Find Privilege Escalation Paths in Microsoft Azure with AzureHound

Captions
Microsoft Azure environments can be vulnerable to privilege escalation, just like most other computing systems. Sometimes there are user accounts, and even cloud computing resources themselves, that can gain additional privileges that they previously did not have. One interesting escalation issue arises when user accounts have the ability to modify attributes on other accounts, such as service principals. In this video I'll show you how to locate these types of escalation issues and exploit them.

To help us identify escalation paths in Azure we are going to leverage AzureHound. AzureHound is a BloodHound data collector for Azure. BloodHound is a tool that we've been using on penetration tests for years now to help us identify and analyze attack paths in Active Directory environments. Well, with AzureHound we can now collect data from Azure tenants, including both Azure Active Directory and Azure Resource Manager. So let's dive in and see what kind of attack paths we can find in one of my own Azure tenants.

Now, to set this up I deployed some resources to my own Azure account, and to do that I leveraged the same technique that I described in a video I released a few weeks ago called "How to Build a Cloud Hacking Lab". In that video I showed how you can leverage two different tools, one called AzureGoat and another one called PurpleCloud, to deploy resources to your own account. For this video I deployed some of the same resources, so that when we go to leverage AzureHound to look for paths of escalation we can potentially identify those attack paths there.

To start, I installed BloodHound in my Linux VM, and to do that I followed the Read the Docs site that I've got linked in the description below. Basically you have to install Java, you have to install Neo4j, and once you install Neo4j you connect to it on your localhost and change a password. Then you'll be able to download the BloodHound GUI and connect that to the Neo4j backend on your system. So basically follow these instructions, install BloodHound, and get up and running with the BloodHound GUI.

After downloading and installing BloodHound, the next thing we need to do is download the AzureHound tool itself. Now with both AzureHound and BloodHound you have the option of going with pre-compiled binaries, or you can compile it yourself, and those instructions are in the AzureHound repo, which I will link below. Either way you will need the AzureHound binary so that you can launch it against the Azure tenant.

Now, to authenticate there are a couple of options we have to authenticate to our account after we have downloaded the AzureHound binary. One, you can pass credentials directly to it via the command line. However, if there's MFA on an account you may need to go through what is known as a device code login process, and to do that you can initiate it with a little bit of PowerShell. Within the AzureHound repo they include some examples on doing the device code login. I'll also include a link to my cloud pen test cheat sheets, where I'm going to have these as well. But the gist of it is that it initiates a process where you have a code that you can take to a browser and perform a device code login. So if you go to microsoft.com/devicelogin, at that page you can enter the code from where you initiated that device code login process. What this allows you to do is authenticate to an account in one place, in the browser; you can go through the entire MFA process and then acknowledge that you are authenticating another tool in another location, such as a command line tool. In this case we're going to use Janet Johnson here. This was one of the users that was the initial starting point for the PurpleCloud deployment that I utilized to launch a scenario within my account.

All right, we have authenticated as Janet Johnson, so now back in the PowerShell window there's a second piece: we have to run a second PowerShell script to actually retrieve our tokens. So we'll copy this in, and we should get a result back that looks something similar to this, where we have an access token, a refresh token, and an ID token. Now, leveraging that refresh token that we see here, we were able to take that and use it with AzureHound. It might need a little bit of cleanup because it does have some extra returns on the end, so we can throw that in a text editor of choice and remove any of those extra lines from it, and now we have a clean token. We can copy that, and what we're going to do is take it over to the Linux VM where I've got AzureHound. So I'll run ./azurehound, and then we're going to specify -r for the refresh token, so we can paste in that refresh token right there. Then we need to run the list command, which will enumerate information from our tenant. Then we need to give it the tenant name; this could be either the tenant ID or the domain associated with that tenant. In my case I'm going to run it against glitchcloud.com. Then finally I'm going to specify a higher verbosity of level two, and then we're going to output, with -o, to output.json. We'll run that, and because we have authenticated via the device code login, that refresh token is then utilized by AzureHound to go and enumerate a ton of information from our account. This is everything from the Azure Active Directory side and the Azure Resource Manager side as well, and it throws it in a JSON file for us that we can then take and upload to the BloodHound GUI.

All right, so to analyze attack paths we will go ahead and log into the BloodHound GUI, and after logging in we will upload the output from AzureHound. When we log in the first time we shouldn't see any data currently, but over on the right we can click Upload Data and then select our output.json file, and then that file will begin to upload and enable us to parse it in the BloodHound GUI. Now, depending on how large the environment is this could take a while; however, for our testing purposes our tenant's pretty small and it's already done. So let's close that, and now once the data has been uploaded, if you click the drop-down for the database info over here, we can see we've got a number of Azure objects now. We can see that we have a number of applications, so AZApp, 1,100 of them; we've got three devices; we've got a couple of groups; we've got 97 roles; we've got over 500 service principals in our account; and 35 user accounts. Now, the thing that's kind of interesting is each one of the service principals can have different permissions, and so that's the angle that we're going to attempt to exploit here.

