-
Notifications
You must be signed in to change notification settings - Fork 255
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
39a48ff
commit 3acfd79
Showing
6 changed files
with
216 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
90 changes: 90 additions & 0 deletions
90
...cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,90 @@ | ||
| # Az - Table Storage Post Exploitation | ||
|
|
||
| {% hint style="success" %} | ||
| Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">\ | ||
| Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte) | ||
|
|
||
| <details> | ||
|
|
||
| <summary>Support HackTricks</summary> | ||
|
|
||
| * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! | ||
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** | ||
| * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. | ||
|
|
||
| </details> | ||
| {% endhint %} | ||
|
|
||
| ## Table Storage Privesc | ||
|
|
||
| For more information about table storage check: | ||
|
|
||
| {% content-ref url="../az-services/az-table-storage.md" %} | ||
| [az-table-storage.md](../az-services/az-table-storage.md) | ||
| {% endcontent-ref %} | ||
|
|
||
| ### Microsoft.Storage/storageAccounts/tableServices/tables/entities/read | ||
|
|
||
| A principal with this permission will be able to **list** the tables inside a table storage and **read the info** which might contain **sensitive information**. | ||
|
|
||
| ```bash | ||
| # List tables | ||
| az storage table list --auth-mode login --account-name <name> | ||
|
|
||
| # Read table (top 10) | ||
| az storage entity query \ | ||
| --account-name <name> \ | ||
| --table-name <t-name> \ | ||
| --auth-mode login \ | ||
| --top 10 | ||
| ``` | ||
|
|
||
| ### Microsoft.Storage/storageAccounts/tableServices/tables/entities/write | Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action | Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action | ||
|
|
||
| A principal with this permission will be able to **write and overwrite entries in tables** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some trusted data that could abuse some injection vulnerability in the app using it). | ||
|
|
||
| * The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/write` allows all the actions. | ||
| * The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action` allows to **add** entries | ||
| * The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action` allows to **update** existing entries | ||
|
|
||
| ```bash | ||
| # Add | ||
| az storage entity insert \ | ||
| --account-name <acc-name> \ | ||
| --table-name <t-name> \ | ||
| --auth-mode login \ | ||
| --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" | ||
|
|
||
| # Replace | ||
| az storage entity replace \ | ||
| --account-name <acc-name> \ | ||
| --table-name <t-name> \ | ||
| --auth-mode login \ | ||
| --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" | ||
|
|
||
| # Update | ||
| az storage entity merge \ | ||
| --account-name <acc-name> \ | ||
| --table-name <t-name> \ | ||
| --auth-mode login \ | ||
| --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" | ||
| ``` | ||
|
|
||
| ### \*/delete | ||
|
|
||
| This would allow to delete file inside the shared filesystem which might **interrupt some services** or make the client **lose valuable information**. | ||
|
|
||
| {% hint style="success" %} | ||
| Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">\ | ||
| Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte) | ||
|
|
||
| <details> | ||
|
|
||
| <summary>Support HackTricks</summary> | ||
|
|
||
| * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! | ||
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** | ||
| * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. | ||
|
|
||
| </details> | ||
| {% endhint %} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
120 changes: 120 additions & 0 deletions
120
pentesting-cloud/azure-security/az-services/az-table-storage.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,120 @@ | ||
| # Az - Table Storage | ||
|
|
||
| {% hint style="success" %} | ||
| Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">\ | ||
| Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte) | ||
|
|
||
| <details> | ||
|
|
||
| <summary>Support HackTricks</summary> | ||
|
|
||
| * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! | ||
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** | ||
| * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. | ||
