From 5f1752dfd6b876791486570a5e86d5c957a972ef Mon Sep 17 00:00:00 2001 From: Jaime Polop <117489620+JaimePolop@users.noreply.github.com> Date: Fri, 10 Jan 2025 11:01:45 +0100 Subject: [PATCH 1/8] Add files via upload --- .../azure-security/az-services/az-cosmosDB.md | 360 ++++++++++++++++++ .../azure-security/az-services/az-mysql.md | 194 ++++++++++ .../az-services/az-postgresql.md | 173 +++++++++ 3 files changed, 727 insertions(+) create mode 100644 src/pentesting-cloud/azure-security/az-services/az-cosmosDB.md create mode 100644 src/pentesting-cloud/azure-security/az-services/az-mysql.md create mode 100644 src/pentesting-cloud/azure-security/az-services/az-postgresql.md diff --git a/src/pentesting-cloud/azure-security/az-services/az-cosmosDB.md b/src/pentesting-cloud/azure-security/az-services/az-cosmosDB.md new file mode 100644 index 0000000000..08e5e2fe6e --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-services/az-cosmosDB.md @@ -0,0 +1,360 @@ +# Az - CosmosDB + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Azure CosmosDB + +**Azure Cosmos DB** is a fully **managed NoSQL, relational, and vector database** offering single-digit millisecond response times, automatic scalability, and SLA-backed availability with enterprise-grade security. It enables faster app development through turnkey multi-region data distribution, open-source APIs, SDKs for popular languages, and AI database features like integrated vector support and seamless Azure AI integration. + +Azure Cosmos DB provides multiple database APIs to model real-world data using documents, relational, key-value, graph, and column-family data models, being this APIs NoSQL, MongoDB, PostgreSQL, Cassandra, Gremlin and Table. + +One key aspect of CosmosDB is Azure Cosmos Account. **Azure Cosmos Account**, acts as the entry point to the databases. The account determines key settings such as global distribution, consistency levels, and the specific API to be used, such as NoSQL. Through the account, you can configure global replication to ensure data is available across multiple regions for low-latency access. Additionally, you can choose a consistency level that balances between performance and data accuracy, with options ranging from Strong to Eventual consistency. + +### NoSQL (sql) +The Azure Cosmos DB NoSQL API is a document-based API that uses JSON as its data format. It provides a SQL-like query syntax for querying JSON objects, making it suitable for working with structured and semi-structured data. The endpoint of the service is: + +{% code overflow="wrap" %} +```bash +https://.documents.azure.com:443/ +``` +{% endcode %} + +#### Databases +Within an account, you can create one or more databases, which serve as logical groupings of containers. A database acts as a boundary for resource management and user permissions. Databases can either share provisioned throughput across their containers or allocate dedicated throughput to individual containers. + +#### Containers +The core unit of data storage is the container, which holds JSON documents and is automatically indexed for efficient querying. Containers are elastically scalable and distributed across partitions, which are determined by a user-defined partition key. The partition key is critical for ensuring optimal performance and even data distribution. For example, a container might store customer data, with "customerId" as the partition key. + + +#### Enumeration + +{% tabs %} +{% tab title="az cli" %} +{% code overflow="wrap" %} +```bash +# CosmoDB Account +## List Azure Cosmos DB database accounts. +az cosmosdb list --resource-group +az cosmosdb show --resource-group --name + +## Lists the virtual network accounts associated with a Cosmos DB account +az cosmosdb network-rule list --resource-group --name +## List the access keys or connection strings for a Azure Cosmos DB +az cosmosdb keys list --name --resource-group +## List all the database accounts that can be restored. +az cosmosdb restorable-database-account list --account-name +## Show the identities for a Azure Cosmos DB database account. +az cosmosdb identity show --resource-group --name + + +# CosmoDB (NoSQL) +## List the SQL databases under an Azure Cosmos DB account. +az cosmosdb sql database list --resource-group --account-name +## List the SQL containers under an Azure Cosmos DB SQL database. +az cosmosdb sql container list --account-name --database-name --resource-group + +## List all SQL role assignments under an Azure Cosmos DB +az cosmosdb sql role assignment list --resource-group --account-name +## List all SQL role definitions under an Azure Cosmos DB +az cosmosdb sql role definition list --resource-group --account-name + +## List the SQL stored procedures under an Azure Cosmos DB +az cosmosdb sql stored-procedure list --account-name --container-name --database-name --resource-group +## List the SQL triggers under an Azure Cosmos DB SQL container. +az cosmosdb sql trigger list --account-name --container-name --database-name --resource-group +## List the SQL user defined functions under an Azure Cosmos DB SQL container +az cosmosdb sql user-defined-function list --account-name --container-name --database-name --resource-group + +``` +{% endcode %} +{% endtab %} + +{% tab title="Az PowerShell" %} +{% code overflow="wrap" %} +```powershell +Get-Command -Module Az.CosmosD + +# List all Cosmos DB accounts in a specified resource group. +Get-AzCosmosDBAccount -ResourceGroupName "" + +# Get the access keys for a specific Cosmos DB account. +Get-AzCosmosDBAccountKey -ResourceGroupName "" -Name "" + +# Retrieve the client encryption keys for a specific Cosmos DB account. +Get-AzCosmosDbClientEncryptionKey -ResourceGroupName "" -AccountName "" -DatabaseName "" + +# List all SQL containers in a specific Cosmos DB SQL database. +Get-AzCosmosDBSqlContainer -ResourceGroupName "" -AccountName "" -DatabaseName "" + +# Get backup information for a specific Cosmos DB SQL container. +Get-AzCosmosDBSqlContainerBackupInformation -ResourceGroupName "" -AccountName "" -DatabaseName "" -Name "" -Location "" + +# Get the throughput (RU/s) settings for a specific Cosmos DB SQL container. +Get-AzCosmosDBSqlContainerThroughput -ResourceGroupName "" -AccountName "" -DatabaseName "" -Name "" + +# List all SQL databases under a specific Cosmos DB account. +Get-AzCosmosDBSqlDatabase -ResourceGroupName "" -AccountName "" + +# Get the throughput (RU/s) settings for a specific Cosmos DB SQL database. +Get-AzCosmosDBSqlDatabaseThroughput -ResourceGroupName "" -AccountName "" -Name "" + +# List all SQL role assignments for a specific Cosmos DB account. +Get-AzCosmosDBSqlRoleAssignment -ResourceGroupName "" -AccountName "" + +# List all SQL role definitions for a specific Cosmos DB account. +Get-AzCosmosDBSqlRoleDefinition -ResourceGroupName "" -AccountName "" + +# List all stored procedures in a specific Cosmos DB SQL container. +Get-AzCosmosDBSqlStoredProcedure -ResourceGroupName "" -AccountName "" -DatabaseName "" -ContainerName "" + +# List all triggers in a specific Cosmos DB SQL container. +Get-AzCosmosDBSqlTrigger -ResourceGroupName "" -AccountName "" -DatabaseName "" -ContainerName "" + +# List all user-defined functions (UDFs) in a specific Cosmos DB SQL container. +Get-AzCosmosDBSqlUserDefinedFunction -ResourceGroupName "" -AccountName "" -DatabaseName "" -ContainerName "" +``` +{% endcode %} +{% endtab %} +{% endtabs %} + +#### Connection + +To connect the azure-cosmosDB (pip install azure-cosmos) library is needed. Additionally the endpoint and the key are crutial components to make the connection. +{% code overflow="wrap" %} +```python +from azure.cosmos import CosmosClient, PartitionKey + +# Connection details +endpoint = "" +key = "" + +# Initialize Cosmos Client +client = CosmosClient(endpoint, key) + +# Access existing database and container +database_name = '' +container_name = '' +database = client.get_database_client(database_name) +container = database.get_container_client(container_name) + +# Insert multiple documents +items_to_insert = [ + {"id": "1", "name": "Sample Item", "description": "This is a sample document."}, + {"id": "2", "name": "Another Sample Item", "description": "This is another sample document."}, + {"id": "3", "name": "Sample Item", "description": "This is a duplicate name sample document."}, +] + +for item in items_to_insert: + container.upsert_item(item) + +# Query all documents +query = "SELECT * FROM c" +all_items = list(container.query_items( + query=query, + enable_cross_partition_query=True +)) + +# Print all queried items +print("All items in the container:") +for item in all_items: + print(item) +``` +{% endcode %} + +Another way of stablishing a connection is to use the **DefaultAzureCredential()**. Just need to login (az login) with the account that has the permissions and execute it. For this case a role assigment must be done, giving the necesary permissions (see for mor) + +{% code overflow="wrap" %} +```python +from azure.identity import DefaultAzureCredential +from azure.cosmos import CosmosClient + +# Use Azure AD for authentication +credential = DefaultAzureCredential() +endpoint = "" +client = CosmosClient(endpoint, credential) + +# Access database and container +database_name = "" +container_name = "" +database = client.get_database_client(database_name) +container = database.get_container_client(container_name) + +# Insert a document +item = { + "id": "1", + "name": "Sample Item", + "description": "This is a test item." +} +container.create_item(item) +print("Document inserted.") +``` +{% endcode %} + +### MongoDB +The MongoDB NoSQL API is a document-based API that uses JSON-like BSON (Binary JSON) as its data format. It provides a query language with aggregation capabilities, making it suitable for working with structured, semi-structured, and unstructured data. The endpoint of the service typically follows this format: + +{% code overflow="wrap" %} +```bash +mongodb://:/ +``` +{% endcode %} + +#### Databases +In MongoDB, you can create one or more databases within an instance. Each database serves as a logical grouping of collections and provides a boundary for resource organization and management. Databases help separate and manage data logically, such as for different applications or projects. + +#### Collections +The core unit of data storage in MongoDB is the collection, which holds documents and is designed for efficient querying and flexible schema design. Collections are elastically scalable and can support high-throughput operations across multiple nodes in a distributed setup. + +#### Enumeration + +{% tabs %} +{% tab title="az cli" %} +{% code overflow="wrap" %} +```bash +# CosmoDB Account +## List Azure Cosmos DB database accounts. +az cosmosdb list --resource-group +az cosmosdb show --resource-group --name + +## Lists the virtual network accounts associated with a Cosmos DB account +az cosmosdb network-rule list --resource-group --name +## List the access keys or connection strings for a Azure Cosmos DB +az cosmosdb keys list --name --resource-group +## List all the database accounts that can be restored. +az cosmosdb restorable-database-account list --account-name +## Show the identities for a Azure Cosmos DB database account. +az cosmosdb identity show --resource-group --name + +``` +{% endcode %} +{% endtab %} + +{% tab title="Az PowerShell" %} +{% code overflow="wrap" %} +```powershell +Get-Command -Module Az.CosmosDB + +# List all Cosmos DB accounts in a specified