GITBOOK-741: No subject

SUMMARY.md

@@ -443,6 +443,7 @@
   * [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md)
     * [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md)
     * [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md)
+    * [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md)
     * [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md)
     * [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md)
     * [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md)

pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md

@@ -15,7 +15,7 @@ Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).p
 </details>
 {% endhint %}
 
-## File Share Privesc
+## File Share Post Exploitation
 
 For more information about file shares check:
 

pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md

@@ -0,0 +1,47 @@
+# Az - Function Apps Post Exploitation
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+
+<details>
+
+<summary>Support HackTricks</summary>
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+{% endhint %}
+
+## Funciton Apps Post Exploitaiton
+
+For more information about function apps check:
+
+{% content-ref url="../az-services/az-function-apps.md" %}
+[az-function-apps.md](../az-services/az-function-apps.md)
+{% endcontent-ref %}
+
+{% hint style="danger" %}
+**Function Apps post exploitation tricks are very related to the privilege escalation tricks** so you can find all of them there:
+{% endhint %}
+
+{% content-ref url="../az-privilege-escalation/az-functions-app-privesc.md" %}
+[az-functions-app-privesc.md](../az-privilege-escalation/az-functions-app-privesc.md)
+{% endcontent-ref %}
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
+Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
+
+<details>
+
+<summary>Support HackTricks</summary>
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+</details>
+{% endhint %}

pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md

@@ -65,7 +65,7 @@ open "smb://<STORAGE-ACCOUNT>.file.core.windows.net/<FILE-SHARE-NAME>"
 ```
 {% endcode %}
 
-* **`function-releases`** (`WEBSITE_RUN_FROM_PACKAGE)`
+* **`function-releases`** (`WEBSITE_RUN_FROM_PACKAGE`)
 
 It's also common to find the **zip releases** inside the folder `function-releases` of the Storage Account container that the function app is using in a container **usually called `function-releases`**.
 
@@ -195,7 +195,7 @@ az rest --method POST --uri "https://management.azure.com/subscriptions/<subsrip
 
 ### Microsoft.Web/sites/host/functionKeys/write
 
-This permission allows to create/update a function key to the specified function with:
+This permission allows to create/update a function key of the specified function with:
 
 {% code overflow="wrap" %}
 ```bash
@@ -213,6 +213,10 @@ az functionapp keys set --resource-group <res_group> --key-name <key-name> --key
 ```
 {% endcode %}
 
+{% hint style="danger" %}
+Remember that with this key you can also access the source code and modify it as explained before!
+{% endhint %}
+
 ### Microsoft.Web/sites/host/systemKeys/write
 
 This permission allows to create/update a system function key to the specified function with:
@@ -225,7 +229,7 @@ az functionapp keys set --resource-group <res_group> --key-name <key-name> --key
 
 ### Microsoft.Web/sites/config/list/action
 
-This permission allows to get the settings of a function. Inside these configurations it might be possible to find the default values **`AzureWebJobsStorage`** or **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** which actually contains an **account key to access the blob storage of the function with FULL permissions**.
+This permission allows to get the settings of a function. Inside these configurations it might be possible to find the default values **`AzureWebJobsStorage`** or **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** which contains an **account key to access the blob storage of the function with FULL permissions**.
 
 {% code overflow="wrap" %}
 ```bash
@@ -246,7 +250,7 @@ az rest --method POST \
 
 These permissions allows to list the config values of a function as we have seen before plus **modify these values**. This is useful because these settings indicate where the code to execute inside the function is located.&#x20;
 
-It's therefore possible to set the value of the setting **`WEBSITE_RUN_FROM_PACKAGE`** pointing to a zip file containing the new code to execute inside a web application:
+It's therefore possible to set the value of the setting **`WEBSITE_RUN_FROM_PACKAGE`** pointing to an URL zip file containing the new code to execute inside a web application:
 
 * Start by getting the current config
 
@@ -256,7 +260,7 @@ az functionapp config appsettings list \
   --resource-group <res-name>
 ```
 
-* Create the code you want the funciton to run and host it publicly
+* Create the code you want the function to run and host it publicly
 
 ```bash
 # Write inside /tmp/web/function_app.py the code of the function 
@@ -297,7 +301,7 @@ az rest --method PUT \
 ```
 {% endcode %}
 
-### `Microsoft.Web/sites/publishxml/action, (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write)`
+### Microsoft.Web/sites/publishxml/action, (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write)
 
 This permissions allows to list all the publishing profiles which basically contains **basic auth credentials**:
 
@@ -309,7 +313,7 @@ az functionapp deployment list-publishing-profiles \
     --output json
 ```
 
