diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md index 39a601d0c9..5ab6a601f1 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md @@ -108,6 +108,13 @@ This permission allows a principal to restore a secret from a backup. az keyvault secret restore --vault-name --file ``` +### Microsoft.KeyVault/vaults/keys/recover/action +Allows recovery of a previously deleted key from an Azure Key Vault + +```bash +az keyvault secret recover --vault-name --name + +``` {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md index a2082744c5..e52f6cf818 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md @@ -201,6 +201,14 @@ It looks like with these permissions it should be possibel to start a job. This I haven't managed to make it work but according to the allowed parameters it should be possible. +### Microsoft.ContainerInstance/containerGroups/restart/action + +Allows restarting a specific container group within Azure Container Instances. + +```bash +az container restart --resource-group --name +``` + {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md index c923b4dfa4..a6a056ed82 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md @@ -106,7 +106,7 @@ curl -X PUT "https://functions.azure.com/api/github/updateGitHubContent" \ ``` -### `Microsoft.Web/staticSites/config/write` +### Microsoft.Web/staticSites/config/write With this permission, it's possible to **modify the password** protecting a static web app or even unprotect every environment by sending a request such as the following: @@ -125,6 +125,8 @@ az rest --method put \ } }' + + # Remove the need of a password az rest --method put \ --url "/subscriptions//resourceGroups//providers/Microsoft.Web/staticSites//config/basicAuth?api-version=2021-03-01" \ diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md index 183f60a8f3..4a2bfb9179 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md @@ -387,6 +387,23 @@ az vm user update \ --password ``` +### Microsoft.Compute/virtualMachines/write, "Microsoft.Compute/virtualMachines/read", "Microsoft.Compute/disks/read", "Microsoft.Network/networkInterfaces/read", "Microsoft.Network/networkInterfaces/join/action", "Microsoft.Compute/disks/write". + +These permissions allow you to manage, disks, and network interfaces, and, they enable you to attach a disk to a virtual machine. +```bash +# Update the disk's network access policy +az disk update \ + --name \ + --resource-group \ + --network-access-policy AllowAll + +# Attach the disk to a virtual machine +az vm disk attach \ + --vm-name \ + --resource-group \ + --name +``` + ### TODO: Microsoft.Compute/virtualMachines/WACloginAsAdmin/action According to the [**docs**](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute#microsoftcompute), this permission lets you manage the OS of your resource via Windows Admin Center as an administrator. So it looks like this gives access to the WAC to control the VMs...