diff --git a/SUMMARY.md b/SUMMARY.md index 62d0f7298f..211dec980c 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -443,6 +443,7 @@ * [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md) * [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md) * [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md) + * [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md) * [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md) * [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md) * [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md) diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md index 6176807e12..648443c172 100644 --- a/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md +++ b/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md @@ -15,7 +15,7 @@ Learn & practice GCP Hacking: [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Funciton Apps Post Exploitaiton + +For more information about function apps check: + +{% content-ref url="../az-services/az-function-apps.md" %} +[az-function-apps.md](../az-services/az-function-apps.md) +{% endcontent-ref %} + +{% hint style="danger" %} +**Function Apps post exploitation tricks are very related to the privilege escalation tricks** so you can find all of them there: +{% endhint %} + +{% content-ref url="../az-privilege-escalation/az-functions-app-privesc.md" %} +[az-functions-app-privesc.md](../az-privilege-escalation/az-functions-app-privesc.md) +{% endcontent-ref %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md index f23d00ffbe..c2b691c2cb 100644 --- a/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md @@ -65,7 +65,7 @@ open "smb://.file.core.windows.net/" ``` {% endcode %} -* **`function-releases`** (`WEBSITE_RUN_FROM_PACKAGE)` +* **`function-releases`** (`WEBSITE_RUN_FROM_PACKAGE`) It's also common to find the **zip releases** inside the folder `function-releases` of the Storage Account container that the function app is using in a container **usually called `function-releases`**. @@ -195,7 +195,7 @@ az rest --method POST --uri "https://management.azure.com/subscriptions/ --key-name --key ``` {% endcode %} +{% hint style="danger" %} +Remember that with this key you can also access the source code and modify it as explained before! +{% endhint %} + ### Microsoft.Web/sites/host/systemKeys/write This permission allows to create/update a system function key to the specified function with: 
@@ -225,7 +229,7 @@ az functionapp keys set --resource-group --key-name --key ### Microsoft.Web/sites/config/list/action -This permission allows to get the settings of a function. Inside these configurations it might be possible to find the default values **`AzureWebJobsStorage`** or **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** which actually contains an **account key to access the blob storage of the function with FULL permissions**. +This permission allows to get the settings of a function. Inside these configurations it might be possible to find the default values **`AzureWebJobsStorage`** or **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** which contains an **account key to access the blob storage of the function with FULL permissions**. {% code overflow="wrap" %} ```bash @@ -246,7 +250,7 @@ az rest --method POST \ These permissions allows to list the config values of a function as we have seen before plus **modify these values**. This is useful because these settings indicate where the code to execute inside the function is located. -It's therefore possible to set the value of the setting **`WEBSITE_RUN_FROM_PACKAGE`** pointing to a zip file containing the new code to execute inside a web application: +It's therefore possible to set the value of the setting **`WEBSITE_RUN_FROM_PACKAGE`** pointing to an URL zip file containing the new code to execute inside a web application: * Start by getting the current config @@ -256,7 +260,7 @@ az functionapp config appsettings list \ --resource-group ``` -* Create the code you want the funciton to run and host it publicly +* Create the code you want the function to run and host it publicly ```bash # Write inside /tmp/web/function_app.py the code of the function 
@@ -297,7 +301,7 @@ az rest --method PUT \ ``` {% endcode %} -### `Microsoft.Web/sites/publishxml/action, (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write)` +### Microsoft.Web/sites/publishxml/action, (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write) This permissions allows to list all the publishing profiles which basically contains **basic auth credentials**: @@ -309,7 +313,7 @@ az functionapp deployment list-publishing-profiles \ --output json ``` -Aonther option would be to set you own creds and use them using: +Another option would be to set you own creds and use them using: ```bash az functionapp deployment user set \ 
@@ -445,6 +449,29 @@ az rest --url "https://management.azure.com/subscriptions//res ``` {% endcode %} +### Microsoft.Web/sites/config/write, Microsoft.Web/sites/config/list/action, (Microsoft.Web/sites/read, Microsoft.Web/sites/config/list/action, Microsoft.Web/sites/config/read) + +With these permissions it's possible to **modify the container run by a function app** configured to run a container. This would allow an attacker to upload a malicious azure function container app to docker hub (for example) and make the function execute it. + +```bash +az functionapp config container set --name \ + --resource-group \ + --image "mcr.microsoft.com/azure-functions/dotnet8-quickstart-demo:1.0" +``` + +### Microsoft.Web/sites/write, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action, Microsoft.App/managedEnvironments/join/action, (Microsoft.Web/sites/read, Microsoft.Web/sites/operationresults/read) + +With these permissions it's possible to **attach a new user managed identity to a function**. If the function was compromised this would allow to escalate privileges to any user managed identity. + +{% code overflow="wrap" %} +```bash +az functionapp identity assign \ + --name \ + --resource-group \ + --identities /subscriptions//providers/Microsoft.ManagedIdentity/userAssignedIdentities/ +``` +{% endcode %} + ### Remote Debugging It's also possible to connect to debug a running Azure function as [**explained in the docs**](https://learn.microsoft.com/en-us/azure/azure-functions/functions-develop-vs). However, by default Azure will turn this option to off in 2 days in case the developer forgets to avoid leaving vulnerable configurations. diff --git a/pentesting-cloud/azure-security/az-services/az-function-apps.md b/pentesting-cloud/azure-security/az-services/az-function-apps.md index 77497b2900..284e8aeb61 100644 --- a/pentesting-cloud/azure-security/az-services/az-function-apps.md +++ b/pentesting-cloud/azure-security/az-services/az-function-apps.md 
@@ -74,9 +74,11 @@ The **system assigned** one will be a managed identity that **only the function* {% hint style="info" %} Just like in [**VMs**](vms/), Functions can have **1 system assigned** managed identity and **several user assigned** ones, so it's always important to try to find all of them if you compromise the function because you might be able to escalate privileges to several managed identities from just one Function. + +If a no system managed identity is used but one or more user managed identities are attached to a function, by default you won’t be able to get any token. {% endhint %} -It's possible to use the [**PEASS scripts**](https://github.com/peass-ng/PEASS-ng) to get tokens from the default managed identity from the metadata endpoint. Or you could get them manually as explained in: +It's possible to use the [**PEASS scripts**](https://github.com/peass-ng/PEASS-ng) to get tokens from the default managed identity from the metadata endpoint. Or you could get them **manually** as explained in: {% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" %} @@ -206,6 +208,12 @@ Moreover, a **Managed Identity** is also created so the Github Action from the r Therefore, anyone compromising that repo will be able to compromise the function and the Managed Identities attached to it. {% endhint %} +### Container Based Deployments + +Not all the plans allow to deploy containers, but for the ones that do, the configuration will contain the URL of the container. In the API the **`linuxFxVersion`** setting will ha something like: `DOCKER|mcr.microsoft.com/...`, while in the web console, the configuration will show the **image settings**. + +Moreover, **no source code will be stored in the storage** account related to the function as it's not needed. + ## Enumeration {% code overflow="wrap" %} 
@@ -215,11 +223,20 @@ az functionapp list # Get info of 1 funciton (although in the list you already get this info) az functionapp show --name --resource-group +## If "linuxFxVersion" has something like: "DOCKER|mcr.microsoft.com/..." +## This is using a container # Get details about the source of the function code az functionapp deployment source show \ --name \ --resource-group +## If error like "This is currently not supported." +## Then, this is probalby using a container + +# Get more info if a container is being used +az functionapp config container show \ + --name \ + --resource-group # Get settings (and privesc to the sorage account) az functionapp config appsettings list --name --resource-group
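Review bot: the SUMMARY.md hunk links a new page `az-function-apps-post-exploitation.md`, but nowhere in this patch is there a `diff --git`/new-file header for that path; the page body (`## Funciton Apps Post Exploitaiton` and its content-refs) appears under the `az-file-share-post-exploitation.md` header instead. Confirm the new file is actually committed at the linked path, otherwise the summary entry `* [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md)` will be a dead link.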
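Review bot: the heading of the new post-exploitation page, `## Funciton Apps Post Exploitaiton`, has two typos; it should read `## Function Apps Post Exploitation` so that it matches the `Az - Function Apps Post Exploitation` entry added to SUMMARY.md in this same patch.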
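Review bot: the new danger hint in the `@@ -195,7 +195,7 @@` hunk, "Remember that with this key you can also access the source code and modify it as explained before!", sends the reader to "as explained before" without saying where; name the earlier section (the `function-releases` / `WEBSITE_RUN_FROM_PACKAGE` material touched in the `@@ -65,7` hunk) or add a content-ref so the claim can be followed. The context line below it, "This permission allows to create/update a system function key", also reads better as "This permission allows creating/updating a system function key".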
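Review bot: in the `@@ -225,7 +229,7 @@` hunk the rewritten sentence still has a number disagreement: "the default values **`AzureWebJobsStorage`** or **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** which contains an account key" should be "which contain an account key", since the subject is the plural "values". Removing "actually" is fine.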
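Review bot: in the `@@ -246,7 +250,7 @@` hunk, "pointing to an URL zip file" should be "pointing to the URL of a zip file" (the setting holds a URL, and the article is "a URL"); the unchanged line two above it, "These permissions allows to list the config values", should become "These permissions allow listing the config values" while the paragraph is being edited.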
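Review bot: the `@@ -309,7 +313,7 @@` hunk fixes "Aonther" but leaves the rest of the line wrong: "set you own creds" should be "set your own creds". In the `@@ -297,7 +301,7 @@` hunk just above, the context line "This permissions allows to list all the publishing profiles which basically contains" should read "These permissions allow listing all the publishing profiles, which basically contain".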
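Review bot: the new container section in the `@@ -445,6 +449,29 @@` hunk lists `Microsoft.Web/sites/config/list/action` twice in its heading, once as required and again inside the optional parentheses; drop one. The prose says the image is uploaded "to docker hub (for example)" while the example points at `mcr.microsoft.com/azure-functions/dotnet8-quickstart-demo:1.0`, so either say the image may come from any registry the function app can pull from or make the prose and the example agree. Also wrap the `az functionapp config container set` block in `{% code overflow="wrap" %}` like the neighbouring blocks, and note that this only applies to function apps already configured to run a container (the sentence says so, the heading does not).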
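Review bot: the sentence added in the `@@ -74,9 +74,11 @@` hunk is ungrammatical and gives no reason: "If a no system managed identity is used but one or more user managed identities are attached to a function, by default you won’t be able to get any token." should read "If no system-assigned managed identity is enabled but one or more user-assigned identities are attached to a function, by default you won't get any token", and it should say why (which identity the token endpoint selects when the request does not name one), otherwise the reader cannot tell whether this is a limitation or a misconfiguration.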
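Review bot: the new "Container Based Deployments" section in the `@@ -206,6 +208,12 @@` hunk has a dropped word, "the **`linuxFxVersion`** setting will ha something like", which should be "will have something like"; "Not all the plans allow to deploy containers" should be "Not all plans allow deploying containers"; and the heading should be hyphenated, "Container-Based Deployments". The second paragraph's point, that no source code lands in the storage account for container deployments, is worth stating as the reason the `deployment source show` enumeration fails, which the enumeration hunk below only hints at.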
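Review bot: in the enumeration hunk `@@ -215,11 +223,20 @@` the added comment "## Then, this is probalby using a container" has a typo ("probably"), and the new comments use `##` while the rest of the block uses a single `#`; pick one style. The unchanged context comment "# Get info of 1 funciton" could be corrected to "function" in the same pass.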