gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-04 16:57:26 -08:00
Code Issues Packages Projects Releases Wiki Activity

impr

Browse Source
This commit is contained in:
Carlos Polop
2025-02-21 00:13:14 +01:00
parent 4c9c8c10ac
commit fea4bb8938
2 changed files with 55 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
src/pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md
View File

@@ -11,7 +11,7 @@ For more information about SQL Database check:
### (`Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write`, `Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/read`) & (`Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write`, `Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/read`)
With this permissions you can priviledge scalate giving a user the pemrissions to execute queries and connect to the database. First a definition role is created giving the necesary permissions and scopes.
With this permissions you can priviledgeescalate giving a user the pemrissions to execute queries and connect to the database. First a definition role is created giving the necesary permissions and scopes.
```bash
az cosmosdb sql role definition create \
@@ -48,6 +48,7 @@ az cosmosdb sql role assignment create \
```
### `Microsoft.DocumentDB/databaseAccounts/listKeys/action`
With this permission, you can retrieve the primary and secondary keys for an Azure Cosmos DB account. These keys provide full access to the database account and its resources, enabling actions such as data reads, writes, and configuration changes.
```bash
@@ -57,5 +58,42 @@ az cosmosdb keys list \
```
### `Microsoft.DocumentDB/mongoClusters/read` , `Microsoft.DocumentDB/mongoClusters/write`
With this permission, you can create, update, or delete MongoDB clusters on Azure Cosmos DB. This includes provisioning new clusters, modifying existing cluster configurations, decommissioning clusters, or **changing the admin user's password**.
```bash
az cosmosdb mongocluster update \
--cluster-name <cluster-name> \
--resource-group <res-group> \
--administrator-login "<username>" \
--administrator-login-password "<password>"
```
### `Microsoft.DocumentDB/mongoClusters/read` , `Microsoft.DocumentDB/mongoClusters/firewallRules/write`
With this permission, you can create or modify firewall rules for a MongoDB cluster on Azure Cosmos DB. This allows control over which IP addresses or ranges can access the cluster. Unauthorized or improper use of this permission could expose the cluster to unwanted or malicious access.
```bash
# Create Rule
az cosmosdb mongocluster firewall-rule create \
--cluster-name <cluster-name> \
--resource-group <res-group> \
--rule-name <rule-name> \
--start-ip-address <start_ip> \
--end-ip-address <end_ip>
```
Note that by the time of the writing, MongoDB vCore doesn't support to create users internally, which would be great for persistence purposes:
```bash
mongos] test> db.createUser({
user: "adminUser",
pwd: "securePassword",
roles: [ { role: "root", db: "admin" } ]
})
MongoServerError[CommandNotSupported]: CreateUser command is not supported
```
{{#include ../../../banners/hacktricks-training.md}}