Az - Storage Accounts & Blobs

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Azure Storage Accounts are core services in Microsoft Azure that provide scalable, secure, and highly available cloud storage for different kinds of data, including blobs (binary large objects), files, queues, and tables. They act as containers that group these different storage services together under a single namespace for easier management.

Main configuration options:

  • Every storage account must have a name that is unique across all of Azure.
  • Every storage account is placed in a region or in an Azure extended zone.
  • A premium storage account tier can be chosen for better performance.
  • One of 4 redundancy types can be chosen to protect against rack, drive, and datacenter failures.

Security configuration options:

  • Require secure transfer for REST API operations: requires TLS for any communication with the storage account.
  • Allow enabling anonymous access on individual containers: if disabled, it will not be possible to enable anonymous access later.
  • Enable storage account key access: if disabled, access with Shared Keys is blocked.
  • Minimum TLS version
  • Permitted scope for copy operations: allow from any storage account, from any storage account in the same Entra tenant, or only from storage accounts with private endpoints in the same virtual network.

Blob Storage options:

  • Allow cross-tenant replication
  • Access tier: Hot (frequently accessed data), Cool and Cold (rarely accessed data)

Network options:

  • Network access:
    • Allow from all networks
    • Allow from selected virtual networks and IP addresses
    • Disable public access and use private access
  • Private endpoints: allows a private connection to the storage account from a virtual network

Data protection options:

  • Point-in-time restore for containers: allows restoring containers to an earlier state.
    • Requires versioning, change feed, and blob soft delete to be enabled.
  • Enable soft delete for blobs: enables a retention period in days for deleted blobs (including overwritten ones)
  • Enable soft delete for containers: enables a retention period in days for deleted containers
  • Enable soft delete for file shares: enables a retention period in days for deleted file shares
  • Enable versioning for blobs: keep previous versions of your blobs
  • Enable blob change feed: keep logs of create, modify, and delete changes to blobs
  • Enable version-level immutability support: lets you set a time-based retention policy at the account level that applies to all blob versions.
    • Version-level immutability support and point-in-time restore for containers cannot be enabled at the same time.

Encryption configuration options:

  • Encryption type: Microsoft-managed keys (MMK) or Customer-managed keys (CMK) can be used
  • Enable infrastructure encryption: allows double-encrypting the data "for extra safety"

Storage endpoints

| Storage Service | Endpoint |
| --- | --- |
| Blob storage | https://<acc>.blob.core.windows.net (container listing: https://<acc>.blob.core.windows.net/<container>?restype=container&comp=list) |
| Data Lake Storage | https://<acc>.dfs.core.windows.net |
| Azure Files | https://<acc>.file.core.windows.net |
| Queue storage | https://<acc>.queue.core.windows.net |
| Table storage | https://<acc>.table.core.windows.net |

Public Exposure

If "Allow Blob public access" is enabled (it is disabled by default), when creating a container it is possible to:

  • Grant public read access to blobs (the blob name must be known).
  • Allow listing the container's blobs and reading them.
  • Make it completely private.

Static website ($web) exposure & leaked secrets

  • Static websites are served from the special $web container through a regional endpoint such as https://<account>.z13.web.core.windows.net/.
  • The $web container can report publicAccess: null through the blob API while its files are still reachable through the static site endpoint, so leaving config/IaC artifacts there can leak secrets.
  • Quick review workflow:

```bash
# Identify storage accounts with static website hosting enabled
az storage blob service-properties show --account-name <acc-name> --auth-mode login
# Enumerate containers (including $web) and their public flags
az storage container list --account-name <acc-name> --auth-mode login
# List files served by the static site even when publicAccess is null
az storage blob list --container-name '$web' --account-name <acc-name> --auth-mode login
# Pull suspicious files directly (e.g., IaC tfvars containing secrets/SAS)
az storage blob download -c '$web' --name iac/terraform.tfvars --file /dev/stdout --account-name <acc-name> --auth-mode login
```

Anonymous blob exposure check

  • Find storage accounts that could expose data: az storage account list | jq -r '.[] | select(.properties.allowBlobPublicAccess==true) | .name'. If allowBlobPublicAccess is false, containers cannot be made public.
  • Inspect the risky accounts to confirm the flag and other weak settings: az storage account show --name <acc> --query '{allow:properties.allowBlobPublicAccess, minTls:properties.minimumTlsVersion}'.
  • Enumerate container-level exposure where the flag is enabled:

```bash
az storage container list --account-name <acc> \
  --query '[].{name:name, access:properties.publicAccess}'
```

  • "Blob": anonymous reads are allowed only when the blob name is known (no listing).
  • "Container": anonymous listing + read of every blob.
  • null: private; authentication required.
  • Confirm access without credentials:
    • If publicAccess is Container, anonymous listing works: curl "https://<acc>.blob.core.windows.net/<container>?restype=container&comp=list".
    • For both Blob and Container, anonymous blob download works when the name is known:

```bash
az storage blob download -c <container> -n <blob> --account-name <acc> --file /dev/stdout
# or via raw HTTP
curl "https://<acc>.blob.core.windows.net/<container>/<blob>"
```

Connect to Storage

If you find storage you can connect to, you can use the Microsoft Azure Storage Explorer tool to do so.

Storage Access

RBAC

It is possible to use Entra ID principals together with RBAC roles to access storage accounts; this is the recommended approach.

Access Keys

Storage accounts have access keys that can be used to access them. These grant full access to the storage account.

Shared Keys & Lite Shared Keys

It is possible to generate Shared Keys signed with the access keys to authorize access to certain resources through a signed URL.

Note

Note that the CanonicalizedResource part represents the URI of the storage services resource, and if any part of the URL is encoded, it must also be encoded inside CanonicalizedResource.

Note

This is what az cli uses by default to authenticate requests. To use the credentials of an Entra ID principal instead, specify the --auth-mode login param.

  • A shared key for the blob, queue and file services is created by signing the following information:

```
StringToSign = VERB + "\n" +
               Content-Encoding + "\n" +
               Content-Language + "\n" +
               Content-Length + "\n" +
               Content-MD5 + "\n" +
               Content-Type + "\n" +
               Date + "\n" +
               If-Modified-Since + "\n" +
               If-Match + "\n" +
               If-None-Match + "\n" +
               If-Unmodified-Since + "\n" +
               Range + "\n" +
               CanonicalizedHeaders +
               CanonicalizedResource;
```

  • A shared key for the table service is created by signing the following information:

```
StringToSign = VERB + "\n" +
               Content-MD5 + "\n" +
               Content-Type + "\n" +
               Date + "\n" +
               CanonicalizedResource;
```

  • A lite shared key for the blob, queue and file services is created by signing the following information:

```
StringToSign = VERB + "\n" +
               Content-MD5 + "\n" +
               Content-Type + "\n" +
               Date + "\n" +
               CanonicalizedHeaders +
               CanonicalizedResource;
```

  • A lite shared key for the table service is created by signing the following information:

```
StringToSign = Date + "\n" +
               CanonicalizedResource;
```

Then, to use the key, it is placed in the Authorization header following this syntax:

```
Authorization="[SharedKey|SharedKeyLite] <AccountName>:<Signature>"
#e.g.
Authorization: SharedKey myaccount:ctzMq410TV3wS7upTBcunJTDLEJwMAZuFPfr0mrrA08=
```

```
PUT http://myaccount/mycontainer?restype=container&timeout=30 HTTP/1.1
x-ms-version: 2014-02-14
x-ms-date: Fri, 26 Jun 2015 23:39:12 GMT
Authorization: SharedKey myaccount:ctzMq410TV3wS7upTBcunJTDLEJwMAZuFPfr0mrrA08=
Content-Length: 0
```
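As an added example (not code from the original page), the following Python builds the blob-service StringToSign described above, signs it with HMAC-SHA256 exactly as the Authorization header requires, and shows the verification a server performs; the account name, key and request are constructed for the demonstration.

```python
"""Added example (not from the page): build and check the Shared Key
Authorization header described above for a blob-service request."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed credentials for this example only: a fake account name and a
# fake base64 key of the same shape as a real access key.
ACCOUNT = "myaccount"
ACCOUNT_KEY = base64.b64encode(bytes(range(32))).decode()
STANDARD_HEADERS = ["Content-Encoding", "Content-Language", "Content-Length",
                    "Content-MD5", "Content-Type", "Date", "If-Modified-Since",
                    "If-Match", "If-None-Match", "If-Unmodified-Since", "Range"]

def canonicalized_headers(headers):
    """Every x-ms-* header, name lowercased, sorted, as 'name:value\\n'."""
    xms = {k.lower(): v.strip() for k, v in headers.items() if k.lower().startswith("x-ms-")}
    return "".join(f"{name}:{xms[name]}\n" for name in sorted(xms))

def canonicalized_resource(account, url):
    """'/<account><path>' followed by each query parameter on its own line as
    'name:value' (names lowercased and sorted, repeated values comma-joined)."""
    parts = urlsplit(url)
    params = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        params.setdefault(name.lower(), []).extend(values)
    lines = [f"{n}:{','.join(sorted(params[n]))}" for n in sorted(params)]
    return "\n".join([f"/{account}{parts.path}"] + lines)

def string_to_sign(verb, url, headers, account=ACCOUNT):
    """The blob/queue/file StringToSign shown on the page. A Content-Length of
    0 is written as the empty string (service versions 2015-02-21 and later)."""
    lower = {k.lower(): v for k, v in headers.items()}
    fields = [verb.upper()]
    for name in STANDARD_HEADERS:
        value = lower.get(name.lower(), "")
        fields.append("" if name == "Content-Length" and value == "0" else value)
    return "\n".join(fields) + "\n" + canonicalized_headers(headers) + canonicalized_resource(account, url)

def sign(sts, account_key=ACCOUNT_KEY):
    """Signature = Base64(HMAC-SHA256(Base64-decoded key, UTF-8 StringToSign))."""
    digest = hmac.new(base64.b64decode(account_key), sts.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def authorization_header(verb, url, headers):
    return f"SharedKey {ACCOUNT}:{sign(string_to_sign(verb, url, headers))}"

def verify(verb, url, headers, presented):
    # Server side: recompute and compare in constant time; any change to the
    # verb, path, query or x-ms-* headers invalidates the presented signature.
    return hmac.compare_digest(authorization_header(verb, url, headers), presented)

# Constructed request: list the blobs of 'mycontainer' with a fixed x-ms-date.
REQUEST_URL = f"https://{ACCOUNT}.blob.core.windows.net/mycontainer?restype=container&comp=list"
REQUEST_HEADERS = {"x-ms-version": "2022-11-02",
                   "x-ms-date": "Fri, 26 Jun 2015 23:39:12 GMT", "Content-Length": "0"}
```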

Shared Access Signature (SAS)

Shared Access Signatures (SAS) are secure, time-limited URLs that grant specific permissions to access resources in an Azure Storage account without exposing the account's access keys. Whereas access keys grant full administrative access to every resource, a SAS allows fine-grained control by specifying permissions (such as read or write) and setting an expiry time.

SAS Types

  • User delegation SAS: this is created from an Entra ID principal, which signs the SAS and delegates permissions from the user to the SAS. It can only be used with blob and data lake storage (docs). It is possible to revoke all SAS generated by user delegation.
    • It is even possible to create a delegation SAS with "more" permissions than the user has. However, if the principal lacks those permissions, it will not work (no privesc).
  • Service SAS: this is signed with one of the storage account access keys. It can be used to grant access to specific resources in a single storage service. If the key is rotated, the SAS stops working.
  • Account SAS: also signed with one of the storage account access keys. It grants access to resources across the storage account services (Blob, Queue, Table, File) and can include service-level operations.

A SAS URL signed with an access key looks like this:

  • https://<container_name>.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D

A SAS URL signed as a user delegation looks like this:

  • https://<container_name>.blob.core.windows.net/testing-container?sp=r&st=2024-11-22T15:07:40Z&se=2024-11-22T23:07:40Z&skoid=d77c71a1-96e7-483d-bd51-bd753aa66e62&sktid=fdd066e1-ee37-49bc-b08f-d0e152119b04&skt=2024-11-22T15:07:40Z&ske=2024-11-22T23:07:40Z&sks=b&skv=2022-11-02&spr=https&sv=2022-11-02&sr=c&sig=7s5dJyeE6klUNRulUj9TNL0tMj2K7mtxyRc97xbYDqs%3D

Note some of the HTTP params:

  • The se param indicates the expiry date of the SAS
  • The sp param indicates the permissions of the SAS
  • sig is the signature that validates the SAS

SAS permissions

When generating a SAS, the permissions it should grant must be indicated. Depending on the object the SAS is created over, different permissions can be included. For example:

  • (a)dd, (c)reate, (d)elete, (e)xecute, (f)ilter_by_tags, (i)set_immutability_policy, (l)ist, (m)ove, (r)ead, (t)ag, (w)rite, (x)delete_previous_version, (y)permanent_delete
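As an added example (not from the original page), the following Python triages SAS URLs such as the two above for a review: it tells user delegation SAS (skoid present) from key-signed SAS, decodes the sp permission letters listed above, computes the st/se validity window and flags what a defender cares about. The example account host and the 7-day review threshold are assumptions; the query strings are the ones shown on the page.

```python
"""Added example (not from the page): triage SAS URLs found in logs or repos
using the query parameters the page describes (sp, st, se, sr, sig, skoid)."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Permission letters as listed on the page for blob/container SAS.
PERMISSIONS = {"a": "add", "c": "create", "d": "delete", "e": "execute",
               "f": "filter_by_tags", "i": "set_immutability_policy",
               "l": "list", "m": "move", "r": "read", "t": "tag", "w": "write",
               "x": "delete_previous_version", "y": "permanent_delete"}
WRITE_LIKE = set("acdwxymi")   # anything that changes data or its policy
MAX_LIFETIME_HOURS = 7 * 24    # review threshold: an assumption, not an Azure limit

def parse_ts(value):
    """st/se/skt/ske are UTC timestamps such as 2021-09-26T18:15:21Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage_sas(url, now=None):
    """Classify one SAS URL and return the facts a reviewer needs."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    now = now or datetime.now(timezone.utc)
    user_delegation = "skoid" in q  # only present when an Entra principal signed it
    sp = q.get("sp", "")
    start = parse_ts(q["st"]) if "st" in q else now
    expiry = parse_ts(q["se"]) if "se" in q else None
    lifetime_h = (expiry - start).total_seconds() / 3600 if expiry else None
    findings = []
    if not user_delegation:
        findings.append("key-signed: only rotating the account key revokes it")
    if expiry is None:
        findings.append("no se: expiry comes from a stored access policy or is unbounded")
    elif expiry < now:
        findings.append("already expired")
    if lifetime_h is not None and lifetime_h > MAX_LIFETIME_HOURS:
        findings.append(f"long-lived: {lifetime_h:.1f} h > {MAX_LIFETIME_HOURS} h")
    if WRITE_LIKE & set(sp):
        findings.append("write-like permissions: " + "".join(sorted(WRITE_LIKE & set(sp))))
    if q.get("spr", "https") != "https":
        findings.append("allows plain HTTP (spr)")
    return {"kind": "user delegation SAS" if user_delegation else "key-signed SAS (service/account)",
            "resource": parts.path.lstrip("/"), "scope": q.get("sr"),
            "permissions": [PERMISSIONS.get(c, f"unknown({c})") for c in sp],
            "expires": q.get("se"), "lifetime_hours": lifetime_h, "findings": findings}

# Constructed from the two SAS URLs on the page, with an example account host.
HOST = "https://myaccount.blob.core.windows.net"
KEY_SIGNED = HOST + ("/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z"
                     "&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D")
USER_DELEGATION = HOST + ("/testing-container?sp=r&st=2024-11-22T15:07:40Z&se=2024-11-22T23:07:40Z"
                          "&skoid=d77c71a1-96e7-483d-bd51-bd753aa66e62&sktid=fdd066e1-ee37-49bc-b08f-d0e152119b04"
                          "&skt=2024-11-22T15:07:40Z&ske=2024-11-22T23:07:40Z&sks=b&skv=2022-11-02&spr=https"
                          "&sv=2022-11-02&sr=c&sig=7s5dJyeE6klUNRulUj9TNL0tMj2K7mtxyRc97xbYDqs%3D")
```

Call triage_sas(url) on each SAS pulled from a log or repository; the findings list is empty for a short-lived, read-only, HTTPS-only user delegation SAS.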

SFTP Support for Azure Blob Storage

Azure Blob Storage now supports the SSH File Transfer Protocol (SFTP), allowing secure file transfer and management directly into Blob Storage without custom solutions or third-party products.

Key Features

  • Protocol Support: SFTP works with Blob Storage accounts that have a hierarchical namespace (HNS) enabled. This organizes blobs into directories and subdirectories for easier navigation.
  • Security: SFTP uses local user identities for authentication and does not integrate with RBAC or ABAC. Each local user can authenticate with:
    • Azure-generated passwords
    • Public-private SSH key pairs
  • Granular Permissions: permissions such as Read, Write, Delete, and List can be assigned to local users for up to 100 containers.
  • Networking Considerations: SFTP connections go over port 22. Azure supports network configurations such as firewalls, private endpoints, or virtual networks to protect SFTP traffic.

Setup Requirements

  • Hierarchical Namespace: HNS must be enabled when the storage account is created.
  • Supported Encryption: requires cryptographic algorithms approved by the Microsoft Security Development Lifecycle (SDL) (e.g. rsa-sha2-256, ecdsa-sha2-nistp256).
  • SFTP Configuration:
    • Enable SFTP on the storage account.
    • Create local user identities with the appropriate permissions.
    • Configure home directories for the users to define their starting location inside the container.

Permissions

| Permission | Symbol | Description |
| --- | --- | --- |
| Read | r | Read file contents. |
| Write | w | Upload files and create directories. |
| List | l | List directory contents. |
| Delete | d | Delete files or directories. |
| Create | c | Create files or directories. |
| Modify Ownership | o | Change the owning user or group. |
| Modify Permissions | p | Change ACLs on files or directories. |

Enumeration

az cli enumeration

```bash
# Get storage accounts
az storage account list #Get the account name from here

# BLOB STORAGE
# List containers
az storage container list --account-name <account-name>
# Check if public access is allowed
az storage container show-permission \
  --account-name <account-name> \
  -n <container-name>
# Make a container public
az storage container set-permission \
  --public-access container \
  --account-name <account-name> \
  -n <container-name>
# List blobs in a container
az storage blob list \
  --container-name <container-name> \
  --account-name <account-name>
# Download blob
az storage blob download \
  --account-name <account-name> \
  --container-name <container-name> \
  --name <blob-name> \
  --file </path/to/local/file>
# Create container policy
az storage container policy create \
  --account-name mystorageaccount \
  --container-name mycontainer \
  --name fullaccesspolicy \
  --permissions racwdl \
  --start 2023-11-22T00:00Z \
  --expiry 2024-11-22T00:00Z

# QUEUE
az storage queue list --account-name <account-name>
az storage message peek --account-name <account-name> --queue-name <queue-name>

# ACCESS KEYS
az storage account keys list --account-name <account-name>
# Check key policies (expiration time?)
az storage account show -n <account-name> --query "{KeyPolicy:keyPolicy}"
# Once having the key, it's possible to use it with the argument --account-key
# Enum blobs with account key
az storage blob list \
  --container-name <container-name> \
  --account-name <account-name> \
  --account-key "ZrF40pkVKvWPUr[…]v7LZw=="
# Download a file using an account key
az storage blob download \
  --account-name <account-name> \
  --account-key "ZrF40pkVKvWPUr[…]v7LZw==" \
  --container-name <container-name> \
  --name <blob-name> \
  --file </path/to/local/file>
# Upload a file using an account key
az storage blob upload \
  --account-name <account-name> \
  --account-key "ZrF40pkVKvWPUr[…]v7LZw==" \
  --container-name <container-name> \
  --file </path/to/local/file>

# SAS
# List access policies
az storage <container|queue|share|table> policy list \
  --account-name <account-name> \
  --container-name <container-name>
# Generate SAS with all permissions using an access key
az storage <container|queue|share|table|blob> generate-sas \
  --permissions acdefilmrtwxy \
  --expiry 2024-12-31T23:59:00Z \
  --account-name <account-name> \
  -n <name>
# Generate SAS with all permissions via user delegation
az storage <container|queue|share|table|blob> generate-sas \
  --permissions acdefilmrtwxy \
  --expiry 2024-12-31T23:59:00Z \
  --account-name <account-name> \
  --as-user --auth-mode login \
  -n <name>
# Generate account SAS
az storage account generate-sas \
  --expiry 2024-12-31T23:59:00Z \
  --account-name <account-name> \
  --services qt \
  --resource-types sco \
  --permissions acdfilrtuwxy
# Use the returned SAS key with the param --sas-token
# e.g.
az storage blob show \
  --account-name <account-name> \
  --container-name <container-name> \
  --sas-token 'se=2024-12-31T23%3A59%3A00Z&sp=racwdxyltfmei&sv=2022-11-02&sr=c&sig=ym%2Bu%2BQp5qqrPotIK5/rrm7EMMxZRwF/hMWLfK1VWy6E%3D' \
  --name 'asd.txt'

# LOCAL USERS (SFTP)
# List users
az storage account local-user list \
  --account-name <account-name> \
  --resource-group <resource-group>
# Get user
az storage account local-user show \
  --account-name <account-name> \
  --resource-group <resource-group> \
  --name <user-name>
# List keys
az storage account local-user list-keys \
  --account-name <account-name> \
  --resource-group <resource-group> \
  --name <user-name>
```

Enumeration with Az PowerShell

```powershell
# Get storage accounts
Get-AzStorageAccount | fl
# Get rules to access the storage account
Get-AzStorageAccount | select -ExpandProperty NetworkRuleSet
# Get IPs
(Get-AzStorageAccount | select -ExpandProperty NetworkRuleSet).IPRules
# Get containers of a storage account
Get-AzStorageContainer -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context
# Get blobs inside container
Get-AzStorageBlob -Container epbackup-planetary -Context (Get-AzStorageAccount -name <name> -ResourceGroupName <name>).context
# Get a blob from a container
Get-AzStorageBlobContent -Container <NAME> -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context -Blob <blob_name> -Destination .\Desktop\filename.txt

# Create a Container Policy
New-AzStorageContainerStoredAccessPolicy `
-Context (Get-AzStorageAccount -Name <NAME> -ResourceGroupName <NAME>).Context `
-Container <container-name> `
-Policy <policy-name> `
-Permission racwdl `
-StartTime (Get-Date "2023-11-22T00:00Z") `
-ExpiryTime (Get-Date "2024-11-22T00:00Z")
#Get Container policy
Get-AzStorageContainerStoredAccessPolicy `
-Context (Get-AzStorageAccount -Name <NAME> -ResourceGroupName <NAME>).Context `
-Container "storageaccount1994container"

# Queue Management
Get-AzStorageQueue -Context (Get-AzStorageAccount -Name <NAME> -ResourceGroupName <NAME>).Context
(Get-AzStorageQueue -Name <NAME> -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).Context).QueueClient.PeekMessage().Value

#Blob Container
Get-AzStorageBlob -Container <container-name> -Context $(Get-AzStorageAccount -name "teststorageaccount1998az" -ResourceGroupName "testStorageGroup").Context
Get-AzStorageBlobContent `
-Container <container-name> `
-Blob <blob-name> `
-Destination <local-path> `
-Context $(Get-AzStorageAccount -name "teststorageaccount1998az" -ResourceGroupName "testStorageGroup").Context

Set-AzStorageBlobContent `
-Container <container-name> `
-File <local-file-path> `
-Blob <blob-name> `
-Context $(Get-AzStorageAccount -name "teststorageaccount1998az" -ResourceGroupName "testStorageGroup").Context

# Shared Access Signatures (SAS)
Get-AzStorageContainerAcl `
-Container <container-name> `
-Context (Get-AzStorageAccount -Name <NAME> -ResourceGroupName <NAME>).Context

$ctx = (Get-AzStorageAccount -Name <NAME> -ResourceGroupName <NAME>).Context
New-AzStorageBlobSASToken `
-Context $ctx `
-Container <container-name> `
-Blob <blob-name> `
-Permission racwdl `
-ExpiryTime (Get-Date "2024-12-31T23:59:00Z")
```

File Shares

Az - File Shares

Privilege Escalation

Az - Storage Privesc

Post Exploitation

Az - Blob Storage Post Exploitation

Persistence

Az - Storage Persistence

References
