{{#tabs }}

9
src/pentesting-cloud/azure-security/az-services/az-logic-apps.md
View File

@@ -8,6 +8,11 @@ Azure Logic Apps is a cloud-based service provided by Microsoft Azure that enabl
Logic Apps provides a visual designer to create workflows with a **wide range of pre-built connectors**, which makes it easy to connect to and interact with various services, such as Office 365, Dynamics CRM, Salesforce, and many others. You can also create custom connectors for your specific needs.
When creating a Logic App, you must either create or link an external storage account that stores the workflow state, run history, and artifacts. This storage can be configured with diagnostic settings for monitoring and can be secured with network access restrictions or integrated into a virtual network to control inbound and outbound traffic.
### Managed Identities
Logic Apps has **system-assigned managed identity** tied to its lifecycle. When enabled, it receives a unique Object (principal) ID that can be used with Azure RBAC to grant the necessary permissions to access other Azure services securely. This eliminates the need to store credentials in code because the identity is authenticated through Microsoft Entra ID. Additionally, you can also use **user-assigned managed identities**, which can be shared across multiple resources. These identities allow workflows and Logic Apps to interact securely with external systems, ensuring that the necessary access controls and permissions are managed centrally through Azure's security framework.
### Examples
- **Automating Data Pipelines**: Logic Apps can automate **data transfer and transformation processes** in combination with Azure Data Factory. This is useful for creating scalable and reliable data pipelines that move and transform data between various data stores, like Azure SQL Database and Azure Blob Storage, aiding in analytics and business intelligence operations.
@@ -43,6 +48,10 @@ There are several hosting options:
- **App Service Environment V3** dedicated compute resources with full isolation and scalability. It also integrates with VNET for networking and uses a pricing model based on App Service instances within the environment. This is ideal for enterprise-scale applications needing high isolation.
- **Hybrid** designed for local processing and multi-cloud support. It allows customer-managed compute resources with local network access and utilizes Kubernetes Event-Driven Autoscaling (KEDA).
### Workflows
Workflows in Azure Logic Apps are the core automated processes that orchestrate actions across various services. A workflow starts with a trigger—an event or schedule—and then executes a series of actions, such as calling APIs, processing data, or interacting with other Azure services. Workflows can be defined visually using a designer or via code (JSON definitions) and are managed through commands like az logic workflow create, az logic workflow show, and az logic workflow update. They also support identity management (via the identity subgroup) to securely manage permissions and integrations with external resources.
### Enumeration
{{#tabs }}

4
src/pentesting-cloud/azure-security/az-services/az-mysql.md
View File

@@ -16,9 +16,9 @@ Azure Database for MySQL is a fully managed relational database service based on
- Offers stop/start functionality for cost savings.
### Key Features
* **Server Management**: The **ad-admin** feature allows managing Azure Active Directory (AAD) administrators for MySQL servers, providing control over administrative access via AAD credentials, while the **identity** feature enables the assignment and management of Azure Managed Identities, offering secure, credential-free authentication for accessing Azure resources.
* **Server Management**: The **ad-admin** feature allows managing Azure Entra ID administrators for MySQL servers, providing control over administrative access via Entra ID credentials. Mysql supports User Managed Identities, used to autenticate without the need of credentials, and can be used by other services.
* **Lifecycle Management**: options to start or stop a server, delete a flexible server instance, restart a server to quickly apply configuration changes, and wait to ensure a server meets specific conditions before proceeding with automation scripts.
* **Security and Networking**: can manage server firewall rules for secure database access and detach virtual network configurations as needed.
* **Security and Networking**: Secure your server by restricting connections through firewall rules that only allow specific public IP addresses, or by using private endpoints that integrate your server into a virtual network. All connections are protected with TLS 1.2 encryption. Databases, backups, and logs are encrypted at rest by default using service-managed keys or custom keys.
* **Data Protection and Backup**: includes options to manage flexible server backups for data recovery, perform geo-restore to recover a server in a different region, export server backups for external use (in Preview), and restore a server from backup to a specific point in time.
### Enumeration

1
src/pentesting-cloud/azure-security/az-services/az-postgresql.md
View File

@@ -23,6 +23,7 @@
* **Automatic Backups**: Built-in daily backups with retention periods configurable up to 35 days.
* **Role-Based Access**: Control user permissions and administrative access through Azure Active Directory.
* **Security and Networking**: can manage server firewall rules for secure database access and detach virtual network configurations as needed.
* **Managed Identities**: allow your server to securely authenticate with other Azure services without storing credentials. It allow to access other services which would be System assigned managed identity and be accessed by other services with other identities which is User assigned managed identity.
### Enumeration

