hacktricks-cloud/src/pentesting-cloud/azure-security/az-privilege-escalation/az-postgresql-privesc.md
Jimmy 3757efbd43 Y
2025-02-10 12:22:24 +01:00

Az - PostgreSQL Privesc

{{#include ../../../banners/hacktricks-training.md}}

PostgreSQL Privesc

For more information about Azure PostgreSQL, check:

{{#ref}} az-postgresql.md {{#endref}}

Microsoft.DBforPostgreSQL/flexibleServers/read && Microsoft.DBforPostgreSQL/flexibleServers/write

With these permissions, you can create, update, or delete PostgreSQL Flexible Server instances on Azure. This includes provisioning new servers, modifying existing server configurations, or decommissioning servers.

az postgres flexible-server create \
    --name <ServerName> \
    --resource-group <ResourceGroupName> \
    --location <Location> \
    --admin-user <AdminUsername> \
    --admin-password <AdminPassword> \
    --sku-name <SkuName> \
    --storage-size <StorageSizeInGB> \
    --tier <PricingTier> \
    --version <PostgreSQLVersion>

For example, these permissions allow changing the PostgreSQL password, which is useful, of course, if PostgreSQL authentication is enabled.

az postgres flexible-server update \
    --resource-group <resource_group_name> \
    --name <server_name> \
    --admin-password <password_to_update>

Additionally, public access must be enabled if you want to connect from outside a private endpoint. To enable it:

az postgres flexible-server update --resource-group <resource_group_name> --name <server_name> --public-access Enabled

Microsoft.DBforPostgreSQL/flexibleServers/read, Microsoft.DBforPostgreSQL/flexibleServers/write, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action, Microsoft.DBforPostgreSQL/flexibleServers/administrators/write && Microsoft.DBforPostgreSQL/flexibleServers/administrators/read

With these permissions, you can configure Azure Active Directory (AD) administrators for a PostgreSQL Flexible Server. This can be exploited by setting oneself or another account as the AD administrator, granting full administrative control over the PostgreSQL server. Updating an existing principal is not supported yet, so if one has already been created you must delete it first.

It's important that the flexible server has a user-assigned managed identity to use.

az postgres flexible-server ad-admin create \
    --resource-group <ResourceGroupName> \
    --server-name <ServerName> \
    --display-name <ADAdminDisplayName> \
    --identity <IdentityNameOrID> \
    --object-id <ObjectID>
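
To find which role definitions grant the permission sets named in the two sections above, the following added example (not part of the original page or of HackTricks) evaluates each role's Actions minus NotActions, including `*` wildcards. The role names and sample data are constructed, and the input shape is assumed to follow `az role definition list` output.

```python
import re

PG = "Microsoft.DBforPostgreSQL/flexibleServers"
BASE = [PG + "/read", PG + "/write"]
# The two permission sets taken from this page's section headings.
PRIVESC_SETS = {
    "server create/update": BASE,
    "AD administrator assignment": BASE + [
        "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
        PG + "/administrators/write",
        PG + "/administrators/read",
    ],
}

def _matches(pattern, action):
    # Azure RBAC action strings are case-insensitive; '*' matches any substring.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def grants(role, action):
    """True if a permission block of this role allows `action`.
    NotActions only subtract inside the same role; they are not a deny."""
    for perm in role.get("permissions", []):
        allowed = any(_matches(p, action) for p in perm.get("actions", []))
        excluded = any(_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False

def risky_sets(role):
    """Names of the page's permission sets that this role grants in full."""
    return [name for name, needed in PRIVESC_SETS.items()
            if all(grants(role, a) for a in needed)]

# Constructed sample roles (assumed shape: `az role definition list` output).
SAMPLE_ROLES = [
    {"roleName": "pg-operator (constructed)", "permissions": [
        {"actions": [PG + "/*"],
         "notActions": [PG + "/administrators/write"]}]},
    {"roleName": "pg-reader (constructed)", "permissions": [
        {"actions": ["Microsoft.DBforPostgreSQL/*/read"], "notActions": []}]},
    {"roleName": "platform-admin (constructed)", "permissions": [
        {"actions": ["*"], "notActions": []}]},
]

if __name__ == "__main__":
    for r in SAMPLE_ROLES:
        print(r["roleName"], "->", risky_sets(r) or "none")
```

Roles that come back with either set are candidates for tightening or for closer review of who holds them and at what scope.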
