Az - Virtual Desktop Privesc

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Azure Virtual Desktop Privesc

For more information about Azure Virtual Desktop, check:

Az - Virtual Desktop

Microsoft.DesktopVirtualization/hostPools/retrieveRegistrationToken/action

You can retrieve the registration token used to register virtual machines in a host pool.

az desktopvirtualization hostpool retrieve-registration-token -n testhostpool -g Resource_Group_1

Microsoft.Authorization/roleAssignments/read, Microsoft.Authorization/roleAssignments/write

Warning

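An attacker with these permissions can do far more dangerous things than this.

With these permissions, you can add a user assignment to the application group, which is required to access the virtual machines of the virtual desktop: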

az rest --method PUT \
  --uri "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.DesktopVirtualization/applicationGroups/<APP_GROUP_NAME>/providers/Microsoft.Authorization/roleAssignments/<NEW_ROLE_ASSIGNMENT_GUID>?api-version=2022-04-01" \
  --body '{
    "properties": {
      "roleDefinitionId": "/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
      "principalId": "<USER_OBJECT_ID>"
    }
  }'

Note that for a user to be able to access a desktop or an application, they also need the Virtual Machine User Login or Virtual Machine Administrator Login role on the VM.
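
For defenders, both operations on this page are control-plane calls that can be searched for in exported Azure Activity Log records. The following is an added example, not part of the original page: the record layout, caller names, resource names and allowlist are assumptions, and all sample records are constructed.

```python
# Flag the two operations from this page in Azure Activity Log records.
# Record layout is an assumption modelled on `az monitor activity-log list` output.
TOKEN_OP = "microsoft.desktopvirtualization/hostpools/retrieveregistrationtoken/action"
ROLE_WRITE_OP = "microsoft.authorization/roleassignments/write"
APP_GROUP = "/providers/microsoft.desktopvirtualization/applicationgroups/"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-avd"  # placeholder

def record(op, resource, caller, status="Succeeded"):
    return {"operationName": {"value": op}, "resourceId": SUB + resource,
            "caller": caller, "status": {"value": status}}

SAMPLE_LOG = [  # constructed records, not real log data
    record("Microsoft.DesktopVirtualization/hostPools/retrieveRegistrationToken/action",
           "/providers/Microsoft.DesktopVirtualization/hostPools/testhostpool",
           "alice@example.com"),
    # Some exports upper-case the operation name, so matching is case-insensitive.
    record("MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
           "/providers/Microsoft.DesktopVirtualization/applicationGroups/ag1"
           "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
           "bob@example.com"),
    # Role assignment on an unrelated resource type: outside this check.
    record("Microsoft.Authorization/roleAssignments/write",
           "/providers/Microsoft.Storage/storageAccounts/st1"
           "/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222",
           "bob@example.com"),
    # Expected deployment identity retrieving a token: suppressed by the allowlist.
    record("Microsoft.DesktopVirtualization/hostPools/retrieveRegistrationToken/action",
           "/providers/Microsoft.DesktopVirtualization/hostPools/testhostpool",
           "avd-deploy@example.com"),
]

def flag_events(records, allowed_callers=frozenset()):
    """Return (finding, caller, status) for events matching this page's operations."""
    findings = []
    for rec in records:
        op = rec.get("operationName", {}).get("value", "").lower()
        caller, status = rec.get("caller", ""), rec.get("status", {}).get("value", "")
        if caller in allowed_callers:
            continue
        if op == TOKEN_OP:
            findings.append(("registration-token-retrieved", caller, status))
        elif op == ROLE_WRITE_OP and APP_GROUP in rec.get("resourceId", "").lower():
            findings.append(("app-group-role-assignment", caller, status))
    return findings

if __name__ == "__main__":
    for finding in flag_events(SAMPLE_LOG, allowed_callers={"avd-deploy@example.com"}):
        print(finding)
```

The allowlist should contain only the identities that legitimately register session hosts or manage application group assignments; any other caller on these operations warrants review.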
