asd

2026-01-19 08:00:45 -08:00 · 2025-02-20 00:55:53 +01:00
parent 4313cc72bc
commit e3ca81040e
8 changed files with 187 additions and 18 deletions
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-mysql-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-mysql-privesc.md
@@ -41,6 +41,18 @@ Additionally it is necesary to have the public access enabled if you want to acc
 az mysql flexible-server update --resource-group <resource_group_name> --server-name <server_name> --public-access Enabled
 ```

+### `Microsoft.DBforMySQL/flexibleServers/read`, `Microsoft.DBforMySQL/flexibleServers/write`, `Microsoft.DBforMySQL/flexibleServers/backups/read`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
+
+With this permissions you can restore a MySQL server from a backup:
+
+```bash
+az mysql flexible-server restore \
+    --resource-group <resource_group_name> \
+    --name <restore_server_name> \
+    --source-server <server_name> \
+    --yes
+```
+
 ### `Microsoft.DBforMySQL/flexibleServers/read`, `Microsoft.DBforMySQL/flexibleServers/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.DBforMySQL/flexibleServers/administrators/write` && `Microsoft.DBforMySQL/flexibleServers/administrators/read`

 With this permission, you can configure Azure Active Directory (AD) administrators for a MySQL Flexible Server. This can be exploited by setting oneself or another account as the AD administrator, granting full administrative control over the MySQL server. It's important that the flexible-server has a user assigned managed identities to use.
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-postgresql-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-postgresql-privesc.md
@@ -35,12 +35,60 @@ az postgres flexible-server update \
    --admin-password <password_to_update>
 ```

+Furthermore, with the permissions you can enalbe the assign identity, an opertate with the managed identity attached to the server. Here you can find all the extensions that Azure PostgreSQL flexible server supports [https://learn.microsoft.com/en-us/azure/cosmos-db/postgresql/reference-extensions](https://learn.microsoft.com/en-us/azure/cosmos-db/postgresql/reference-extensions). To be able to use these extensions some server parameters (azure.extensions) need to be changed. For example here with a managed identity that can access Azure Storage:
+
+First we change the parameters and be sure the assigned identity is enabled:
+```bash
+az postgres flexible-server parameter set \
+  --resource-group <YourResourceGroupName> \
+  --server-name <YourServerName> \
+  --name azure.extensions \
+  --value "AZURE_STORAGE"
+
+az postgres flexible-server identity update \
+    --resource-group <YourResourceGroupName> \
+    --server-name <YourServerName> \
+    --system-assigned Enabled
+```
+```sql 
+
+CREATE EXTENSION IF NOT EXISTS azure_storage;
+
+CREATE EXTERNAL DATA SOURCE ManagedIdentity
+
+SELECT azure_storage.account_add('<storage-account>', '<storage-key>');
+
+SELECT *
+FROM azure_storage.blob_get(
+    '<storage-account>',
+    '<container>',
+    'message.txt',
+    decoder := 'text'
+) AS t(content text)
+LIMIT 1;
+
+```
+
 Additionally it is necesary to have the public access enabled if you want to access from a non private endpoint, to enable it:

 ```bash
 az postgres flexible-server update --resource-group <resource_group_name> --server-name <server_name> --public-access Enabled
 ```

+### `Microsoft.DBforPostgreSQL/flexibleServers/read`, `Microsoft.DBforPostgreSQL/flexibleServers/write`, `Microsoft.DBforPostgreSQL/flexibleServers/backups/read`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
+
+With this permissions you can restore a server from a backup with:
+
+```bash
+az postgres flexible-server restore \
+  --resource-group <RESOURCE_GROUP> \
+  --name <NEW_SERVER_NAME> \
+  --source-server <SOURCE_SERVER_NAME> \
+  --restore-time "<ISO8601_TIMESTAMP>" \
+  --yes
+
+```
+
 ### `Microsoft.DBforPostgreSQL/flexibleServers/read`, `Microsoft.DBforPostgreSQL/flexibleServers/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.DBforPostgreSQL/flexibleServers/administrators/write` && `Microsoft.DBforPostgreSQL/flexibleServers/administrators/read`

 With this permission, you can configure Azure Active Directory (AD) administrators for a PostgreSQL Flexible Server. This can be exploited by setting oneself or another account as the AD administrator, granting full administrative control over the PostgreSQL server. Updating existing principal is not supported yet so if there is one created you must delete it first.
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md
@@ -48,6 +48,11 @@ az sql server update \
    --assign_identity
 ```
 ```sql 
+CREATE DATABASE SCOPED CREDENTIAL [ManagedIdentityCredential]
+WITH IDENTITY = 'Managed Identity';
+GO
+
+
 CREATE EXTERNAL DATA SOURCE ManagedIdentity
 WITH (
    TYPE = BLOB_STORAGE,
@@ -134,6 +139,27 @@ az sql server azure-ad-only-auth disable \
  --resource-group <resource_group_name>
 ```

+### Microsoft.Sql/servers/databases/dataMaskingPolicies/write
+Modify (or disable) the data masking policies on your SQL databases.
+
+```bash
+az rest --method put \
+  --uri "https://management.azure.com/subscriptions/<your-subscription-id>/resourceGroups/<your-resource-group>/providers/Microsoft.Sql/servers/<your-server>/databases/<your-database>/dataMaskingPolicies/Default?api-version=2021-11-01" \
+  --body '{
+    "properties": {
+      "dataMaskingState": "Disable"
+    }
+  }'
+```
+
+### Remove Row Level Security
+If you loggin as admin, you can remove the policies of the admin itself and other users.
+
+```sql
+DROP SECURITY POLICY [Name_of_policy];
+```
+
+
 {{#include ../../../banners/hacktricks-training.md}}