resource group. +Get-AzCosmosDBAccount -ResourceGroupName "" + +# Get the access keys for a specific Cosmos DB account. +Get-AzCosmosDBAccountKey -ResourceGroupName "" -Name "" + +# Retrieve the client encryption keys for a specific Cosmos DB account. +Get-AzCosmosDbClientEncryptionKey -ResourceGroupName "" -AccountName "" -DatabaseName "" + +# List all MongoDB collections in a specific database. +Get-AzCosmosDBMongoDBCollection -AccountName -ResourceGroupName -DatabaseName + +# Retrieve backup information for a specific MongoDB collection in a database. +Get-AzCosmosDBMongoDBCollectionBackupInformation -AccountName -ResourceGroupName -DatabaseName -Name -Location + +# Get the throughput (RU/s) of a specific MongoDB collection in a database. +Get-AzCosmosDBMongoDBCollectionThroughput -AccountName -ResourceGroupName -DatabaseName -Name + +# List all MongoDB databases in a specified Cosmos DB account. +Get-AzCosmosDBMongoDBDatabase -AccountName -ResourceGroupName + +# Get the throughput (RU/s) of a specific MongoDB database. +Get-AzCosmosDBMongoDBDatabaseThroughput -AccountName -ResourceGroupName -DatabaseName + +# Retrieve the role definitions for MongoDB users in a specified Cosmos DB account. +Get-AzCosmosDBMongoDBRoleDefinition -AccountName -ResourceGroupName + +``` +{% endcode %} +{% endtab %} +{% endtabs %} + +#### Connection + +Here the password you can find them with the keys or with the method decribed in the privesc section. +{% code overflow="wrap" %} +```python +from pymongo import MongoClient + +# Updated connection string with retryWrites=false +connection_string = "mongodb://.mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&retryWrites=false" + +# Create the client +client = MongoClient(connection_string, username="", password="") + +# Access the database +db = client[''] + +# Access a collection +collection = db[''] + +# Insert a single document +document = { + "name": "John Doe", + "email": "johndoe@example.com", + "age": 30, + "address": { + "street": "123 Main St", + "city": "Somewhere", + "state": "CA", + "zip": "90210" + } +} + +# Insert document +result = collection.insert_one(document) +print(f"Inserted document with ID: {result.inserted_id}") +``` +{% endcode %} + +## References + +* [https://learn.microsoft.com/en-us/azure/cosmos-db/choose-api](https://learn.microsoft.com/en-us/azure/cosmos-db/choose-api) +* [https://learn.microsoft.com/en-us/azure/cosmos-db/](https://learn.microsoft.com/en-us/azure/cosmos-db/) +* [https://learn.microsoft.com/en-us/azure/cosmos-db/introduction](https://learn.microsoft.com/en-us/azure/cosmos-db/introduction) +* [https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/security/how-to-grant-data-plane-role-based-access?tabs=built-in-definition%2Ccsharp&pivots=azure-interface-cli](https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/security/how-to-grant-data-plane-role-based-access?tabs=built-in-definition%2Ccsharp&pivots=azure-interface-cli) + +## Privilege Escalation + +{% content-ref url="../az-privilege-escalation/az-sql-privesc.md" %} +[az-sql-privesc.md](../az-privilege-escalation/az-sql-privesc.md) +{% endcontent-ref %} + +## Post Exploitation + +{% content-ref url="../az-post-exploitation/az-sql-post-exploitation.md" %} +[az-sql-post-exploitation.md](../az-post-exploitation/az-sql-post-exploitation.md) +{% endcontent-ref %} + +## ToDo + +* The rest of the DB here, tables, cassandra, gremlin... +* Take a look to the post exploitation "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write" && "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read" and role definitions cause here might be a privesc +* Take a look to restores + + + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/src/pentesting-cloud/azure-security/az-services/az-mysql.md b/src/pentesting-cloud/azure-security/az-services/az-mysql.md new file mode 100644 index 0000000000..f36154a372 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-services/az-mysql.md @@ -0,0 +1,194 @@ +# Az - MySQL Databases + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Azure MySQL +Azure Database for MySQL is a fully managed relational database service based on the MySQL Community Edition, designed to provide scalability, security, and flexibility for various application needs. It has two different deployment models: + +* **Single Server** (is on the retirement path): + - Optimized for cost-effective and easy-to-manage MySQL deployments. + - Features include automated backups, high availability, and basic monitoring. + - Ideal for applications with predictable workloads. +* **Flexible Server**: + - Provides more control over database management and configuration. + - Supports high availability (same-zone and zone-redundant). + - Features elastic scaling, patch management, and workload optimization. + - Offers stop/start functionality for cost savings. + +### Key Features +* **Server Management**: The **ad-admin** feature allows managing Azure Active Directory (AAD) administrators for MySQL servers, providing control over administrative access via AAD credentials, while the **identity** feature enables the assignment and management of Azure Managed Identities, offering secure, credential-free authentication for accessing Azure resources. +* **Lifecycle Management**: options to start or stop a server, delete a flexible server instance, restart a server to quickly apply configuration changes, and wait to ensure a server meets specific conditions before proceeding with automation scripts. +* **Security and Networking**: can manage server firewall rules for secure database access and detach virtual network configurations as needed. +* **Data Protection and Backup**: includes options to manage flexible server backups for data recovery, perform geo-restore to recover a server in a different region, export server backups for external use (in Preview), and restore a server from backup to a specific point in time. + +### Enumeration + +{% tabs %} +{% tab title="az cli" %} +{% code overflow="wrap" %} +```bash +# List all flexible-servers +az mysql flexible-server db list --resource-group +# List databases in a flexible-server +az mysql flexible-server db list --resource-group --server-name +# Show specific details of a MySQL database +az mysql flexible-server db show --resource-group --server-name --database-name + +# List firewall rules of the a server +az mysql flexible-server firewall-rule list --resource-group --name + +# List all ad-admin in a server +az mysql flexible-server ad-admin list --resource-group --server-name +# List all user assigned managed identities from the server +az mysql flexible-server identity list --resource-group --server-name + +# List the server backups +az mysql flexible-server backup list --resource-group --name +# List all read replicas for a given server +az mysql flexible-server replica list --resource-group --name + +# Get the server's advanced threat protection setting +az mysql flexible-server advanced-threat-protection-setting show --resource-group --name +# List all of the maintenances of a flexible server +az mysql flexible-server maintenance list --resource-group --server-name +# List log files for a server. +az mysql flexible-server server-logs list --resource-group --server-name + +``` +{% endcode %} +{% endtab %} + +{% tab title="Az PowerShell" %} +{% code overflow="wrap" %} +```powershell +Get-Command -Module Az.MySql + +# Get all flexible servers in a resource group +Get-AzMySqlFlexibleServer -ResourceGroupName + +# List databases in a specific flexible server +Get-AzMySqlFlexibleServerDatabase -ResourceGroupName -ServerName + +# Get details of a specific database in a flexible server +Get-AzMySqlFlexibleServerDatabase -ResourceGroupName -ServerName -DatabaseName + +# List all firewall rules for a flexible server +Get-AzMySqlFlexibleServerFirewallRule -ResourceGroupName -ServerName + +# Get the identity information of a flexible server +Get-AzMySqlFlexibleServerIdentity -ResourceGroupName -ServerName + +# Get the server's advanced threat protection setting +Get-AzMySqlFlexibleServerAdvancedThreatProtection -ResourceGroupName -ServerName + +# List configuration settings of a flexible server +Get-AzMySqlFlexibleServerConfiguration -ResourceGroupName -ServerName +# Get the connection string for a flexible server +Get-AzMySqlFlexibleServerConnectionString -ResourceGroupName -ServerName -Client + +# List all read replicas for a given server +Get-AzMySqlFlexibleServerReplica -ResourceGroupName -ServerName + +# Get the maintenance window details for a flexible server +Get-AzMySqlFlexibleServerMaintenanceWindow -ResourceGroupName -ServerName + +# List log files for a server +Get-AzMySqlFlexibleServerLog -ResourceGroupName -ServerName +``` +{% endcode %} +{% endtab %} +{% endtabs %} + +### Connection + +With the extension rdbms-connect you can access the database with: + +{% code overflow="wrap" %} +```bash +az mysql flexible-server connect -n -u -p --interactive + +#or execute commands +az mysql flexible-server execute \ + -n \ + -u \ + -p "" \ + -d \ + --querytext "SELECT * FROM ;" + +``` +{% endcode %} + +Or with the MySQL native extension plugin +{% code overflow="wrap" %} +```bash +mysql -h .mysql.database.azure.com -P 3306 -u -p +``` +{% endcode %} + +Also you can execute queries with github but the password and user are also needed. You need to set up a sql file with the query to run and then: +{% code overflow="wrap" %} +```bash +# Setup +az mysql flexible-server deploy setup \ + -s \ + -g \ + -u \ + -p "" \ + --sql-file \ + --repo \ + --branch \ + --action-name \ + --allow-push + +# Run it +az mysql flexible-server deploy run \ + --action-name \ + --branch +``` +{% endcode %} + +## Privilege Escalation + +{% content-ref url="../az-privilege-escalation/az-mysql-privesc.md" %} +[az-mysql-privesc.md](../az-privilege-escalation/az-mysql-privesc.md) +{% endcontent-ref %} + +## Post Exploitation + +{% content-ref url="../az-post-exploitation/az-mysql-post-exploitation.md" %} +[az-sql-mysql-exploitation.md](../az-post-exploitation/az-mysql-post-exploitation.md) +{% endcontent-ref %} + +## ToDo + +* Look a way to access with mysql flexible-server ad-admin to verify its a privesc method + + + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/src/pentesting-cloud/azure-security/az-services/az-postgresql.md b/src/pentesting-cloud/azure-security/az-services/az-postgresql.md new file mode 100644 index 0000000000..701ed0bf8d --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-services/az-postgresql.md @@ -0,0 +1,173 @@ +# Az - PostgreSQL Databases + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Azure PostgreSQL +**Azure Database for PostgreSQL** is a fully managed **relational database service based on the PostgreSQL** Community Edition. It is designed to provide scalability, security, and flexibility for diverse application needs. Similar to Azure MySQL, PostgreSQL offers two deployment models: + +* **Single Server** (on the retirement path): + - Optimized for straightforward, cost-effective PostgreSQL deployments. + - Features automated backups, basic monitoring, and high availability. + - Ideal for applications with predictable workloads. +* **Flexible Server**: + - Provides greater control over database management and configuration. + - Supports high availability, both in the same zone and across zones. + - Features elastic scaling, automated maintenance, and cost-saving functionality. + - Allows starting and stopping the server to optimize