-Aonther option would be to set you own creds and use them using:
+Another option would be to set you own creds and use them using:
 
 ```bash
 az functionapp deployment user set \
@@ -445,6 +449,29 @@ az rest --url "https://management.azure.com/subscriptions/<subscripntion-id>/res
 ```
 {% endcode %}
 
+### Microsoft.Web/sites/config/write, Microsoft.Web/sites/config/list/action, (Microsoft.Web/sites/read, Microsoft.Web/sites/config/list/action, Microsoft.Web/sites/config/read)
+
+With these permissions it's possible to **modify the container run by a function app** configured to run a container. This would allow an attacker to upload a malicious azure function container app to docker hub (for example) and make the function execute it.
+
+```bash
+az functionapp config container set --name <app-name> \
+    --resource-group <res-group> \
+    --image "mcr.microsoft.com/azure-functions/dotnet8-quickstart-demo:1.0"
+```
+
+### Microsoft.Web/sites/write, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action, Microsoft.App/managedEnvironments/join/action, (Microsoft.Web/sites/read, Microsoft.Web/sites/operationresults/read)
+
+With these permissions it's possible to **attach a new user managed identity to a function**. If the function was compromised this would allow to escalate privileges to any user managed identity.
+
+{% code overflow="wrap" %}
+```bash
+az functionapp identity assign \
+    --name <app-name> \
+    --resource-group <res-group> \
+    --identities /subscriptions/<subs-id>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<mi-name>
+```
+{% endcode %}
+
 ### Remote Debugging
 
 It's also possible to connect to debug a running Azure function as [**explained in the docs**](https://learn.microsoft.com/en-us/azure/azure-functions/functions-develop-vs). However, by default Azure will turn this option to off in 2 days in case the developer forgets to avoid leaving vulnerable configurations.

pentesting-cloud/azure-security/az-services/az-function-apps.md

@@ -74,9 +74,11 @@ The **system assigned** one will be a managed identity that **only the function*
 
 {% hint style="info" %}
 Just like in [**VMs**](vms/), Functions can have **1 system assigned** managed identity and **several user assigned** ones, so it's always important to try to find all of them if you compromise the function because you might be able to escalate privileges to several managed identities from just one Function.
+
+If a no system managed identity is used but one or more user managed identities are attached to a function, by default you won’t be able to get any token.
 {% endhint %}
 
-It's possible to use the [**PEASS scripts**](https://github.com/peass-ng/PEASS-ng) to get tokens from the default managed identity from the metadata endpoint. Or you could get them manually as explained in:
+It's possible to use the [**PEASS scripts**](https://github.com/peass-ng/PEASS-ng) to get tokens from the default managed identity from the metadata endpoint. Or you could get them **manually** as explained in:
 
 {% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" %}
 
@@ -206,6 +208,12 @@ Moreover, a **Managed Identity** is also created so the Github Action from the r
 Therefore, anyone compromising that repo will be able to compromise the function and the Managed Identities attached to it.
 {% endhint %}
 
+### Container Based Deployments
+
+Not all the plans allow to deploy containers, but for the ones that do, the configuration will contain the URL of the container. In the API  the **`linuxFxVersion`** setting will ha something like: `DOCKER|mcr.microsoft.com/...`, while in the web console, the configuration will show the **image settings**.
+
+Moreover, **no source code will be stored in the storage** account related to the function as it's not needed.
+
 ## Enumeration
 
 {% code overflow="wrap" %}
@@ -215,11 +223,20 @@ az functionapp list
 
 # Get info of 1 funciton (although in the list you already get this info)
 az functionapp show --name <app-name> --resource-group <res-group>
+## If "linuxFxVersion" has something like: "DOCKER|mcr.microsoft.com/..."
+## This is using a container
 
 # Get details about the source of the function code
 az functionapp deployment source show \
   --name <app-name> \
   --resource-group <res-group>
+## If error like "This is currently not supported."
+## Then, this is probalby using a container
+
+# Get more info if a container is being used
+az functionapp config container show \
+  --name <name> \
+  --resource-group <res-group>
   
 # Get settings (and privesc to the sorage account)
 az functionapp config appsettings list --name <app-name> --resource-group <res-group>