Skip to content

Commit

Permalink
GITBOOK-709: No subject
Browse files Browse the repository at this point in the history
  • Loading branch information
@carlospolop @gitbook-bot
carlospolop authored and gitbook-bot committed Nov 22, 2024
1 parent 28581ff commit 787a041
Show file tree
Hide file tree
Showing 7 changed files with 335 additions and 10 deletions.
5 changes: 5 additions & 0 deletions SUMMARY.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -430,6 +430,11 @@
* [Az - Phishing Primary Refresh Token (Microsoft Entra)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md)
* [Az - Processes Memory Access Token](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md)
* [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md)
* [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md)
* [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md)
* [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md)
* [Az - Authorization Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md)
* [Az - Key Vault Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md)
* [Az - Persistence](pentesting-cloud/azure-security/az-persistence.md)
* [Az - Device Registration](pentesting-cloud/azure-security/az-device-registration.md)
* [Az - Entra ID (formerly AzureAD - AAD)](pentesting-cloud/azure-security/az-azuread/README.md)
Expand Down
2 changes: 2 additions & 0 deletions pentesting-cloud/azure-security/az-post-exploitation/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
# Az - Post Exploitation

147 changes: 147 additions & 0 deletions ...ing-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,147 @@
# Az - Key Vault Post Exploitation

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Azure Key Vault

For more information about this service check:

{% content-ref url="../az-services/keyvault.md" %}
[keyvault.md](../az-services/keyvault.md)
{% endcontent-ref %}

### Microsoft.KeyVault/vaults/secrets/getSecret/action

This permission will allow a principal to read the secret value of secrets:

{% code overflow="wrap" %}
```bash
az keyvault secret show --vault-name <vault name> --name <secret name>

# Get old version secret value
az keyvault secret show --id https://<KeyVaultName>.vault.azure.net/secrets/<KeyVaultName>/<idOldVersion>
```
{% endcode %}

### **Microsoft.KeyVault/vaults/certificates/purge/action**

This permission allows a principal to permanently delete a certificate from the vault.

```bash
az keyvault certificate purge --vault-name <vault name> --name <certificate name>
```

### **Microsoft.KeyVault/vaults/keys/encrypt/action**

This permission allows a principal to encrypt data using a key stored in the vault.

{% code overflow="wrap" %}
```bash
az keyvault key encrypt --vault-name <vault name> --name <key name> --algorithm <algorithm> --value <value>

# Example
echo "HackTricks" | base64 # SGFja1RyaWNrcwo=
az keyvault key encrypt --vault-name testing-1231234 --name testing --algorithm RSA-OAEP-256 --value SGFja1RyaWNrcwo=
```
{% endcode %}

### **Microsoft.KeyVault/vaults/keys/decrypt/action**

This permission allows a principal to decrypt data using a key stored in the vault.

{% code overflow="wrap" %}
```bash
az keyvault key decrypt --vault-name <vault name> --name <key name> --algorithm <algorithm> --value <value>

# Example
az keyvault key decrypt --vault-name testing-1231234 --name testing --algorithm RSA-OAEP-256 --value "ISZ+7dNcDJXLPR5MkdjNvGbtYK3a6Rg0ph/+3g1IoUrCwXnF791xSF0O4rcdVyyBnKRu0cbucqQ/+0fk2QyAZP/aWo/gaxUH55pubS8Zjyw/tBhC5BRJiCtFX4tzUtgTjg8lv3S4SXpYUPxev9t/9UwUixUlJoqu0BgQoXQhyhP7PfgAGsxayyqxQ8EMdkx9DIR/t9jSjv+6q8GW9NFQjOh70FCjEOpYKy9pEGdLtPTrirp3fZXgkYfIIV77TXuHHdR9Z9GG/6ge7xc9XT6X9ciE7nIXNMQGGVCcu3JAn9BZolb3uL7PBCEq+k2rH4tY0jwkxinM45tg38Re2D6CEA==" # This is the result from the previous encryption
```
{% endcode %}

### **Microsoft.KeyVault/vaults/keys/purge/action**

This permission allows a principal to permanently delete a key from the vault.

```bash
az keyvault key purge --vault-name <vault name> --name <key name>
```

### **Microsoft.KeyVault/vaults/secrets/purge/action**

This permission allows a principal to permanently delete a secret from the vault.

```bash
az keyvault secret purge --vault-name <vault name> --name <secret name>
```

### **Microsoft.KeyVault/vaults/secrets/setSecret/action**

This permission allows a principal to create or update a secret in the vault.

{% code overflow="wrap" %}
```bash
az keyvault secret set --vault-name <vault name> --name <secret name> --value <secret value>
```
{% endcode %}

### **Microsoft.KeyVault/vaults/certificates/delete**

This permission allows a principal to delete a certificate from the vault. The certificate is moved to the "soft-delete" state, where it can be recovered unless purged.

{% code overflow="wrap" %}
```bash
az keyvault certificate delete --vault-name <vault name> --name <certificate name>
```
{% endcode %}

### **Microsoft.KeyVault/vaults/keys/delete**

This permission allows a principal to delete a key from the vault. The key is moved to the "soft-delete" state, where it can be recovered unless purged.

```bash
az keyvault key delete --vault-name <vault name> --name <key name>
```

### **Microsoft.KeyVault/vaults/secrets/delete**

This permission allows a principal to delete a secret from the vault. The secret is moved to the "soft-delete" state, where it can be recovered unless purged.

```bash
az keyvault secret delete --vault-name <vault name> --name <secret name>
```

### Microsoft.KeyVault/vaults/secrets/restore/action

This permission allows a principal to restore a secret from a backup.

```bash
az keyvault secret restore --vault-name <vault-name> --file <backup-file-path>
```

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
2 changes: 2 additions & 0 deletions pentesting-cloud/azure-security/az-privilege-escalation/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
# Az - Privilege Escalation

42 changes: 42 additions & 0 deletions ...esting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
# Az - Authorization Privesc

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

### Microsoft.Authorization/roleAssignments/write

This permission allows to assign roles to principals over a specific scope:

{% code overflow="wrap" %}
```bash
# Example
az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234"
```
{% endcode %}

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
60 changes: 60 additions & 0 deletions pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
# Az - Key Vault Privesc

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Azure Key Vault

For more information about this service check:

{% content-ref url="../az-services/keyvault.md" %}
[keyvault.md](../az-services/keyvault.md)
{% endcontent-ref %}

### Microsoft.KeyVault/vaults/write

An attacker with this permission will be able to modify the policy of a key vault (the key vault must be using access policies instead of RBAC).

```bash
# If access policies in the output, then you can abuse it
az keyvault show --name <vault-name>

# Get current principal ID
az ad signed-in-user show --query id --output tsv

# Assign all permissions
az keyvault set-policy \
--name <vault-name> \
--object-id <your-object-id> \
--key-permissions all \
--secret-permissions all \
--certificate-permissions all \
--storage-permissions all
```

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
Loading

0 comments on commit 787a041

Please sign in to comment.