Az - Automation Accounts


Basic Information

Azure Automation Accounts are cloud-based services in Microsoft Azure that help automate tasks such as resource management, configuration and updates across Azure and on-premises environments. They provide Runbooks (executable automation scripts), schedules and hybrid worker groups to run automation tasks, enabling infrastructure as code (IaC) and process automation for efficient and consistent management of cloud resources.

Settings

  • Credentials: Used to store usernames and passwords securely. The password can only be accessed from inside a runbook of the automation account.
  • Variables: Used to store configuration data that can be consumed by runbooks. This can also be sensitive information such as API keys. If a variable is stored encrypted, its value can only be accessed from inside a runbook of the automation account.
  • Certificates: Used to store certificates that can be used in runbooks.
  • Connections: Used to store connection information for external services. This might contain sensitive information.
  • Network Access: Can be configured as public or private.

Runbooks & Jobs

A Runbook in Azure Automation is a script that runs automated tasks within your cloud environment. Runbooks can be written in PowerShell, Python, or with the graphical editor. They help automate administrative tasks such as VM management, patching, or compliance checks.

The code inside Runbooks may contain sensitive information (such as credentials).

A Job is an execution instance of a Runbook. When you run a Runbook, a job is created to track that execution. Each job includes:

  • Status: Queued, Running, Completed, Failed, Suspended.
  • Output: The results of the Runbook execution.
  • Start and End Time: When the job started and finished.

A job holds the output of the Runbook execution. If you can read jobs, do so, as they contain the output of the run (potentially sensitive information).

Schedules & Webhooks

There are 3 main ways to execute a Runbook:

  • Schedules: Used to trigger Runbooks at a specific time or interval.
  • Webhooks: HTTP endpoints that can be used to trigger Runbooks from external services. Note that the webhook URL is not visible after creation.
  • Manual start: You can manually start a Runbook from the Azure Portal and from the CLI.

Source Control

It allows importing Runbooks from GitHub, Azure DevOps (Git) and Azure DevOps (TFVC). It's possible to indicate whether to publish the repo's Runbooks into the Azure Automation account and also whether to sync changes from the repo to the Azure Automation account.

When sync is enabled, a webhook is created in the GitHub repository to trigger the sync every time a push event occurs. Example webhook URL: https://f931b47b-18c8-45a2-9d6d-0211545d8c02.webhook.eus.azure-automation.net/webhooks?token=DRjQyFiOrUtz%2fw7o23XbDpOlTe1%2bUqPQm4pQH2WBfJg%3d

Note that these webhooks won't appear when listing the webhooks of the runbooks related to the GitHub repo. Also note that it's not possible to change the source control repo URL once it has been set.

For the configured source control to work, the Azure Automation Account needs a managed identity (system-assigned or user-assigned) with the Contributor role. Moreover, to assign a user-assigned managed identity to the Automation Account, the client ID of the user-assigned MI must be set in the variable AUTOMATION_SC_USER_ASSIGNED_IDENTITY_ID.

Runtime Environments

When creating a Runbook it's possible to select the runtime environment. By default, the following environments are available:

  • Powershell 5.1
  • Powershell 7.1
  • PowerShell 7.2
  • Python 3.10
  • Python 3.8
  • Python 2.7

However, it's also possible to create your own environments, using one of these as a base. In the case of Python, it's possible to upload .whl packages to the environment that will be used. In the case of PowerShell, it's possible to upload .zip packages containing modules to make them available in the runtime.

Hybrid Worker Groups

In Azure Automation, the default execution environment for runbooks is the Azure Sandbox, a cloud-based platform managed by Azure that is suitable for tasks involving Azure resources. However, this sandbox has limitations, such as no access to on-premises resources and restrictions on execution time and resource usage. To overcome these limitations, Hybrid Worker Groups are used. A Hybrid Worker Group consists of one or more Hybrid Runbook Workers installed on your own machines, whether on-premises, in other cloud environments or on Azure VMs. This setup allows runbooks to run directly on those machines, providing direct access to local resources, the ability to run long and resource-intensive tasks, and the flexibility to interact with environments beyond Azure's direct reach.

When a hybrid worker group is created it's necessary to indicate the credentials to use. There are 2 options:

  • Default credentials: You don't need to provide credentials and runbooks will run inside the VMs as SYSTEM.
  • Custom credentials: You need to provide the name of a credential object inside the automation account, which will be used to run the runbooks inside the VMs. Therefore, in this case, it might be possible to steal valid credentials of the VMs.

Therefore, if you can choose to run a Runbook on a Hybrid Worker, you will run arbitrary commands inside an external machine as SYSTEM (a nice pivoting technique).

Moreover, if the hybrid worker is running in Azure and has another managed identity attached, the runbook will be able to access the runbook's managed identity and all the managed identities of the VM through the metadata service.

tip

Note that the metadata service has a different URL (http://169.254.169.254) than the service that issues tokens for the automation account's managed identities (IDENTITY_ENDPOINT).

State Configuration (SC)

warning

As indicated in the documentation, Azure Automation State Configuration will be retired on 30 September 2027 and replaced by Azure Machine Configuration.

Automation Accounts also support State Configuration (SC), a feature that helps set and maintain the state of your VMs. It's possible to create and apply DSC configurations to Windows and Linux machines.

From an attacker's perspective this was interesting because it allowed executing arbitrary PS code in all the configured VMs, allowing privilege escalation to the managed identities of those VMs, and potentially pivoting to new networks... Also, the configuration might contain sensitive information.

Enumeration

```bash
# List Automation Accounts
az automation account list --output table

# Get Automation Account details
# Check the network access in `privateEndpointConnections` and `publicNetworkAccess`
# Check the managed identities in `identity`
az automation account show --name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>

# Get keys of automation account
## These are used for the DSC
az automation account list-keys --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>

# Get schedules of automation account
az automation schedule list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>

# Get connections of automation account
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/connections?api-version=2023-11-01"

# Get connection details
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/connections/<connection-name>?api-version=2023-11-01"

# Get credentials of automation account
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/credentials?api-version=2023-11-01"

# Get credential details
## Note that you will only be able to access the password from inside a Runbook
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/credentials/<credential-name>?api-version=2023-11-01"

# Get certificates of automation account
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/certificates?api-version=2023-11-01"

# Get certificate details
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/certificates/<certificate-name>?api-version=2023-11-01"

# Get variables of automation account
## It's possible to get the value of unencrypted variables but not the encrypted ones
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/variables?api-version=2023-11-01"

# Get variable details
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/variables/<variable-name>?api-version=2023-11-01"

# Get runbooks of an automation account
az automation runbook list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>

# Get runbook details
az automation runbook show --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <RUNBOOK-NAME>

# Get runbook content
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/runbooks/<runbook-name>/content?api-version=2023-11-01"

# Get jobs of an automation account
az automation job list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>

# Get job details
az automation job show --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <JOB-NAME>

# Get job output
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/jobs/<job-name>/output?api-version=2023-11-01"

# Get the Runbook content as it was when the job was executed
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/jobs/<job-name>/runbookContent?api-version=2023-11-01"

# Get webhooks inside an automation account
## It's possible to see to which runbook each one belongs in the returned data
## For security reasons it's not possible to see the URL of the webhook after creating it, here is a URL example: https://f931b47b-18c8-45a2-9d6d-0211545d8c02.webhook.eus.azure-automation.net/webhooks?token=dOdnxk6z7ugAxiuyUMKgPuDMav2Jw5EJediMdiN4jLo%3d
## Generating a webhook can be useful from a persistence perspective
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/webhooks?api-version=2018-06-30"

# Get the source control setting of an automation account (if any)
## Inside the output it's possible to see whether autoSync is enabled, whether publishRunbook is enabled, and the repo URL
az automation source-control list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>

# Get custom runtime environments
## Check defaultPackages for custom ones; by default Python envs won't have anything here and PS envs will have "az" and "azure cli"
az automation runtime-environment list \
--resource-group <res-group> \
--automation-account-name <account-name> \
--query "[?!(starts_with(description, 'System-generated'))]"

# Get State Configurations (SC) of an automation account
az automation dsc configuration list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>

# Get State Configuration details
az automation dsc configuration show --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <DSC-CONFIG-NAME>

# Get State Configuration content
az automation dsc configuration show-content --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <DSC-CONFIG-NAME>

# Get hybrid worker groups for an automation account
az automation hrwg list --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME>

# Get hybrid worker group details
az automation hrwg show --automation-account-name <AUTOMATION-ACCOUNT> --resource-group <RG-NAME> --name <HYBRID-WORKER-GROUP>

# Get more details about a hybrid worker group (like the VMs inside it)
az rest --method GET --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Automation/automationAccounts/<automation-account-name>/hybridRunbookWorkerGroups/<hybrid-worker-group-name>/hybridRunbookWorkers?api-version=2021-06-22"
```
```powershell
# Check user rights for automation
az extension add --upgrade -n automation
az automation account list # if it doesn't return anything the user is not a part of an Automation group

# Get Azure Automation accounts in a resource group
Get-AzAutomationAccount

# List & get DSC configs
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration | where {$_.name -match '<name>'} | Export-AzAutomationDscConfiguration -OutputFolder . -Debug
## Configurations named SecurityBaselineConfigurationWS... are there by default (not interesting)

# List & get runbook code
Get-AzAutomationAccount | Get-AzAutomationRunbook
Get-AzAutomationAccount | Get-AzAutomationRunbook | Export-AzAutomationRunbook -OutputFolder /tmp

# List credentials & variables & others
Get-AzAutomationAccount | Get-AzAutomationCredential
Get-AzAutomationAccount | Get-AzAutomationVariable
Get-AzAutomationAccount | Get-AzAutomationConnection
Get-AzAutomationAccount | Get-AzAutomationCertificate
Get-AzAutomationAccount | Get-AzAutomationSchedule
Get-AzAutomationAccount | Get-AzAutomationModule
Get-AzAutomationAccount | Get-AzAutomationPython3Package
## Credentials, encrypted variables and the other secrets can only be read by loading them in a Runbook and printing them

# List hybrid workers
Get-AzAutomationHybridWorkerGroup -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME>
```
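The commands above return each setting separately; the following added audit script (not HackTricks code nor part of the Azure tooling) reads the JSON those commands return and flags the conditions this page calls out: public network access, an attached managed identity, unencrypted variables, auto-synced source control that publishes runbooks, and hybrid worker groups that run as SYSTEM or with a stored credential. The sample documents are constructed, and the `credential` field shape on the hybrid worker group is an assumption taken from the REST schema.

```python
import json

# Constructed sample of `az automation account show` output (trimmed to the fields checked)
ACCOUNT = json.loads('{"name": "aa-prod", "publicNetworkAccess": true, '
                     '"identity": {"type": "SystemAssigned,UserAssigned"}}')
# Constructed sample of the REST `.../variables?api-version=2023-11-01` "value" array
VARIABLES = [
    {"name": "ApiKey", "properties": {"isEncrypted": False, "value": '"sk-constructed"'}},
    {"name": "DbPassword", "properties": {"isEncrypted": True, "value": None}},
]
# Constructed sample of `az automation source-control list`
SOURCE_CONTROLS = [{"name": "gh", "repoUrl": "https://github.com/example/runbooks.git",
                    "autoSync": True, "publishRunbook": True}]
# Constructed sample of `az automation hrwg list`; the "credential" shape is assumed
# from the hybridRunbookWorkerGroups REST schema (credential.name = RunAs credential)
HRWGS = [{"name": "onprem-workers", "credential": {"name": "svc-admin"}},
         {"name": "azure-workers", "credential": None}]


def audit(account, variables, source_controls, hrwgs):
    """Return (severity, finding) tuples for the settings this page calls out."""
    findings = []
    name = account["name"]
    if account.get("publicNetworkAccess", True):
        findings.append(("medium", f"{name}: publicNetworkAccess is enabled"))
    ident = (account.get("identity") or {}).get("type", "None")
    if ident != "None":
        findings.append(("info", f"{name}: managed identity {ident}; runbooks inherit its roles"))
    for v in variables:
        if not v["properties"].get("isEncrypted"):
            findings.append(("high", f"variable {v['name']} is unencrypted; value readable via REST"))
    for sc in source_controls:
        if sc.get("autoSync") and sc.get("publishRunbook"):
            findings.append(("high", f"source control {sc['name']}: pushes to {sc['repoUrl']} auto-publish runbooks"))
    for g in hrwgs:
        cred = g.get("credential") or {}
        if cred.get("name"):
            findings.append(("high", f"hybrid worker group {g['name']} runs runbooks with stored credential {cred['name']}"))
        else:
            findings.append(("medium", f"hybrid worker group {g['name']} runs runbooks as SYSTEM on its workers"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit(ACCOUNT, VARIABLES, SOURCE_CONTROLS, HRWGS):
        print(f"[{severity}] {finding}")
```

To run it against a real account, replace the constructed samples with the JSON written by the corresponding `az` commands above.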

Privilege Escalation & Post Exploitation

Az - Automation Accounts Privesc

Persistence

Az - Automation Accounts Persistence