costs. + +### Key Features + +* **Custom Maintenance Windows**: Schedule updates to minimize disruption. +* **Active Monitoring**: Access detailed metrics and logs to track and improve database performance. +* **Stop/Start Server**: Users can stop and start the server. +* **Automatic Backups**: Built-in daily backups with retention periods configurable up to 35 days. +* **Role-Based Access**: Control user permissions and administrative access through Azure Active Directory. +* **Security and Networking**: can manage server firewall rules for secure database access and detach virtual network configurations as needed. + +### Enumeration + +{% tabs %} +{% tab title="az cli" %} +{% code overflow="wrap" %} +```bash +# List servers in a resource group +az postgres flexible-server list --resource-group +# List databases in a flexible-server +az postgres flexible-server db list --resource-group --server-name +# Show specific details of a Postgre database +az postgres flexible-server db show --resource-group --server-name --database-name + +# List firewall rules of the a server +az postgres flexible-server firewall-rule list --resource-group --name +# List parameter values for a felxible server +az postgres flexible-server parameter list --resource-group --server-name +# List private link +az postgres flexible-server private-link-resource list --resource-group --server-name + +# List all ad-admin in a server +az postgres flexible-server ad-admin list --resource-group --server-name +# List all user assigned managed identities from the server +az postgres flexible-server identity list --resource-group --server-name + +# List the server backups +az postgres flexible-server backup list --resource-group --name +# List all read replicas for a given server +az postgres flexible-server replica list --resource-group --name +# List migrations +az postgres flexible-server migration list --resource-group --name + +# Get the server's advanced threat protection setting +az postgres flexible-server advanced-threat-protection-setting show --resource-group --name +# List all of the maintenances of a flexible server +az postgres flexible-server maintenance list --resource-group --server-name +# List log files for a server. +az postgres flexible-server server-logs list --resource-group --server-name + +``` +{% endcode %} +{% endtab %} + +{% tab title="Az PowerShell" %} +{% code overflow="wrap" %} +```powershell +Get-Command -Module Az.PostgreSql + +# List flexible-servers in a resource group +Get-AzPostgreSqlFlexibleServer -ResourceGroupName +# List databases in a flexible-server +Get-AzPostgreSqlFlexibleServerDatabase -ResourceGroupName -ServerName + +# List firewall rules of the a flexible-server +Get-AzPostgreSqlFlexibleServerFirewallRule -ResourceGroupName -ServerName + +# List configuration settings of a flexible server +Get-AzPostgreSqlFlexibleServerConfiguration -ResourceGroupName -ServerName +# Get the connection string for a flexible server +Get-AzPostgreSqlFlexibleServerConnectionString -ResourceGroupName -ServerName -Client + +Get-AzPostgreSqlFlexibleServerLocationBasedCapability -Location + +# List servers in a resource group +Get-AzPostgreSqlServer -ResourceGroupName + +``` +{% endcode %} +{% endtab %} +{% endtabs %} + +### Connection + +With the extension rdbms-connect you can access the database with: + +{% code overflow="wrap" %} +```bash +az postgres flexible-server connect -n -u -p --interactive + +#or execute commands +az postgres flexible-server execute \ + -n \ + -u \ + -p "" \ + -d \ + --querytext "SELECT * FROM ;" + +``` +{% endcode %} + +Or +{% code overflow="wrap" %} +```bash +psql -h testpostgresserver1994.postgres.database.azure.com -p 5432 -U adminuser +``` +{% endcode %} + +## References + +* [https://learn.microsoft.com/en-us/azure/postgresql/](https://learn.microsoft.com/en-us/azure/postgresql/) +* [https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/service-overview](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/service-overview) +* [https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/overview](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/overview) + +## Privilege Escalation + +{% content-ref url="../az-privilege-escalation/az-postgresql-privesc.md" %} +[az-postgresql-privesc.md](../az-privilege-escalation/az-postgresql-privesc.md) +{% endcontent-ref %} + +## Post Exploitation + +{% content-ref url="../az-post-exploitation/az-postgresql-post-exploitation.md" %} +[az-postgresql-post-exploitation.md](../az-post-exploitation/az-postgresql-post-exploitation.md) +{% endcontent-ref %} + +## ToDo + +* Look a way to access with ad-admin to verify its a privesc method + + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} From d01c2aefe4c211de54524f7f8ced37bc370ea427 Mon Sep 17 00:00:00 2001 From: Jaime Polop <117489620+JaimePolop@users.noreply.github.com> Date: Fri, 10 Jan 2025 11:02:38 +0100 Subject: [PATCH 2/8] Add files via upload --- .../az-cosmosDB-post-exploitation.md | 243 ++++++++++++++++++ .../az-mysql-post-exploitation.md | 167 ++++++++++++ .../az-postgresql-post-exploitation.md | 155 +++++++++++ 3 files changed, 565 insertions(+) create mode 100644 src/pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md create mode 100644 src/pentesting-cloud/azure-security/az-post-exploitation/az-mysql-post-exploitation.md create mode 100644 src/pentesting-cloud/azure-security/az-post-exploitation/az-postgresql-post-exploitation.md diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md new file mode 100644 index 0000000000..e2cefc834c --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md @@ -0,0 +1,243 @@ +# Az - CosmosDB Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## CosmosDB Post Exploitation +For more information about SQL Database check: + +{% content-ref url="../az-services/az-postgresql.md" %} +[az-postgresql.md](../az-services/az-postgresql.md) +{% endcontent-ref %} + + +### "Microsoft.DocumentDB/databaseAccounts/read" && "Microsoft.DocumentDB/databaseAccounts/write" +With this permission, you can create or update Azure Cosmos DB accounts. This includes modifying account-level settings, adding or removing regions, changing consistency levels, and enabling or disabling features like multi-region writes. + +{% code overflow="wrap" %} +```bash +az cosmosdb update \ + --name \ + --resource-group \ + --public-network-access ENABLED +``` +{% endcode %} + +### "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write" +With this permission, you can create or modify containers (collections) within a SQL database of an Azure Cosmos DB account. Containers are used to store data, and changes to them can impact the database's structure and access patterns. + +{% code overflow="wrap" %} +```bash +# Create +az cosmosdb sql container create \ + --account-name \ + --resource-group \ + --database-name \ + --name \ + --partition-key-path + +#Update +az cosmosdb sql container update \ + --account-name \ + --resource-group \ + --database-name \ + --name \ + --ttl 3600 +``` +{% endcode %} + +### "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read" +With this permission, you can create or modify SQL databases within an Azure Cosmos DB account. This allows for managing the database structure and adding new databases to the account. While this permission enables database creation, improper or unauthorized use could result in unnecessary resource consumption, increased costs, or operational inefficiencies. + +{% code overflow="wrap" %} +```bash +az cosmosdb sql database create \ + --account-name \ + --resource-group \ + --name +``` +{% endcode %} + +### "Microsoft.DocumentDB/databaseAccounts/failoverPriorityChange/action" + +With this permission, you can change the failover priority of regions for an Azure Cosmos DB database account. This action determines the order in which regions become primary during a failover event. Improper use of this permission can disrupt the high availability of the database or lead to unintended operational impacts. + +{% code overflow="wrap" %} +```bash +az cosmosdb failover-priority-change \ + --name \ + --resource-group \ + --failover-policies + +``` +{% endcode %} + +### "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action" +With this permission, you can regenerate the primary or secondary keys for an Azure Cosmos DB account. This is typically used to enhance security by replacing old keys, but it can disrupt access for services or applications that rely on the current keys. + +{% code overflow="wrap" %} +```bash +az cosmosdb keys regenerate \ + --name \ + --resource-group \ + --key-kind + +``` +{% endcode %} + +### "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/write" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/read" + +With this permission, you can create or modify triggers within a container of a SQL database in an Azure Cosmos DB account. Triggers allow you to execute server-side logic in response to operations. + +{% code overflow="wrap" %} +```bash +az cosmosdb sql trigger create \ + --account-name \ + --resource-group \ + --database-name \ + --container-name \ + --name \ + --body 'function trigger() { var context = getContext(); var request = context.getRequest(); request.setBody("Triggered operation!"); }' \ + --type Pre \ + --operation All +``` +{% endcode %} + +### "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/write" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/read" +With this permission, you can create or modify stored procedures within a container of a SQL database in an Azure Cosmos DB account. Stored procedures in Cosmos DB are server-side JavaScript functions that allow you to encapsulate logic for processing data or performing operations directly within the database. + +{% code overflow="wrap" %} +```bash +az cosmosdb sql stored-procedure create \ + --account-name \ + --resource-group \ + --database-name \ + --container-name \ + --name \ + --body 'function sample() { return "Hello, Cosmos!"; }' +``` +{% endcode %} + +### "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/read" +With this permission, you can create or modify triggers within a container of a SQL database in an Azure Cosmos DB account. Triggers allow you to execute server-side logic in response to operations like inserts, updates, or deletes. + +{% code overflow="wrap" %} +```bash +az cosmosdb sql trigger create \ + --account-name \ + --resource-group \ + --database-name \ + --container-name \ + --name \ + --body 'function trigger() { var context = getContext(); var request = context.getRequest(); request.setBody("Triggered operation!"); }' \ + --type Pre \ + --operation All +``` +{% endcode %} + +### "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read" && "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/write" +With this permission, you can create or modify collections within MongoDB databases in an Azure Cosmos DB account. Collections are used to store documents and define the structure and partitioning for data. + +{% code overflow="wrap" %} +```bash +az cosmosdb mongodb collection create \ + --account-name \ + --resource-group \ + --database-name \ + --name +``` +{% endcode %} + +### "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/write" && "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read" +With this permission, you can create new MongoDB databases within an Azure Cosmos DB account. This allows for provisioning new databases to store and manage collections and documents. + +{% code