gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-05 20:40:18 -08:00
Code Issues Packages Projects Releases Wiki Activity

f

Browse Source
This commit is contained in:
carlospolop
2025-11-30 13:15:11 +01:00
parent 55afbe81c4
commit e5b25a908b
1 changed files with 19 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md
View File

@@ -66,11 +66,11 @@ This config will usually contain a **SAS URL to download** the code from the Sto
> [!CAUTION]
> With enough permission to connect to the blob container that **contains the code in zip** it's possible to execute arbitrary code in the Function and escalate privileges.
- **`github-actions-deploy`** (`WEBSITE_RUN_FROM_PACKAGE)`
- **`github-actions-deploy`** (`WEBSITE_RUN_FROM_PACKAGE`)
Just like in the previous case, if the deployment is done via Github Actions it's possible to find the folder **`github-actions-deploy`** in the Storage Account containing a zip of the code and a SAS URL to the zip in the setting `WEBSITE_RUN_FROM_PACKAGE`.
- **`scm-releases`**`(WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`)
- **`scm-releases`**(`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`)
With permissions to read the containers inside the Storage Account that stores the function data it's possible to find the container **`scm-releases`**. In there it's possible to find the latest release in **Squashfs filesystem file format** and therefore it's possible to read the code of the function:
@@ -170,12 +170,18 @@ curl -X PUT "https://consumptionexample.azurewebsites.net/admin/vfs/site/wwwroot
### `Microsoft.Web/sites/functions/listKeys/action`
This permission allows to get the host key, of the specified function with:
This permission allows to get the default key, of the specified function with:
```bash
az rest --method POST --uri "https://management.azure.com/subscriptions/<subsription-id>/resourceGroups/<resource-group>/providers/Microsoft.Web/sites/<func-name>/functions/<func-endpoint-name>/listKeys?api-version=2022-03-01"
```
Invoke the function using the default key obtained:
```bash
curl "https://<app-name>.azurewebsites.net/api/<func-endpoint-name>?code=<default-key>"
```
### `Microsoft.Web/sites/host/functionKeys/write`
This permission allows to create/update a function key of the specified function with:
@@ -203,6 +209,16 @@ This permission allows to create/update a system function key to the specified f
az functionapp keys set --resource-group <res_group> --key-name <key-name> --key-type masterKey --name <func-key> --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ==
```
Use the key:
```bash
# Ejemplo: Acceso a endpoints de Durable Functions
curl "https://<app-name>.azurewebsites.net/runtime/webhooks/durabletask/instances?code=<system-key>"
# Ejemplo: Acceso a Event Grid webhooks
curl "https://<app-name>.azurewebsites.net/runtime/webhooks/eventgrid?code=<system-key>"
```
### `Microsoft.Web/sites/config/list/action`
This permission allows to get the settings of a function. Inside these configurations it might be possible to find the default values **`AzureWebJobsStorage`** or **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** which contains an **account key to access the blob storage of the function with FULL permissions**.