Az - Storage Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Storage Privesc

Kwa maelezo zaidi kuhusu hifadhi angalia:

Microsoft.Storage/storageAccounts/listkeys/action

Mtu mwenye ruhusa hii ataweza kuorodhesha (na thamani za siri) za funguo za ufikiaji za akaunti za hifadhi. Hii inaruhusu mtu huyo kupandisha hadhi yake juu ya akaunti za hifadhi.

az storage account keys list --account-name <acc-name>

Microsoft.Storage/storageAccounts/regenerateKey/action

Mtu mwenye ruhusa hii ataweza kufufua na kupata thamani mpya ya siri ya funguo za ufikiaji za akaunti za hifadhi. Hii inaruhusu mtu huyo kuongeza mamlaka yake juu ya akaunti za hifadhi.

Zaidi ya hayo, katika jibu, mtumiaji atapata thamani ya funguo iliyofufuliwa na pia ya ile isiyofufuliwa:

az storage account keys renew --account-name <acc-name> --key key2

Microsoft.Storage/storageAccounts/write

Mtu mwenye ruhusa hii ataweza kuunda au kuboresha akaunti ya kuhifadhi iliyopo akisasisha mipangilio yoyote kama sheria za mtandao au sera.

# e.g. set default action to allow so network restrictions are avoided
az storage account update --name <acc-name> --default-action Allow

# e.g. allow an IP address
az storage account update --name <acc-name> --add networkRuleSet.ipRules value=<ip-address>

Blobs Specific privesc

Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/write | Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete

Ruhusa la kwanza linaruhusu kubadilisha sera za kutokuweza kubadilishwa katika kontena na la pili kufuta hizo sera.

Kumbuka kwamba ikiwa sera ya kutokuweza kubadilishwa iko katika hali ya kufungwa, huwezi kufanya mojawapo ya hayo

az storage container immutability-policy delete \
--account-name <STORAGE_ACCOUNT_NAME> \
--container-name <CONTAINER_NAME> \
--resource-group <RESOURCE_GROUP>

az storage container immutability-policy update \
--account-name <STORAGE_ACCOUNT_NAME> \
--container-name <CONTAINER_NAME> \
--resource-group <RESOURCE_GROUP> \
--period <NEW_RETENTION_PERIOD_IN_DAYS>

File shares specific privesc

Microsoft.Storage/storageAccounts/fileServices/takeOwnership/action

Hii inapaswa kumruhusu mtumiaji mwenye ruhusa hii kuwa na uwezo wa kuchukua umiliki wa faili ndani ya mfumo wa faili ulio shiriki.

Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action

Hii inapaswa kumruhusu mtumiaji mwenye ruhusa hii kuwa na uwezo wa kubadilisha ruhusa za faili ndani ya mfumo wa faili ulio shiriki.

Microsoft.Storage/storageAccounts/fileServices/fileshares/files/actassuperuser/action

Hii inapaswa kumruhusu mtumiaji mwenye ruhusa hii kuwa na uwezo wa kutekeleza vitendo ndani ya mfumo wa faili kama superuser.

Other interesting looking permissions (TODO)

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action: Hubadilisha umiliki wa blob
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action: Hubadilisha ruhusa za blob
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action: Inarudisha matokeo ya amri ya blob
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action

References

https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/storage#microsoftstorage

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAz - Authorization Privesc NextAz - Key Vault Privesc

Last updated 10 hours ago