diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md index 9fa0cf4e0..9cfb9fbea 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md @@ -11,7 +11,7 @@ For more information about SQL Database check: ### (`Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write`, `Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/read`) & (`Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write`, `Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/read`) -With this permissions you can priviledge scalate giving a user the pemrissions to execute queries and connect to the database. First a definition role is created giving the necesary permissions and scopes. +With this permissions you can priviledgeescalate giving a user the pemrissions to execute queries and connect to the database. First a definition role is created giving the necesary permissions and scopes. ```bash az cosmosdb sql role definition create \ @@ -48,6 +48,7 @@ az cosmosdb sql role assignment create \ ``` ### `Microsoft.DocumentDB/databaseAccounts/listKeys/action` + With this permission, you can retrieve the primary and secondary keys for an Azure Cosmos DB account. These keys provide full access to the database account and its resources, enabling actions such as data reads, writes, and configuration changes. ```bash 
@@ -57,5 +58,42 @@ az cosmosdb keys list \ ``` +### `Microsoft.DocumentDB/mongoClusters/read` , `Microsoft.DocumentDB/mongoClusters/write` + +With this permission, you can create, update, or delete MongoDB clusters on Azure Cosmos DB. This includes provisioning new clusters, modifying existing cluster configurations, decommissioning clusters, or **changing the admin user's password**. + +```bash +az cosmosdb mongocluster update \ + --cluster-name \ + --resource-group \ + --administrator-login "" \ + --administrator-login-password "" +``` + +### `Microsoft.DocumentDB/mongoClusters/read` , `Microsoft.DocumentDB/mongoClusters/firewallRules/write` + +With this permission, you can create or modify firewall rules for a MongoDB cluster on Azure Cosmos DB. This allows control over which IP addresses or ranges can access the cluster. Unauthorized or improper use of this permission could expose the cluster to unwanted or malicious access. + +```bash +# Create Rule +az cosmosdb mongocluster firewall-rule create \ + --cluster-name \ + --resource-group \ + --rule-name \ + --start-ip-address \ + --end-ip-address +``` + +Note that by the time of the writing, MongoDB vCore doesn't support to create users internally, which would be great for persistence purposes: + +```bash +mongos] test> db.createUser({ + user: "adminUser", + pwd: "securePassword", + roles: [ { role: "root", db: "admin" } ] +}) +MongoServerError[CommandNotSupported]: CreateUser command is not supported +``` + {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-services/az-cosmosDB.md b/src/pentesting-cloud/azure-security/az-services/az-cosmosDB.md index 8ab2b0744..57730f1c1 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-cosmosDB.md +++ b/src/pentesting-cloud/azure-security/az-services/az-cosmosDB.md 
@@ -69,6 +69,22 @@ az cosmosdb sql trigger list --account-name --container-name --container-name --database-name --resource-group + +## MongoDB (vCore) +# Install az cli extension +az extension add --name cosmosdb-preview +# List all MongoDB databases in a specified Azure Cosmos DB account +az cosmosdb mongocluster list +az cosmosdb mongocluster show --cluster-name --resource-group +# Get firewall rules +az cosmosdb mongocluster firewall rule list --cluster-name --resource-group +# Connect to in +brew install mongosh +mongosh "mongodb://:@.mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&retryWrites=false" --username --password +``` +{{#endtab }} + +{{#tab name="Az Powershell" }} ``` {{#endtab }}
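Review bot: The `+` line in the first hunk of az-cosmosDB-privesc.md swaps one typo for another: `priviledge scalate` becomes `priviledgeescalate`, dropping the space instead of fixing the spelling, and `pemrissions` and `necesary` on the same line are left as they were. Suggest rewriting the line as `With these permissions you can privilege escalate by giving a user the permissions to execute queries and connect to the database. First a role definition is created with the necessary permissions and scopes.`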
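Review bot: In the `@@ -57,5 +58,42 @@` hunk of az-cosmosDB-privesc.md the first new heading lists only `Microsoft.DocumentDB/mongoClusters/read` and `Microsoft.DocumentDB/mongoClusters/write`, but the paragraph under it claims the holder can also delete clusters; that needs `Microsoft.DocumentDB/mongoClusters/delete`, so either add it to the heading or drop "decommissioning clusters" from the text, and lead with the actual escalation (resetting the admin password lets the caller log in as the cluster administrator with `--administrator-login-password`). The firewall section spells the subgroup `az cosmosdb mongocluster firewall-rule create` while the az-cosmosDB.md hunk in the same patch uses `az cosmosdb mongocluster firewall rule list`; the cosmosdb-preview extension registers it as `firewall rule` as far as I know, so run `az cosmosdb mongocluster firewall rule --help` and make both files agree. These commands also need `az extension add --name cosmosdb-preview`, which only the other file mentions. Finally, "doesn't support to create users internally, which would be great for persistence purposes" should read "does not support creating users, which would otherwise be useful for persistence", and the `mongos] test>` prompt fragment in front of `db.createUser(` should be cleaned up so the block pastes into mongosh.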
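Review bot: In the az-cosmosDB.md hunk the comment `# List all MongoDB databases in a specified Azure Cosmos DB account` does not describe `az cosmosdb mongocluster list`, which enumerates vCore clusters in the subscription (or resource group), not databases inside an account; reword it. The `mongosh` line under the "MongoDB (vCore)" heading uses the RU-based MongoDB API connection format (`.mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&retryWrites=false`); vCore clusters are reached via a `mongodb+srv://` string on the `.mongocluster.cosmos.azure.com` host with `tls=true&authMechanism=SCRAM-SHA-256`, so either take the string from the cluster's connection-string blade or move this line to an RU-based section. The `# Connect to in` comment is also left incomplete. Lastly, the new `{{#tab name="Az Powershell" }}` is opened right before the pre-existing closing fence and `{{#endtab }}`, so the tab ends up containing a lone ``` with no matching fence and no commands; either add the PowerShell equivalents inside a proper fenced block or do not add the tab.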