Automation Accounts & Function Apps
Last updated
Last updated
Azure's automation service that allows to automate tasks for Azure resources, on-prem infra and other cloud providers. (Like a cronjob in Azure).
• Supports Process Automation using Runbooks, Configuration Management (supports DSC), update management and shared resources (credentials, certificates, connections etc) for both Windows and Linux resources hosted on Azure and on-prem.
• Some common scenarios for automation as per Microsoft:
– Deploy VMs across a hybrid environment using run books.
– Identify configuration changes
– Configure VMs
– Retrieve Inventory
When you get access to a automation account, it will almost for sure get you access to credentials/secrets to escalate your privileges!
When you want to automate things, you will probably need to store secrets somewhere. In Azure, we can save these in Shared Resources:
Automation Accounts also allow managed identity
Runbook contains the automation logic and the code that you want to execute. Azure provides both graphical and textual runbooks. You can use the shared resources and the privileges of the Run As account from a runbook.
Always checkout runbooks, they often have credentials that are not stored in the shared resources
You can run a runbook on a Azure sandbox OR on a Hybrid Worker. This is used when a runbook is to be run on a non-azure machine. The hybrid worker job run as SYSTEM on Windows and nxautomation account on Linux.
If you have a shell on a Windows machine that is connected to a Azure user, list the objects. Run az ad signed-in-user list-owned-objects
and see what this access_token has access to:
Next, get a ms-graph token:
And in a new local powershell session (preferably), connect to ms-graph:
Get-Since our user is only the owner of the Automation Admins
group, we need to add the user as a member to get permissions.
Next, back on the revshell check for automation accounts:
Next, request a access-token for ARM (because we would like to interact with the automation account):
Now, using both the access-token and mg-graphtoken we can connect using Connect-AzAccount:
And list the role assignment:
The contributor role for on HybridAutomation can create an runbook
. But before we do that let's check if we can get command execution on a hybrid worker (e.g. a cloud to on-prem lateral movement). We will use Get-AzAutomationHybridWorkerGroup
to check if there are any hybrid workers.
Next we will create a runbook on hybridautomation with a Powershell reverse shell:
And publish it:
Finally, run it:
If everything went well, you will have a reverse shell inside the Hybrid Worker!
Function Apps (Azure Functions), support continuous deployment. A source code update triggers a deployment to Azure. The following source code locations are supported:
Azure Repos
GitHub
Bitbucket
When we find a Github account that is directly pushing on main when we make a commit, and is starting a action, we can for example copy and paste the following Python script:
This gets the access token for the managed identity. To know trigger this code, we will need a endpoint.