Az - Storage Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Storage Privesc

For more information about storage check:

Az - Storage Accounts & Blobs

Microsoft.Storage/storageAccounts/listkeys/action

A principal with this permission will be able to list (and the secret values) of the access keys of the storage accounts. Allowing the principal to escalate its privileges over the storage accounts.

az storage account keys list --account-name <acc-name>

Microsoft.Storage/storageAccounts/regenerateKey/action

A principal with this permission will be able to renew and get the new secret value of the access keys of the storage accounts. Allowing the principal to escalate its privileges over the storage accounts.

Moreover, in the response, the user will get the value of the renewed key and also of the not renewed one:

az storage account keys renew --account-name <acc-name> --key key2

Microsoft.Storage/storageAccounts/write

A principal with this permission will be able to create or update an existing storage account updating any setting like network rules or policies.

# e.g. set default action to allow so network restrictions are avoided
az storage account update --name <acc-name> --default-action Allow

# e.g. allow an IP address
az storage account update --name <acc-name> --add networkRuleSet.ipRules value=<ip-address>

Blobs Specific privesc

Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/write | Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete

The first permission allows to modify immutability policies in containers and the second to delete them.

Note that if an immutability policy is in lock state, you cannot do neither of both

az storage container immutability-policy delete \
  --account-name <STORAGE_ACCOUNT_NAME> \
  --container-name <CONTAINER_NAME> \
  --resource-group <RESOURCE_GROUP>

az storage container immutability-policy update \
  --account-name <STORAGE_ACCOUNT_NAME> \
  --container-name <CONTAINER_NAME> \
  --resource-group <RESOURCE_GROUP> \
  --period <NEW_RETENTION_PERIOD_IN_DAYS>

File shares specific privesc

Microsoft.Storage/storageAccounts/fileServices/takeOwnership/action

This should allow a user having this permission to be able to take the ownership of files inside the shared filesystem.

Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action

This should allow a user having this permission to be able to modify the permissions files inside the shared filesystem.

Microsoft.Storage/storageAccounts/fileServices/fileshares/files/actassuperuser/action

This should allow a user having this permission to be able to perform actions inside a file system as a superuser.

Other interesting looking permissions (TODO)

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action: Changes ownership of the blob
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action: Modifies permissions of the blob
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action: Returns the result of the blob command
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action

References

https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/storage#microsoftstorage

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAz - Authorization Privesc NextAz - Key Vault Privesc

Last updated 11 hours ago