overflow="wrap" %} +```bash +az cosmosdb mongodb database create \ + --account-name \ + --resource-group \ + --name +``` +{% endcode %} + +### "Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write" && "Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/read" +With this permission, you can create new MongoDB role definitions within an Azure Cosmos DB account. This allows defining custom roles with specific permissions for MongoDB users. + +{% code overflow="wrap" %} +```bash +az cosmosdb mongodb role definition create \ + --account-name \ + --resource-group \ + --body '{ + "Id": ".readWriteRole", + "RoleName": "readWriteRole", + "Type": "CustomRole", + "DatabaseName": "", + "Privileges": [ + { + "Resource": { + "Db": "", + "Collection": "mycollection" + }, + "Actions": [ + "insert", + "find", + "update" + ] + } + ], + "Roles": [] + }' +``` +{% endcode %} + +### "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write" && "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read" +With this permission, you can create new MongoDB user definitions within an Azure Cosmos DB account. This allows the provisioning of users with specific roles and access levels to MongoDB databases. +{% code overflow="wrap" %} +```bash +az cosmosdb mongodb user definition create \ + --account-name \ + --resource-group \ + --body '{ + "Id": ".myUser", + "UserName": "myUser", + "Password": "mySecurePassword", + "DatabaseName": "", + "CustomData": "TestCustomData", + "Mechanisms": "SCRAM-SHA-256", + "Roles": [ + { + "Role": "readWriteRole", + "Db": "" + } + ] + }' +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-mysql-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-mysql-post-exploitation.md new file mode 100644 index 0000000000..710e687735 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-mysql-post-exploitation.md @@ -0,0 +1,167 @@ +# Az - MySQL Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## MySQL Database Post Exploitation +For more information about MySQL Database check: + +{% content-ref url="../az-services/az-mysql.md" %} +[az-mysql.md](../az-services/az-mysql.md) +{% endcontent-ref %} + +### "Microsoft.DBforMySQL/flexibleServers/databases/write" && "Microsoft.DBforMySQL/flexibleServers/databases/read" + +With this permission, you can create new databases within a MySQL Flexible Server instance on Azure. While this action itself does not modify existing resources, excessive or unauthorized creation of databases could lead to resource consumption, or potential misuse of the server. + +{% code overflow="wrap" %} +```bash +az mysql flexible-server db create \ + --server-name \ + --resource-group \ + --database-name +``` +{% endcode %} + +### "Microsoft.DBforMySQL/flexibleServers/backups/write" + +With this permission, you can initiate the creation of backups for a MySQL Flexible Server instance on Azure. This allows users to generate on-demand backups, which can be useful for preserving data at specific points in time. + +{% code overflow="wrap" %} +```bash +az mysql flexible-server backup create \ + --name \ + --resource-group + --backup-name +``` +{% endcode %} + +### "Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings/write" + +With this permission, you can configure or update the Advanced Threat Protection (ATP) settings for a MySQL Flexible Server instance on Azure. This allows enabling or diabling security features designed to detect and respond to anomalous activities and potential threats. + +{% code overflow="wrap" %} +```bash +az mysql flexible-server threat-protection-policy update \ + --name \ + --resource-group \ + --state +``` +{% endcode %} + +### "Microsoft.DBforMySQL/flexibleServers/firewallRules/write" + +With this permission, you can create or modify firewall rules for a MySQL Flexible Server instance on Azure. This allows control over which IP addresses or ranges can access the server. Unauthorized or improper use of this permission could expose the server to unwanted or malicious access. + +{% code overflow="wrap" %} +```bash +# Create Rule +az mysql flexible-server firewall-rule create \ + --name \ + --resource-group \ + --rule-name \ + --start-ip-address \ + --end-ip-address + +# Update Rule +az mysql flexible-server firewall-rule update \ + --name \ + --resource-group \ + --rule-name \ + --start-ip-address \ + --end-ip-address +``` +{% endcode %} + +### "Microsoft.DBforMySQL/flexibleServers/resetGtid/action" + +With this permission, you can reset the GTID (Global Transaction Identifier) for a MySQL Flexible Server instance on Azure. Resetting GTID will invalidate all the automated, on-demand backups and geo-backups that were taken before the reset action. After GTID reset, you will not be able to perform PITR (point-in-time-restore) using fastest restore point or by custom restore point if the selected restore time is before the GTID reset time. And successful geo-restore will be possible only after 5 days. + +{% code overflow="wrap" %} +```bash +az mysql flexible-server reset-gtid \ + --name \ + --resource-group \ + --gtid-set +``` +{% endcode %} + +### "Microsoft.DBforMySQL/flexibleServers/updateConfigurations/action" + +With this permission, you can update the configuration settings of a MySQL Flexible Server instance on Azure. This allows customization of server parameters such as performance tuning, security configurations, or operational settings. You can update the following parameters together in a batch: audit_log_enabled, audit_log_events, binlog_expire_logs_seconds, binlog_row_image, character_set_server, collation_server, connect_timeout, enforce_gtid_consistency, gtid_mode, init_connect, innodb_buffer_pool_size, innodb_io_capacity, innodb_io_capacity_max, innodb_purge_threads, innodb_read_io_threads, innodb_thread_concurrency, innodb_write_io_threads, long_query_time, max_connect_errors, and max_connections. + +{% code overflow="wrap" %} +```bash +az mysql flexible-server parameter set-batch \ + --resource-group \ + --server-name \ + --args max_connections= +``` +{% endcode %} + +### "Microsoft.DBforMySQL/flexibleServers/read", "Microsoft.DBforMySQL/flexibleServers/write" && "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action" + +With this permission, you can assign a user-assigned managed identity to MySQL flexible servers. + +{% code overflow="wrap" %} +```bash +az mysql flexible-server identity assign \ + --resource-group \ + --server-name \ + --identity +``` +{% endcode %} + +### "Microsoft.DBforMySQL/flexibleServers/stop/action" + +With this permission, you can stop a PostgreSQL Flexible Server instance on Azure. Stopping a server can lead to temporary service disruption, affecting applications and users dependent on the database. + +{% code overflow="wrap" %} +```bash +az mysql flexible-server stop \ + --name \ + --resource-group + ``` +{% endcode %} + +### "Microsoft.DBforMySQL/flexibleServers/start/action" +With this permission, you can start a stopped PostgreSQL Flexible Server instance on Azure. Starting a server restores its availability, enabling applications and users to reconnect and access the database. + +{% code overflow="wrap" %} +```bash +az mysql flexible-server start \ + --name \ + --resource-group +``` +{% endcode %} + +### "*/delete" + +With this permissions you can delete resources related to mysql server in Azure such as server, firewalls, managed identities or configurations + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-postgresql-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-postgresql-post-exploitation.md new file mode 100644 index 0000000000..82e8e594be --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-postgresql-post-exploitation.md @@ -0,0 +1,155 @@ +# Az - PostgreSQL Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## PostgreSQL Database Post Exploitation +For more information about PostgreSQL Database check: + +{% content-ref url="../az-services/az-postgresql.md" %} +[az-postgresql.md](../az-services/az-postgresql.md) +{% endcontent-ref %} + +### "Microsoft.DBforPostgreSQL/flexibleServers/databases/write" && "Microsoft.DBforPostgreSQL/flexibleServers/databases/read" + +With this permission, you can create new databases within a Postgres Flexible Server instance on Azure. While this action itself does not modify existing resources, excessive or unauthorized creation of databases could lead to resource consumption, or potential misuse of the server. + +{% code overflow="wrap" %} +```bash +az postgres flexible-server db create \ + --server-name \ + --resource-group \ + --database-name +``` +{% endcode %} + +### "Microsoft.DBforPostgreSQL/flexibleServers/backups/write" + +With this permission, you can initiate the creation of backups for a Postgres Flexible Server instance on Azure. This allows users to generate on-demand backups, which can be useful for preserving data at specific points in time. + +{% code overflow="wrap" %} +```bash +az postgres flexible-server backup create \ + --name \ + --resource-group + --backup-name +``` +{% endcode %} + +### "Microsoft.DBforPostgreSQL/flexibleServers/advancedThreatProtectionSettings/write" && "Microsoft.DBforPostgreSQL/flexibleServers/advancedThreatProtectionSettings/read" + +With this permission, you can configure or update the Advanced Threat Protection (ATP) settings for a Postgres Flexible Server instance on Azure. This allows enabling or diabling security features designed to detect and respond to anomalous activities and potential threats. + +{% code overflow="wrap" %} +```bash +az postgres flexible-server threat-protection-policy update \ + --name \ + --resource-group \ + --state +``` +{% endcode %} + +### "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/write", "Microsoft.DBforPostgreSQL/flexibleServers/read" && "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read" + +With this permission, you can create or modify firewall rules for a Postgres Flexible Server instance on Azure. This allows control over which IP addresses or ranges can access the server. Unauthorized or improper use of this permission could expose the server to unwanted or malicious access. + +{% code overflow="wrap" %} +```bash +# Create Rule +az postgres flexible-server firewall-rule create \ + --name \ + --resource-group \ + --rule-name \ + --start-ip-address \ + --end-ip-address + +# Update Rule +az postgres flexible-server firewall-rule update \ + --name \ + --resource-group \ + --rule-name \ + --start-ip-address \ + --end-ip-address +``` +{% endcode %} + +### "Microsoft.DBforPostgreSQL/flexibleServers/configurations/write" && "Microsoft.DBforPostgreSQL/flexibleServers/configurations/read" + +With this permission, you can update the configuration settings of a Postgres Flexible Server instance on Azure. This allows customization of server parameters such as performance tuning, security configurations, or operational settings. + +{% code overflow="wrap" %} +```bash +az postgres flexible-server parameter set \ + --resource-group \ + --server-name \ + --name \ + --value +``` +{% endcode %} + +### "Microsoft.DBforPostgreSQL/flexibleServers/stop/action" + +With this permission, you can stop a PostgreSQL Flexible Server instance on Azure. Stopping a server can lead to temporary service disruption, affecting applications and users dependent on the database. + +{% code overflow="wrap" %} +```bash +az postgres flexible-server stop \ + --name \ + --resource-group + ``` +{% endcode %} + +### "Microsoft.DBforPostgreSQL/flexibleServers/start/action" +With this