From ee37fbe3ebbfae86294bb6ea8c7a02786c545fd2 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Thu, 26 Dec 2024 01:57:00 +0000 Subject: [PATCH] GITBOOK-742: No subject --- SUMMARY.md | 3 +- .../az-app-services-privesc.md | 67 ++++++++ ...zure-app-service.md => az-app-services.md} | 144 +++++++++++++----- .../az-services/az-function-apps.md | 12 ++ .../azure-security/az-services/az-sql.md | 2 +- .../azure-security/az-services/vms/README.md | 18 +-- 6 files changed, 196 insertions(+), 50 deletions(-) create mode 100644 pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md rename pentesting-cloud/azure-security/az-services/{az-azure-app-service.md => az-app-services.md} (54%) diff --git a/SUMMARY.md b/SUMMARY.md index 211dec980c..0b55216c4d 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -408,7 +408,7 @@ * [Az - ARM Templates / Deployments](pentesting-cloud/azure-security/az-services/az-arm-templates.md) * [Az - Automation Account](pentesting-cloud/azure-security/az-services/az-automation-account/README.md) * [Az - State Configuration RCE](pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md) - * [Az - Azure App Service & Function Apps](pentesting-cloud/azure-security/az-services/az-azure-app-service.md) + * [Az - App Services](pentesting-cloud/azure-security/az-services/az-app-services.md) * [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md) * [Az - File Shares](pentesting-cloud/azure-security/az-services/az-file-shares.md) * [Az - Function Apps](pentesting-cloud/azure-security/az-services/az-function-apps.md) 
@@ -451,6 +451,7 @@ * [Az - VMs & Network Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md) * [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md) * [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md) + * [Az - App Services Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md) * [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md) * [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md) * [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md) diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md new file mode 100644 index 0000000000..92ecc5e14d --- /dev/null +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md @@ -0,0 +1,67 @@ +# Az - App Services Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## App Services + +For more information about Azure App services check: + +{% content-ref url="../az-services/az-app-services.md" %} +[az-app-services.md](../az-services/az-app-services.md) +{% endcontent-ref %} + +### Microsoft.Web/sites/publish/Action, Microsoft.Web/sites/basicPublishingCredentialsPolicies/read, Microsoft.Web/sites/config/read, Microsoft.Web/sites/read, + +These permissions allows to call the following commands to get a **SSH shell** inside a web app + +* Direct option: + +```bash +# Direct option +az webapp ssh --name --resource-group +``` + +* Create tunnel and then connect to SSH: + +{% code overflow="wrap" %} +```bash +az webapp create-remote-connection --name --resource-group + +## If successfull you will get a message such as: +#Verifying if app is running.... +#App is running. Trying to establish tunnel connection... +#Opening tunnel on port: 39895 +#SSH is available { username: root, password: Docker! } + +## So from that machine ssh into that port (you might need generate a new ssh session to the jump host) +ssh root@127.0.0.1 -p 39895 +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-services/az-azure-app-service.md b/pentesting-cloud/azure-security/az-services/az-app-services.md similarity index 54% rename from pentesting-cloud/azure-security/az-services/az-azure-app-service.md rename to pentesting-cloud/azure-security/az-services/az-app-services.md index 4f5d822c82..c8d1139dc1 100644 --- a/pentesting-cloud/azure-security/az-services/az-azure-app-service.md +++ b/pentesting-cloud/azure-security/az-services/az-app-services.md @@ -1,4 +1,4 @@ -# Az - Azure App Service & Function Apps +# Az - App Services {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ 
@@ -17,7 +17,7 @@ Learn & practice GCP Hacking: -n +# Get info about 1 app +az webapp show --name --resource-group + +# Get instances of a webapp +az webapp list-instances --name --resource-group +## If you have enough perm you can go to the "consoleUrl" and access a shell inside the instance form the web + +# Get configured Auth information +az webapp auth show --name --resource-group + +# Get access restrictions of an app +az webapp config access-restriction show --name --resource-group # Remove access restrictions az webapp config access-restriction remove --resource-group -n --rule-name +# Get appsettings of an app +az webapp config appsettings list --name --resource-group + +# Get backups of a webapp +az webapp config backup list --webapp-name --resource-group + +# Get backups scheduled for a webapp +az webapp config backup show --webapp-name --resource-group + # Get snapshots az webapp config snapshot list --resource-group -n # Restore snapshot az webapp config snapshot restore -g -n --time 2018-12-11T23:34:16.8388367 -# Restart webapp -az webapp restart --name --resource-group +# Get connection strings of a webapp +az webapp config connection-string list --name --resource-group + +# Get used container by the app +az webapp config container show --name --resource-group + +# Get storage account configurations of a webapp +az webapp config storage-account list --name --resource-gl_group + + + + + + + + +# List all the functions +az functionapp list + +# Get info of 1 funciton (although in the list you already get this info) +az functionapp show --name --resource-group +## If "linuxFxVersion" has something like: "DOCKER|mcr.microsoft.com/..." +## This is using a container + +# Get details about the source of the function code +az functionapp deployment source show \ + --name \ + --resource-group +## If error like "This is currently not supported." 
+## Then, this is probalby using a container + +# Get more info if a container is being used +az functionapp config container show \ + --name \ + --resource-group + +# Get settings (and privesc to the sorage account) +az functionapp config appsettings list --name --resource-group + +# Check if a domain was assigned to a function app +az functionapp config hostname list --webapp-name --resource-group + +# Get SSL certificates +az functionapp config ssl list --resource-group + +# Get network restrictions +az functionapp config access-restriction show --name --resource-group + +# Get more info about a function (invoke_url_template is the URL to invoke and script_href allows to see the code) +az rest --method GET \ + --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//functions?api-version=2024-04-01" + +# Get source code with Master Key of the function +curl "?code=" +## Python example +curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=" -v + +# Get source code +az rest --url "https://management.azure.com//resourceGroups//providers/Microsoft.Web/sites//hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01" ``` {% endcode %} {% endtab %} 
@@ -121,44 +216,17 @@ git clone 'https://:@name.scm.azurewebsites.net/repo-name.gi ## If you change the code and do a push, the app is automatically redeployed ``` -#### Access to the Docker container with the webapp via ssh: -```bash -# Get ssh session -az webapp create-remote-connection --subscription --resource-group -n -## If successfull you will get a message such as: -#Verifying if app is running.... -#App is running. Trying to establish tunnel connection... -#Opening tunnel on port: 39895 -#SSH is available { username: root, password: Docker! } +## Privilege Escalation -## So from that machine ssh into that port (you might need generate a new ssh session to the jump host) -ssh root@127.0.0.1 -p 39895 -``` - -## Function Apps Basic Information - -Azure Functions is a **serverless** solution that allows you to write less code, maintain less infrastructure, and save on costs. Instead of worrying about deploying and maintaining servers, the cloud infrastructure provides all the up-to-date resources needed to keep your applications running. - -In the Azure portal, integration between Azure Functions and Azure API Management is facilitated, allowing **HTTP trigger function endpoints to be exposed as REST APIs**. The APIs exposed in this manner are described using an OpenAPI definition, providing a standard, language-agnostic interface to RESTful APIs. - -**Function Apps support Managed Identities.** - -Moreover Function App might have certain endpoints that require a certain level of authentication, such as "admin" or "anonymous".\ -An attacker could try to access the **anonymous allowed endpoints** to bypass the restrictions and gain access to sensitive data or functionality. 
- -### Enumeration - -```powershell -# Get only Function Apps -Get-AzFunctionApp -``` +{% content-ref url="../az-privilege-escalation/az-app-services-privesc.md" %} +[az-app-services-privesc.md](../az-privilege-escalation/az-app-services-privesc.md) +{% endcontent-ref %} ## References * [https://learn.microsoft.com/en-in/azure/app-service/overview](https://learn.microsoft.com/en-in/azure/app-service/overview) -* [https://learn.microsoft.com/en-us/azure/azure-functions/functions-openapi-definition](https://learn.microsoft.com/en-us/azure/azure-functions/functions-openapi-definition) {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ diff --git a/pentesting-cloud/azure-security/az-services/az-function-apps.md b/pentesting-cloud/azure-security/az-services/az-function-apps.md index 284e8aeb61..a446ab37d6 100644 --- a/pentesting-cloud/azure-security/az-services/az-function-apps.md +++ b/pentesting-cloud/azure-security/az-services/az-function-apps.md @@ -19,6 +19,10 @@ Learn & practice GCP Hacking: .azurewebsites.net/api/?code=` {% endhint %} +### Basic Authentication + +Just like in App Services, Functions also support basic authentication to connect to **SCM** and **FTP** to deploy code using a **username and password in a URL** provided by Azure. More information about it in: + +{% content-ref url="az-app-services.md" %} +[az-app-services.md](az-app-services.md) +{% endcontent-ref %} + ### Github Based Deployments When a function is generated from a Github repo Azure web console allows to **automatically create a Github Workflow in a specific repository** so whenever this repository is updated the code of the function is updated. Actually the Github Action yaml for a python function looks like this: diff --git a/pentesting-cloud/azure-security/az-services/az-sql.md b/pentesting-cloud/azure-security/az-services/az-sql.md index cf63f9c56b..34d0ff9ed3 100644 
--- a/pentesting-cloud/azure-security/az-services/az-sql.md +++ b/pentesting-cloud/azure-security/az-services/az-sql.md @@ -43,7 +43,7 @@ az sql vm show --resource-group --name ### Connect and run SQL queries -You could find a connection string (containing credentials) from example [enumerating an Az WebApp](az-azure-app-service.md): +You could find a connection string (containing credentials) from example [enumerating an Az WebApp](az-app-services.md): {% code overflow="wrap" %} ```powershell diff --git a/pentesting-cloud/azure-security/az-services/vms/README.md b/pentesting-cloud/azure-security/az-services/vms/README.md index e664d118d3..ad081b59a0 100644 --- a/pentesting-cloud/azure-security/az-services/vms/README.md +++ b/pentesting-cloud/azure-security/az-services/vms/README.md @@ -78,6 +78,7 @@ az disk show --name --resource-group ``` {% endcode %} {% endtab %} + {% tab title="PowerShell" %} {% code overflow="wrap" %} ```powershell @@ -91,7 +92,6 @@ Get-AzDisk -Name -ResourceGroupName {% endtab %} {% endtabs %} - ## Images, Gallery Images & Restore points A **VM image** is a template that contains the operating system, application settings and filesystem needed to **create a new virtual machine (VM)**. The difference between an image and a disk snapshot is that a disk snapshot is a read-only, point-in-time copy of a single managed disk, used primarily for backup or troubleshooting, while an image can contain **multiple disks and is designed to serve as a template for creating new VMs**.\ @@ -135,6 +135,7 @@ az restore-point collection show --collection-name --resource- ``` {% endcode %} {% endtab %} + {% tab title="PowerShell" %} {% code overflow="wrap" %} ```powershell 
@@ -170,7 +171,7 @@ From the [**docs**](https://learn.microsoft.com/en-us/azure/site-recovery/site-r ## Azure Bastion -Azure Bastion enables secure and seamless **Remote Desktop Protocol (RDP)** and **Secure Shell (SSH)** access to your virtual machines (VMs) directly through the Azure Portal or via a jump box. By **eliminating the need for public IP addresses** on your VMs. +Azure Bastion enables secure and seamless **Remote Desktop Protocol (RDP)** and **Secure Shell (SSH)** access to your virtual machines (VMs) directly through the Azure Portal or via a jump box. By **eliminating the need for public IP addresses** on your VMs. The Bastion deploys a subnet called **`AzureBastionSubnet`** with a `/26` netmask in the VNet it needs to work on. Then, it allows to **connect to internal VMs through the browser** using `RDP` and `SSH` avoiding exposing ports of the VMs to the Internet. It can also work as a **jump host**. @@ -203,6 +204,7 @@ az network bastion rdp \ ``` {% endcode %} {% endtab %} + {% tab title="PowerShell" %} {% code overflow="wrap" %} ```powershell @@ -225,8 +227,6 @@ Check how to enumerate it in: ## VM Enumeration -{% tabs %} -{% tab title="Az Cli" %} {% code overflow="wrap" %} ```bash # VMs @@ -364,8 +364,9 @@ az resource list --resource-type "Microsoft.Compute/virtualMachines" --query "[] az vm run-command list --output table ``` {% endcode %} -{% endtab %} -{% tab title="Az PS" %} + + + ```powershell # Get readable VMs Get-AzVM | fl @@ -455,9 +456,6 @@ Get-AzStorageAccount ## List all custom script extensions on a specific VM Get-AzVMExtension -VMName -ResourceGroupName ``` -{% endcode %} -{% endtab %} -{% endtabs %} ## Code Execution in VMs @@ -483,6 +481,7 @@ az vm extension image list --publisher "Site24x7" --output table ``` {% endcode %} {% endtab %} + {% tab title="PowerShell" %} {% code overflow="wrap" %} ```powershell 
@@ -493,7 +492,6 @@ Get-AzVMExtensionImage -Location -PublisherName -Type {% endtab %} {% endtabs %} - It's possible to **run custom extensions that runs custom code**: {% tabs %}
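Review bot: in the az-app-services.md `@@ -17,7 +17,7 @@` hunk, the added line `az webapp config storage-account list --name --resource-gl_group` has a broken flag; it should read `--resource-group` like every other command in the block. In the same hunk, the last `az rest` URL (`https://management.azure.com//resourceGroups//providers/Microsoft.Web/sites//hostruntime/admin/vfs/...`) lacks the `/subscriptions/` segment that the earlier `az rest` line in this block uses (`/subscriptions//resourceGroups//providers/...`), so please confirm the path. Smaller points: the run of eight empty `+` lines between the `az webapp` and `az functionapp` commands should become a single blank line or a comment heading, the comments have typos ("funciton", "probalby", "sorage"), and `# Restart webapp` / `az webapp restart` is dropped without replacement; if that was intentional, fine, otherwise keep it.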
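Review bot: in the new az-app-services-privesc.md hunk (`@@ -0,0 +1,67 @@`), the section heading ends with a stray trailing comma after `Microsoft.Web/sites/read`, and the sentence "These permissions allows to call the following commands to get a **SSH shell**" should read "These permissions allow you to run the following commands to get an **SSH shell**". In the tunnel block, "If successfull" and "you might need generate a new ssh session" (copied verbatim from the section that the later hunk removes from az-app-services.md) should become "If successful" and "you might need to generate a new ssh session".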
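Review bot: in the az-app-services.md `@@ -121,44 +216,17 @@` hunk, the whole "Function Apps Basic Information" section (Managed Identities, the admin/anonymous authorization levels, the OpenAPI paragraph), its `Get-AzFunctionApp` enumeration and the functions-openapi-definition reference are removed, yet the `az functionapp ...` commands added in the earlier hunk stay in this App Services page under no heading, and the only change to az-function-apps.md in this patch is the new Basic Authentication section. Either move the `az functionapp` block into az-function-apps.md or give it its own heading here, and confirm the removed prose and reference already exist in az-function-apps.md before dropping them.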
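Review bot: in the vms/README.md `@@ -170,7 +171,7 @@` hunk, the removed and added Azure Bastion lines are identical in visible text, so this is a whitespace-only change; while touching the line, the fragment "By **eliminating the need for public IP addresses** on your VMs." should be joined to the preceding sentence ("... or via a jump box, eliminating the need for public IP addresses on your VMs.").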
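Review bot: in the vms/README.md `@@ -225,8 +227,6 @@` and `@@ -364,8 +364,9 @@` hunks, the `{% tabs %}` / `{% tab title="Az Cli" %}` wrapper and the `{% tab title="Az PS" %}` switch are removed from the VM Enumeration section, leaving the PowerShell block separated from the CLI block by three blank lines only, while every other section in this file (and the other hunks in this same patch) keeps the tabs layout with a `{% tab title="PowerShell" %}` tab. Either keep the tabs for consistency or replace the blank lines with a sub-heading that names the PowerShell block. Related `@@ -455,9 +456,6 @@` hunk: the PowerShell block opens with a bare ```` ```powershell ```` and no `{% code overflow="wrap" %}` is visible, so removing the trailing `{% endcode %}` looks like it fixes an orphaned close; please confirm no `{% code %}` opener is left unbalanced further up.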