|
|
||
| </details> | ||
| {% endhint %} | ||
|
|
||
| ## Basic Information | ||
|
|
||
| **Azure Table Storage** is a NoSQL key-value store designed for storing large volumes of structured, non-relational data. It offers high availability, low latency, and scalability to handle large datasets efficiently. Data is organized into tables, with each entity identified by a partition key and row key, enabling fast lookups. It supports features like encryption at rest, role-based access control, and shared access signatures for secure, managed storage suitable for a wide range of applications. | ||
|
|
||
| There **isn't built-in backup mechanism** for table storage. | ||
|
|
||
| ### Keys | ||
|
|
||
| #### **PartitionKey** | ||
|
|
||
| * The **PartitionKey groups entities into logical partitions**. Entities with the same PartitionKey are stored together, which improves query performance and scalability. | ||
| * Example: In a table storing employee data, `PartitionKey` might represent a department, e.g., `"HR"` or `"IT"`. | ||
|
|
||
| #### **RowKey** | ||
|
|
||
| * The **RowKey is the unique identifier** for an entity within a partition. When combined with the PartitionKey, it ensures that each entity in the table has a globally unique identifier. | ||
| * Example: For the `"HR"` partition, `RowKey` might be an employee ID, e.g., `"12345"`. | ||
|
|
||
| #### **Other Properties (Custom Properties)** | ||
|
|
||
| * Besides the PartitionKey and RowKey, an entity can have additional **custom properties to store data**. These are user-defined and act like columns in a traditional database. | ||
| * Properties are stored as **key-value pairs**. | ||
| * Example: `Name`, `Age`, `Title` could be custom properties for an employee. | ||
|
|
||
| ## Enumeration | ||
|
|
||
| ```bash | ||
| # Get storage accounts | ||
| az storage account list | ||
|
|
||
| # List tables | ||
| az storage table list --account-name <name> | ||
|
|
||
| # Read table | ||
| az storage entity query \ | ||
| --account-name <name> \ | ||
| --table-name <t-name> \ | ||
| --top 10 | ||
|
|
||
| # Write table | ||
| az storage entity insert \ | ||
| --account-name <STORAGE_ACCOUNT_NAME> \ | ||
| --table-name <TABLE_NAME> \ | ||
| --entity PartitionKey=<PARTITION_KEY> RowKey=<ROW_KEY> <PROPERTY_KEY>=<PROPERTY_VALUE> | ||
|
|
||
| # Write example | ||
| az storage entity insert \ | ||
| --account-name mystorageaccount \ | ||
| --table-name mytable \ | ||
| --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" | ||
|
|
||
| # Update row | ||
| az storage entity merge \ | ||
| --account-name mystorageaccount \ | ||
| --table-name mytable \ | ||
| --entity PartitionKey=pk1 RowKey=rk1 Age=31 | ||
| ``` | ||
|
|
||
| {% hint style="info" %} | ||
| By default `az` cli will use an account key to sign a key and perform the action. To use the Entra ID principal privileges use the parameters `--auth-mode login`. | ||
| {% endhint %} | ||
|
|
||
| {% hint style="success" %} | ||
| Use the param `--account-key` to indicate the account key to use\ | ||
| Use the param `--sas-token` with the SAS token to access via a SAS token | ||
| {% endhint %} | ||
|
|
||
| ## Privilege Escalation | ||
|
|
||
| Same as storage privesc: | ||
|
|
||
| {% content-ref url="../az-privilege-escalation/az-storage-privesc.md" %} | ||
| [az-storage-privesc.md](../az-privilege-escalation/az-storage-privesc.md) | ||
| {% endcontent-ref %} | ||
|
|
||
| ## Post Exploitation | ||
|
|
||
| {% content-ref url="../az-post-exploitation/az-table-storage-post-exploitation.md" %} | ||
| [az-table-storage-post-exploitation.md](../az-post-exploitation/az-table-storage-post-exploitation.md) | ||
| {% endcontent-ref %} | ||
|
|
||
| ## Persistence | ||
|
|
||
| Same as storage persistence: | ||
|
|
||
| {% content-ref url="../az-persistence/az-storage-persistence.md" %} | ||
| [az-storage-persistence.md](../az-persistence/az-storage-persistence.md) | ||
| {% endcontent-ref %} | ||
|
|
||
| {% hint style="success" %} | ||
| Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">\ | ||
| Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte) | ||
|
|
||
| <details> | ||
|
|
||
| <summary>Support HackTricks</summary> | ||
|
|
||
| * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! | ||
| * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** | ||
| * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. | ||
|
|
||
| </details> | ||
| {% endhint %} |