permission, you can start a stopped PostgreSQL Flexible Server instance on Azure. Starting a server restores its availability, enabling applications and users to reconnect and access the database. + +{% code overflow="wrap" %} +```bash +az postgres flexible-server start \ + --name \ + --resource-group +``` +{% endcode %} + +### "Microsoft.DBforPostgreSQL/flexibleServers/read", "Microsoft.DBforPostgreSQL/flexibleServers/write" && "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action" + +With this permission, you can assign a user-assigned managed identity to postgres flexible servers. + +{% code overflow="wrap" %} +```bash +az postgres flexible-server identity assign \ + --resource-group \ + --server-name \ + --identity +``` +{% endcode %} + +### "*/delete" +With this permissions you can delete resources related to postgres server in Azure such as server, firewalls, managed identities or configurations + + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} From ef42000f0ecf3a4564bc6a950393cd02e17b9cd6 Mon Sep 17 00:00:00 2001 From: Jaime Polop <117489620+JaimePolop@users.noreply.github.com> Date: Fri, 10 Jan 2025 11:06:35 +0100 Subject: [PATCH 3/8] Add files via upload --- .../az-cosmosDB-privesc.md | 93 +++++++++++++++++++ .../az-mysql-privesc.md | 91 ++++++++++++++++++ .../az-postgresql-privesc.md | 93 +++++++++++++++++++ 3 files changed, 277 insertions(+) create mode 100644 src/pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md create mode 100644 src/pentesting-cloud/azure-security/az-privilege-escalation/az-mysql-privesc.md create mode 100644 src/pentesting-cloud/azure-security/az-privilege-escalation/az-postgresql-privesc.md diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md new file mode 100644 index 0000000000..071b9aff02 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md @@ -0,0 +1,93 @@ +# Az - CosmosDB Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## CosmosDB Privesc +For more information about SQL Database check: + +{% content-ref url="../az-services/az-cosmosDB.md" %} +[az-cosmosDB.md](../az-services/az-cosmosDB.md) +{% endcontent-ref %} + +### ("Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write", "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/read") & ("Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write", "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/read") + +With this permissions you can priviledge scalate giving a user the pemrissions to execute queries and connect to the database. First a definition role is created giving the necesary permissions and scopes. + +{% code overflow="wrap" %} +```bash +az cosmosdb sql role definition create \ + --account-name \ + --resource-group \ + --body '{ + "Id": "", # For example 12345678-1234-1234-1234-123456789az + "RoleName": "CustomReadRole", + "Type": "CustomRole", + "AssignableScopes": [ + "/subscriptions//resourceGroups/sqldatabase/providers/Microsoft.DocumentDB/databaseAccounts/" + ], + "Permissions": [ + { + "DataActions": [ + "Microsoft.DocumentDB/databaseAccounts/readMetadata", + "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read", + "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*" + ] + } + ] + }' +``` +{% endcode %} + +After that the assigment of the definition is given to a user. After this that user can use the DefaultAzureCredential() connection method to execute queries. + +{% code overflow="wrap" %} +```bash +az cosmosdb sql role assignment create \ + --account-name \ + --resource-group \ + --role-definition-id \ + --principal-id \ + --scope "/" +``` +{% endcode %} + +### "Microsoft.DocumentDB/databaseAccounts/listKeys/action" +With this permission, you can retrieve the primary and secondary keys for an Azure Cosmos DB account. These keys provide full access to the database account and its resources, enabling actions such as data reads, writes, and configuration changes. + +{% code overflow="wrap" %} +```bash +az cosmosdb keys list \ + --name \ + --resource-group + +``` +{% endcode %} + + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-mysql-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-mysql-privesc.md new file mode 100644 index 0000000000..f9214381b5 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-mysql-privesc.md @@ -0,0 +1,91 @@ +# Az - MySQL Database Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## MySQL Database Privesc +For more information about SQL Database check: + +{% content-ref url="../az-services/az-mysql.md" %} +[az-mysql.md](../az-services/az-mysql.md) +{% endcontent-ref %} + +### ""Microsoft.DBforMySQL/flexibleServers/read" && "Microsoft.DBforMySQL/flexibleServers/write" + +With this permission, you can create, update, or delete MySQL Flexible Server instances on Azure. This includes provisioning new servers, modifying existing server configurations, or decommissioning servers. + +{% code overflow="wrap" %} +```bash +az mysql flexible-server create \ + --name \ + --resource-group \ + --location \ + --admin-user \ + --admin-password \ + --sku-name \ + --storage-size \ + --tier \ + --version +``` +{% endcode %} + +For example, this permissions allow changing the MySQL password, usefull of course in case that MySQL authentication is enabled. + +{% code overflow="wrap" %} +```bash +az mysql flexible-server update \ + --resource-group \ + --name \ + --admin-password +``` +{% endcode %} + +Additionally it is necesary to have the public access enabled if you want to access from a non private endpoint, to enable it: + +{% code overflow="wrap" %} +```bash +az mysql flexible-server update --resource-group --server-name --public-access Enabled +``` +{% endcode %} + +### ""Microsoft.DBforMySQL/flexibleServers/read", "Microsoft.DBforMySQL/flexibleServers/write", "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", "Microsoft.DBforMySQL/flexibleServers/administrators/write" && "Microsoft.DBforMySQL/flexibleServers/administrators/read"" + +With this permission, you can configure Azure Active Directory (AD) administrators for a MySQL Flexible Server. This can be exploited by setting oneself or another account as the AD administrator, granting full administrative control over the MySQL server. It's important that the flexible-server has a user assigned managed identities to use. + +{% code overflow="wrap" %} +```bash +az mysql flexible-server ad-admin create \ + --resource-group \ + --server-name \ + --display-name \ + --identity \ + --object-id +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-postgresql-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-postgresql-privesc.md new file mode 100644 index 0000000000..055b416244 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-postgresql-privesc.md @@ -0,0 +1,93 @@ +# Az - PostgreSQL Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## PostgreSQL Privesc +For more information about SQL Database check: + +{% content-ref url="../az-services/az-postgresql.md" %} +[az-postgresql.md](../az-services/az-postgresql.md) +{% endcontent-ref %} + +### "Microsoft.DBforPostgreSQL/flexibleServers/read" && "Microsoft.DBforPostgreSQL/flexibleServers/write" + +With this permission, you can create, update, or delete PostgreSQL Flexible Server instances on Azure. This includes provisioning new servers, modifying existing server configurations, or decommissioning servers. + +{% code overflow="wrap" %} +```bash +az postgres flexible-server create \ + --name \ + --resource-group \ + --location \ + --admin-user \ + --admin-password \ + --sku-name \ + --storage-size \ + --tier \ + --version +``` +{% endcode %} + +For example, this permissions allow changing the PostgreSQL password, usefull of course in case that PostgreSQL authentication is enabled. + +{% code overflow="wrap" %} +```bash +az postgres flexible-server update \ + --resource-group \ + --name \ + --admin-password +``` +{% endcode %} + +Additionally it is necesary to have the public access enabled if you want to access from a non private endpoint, to enable it: + +{% code overflow="wrap" %} +```bash +az postgres flexible-server update --resource-group --server-name --public-access Enabled +``` +{% endcode %} + +### "Microsoft.DBforPostgreSQL/flexibleServers/read", "Microsoft.DBforPostgreSQL/flexibleServers/write", "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", "Microsoft.DBforPostgreSQL/flexibleServers/administrators/write" && "Microsoft.DBforPostgreSQL/flexibleServers/administrators/read" + +With this permission, you can configure Azure Active Directory (AD) administrators for a PostgreSQL Flexible Server. This can be exploited by setting oneself or another account as the AD administrator, granting full administrative control over the PostgreSQL server. Updating existing principal is not supported yet so if there is one created you must delete it first. + +It's important that the flexible-server has a user assigned managed identities to use. + +{% code overflow="wrap" %} +```bash +az postgres flexible-server ad-admin create \ + --resource-group \ + --server-name \ + --display-name \ + --identity \ + --object-id +``` +{% endcode %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** πŸ’¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} From b4d98e91e1fc065da8c4bd26dfb6e6026b477fd4 Mon Sep 17 00:00:00 2001 From: Jaime Polop <117489620+JaimePolop@users.noreply.github.com> Date: Fri, 10 Jan 2025 11:26:58 +0100 Subject: [PATCH 4/8] Update az-cosmosDB.md --- .../azure-security/az-services/az-cosmosDB.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/pentesting-cloud/azure-security/az-services/az-cosmosDB.md b/src/pentesting-cloud/azure-security/az-services/az-cosmosDB.md index 08e5e2fe6e..c32406c283 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-cosmosDB.md +++ b/src/pentesting-cloud/azure-security/az-services/az-cosmosDB.md @@ -326,14 +326,14 @@ print(f"Inserted document with ID: {result.inserted_id}") ## Privilege Escalation -{% content-ref url="../az-privilege-escalation/az-sql-privesc.md" %} -[az-sql-privesc.md](../az-privilege-escalation/az-sql-privesc.md) +{% content-ref url="../az-privilege-escalation/az-cosmosDB-privesc.md" %} +[az-cosmosDB-privesc.md](../az-privilege-escalation/az-cosmosDB-privesc.md) {% endcontent-ref %} ## Post Exploitation -{% content-ref url="../az-post-exploitation/az-sql-post-exploitation.md" %} -[az-sql-post-exploitation.md](../az-post-exploitation/az-sql-post-exploitation.md) +{% content-ref url="../az-post-exploitation/az-cosmosDB-post-exploitation.md" %} +[az-cosmosDB-post-exploitation.md](../az-post-exploitation/az-sql-post-exploitation.md) {% endcontent-ref %} ## ToDo From 504147d1ab2cef25c7bd722cc1227eea418553e2 Mon Sep 17 00:00:00 2001 From: Jaime Polop <117489620+JaimePolop@users.noreply.github.com> Date: Fri, 10 Jan 2025 11:28:42 +0100 Subject: [PATCH 5/8] Update az-cosmosDB-post-exploitation.md --- .../az-post-exploitation/az-cosmosDB-post-exploitation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md index e2cefc834c..0c64abc058 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md @@ -18,8 +18,8 @@ Learn & practice GCP Hacking: Date: Fri, 10 Jan 2025 11:32:04 +0100 Subject: [PATCH 6/8] Update SUMMARY.md --- src/SUMMARY.