diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md index 0a951171a..401adfe4d 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md @@ -66,11 +66,11 @@ This config will usually contain a **SAS URL to download** the code from the Sto > [!CAUTION] > With enough permission to connect to the blob container that **contains the code in zip** it's possible to execute arbitrary code in the Function and escalate privileges. -- **`github-actions-deploy`** (`WEBSITE_RUN_FROM_PACKAGE)` +- **`github-actions-deploy`** (`WEBSITE_RUN_FROM_PACKAGE`) Just like in the previous case, if the deployment is done via Github Actions it's possible to find the folder **`github-actions-deploy`** in the Storage Account containing a zip of the code and a SAS URL to the zip in the setting `WEBSITE_RUN_FROM_PACKAGE`. -- **`scm-releases`**`(WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`) +- **`scm-releases`**(`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`) With permissions to read the containers inside the Storage Account that stores the function data it's possible to find the container **`scm-releases`**. In there it's possible to find the latest release in **Squashfs filesystem file format** and therefore it's possible to read the code of the function: 
@@ -170,12 +170,18 @@ curl -X PUT "https://consumptionexample.azurewebsites.net/admin/vfs/site/wwwroot ### `Microsoft.Web/sites/functions/listKeys/action` -This permission allows to get the host key, of the specified function with: +This permission allows to get the default key, of the specified function with: ```bash az rest --method POST --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//functions//listKeys?api-version=2022-03-01" ``` +Invoke the function using the default key obtained: + +```bash +curl "https://.azurewebsites.net/api/?code=" +``` + ### `Microsoft.Web/sites/host/functionKeys/write` This permission allows to create/update a function key of the specified function with: @@ -203,6 +209,16 @@ This permission allows to create/update a system function key to the specified f az functionapp keys set --resource-group --key-name --key-type masterKey --name --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ== ``` +Use the key: + +```bash +# Ejemplo: Acceso a endpoints de Durable Functions +curl "https://.azurewebsites.net/runtime/webhooks/durabletask/instances?code=" + +# Ejemplo: Acceso a Event Grid webhooks +curl "https://.azurewebsites.net/runtime/webhooks/eventgrid?code=" +``` + ### `Microsoft.Web/sites/config/list/action` This permission allows to get the settings of a function. Inside these configurations it might be possible to find the default values **`AzureWebJobsStorage`** or **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** which contains an **account key to access the blob storage of the function with FULL permissions**.
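Review bot: In the first hunk (`@@ -66`), the `scm-releases` bullet still has no space between the bold code span and the opening parenthesis: `- **`scm-releases`**(`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`)`. The `github-actions-deploy` bullet two lines above is written as `- **`github-actions-deploy`** (`WEBSITE_RUN_FROM_PACKAGE`)`, so for consistency the second bullet should read `- **`scm-releases`** (`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`)`. The backtick fix itself (moving the stray backtick and parenthesis so each setting name is its own code span) is correct.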
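Review bot: In the second hunk (`@@ -170`), the added invocation example renders with empty placeholders: `curl "https://.azurewebsites.net/api/?code="`, and the existing `az rest` URI on the line above has the same problem (`subscriptions//resourceGroups//providers/...`). The app name, function name and key placeholders appear to have been dropped (angle-bracket placeholders are a common casualty of Markdown rendering), so the command cannot be followed as written; use placeholders that survive rendering, for example `$APP_NAME`, `$FUNCTION_NAME` and `$FUNCTION_KEY`, or escape the angle brackets. Also worth noting in the text next to the example: a key passed in the `code` query string ends up in proxy, gateway and application logs, whereas the `x-functions-key` request header is accepted by the Functions host for the same purpose and keeps the secret out of the URL. The wording change from "host key" to "default key" is correct for `Microsoft.Web/sites/functions/listKeys/action`, which returns the function-level keys rather than the host-level ones.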
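Review bot: In the third hunk (`@@ -203`), the two comments inside the added fenced block are in Spanish while the rest of the page is English: `# Ejemplo: Acceso a endpoints de Durable Functions` and `# Ejemplo: Acceso a Event Grid webhooks` should be `# Example: access Durable Functions endpoints` and `# Example: access Event Grid webhooks`. The same empty-placeholder issue as in the previous hunk applies to both URLs (`https://.azurewebsites.net/runtime/webhooks/durabletask/instances?code=` and `https://.azurewebsites.net/runtime/webhooks/eventgrid?code=`); replace them with explicit placeholders for the app name and key. The lead-in "Use the key:" is also too terse given that the command above it sets a `masterKey`: it should state that the `/runtime/webhooks/...` endpoints are the ones protected by extension system keys, which is why a master key (or the relevant system key) is what unlocks them, so the reader understands why these endpoints in particular are shown here.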