70
src/pentesting-cloud/azure-security/az-services/az-sql.md
View File

@@ -4,9 +4,7 @@
## Azure SQL
Azure SQL is a family of managed database products that use the **SQL Server database** engine in the Azure cloud. This means you don't have to worry about the physical administration of your servers, and you can focus on managing your data.
Assigned domain: `<server-name>.database.windows.net`
Azure SQL is a family of managed, secure, and intelligent products that use the **SQL Server database engine in the Azure cloud**. This means you don't have to worry about the physical administration of your servers, and you can focus on managing your data.
Azure SQL consists of four main offerings:
@@ -15,10 +13,6 @@ Azure SQL consists of four main offerings:
3. **Azure SQL Managed Instance**: This is for larger scale, entire SQL Server instance-scoped deployments.
4. **Azure SQL Server on Azure VMs**: This is best for architectures where you want **control over the operating system **and SQL Server instance.
## Azure SQL Server
Azure SQL Server is relational database management system (RDBMS) that uses Transact-SQL for data operations and is built to handle enterprise-level systems. It offers robust features for performance, security, scalability, and integration with various Microsoft applications. Azure SQL databases rely on this server, as these are built on this servers and it is the entrypoint for user to access the databases.
### SQL Server Security Features
**Network access:**
@@ -58,7 +52,6 @@ Note that if any SQL auth is allowed an admin user (username + password) needs t
**Deleted databases:**
- Its possible to restore DBs that have been deleted from existing backups.
## Azure SQL Database
**Azure SQL Database** is a **fully managed database platform as a service (PaaS)** that provides scalable and secure relational database solutions. It's built on the latest SQL Server technologies and eliminates the need for infrastructure management, making it a popular choice for cloud-based applications.
@@ -81,6 +74,14 @@ To create a SQL database its needed to indicate the SQL server where itll
A SQL database could be part of an **elastic Pool**. Elastic pools are a cost-effective solution for managing multiple databases by sharing configurable compute (eDTUs) and storage resources among them, with pricing based solely on the resources allocated rather than the number of databases.
#### Azure SQL Column Level Security (Masking) & Row Level Security
**Azure SQL's dynamic** data masking is a feature that helps **protect sensitive information by hiding it** from unauthorized users. Instead of altering the actual data, it dynamically masks the displayed data, ensuring that sensitive details like credit card numbers are obscured.
The **Dynamic Data Masking** affects to all users except the ones that are unmasked (these users need to be indicated) and administrators. It has the configuration option that specifies which SQL users are exempt from dynamic data masking, with **administrators always excluded**.
**Azure SQL Row Level Security (RLS)** is a feature that **controls which rows a user can view or modify**, ensuring each user only sees the data relevant to them. By creating security policies with filter or block predicates, organizations can enforce fine-grained access at the database level.
### Azure SQL Managed Instance
**Azure SQL Managed Instances** are for larger scale, entire SQL Server instance-scoped deployments. It provides near 100% compatibility with the latest SQL Server on-premises (Enterprise Edition) Database Engine, which provides a native virtual network (VNet) implementation that addresses common security concerns, and a business model favorable for on-premises SQL Server customers.
@@ -165,6 +166,30 @@ az sql midb show --resource-group <res-grp> --name <name>
# Lis all sql VM
az sql vm list
az sql vm show --resource-group <res-grp> --name <name>
# List schema by the database
az rest --method get \
--uri "https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Sql/servers/<serverName>/databases/<databaseName>/schemas?api-version=2021-11-01"
# Get tables of a database with the schema
az rest --method get \
--uri "https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Sql/servers/<serverName>/databases/<databaseName>/schemas/<schemaName>/tables?api-version=2021-11-01"
# Get columns of a database
az rest --method get \
--uri "https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Sql/servers/<serverName>/databases/<databaseName>/columns?api-version=2021-11-01"
# Get columns of a table
az rest --method get \
--uri "https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Sql/servers/<serverName>/databases/<databaseName>/schemas/<schemaName>/tables/<tableName>/columns?api-version=2021-11-01"
# Get DataMaskingPolicies of a database
az rest --method get \
--uri "https://management.azure.com/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Sql/servers/getstorageserver/databases/masktest/dataMaskingPolicies/Default?api-version=2021-11-01"
az rest --method get \
--uri "https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.Sql/servers/<serverName>/databases/<databaseName>/dataMaskingPolicies/Default/rules?api-version=2021-11-01"
```
{{#endtab}}
@@ -212,6 +237,33 @@ Get-AzSqlVM
{{#endtab}}
{{#endtabs}}
Additionally if you want to enumerate the Dynamic Data Masking, and Row Level policies, within the database, you can query:
```sql
--Enumerates the masked columns
SELECT
OBJECT_NAME(mc.object_id) AS TableName,
c.name AS ColumnName,
mc.masking_function AS MaskingFunction
FROM sys.masked_columns AS mc
JOIN sys.columns AS c
ON mc.object_id = c.object_id
AND mc.column_id = c.column_id
--Enumerates Row level policies
SELECT
sp.name AS PolicyName,
sp.is_enabled,
sp.create_date,
sp.modify_date,
OBJECT_NAME(sp.object_id) AS TableName,
sp2.predicate_definition AS PredicateDefinition
FROM sys.security_policies AS sp
JOIN sys.security_predicates AS sp2
ON sp.object_id = sp2.object_id;
```
### Connect and run SQL queries
You could find a connection string (containing credentials) from example [enumerating an Az WebApp](az-app-services.md):
@@ -264,3 +316,5 @@ sqlcmd -S <sql-server>.database.windows.net -U <server-user> -P <server-passwork