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 42681ba623..b7d50def28 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -418,6 +418,9 @@ - [Az - Queue Storage](pentesting-cloud/azure-security/az-services/az-queue-enum.md) - [Az - Service Bus](pentesting-cloud/azure-security/az-services/az-servicebus-enum.md) - [Az - SQL](pentesting-cloud/azure-security/az-services/az-sql.md) + - [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql.md) + - [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql.md) + - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB.md) - [Az - Static Web Applications](pentesting-cloud/azure-security/az-services/az-static-web-apps.md) - [Az - Storage Accounts & Blobs](pentesting-cloud/azure-security/az-services/az-storage.md) - [Az - Table Storage](pentesting-cloud/azure-security/az-services/az-table-storage.md) @@ -450,6 +453,9 @@ - [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md) - [Az - Table Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md) - [Az - SQL Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md) + - [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql-post-exploitation.md) + - [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql-post-exploitation.md) + - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB-post-exploitation.md) - [Az - VMs & Network Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md) - [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md) - [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md) @@ -465,6 +471,9 @@ - [Az - Static Web App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md) - [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md) - [Az - SQL Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md) + - [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql-privesc.md) + - [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql-privesc.md) + - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB-privesc.md) - [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md) - [Az - Queue Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md) - [Az - VMs Persistence](pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md) From 586a3813e42d11de83f6a698575fb75525045862 Mon Sep 17 00:00:00 2001 From: Jimmy Date: Fri, 10 Jan 2025 16:34:21 +0100 Subject: [PATCH 7/8] Update URLs --- src/SUMMARY.md | 8 ++++---- .../cloudflare-security/cloudflare-domains.md | 2 +- .../github-security/abusing-github-actions/README.md | 2 +- src/pentesting-cloud/aws-security/README.md | 6 +++--- .../aws-basic-information/aws-federation-abuse.md | 2 +- .../aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md | 2 +- .../aws-post-exploitation/aws-ecr-post-exploitation.md | 2 +- .../aws-post-exploitation/aws-ecs-post-exploitation.md | 2 +- .../aws-privilege-escalation/aws-lambda-privesc.md | 2 +- .../aws-security/aws-services/aws-documentdb-enum.md | 2 +- .../aws-security/aws-services/aws-dynamodb-enum.md | 4 ++-- .../aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md | 2 +- .../aws-services/aws-relational-database-rds-enum.md | 2 +- .../aws-cloudtrail-enum.md | 2 +- .../aws-ec2-unauthenticated-enum.md | 4 ++-- src/pentesting-cloud/azure-security/README.md | 6 +++--- .../az-pass-the-cookie.md | 6 +++--- .../azure-ad-connect-hybrid-identity/federation.md | 4 ++-- .../az-lateral-movement-cloud-on-prem/pass-the-prt.md | 2 +- .../azure-security/az-persistence/az-vms-persistence.md | 2 +- .../az-virtual-machines-and-network-privesc.md | 2 +- .../azure-security/az-services/az-function-apps.md | 2 +- .../azure-security/az-services/vms/README.md | 2 +- .../az-unauthenticated-enum-and-initial-entry/README.md | 2 +- src/pentesting-cloud/digital-ocean-pentesting/README.md | 2 +- src/pentesting-cloud/gcp-security/README.md | 6 +++--- .../gcp-persistence/gcp-artifact-registry-persistence.md | 2 +- .../gcp-persistence/gcp-non-svc-persistance.md | 2 +- .../gcp-local-privilege-escalation-ssh-pivoting.md | 2 +- .../gcp-compute-instances-enum/gcp-compute-instance.md | 2 +- .../gcp-cloud-sql-unauthenticated-enum.md | 2 +- .../gcp-compute-unauthenticated-enum.md | 2 +- src/pentesting-cloud/ibm-cloud-pentesting/README.md | 2 +- .../attacking-kubernetes-from-inside-a-pod.md | 4 ++-- .../gws-google-platforms-phishing/README.md | 4 ++-- 35 files changed, 51 insertions(+), 51 deletions(-) diff --git a/src/SUMMARY.md b/src/SUMMARY.md index e38960b3a8..98c93db10b 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -3,8 +3,8 @@ # πŸ‘½ Welcome! - [HackTricks Cloud](README.md) -- [About the Author$$external:https://book.hacktricks.xyz/welcome/about-the-author$$]() -- [HackTricks Values & faq$$external:https://book.hacktricks.xyz/welcome/hacktricks-values-and-faq$$]() +- [About the Author$$external:https://book.hacktricks.wiki/en/welcome/about-the-author.html$$]() +- [HackTricks Values & faq$$external:https://book.hacktricks.wiki/en/welcome/hacktricks-values-and-faq.html$$]() # 🏭 Pentesting CI/CD @@ -510,8 +510,8 @@ # πŸ›« Pentesting Network Services -- [HackTricks Pentesting Network$$external:https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network$$]() -- [HackTricks Pentesting Services$$external:https://book.hacktricks.xyz/network-services-pentesting/pentesting-ssh$$]() +- [HackTricks Pentesting Network$$external:https://book.hacktricks.wiki/en/generic-methodologies-and-resources/pentesting-network/index.html$$]() +- [HackTricks Pentesting Services$$external:https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-ssh.html$$]() diff --git a/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md b/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md index d11fb1b191..a62d62e26d 100644 --- a/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md +++ b/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md @@ -24,7 +24,7 @@ In each TLD configured in Cloudflare there are some **general settings and servi - [ ] Check that **DNSSEC** is **enabled** - [ ] Check that **CNAME Flattening** is **used** in **all CNAMEs** - This is could be useful to **hide subdomain takeover vulnerabilities** and improve load timings -- [ ] Check that the domains [**aren't vulnerable to spoofing**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing) +- [ ] Check that the domains [**aren't vulnerable to spoofing**](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-smtp/index.html#mail-spoofing) ### **Email** diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md index b9b7a2152f..80e01d81b5 100644 --- a/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md +++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md @@ -553,7 +553,7 @@ docker pull ghcr.io//: Then, the user could search for **leaked secrets in the Docker image layers:** {{#ref}} -https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics +https://book.hacktricks.wiki/en/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.html {{#endref}} ### Sensitive info in Github Actions logs diff --git a/src/pentesting-cloud/aws-security/README.md b/src/pentesting-cloud/aws-security/README.md index 2b5321f9fc..989e3df9bb 100644 --- a/src/pentesting-cloud/aws-security/README.md +++ b/src/pentesting-cloud/aws-security/README.md @@ -37,7 +37,7 @@ From a Red Team point of view, the **first step to compromise an AWS environment - **Social** Engineering - **Password** reuse (password leaks) - Vulnerabilities in AWS-Hosted Applications - - [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint + - [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint - **Local File Read** - `/home/USERNAME/.aws/credentials` - `C:\Users\USERNAME\.aws\credentials` @@ -67,7 +67,7 @@ aws-permissions-for-a-pentest.md If you found a SSRF in a machine inside AWS check this page for tricks: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html {{#endref}} ### Whoami @@ -147,7 +147,7 @@ As pentester/red teamer you should always check if you can find **sensitive info In this book you should find **information** about how to find **exposed AWS services and how to check them**. About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in: {{#ref}} -https://book.hacktricks.xyz/ +https://book.hacktricks.wiki/ {{#endref}} ## Compromising the Organization diff --git a/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md b/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md index 73ae6b448e..2b246f5f05 100644 --- a/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md +++ b/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md @@ -7,7 +7,7 @@ For info about SAML please check: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/saml-attacks +https://book.hacktricks.wiki/en/pentesting-web/saml-attacks/index.html {{#endref}} In order to configure an **Identity Federation through SAML** you just need to provide a **name** and the **metadata XML** containing all the SAML configuration (**endpoints**, **certificate** with public key) diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md index 9ae6a0a4f2..bfd300c700 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md @@ -113,7 +113,7 @@ One of the scenarios where this is useful is pivoting from a [Bastion Host](http aws ssm start-session --target "$INSTANCE_ID" ``` -3. Get the Bastion EC2 AWS temporary credentials with the [Abusing SSRF in AWS EC2 environment](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#abusing-ssrf-in-aws-ec2-environment) script +3. Get the Bastion EC2 AWS temporary credentials with the [Abusing SSRF in AWS EC2 environment](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#abusing-ssrf-in-aws-ec2-environment) script 4. Transfer the credentials to your own machine in the `$HOME/.aws/credentials` file as `[bastion-ec2]` profile 5. Log in to EKS as the Bastion EC2: diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md index a971ea769f..04d0f88340 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md @@ -51,7 +51,7 @@ aws ecr get-download-url-for-layer \ After downloading the images you should **check them for sensitive info**: {{#ref}} -https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics +https://book.hacktricks.wiki/en/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.html {{#endref}} ### `ecr:PutLifecyclePolicy` | `ecr:DeleteRepository` | `ecr-public:DeleteRepository` | `ecr:BatchDeleteImage` | `ecr-public:BatchDeleteImage` diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md index 1d2fd80a55..f099d67086 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md @@ -16,7 +16,7 @@ In ECS an **IAM role can be assigned to the task** running inside the container. Which means that if you manage to **compromise** an ECS instance you can potentially **obtain the IAM role associated to the ECR and to the EC2 instance**. For more info about how to get those credentials check: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html {{#endref}} > [!CAUTION] diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md index 8fcba3182b..e0c5ce1dc5 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md @@ -194,7 +194,7 @@ aws --profile none-priv lambda update-function-configuration --function-name --master-user-password There are ways to access DynamoDB data with **SQL syntax**, therefore, typical **SQL injections are also possible**. {{#ref}} -https://book.hacktricks.xyz/pentesting-web/sql-injection +https://book.hacktricks.wiki/en/pentesting-web/sql-injection/index.html {{#endref}} {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md index 780f52f6e8..0f666a6207 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md @@ -145,7 +145,7 @@ print(response) For more information about CSV Injections check the page: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/formula-injection +https://book.hacktricks.wiki/en/pentesting-web/formula-csv-doc-latex-ghostscript-injection.html {{#endref}} For more information about this specific technique check [https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/](https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/) diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md index 657bf7f3a2..33843df5f8 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md @@ -17,7 +17,7 @@ It's possible to expose the **any port of the virtual machines to the internet** #### SSRF {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html {{#endref}} ### Public AMIs & EBS Snapshots @@ -39,7 +39,7 @@ aws ec2 describe-snapshots --restorable-by-user-ids all aws ec2 describe-snapshots --restorable-by-user-ids all | jq '.Snapshots[] | select(.OwnerId == "099720109477")' ``` -If you find a snapshot that is restorable by anyone, make sure to check [AWS - EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump) for directions on downloading and looting the snapshot. +If you find a snapshot that is restorable by anyone, make sure to check [AWS - EBS Snapshot Dump](https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/index.html#ebs-snapshot-dump) for directions on downloading and looting the snapshot. #### Public URL template diff --git a/src/pentesting-cloud/azure-security/README.md b/src/pentesting-cloud/azure-security/README.md index fc7b3fd91e..1767f09b00 100644 --- a/src/pentesting-cloud/azure-security/README.md +++ b/src/pentesting-cloud/azure-security/README.md @@ -18,7 +18,7 @@ From a Red Team point of view, the **first step to compromise an Azure environme - **Social** Engineering - **Password** reuse (password leaks) - Vulnerabilities in Azure-Hosted Applications - - [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint + - [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint - **Local File Read** - `/home/USERNAME/.azure` - `C:\Users\USERNAME\.azure` @@ -29,7 +29,7 @@ From a Red Team point of view, the **first step to compromise an Azure environme Use `Disconnect-AzAccount` to remove them. - 3rd parties **breached** - **Internal** Employee -- [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or Oauth App) +- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) (credentials or Oauth App) - [Device Code Authentication Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md) - [Azure **Password Spraying**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md) @@ -52,7 +52,7 @@ az-unauthenticated-enum-and-initial-entry/ If you found a SSRF in a machine inside Azure check this page for tricks: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html {{#endref}} ### Bypass Login Conditions diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md index 4b4242d471..194e997ef1 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md @@ -9,15 +9,15 @@ Browser **cookies** are a great mechanism to **bypass authentication and MFA**. You can see where are **browser cookies located** in: {{#ref}} -https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts?q=browse#google-chrome +https://book.hacktricks.wiki/en/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#google-chrome {{#endref}} ## Attack -The challenging part is that those **cookies are encrypted** for the **user** via the Microsoft Data Protection API (**DPAPI**). This is encrypted using cryptographic [keys tied to the user](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) the cookies belong to. You can find more information about this in: +The challenging part is that those **cookies are encrypted** for the **user** via the Microsoft Data Protection API (**DPAPI**). This is encrypted using cryptographic [keys tied to the user](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html) the cookies belong to. You can find more information about this in: {{#ref}} -https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords +https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html {{#endref}} With Mimikatz in hand, I am able to **extract a user’s cookies** even though they are encrypted with this command: diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md index 95a3ceff1f..446a0dddba 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md @@ -32,7 +32,7 @@ In any federation setup there are three parties: **If you want to learn more about SAML authentication and common attacks go to:** {{#ref}} -https://book.hacktricks.xyz/pentesting-web/saml-attacks +https://book.hacktricks.wiki/en/pentesting-web/saml-attacks/index.html {{#endref}} ## Pivoting @@ -56,7 +56,7 @@ https://book.hacktricks.xyz/pentesting-web/saml-attacks The process where an **Identity Provider (IdP)** produces a **SAMLResponse** to authorize user sign-in is paramount. Depending on the IdP's specific implementation, the **response** might be **signed** or **encrypted** using the **IdP's private key**. This procedure enables the **Service Provider (SP)** to confirm the authenticity of the SAMLResponse, ensuring it was indeed issued by a trusted IdP. -A parallel can be drawn with the [golden ticket attack](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket), where the key authenticating the user’s identity and permissions (KRBTGT for golden tickets, token-signing private key for golden SAML) can be manipulated to **forge an authentication object** (TGT or SAMLResponse). This allows impersonation of any user, granting unauthorized access to the SP. +A parallel can be drawn with the [golden ticket attack](https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/index.html#golden-ticket), where the key authenticating the user’s identity and permissions (KRBTGT for golden tickets, token-signing private key for golden SAML) can be manipulated to **forge an authentication object** (TGT or SAMLResponse). This allows impersonation of any user, granting unauthorized access to the SP. Golden SAMLs offer certain advantages: diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md index 70d00d7497..1440fb4857 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md @@ -173,7 +173,7 @@ Then go to [https://portal.azure.com](https://portal.azure.com) #### Steps 1. The **PRT (Primary Refresh Token) is extracted from LSASS** (Local Security Authority Subsystem Service) and stored for subsequent use. -2. The **Session Key is extracted next**. Given that this key is initially issued and then re-encrypted by the local device, it necessitates decryption using a DPAPI masterkey. Detailed information about DPAPI (Data Protection API) can be found in these resources: [HackTricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) and for an understanding of its application, refer to [Pass-the-cookie attack](az-pass-the-cookie.md). +2. The **Session Key is extracted next**. Given that this key is initially issued and then re-encrypted by the local device, it necessitates decryption using a DPAPI masterkey. Detailed information about DPAPI (Data Protection API) can be found in these resources: [HackTricks](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html) and for an understanding of its application, refer to [Pass-the-cookie attack](az-pass-the-cookie.md). 3. Post decryption of the Session Key, the **derived key and context for the PRT are obtained**. These are crucial for the **creation of the PRT cookie**. Specifically, the derived key is employed for signing the JWT (JSON Web Token) that constitutes the cookie. A comprehensive explanation of this process has been provided by Dirk-jan, accessible [here](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/). > [!CAUTION] diff --git a/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md b/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md index cd1a0c3f3a..795fcfaf5d 100644 --- a/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md +++ b/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md @@ -19,7 +19,7 @@ An attacker identifies applications, extensions or images being frequently used An attacker could get access to the instances and backdoor them: - Using a traditional **rootkit** for example -- Adding a new **public SSH key** (check [EC2 privesc options](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc)) +- Adding a new **public SSH key** (check [EC2 privesc options](https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.html)) - Backdooring the **User Data** {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md index c89d074e37..2152ca10c0 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md @@ -372,7 +372,7 @@ az vm identity assign \ Then the attacker needs to have **compromised somehow the VM** to steal tokens from the assigned managed identities. Check **more info in**: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm {{#endref}} ### TODO: Microsoft.Compute/virtualMachines/WACloginAsAdmin/action diff --git a/src/pentesting-cloud/azure-security/az-services/az-function-apps.md b/src/pentesting-cloud/azure-security/az-services/az-function-apps.md index b36ea065b0..1c37462efb 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-function-apps.md +++ b/src/pentesting-cloud/azure-security/az-services/az-function-apps.md @@ -67,7 +67,7 @@ The **system assigned** one will be a managed identity that **only the function* It's possible to use the [**PEASS scripts**](https://github.com/peass-ng/PEASS-ng) to get tokens from the default managed identity from the metadata endpoint. Or you could get them **manually** as explained in: -{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" %} +{% embed url="https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm" %} Note that you need to find out a way to **check all the Managed Identities a function has attached** as if you don't indicate it, the metadata endpoint will **only use the default one** (check the previous link for more info). diff --git a/src/pentesting-cloud/azure-security/az-services/vms/README.md b/src/pentesting-cloud/azure-security/az-services/vms/README.md index d1d3f229eb..201de3b376 100644 --- a/src/pentesting-cloud/azure-security/az-services/vms/README.md +++ b/src/pentesting-cloud/azure-security/az-services/vms/README.md @@ -208,7 +208,7 @@ Moreover, to contact the metadata endpoint, the HTTP request must have the heade Check how to enumerate it in: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm {{#endref}} ## VM Enumeration diff --git a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md index 073730cf1f..ffb6fcedca 100644 --- a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md +++ b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md @@ -231,7 +231,7 @@ Use [**Storage Explorer**](https://azure.microsoft.com/en-us/features/storage-ex ### Phishing -- [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or OAuth App -[Illicit Consent Grant Attack](az-oauth-apps-phishing.md)-) +- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) (credentials or OAuth App -[Illicit Consent Grant Attack](az-oauth-apps-phishing.md)-) - [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md) ### Password Spraying / Brute-Force diff --git a/src/pentesting-cloud/digital-ocean-pentesting/README.md b/src/pentesting-cloud/digital-ocean-pentesting/README.md index ec0ec19887..0089bc6262 100644 --- a/src/pentesting-cloud/digital-ocean-pentesting/README.md +++ b/src/pentesting-cloud/digital-ocean-pentesting/README.md @@ -17,7 +17,7 @@ do-basic-information.md ### SSRF {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html {{#endref}} ### Projects diff --git a/src/pentesting-cloud/gcp-security/README.md b/src/pentesting-cloud/gcp-security/README.md index e242a8d4bd..d08e4bd0c8 100644 --- a/src/pentesting-cloud/gcp-security/README.md +++ b/src/pentesting-cloud/gcp-security/README.md @@ -29,7 +29,7 @@ From a Red Team point of view, the **first step to compromise a GCP environment* - **Social** Engineering (Check the page [**Workspace Security**](../workspace-security/index.html)) - **Password** reuse (password leaks) - Vulnerabilities in GCP-Hosted Applications - - [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint + - [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint - **Local File Read** - `/home/USERNAME/.config/gcloud/*` - `C:\Users\USERNAME\.config\gcloud\*` @@ -58,7 +58,7 @@ gcp-permissions-for-a-pentest.md For more information about how to **enumerate GCP metadata** check the following hacktricks page: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#6440 +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html {{#endref}} ### Whoami @@ -149,7 +149,7 @@ As pentester/red teamer you should always check if you can find **sensitive info In this book you should find **information** about how to find **exposed GCP services and how to check them**. About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in: {{#ref}} -https://book.hacktricks.xyz/ +https://book.hacktricks.wiki/ {{#endref}} ## GCP <--> Workspace Pivoting diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md index 592e3449d3..6596b66c35 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md @@ -36,7 +36,7 @@ For persistence these are the steps you need to follow: For more information about dependency confusion check: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/dependency-confusion +https://book.hacktricks.wiki/en/pentesting-web/dependency-confusion.html {{#endref}} {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md index 11141d5435..3bcff09c07 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md @@ -13,7 +13,7 @@ sqlite3 $HOME/.config/gcloud/access_tokens.db "select access_token from access_t Check in this page how to **directly use this token using gcloud**: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#id-6440-1 +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#gcp {{#endref}} To get the details to **generate a new access token** run: diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md index 5583b3f9ea..c58d8d0daf 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md @@ -27,7 +27,7 @@ Moreover, it's possible to add **userdata**, which is a script that will be **ex For more info check: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html {{#endref}} ## **Abusing IAM permissions** diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md index e023710074..3b0309cc15 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md @@ -91,7 +91,7 @@ curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?re Moreover, **auth token for the attached service account** and **general info** about the instance, network and project is also going to be available from the **metadata endpoint**. For more info check: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#6440 +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#gcp {{#endref}} ### Encryption diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md index 6cd2f8bfca..3103c847e4 100644 --- a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md @@ -17,7 +17,7 @@ If you have **access to a Cloud SQL port** because all internet is permitted or Check this page for **different tools to burte-force** different database technologies: {{#ref}} -https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force +https://book.hacktricks.wiki/en/generic-hacking/brute-force.html {{#endref}} Remember that with some privileges it's possible to **list all the database users** via GCP API. diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md index a5fbc8503f..4ca37c1090 100644 --- a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md @@ -15,7 +15,7 @@ For more information about Compute and VPC (Networking) check: If a web is **vulnerable to SSRF** and it's possible to **add the metadata header**, an attacker could abuse it to access the SA OAuth token from the metadata endpoint. For more info about SSRF check: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/index.html {{#endref}} ### Vulnerable exposed services diff --git a/src/pentesting-cloud/ibm-cloud-pentesting/README.md b/src/pentesting-cloud/ibm-cloud-pentesting/README.md index cdfb9d6886..38f5c3c687 100644 --- a/src/pentesting-cloud/ibm-cloud-pentesting/README.md +++ b/src/pentesting-cloud/ibm-cloud-pentesting/README.md @@ -28,7 +28,7 @@ ibm-basic-information.md Learn how you can access the medata endpoint of IBM in the following page: {{#ref}} -https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#2af0 +https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#ibm-cloud {{#endref}} ## References diff --git a/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md b/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md index 77848086d1..6a96dd2dae 100644 --- a/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md +++ b/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md @@ -13,13 +13,13 @@ In order to try to escape from the pods you might need to **escalate privileges** first, some techniques to do it: {{#ref}} -https://book.hacktricks.xyz/linux-hardening/privilege-escalation +https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html {{#endref}} You can check this **docker breakouts to try to escape** from a pod you have compromised: {{#ref}} -https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout +https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html {{#endref}} ### Abusing Kubernetes Privileges diff --git a/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md b/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md index 37de986846..b190a3685b 100644 --- a/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md +++ b/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md @@ -5,7 +5,7 @@ ## Generic Phishing Methodology {{#ref}} -https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology +https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html {{#endref}} ## Google Groups Phishing @@ -59,7 +59,7 @@ The with some code like the following an attacker could make the script load arb ```javascript function doGet() { return HtmlService.createHtmlOutput( - '' + '' ).setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL) } ``` From 72b80750b5339379519f53fe42a2d438198195a7 Mon Sep 17 00:00:00 2001 From: Jaime Polop <117489620+JaimePolop@users.noreply.github.com> Date: Fri, 10 Jan 2025 18:50:36 +0100 Subject: [PATCH 8/8] Update SUMMARY.md --- src/SUMMARY.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 98c93db10b..e3e18e17de 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -408,18 +408,18 @@ - [Az - ARM Templates / Deployments](pentesting-cloud/azure-security/az-services/az-arm-templates.md) - [Az - Automation Accounts](pentesting-cloud/azure-security/az-services/az-automation-accounts.md) - [Az - Azure App Services](pentesting-cloud/azure-security/az-services/az-app-services.md) + - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB.md) - [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md) - [Az - File Shares](pentesting-cloud/azure-security/az-services/az-file-shares.md) - [Az - Function Apps](pentesting-cloud/azure-security/az-services/az-function-apps.md) - [Az - Key Vault](pentesting-cloud/azure-security/az-services/az-keyvault.md) - [Az - Logic Apps](pentesting-cloud/azure-security/az-services/az-logic-apps.md) - [Az - Management Groups, Subscriptions & Resource Groups](pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md) + - [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql.md) + - [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql.md) - [Az - Queue Storage](pentesting-cloud/azure-security/az-services/az-queue-enum.md) - [Az - Service Bus](pentesting-cloud/azure-security/az-services/az-servicebus-enum.md) - [Az - SQL](pentesting-cloud/azure-security/az-services/az-sql.md) - - [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql.md) - - [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql.md) - - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB.md) - [Az - Static Web Applications](pentesting-cloud/azure-security/az-services/az-static-web-apps.md) - [Az - Storage Accounts & Blobs](pentesting-cloud/azure-security/az-services/az-storage.md) - [Az - Table Storage](pentesting-cloud/azure-security/az-services/az-table-storage.md) @@ -445,35 +445,35 @@ - [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md) - [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md) - [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md) + - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB-post-exploitation.md) - [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md) - [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md) - [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md) + - [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql-post-exploitation.md) + - [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql-post-exploitation.md) - [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md) - [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md) - [Az - Table Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md) - [Az - SQL Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md) - - [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql-post-exploitation.md) - - [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql-post-exploitation.md) - - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB-post-exploitation.md) - [Az - VMs & Network Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md) - [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md) - [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md) - [Az - App Services Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md) - [Az - Automation Accounts Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-automation-accounts-privesc.md) + - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB-privesc.md) - [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md) - [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md) - [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md) - [Az - Functions App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md) - [Az - Key Vault Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md) + - [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql-privesc.md) + - [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql-privesc.md) - [Az - Queue Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md) - [Az - Service Bus Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md) - - [Az - Virtual Machines & Network Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md) - [Az - Static Web App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md) - [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md) - [Az - SQL Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md) - - [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql-privesc.md) - - [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql-privesc.md) - - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB-privesc.md) + - [Az - Virtual Machines & Network Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md) - [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md) - [Az - Queue Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md) - [Az - VMs Persistence](pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md)