So first let's just search for the user account that we're running as, Janet Johnson. Now let's say we wanted to try to find paths of escalation from Janet Johnson to a more privileged group, such as Global Admins, for example. We can click on her node and see a little bit more information about that user specifically, but if we want to find a path we can click the little road drop-down here and type in something like "Global Admins". So we can search for Global Administrator and try to identify a path from Janet Johnson to Global Admins, and we see something like this, where we've got the Global Administrator group on the right, we've got Janet Johnson on the left, but in between we've got a number of what appear to be service principals. If we look at some of these, we have, for example, the marketing app at Glitch Cloud. Basically what BloodHound is telling us is that Janet Johnson has the AZAddSecret permission for that service principal, which is a member of, or has, the role of Global Administrator. So there's a Global Administrator service principal that we can change the password for. Theoretically, if we change the password for that service principal, that account has more privileges than we have, and therefore we have escalated privileges. So let's see if we can exploit that.

Now, caveat: changing passwords for any account, whether it be a standard user account or a service principal, can break things, so be very, very careful if you try to do anything like this, because there's a high likelihood that you may break something. But keep in mind that it is possible.

All right, so first up let's log in to the Janet Johnson account from the Azure CLI. I'm going to log into this account because this is the one we're operating as, that we want to escalate privileges with. Cool, so if you throw --allow-no-subscriptions on the end, then you can authenticate with an account that isn't actually attached to subscriptions, which is a nice little feature of the Azure CLI there. Once that's logged in you should see something like this, where now we can go ahead and set a new credential for that service principal. Now we have to pick a service principal to modify, so if we go back to the BloodHound GUI we can go through here and select one of these. For example, let's take this glitchcloud.com marketing app. The object ID here is what we can utilize with the Azure CLI to create a new service principal credential. So if we run az ad sp credential reset and then give it the ID for that service principal that we want to change, what will happen, if we have permissions to reset a credential for a service principal, is that we should see an output similar to this, where we are now presented with a new application ID, the password for that service principal, and a tenant ID.

Okay, so we now have a credential for a service principal that is in the Global Admins group in this Azure tenant. How do we use that? Let's log in with the Azure CLI again, but this time we're going to run az login; we've got to specify that it's a service principal with --service-principal; then we need the username, which is the application ID in this case; we need a password, -p, and then we give the password field from the second output there; then we need the tenant, which is here; and finally we can specify --allow-no-subscriptions so that we can log in to this account even if it doesn't have a subscription attached to it. We should see something like this if it successfully authenticates. Okay, so at this point we've escalated within the Azure tenant from an application administrator up to a Global Admin.

Now what else can we do? Let's see how far we could take this. One thing we could do is create new users; that might be a little noisy. We could add roles to user credentials we already have. So for example, Janet Johnson: we could try to add additional roles. Let's say, for example, what if we made her a Global Admin? Now that might throw up a lot of alerts in a lot of different environments; however, to demonstrate how that's possible, let's walk through it. First up, let's get the information associated with the Janet Johnson account with the az ad user list command. We're going to pass the display name for Janet Johnson here, and what we want is this ID field here, because what we're going to do is submit a request that will actually give Janet Johnson the role of a Global Admin. In my cloud pen test cheat sheets I've got a few commands here that we're going to walk through. The first one here, we're going to create the body of a web request, and in that web request there are a couple of fields we need. The first one is the principal ID, so that's the ID associated with that user in the Azure tenant. The second thing is this role definition ID; you can see I've got a preset here with 62e90394. What that is, that's the ID associated with Global Admin. How do we know that that ID is associated with the Global Admins? In the Azure portal, if we navigate to Roles and administrators and then scroll down, you can see all the different roles in the tenant here. We will look for Global Administrator, so if we click Global Administrator and then over here on the left click Description, we should see a template ID; we see that 62e90394 there, so that ID is associated with this Global Admin. Now let's say that you wanted to add a user to a different group; you could go through here and find a specific group that you wanted to add them to, like for example SharePoint Administrator or User Administrator. Same thing: if you click Description you've got the ID here, so that's what you would change in the body field here. So we're going to go ahead and set that. We've got the principal ID, we've got the Global Admin ID set; now all we have to do is submit a POST request to the Microsoft Graph API. To do that we can use the az rest command that's part of the Azure CLI; that will leverage our authenticated session as the user we authenticated to the Azure CLI with, to submit this POST request from an authenticated perspective as that service principal. So az rest, we're going to give it a POST method, we're going to point it at the Graph API, which is graph.microsoft.com, specifically the roleAssignments URL, and then we're going to give it that body that we just set with Janet Johnson's ID. Hit enter, and that should utilize our service principal credential to add Janet Johnson to the Global Administrators group. Now if we go back over to the Azure portal and navigate to where Global Administrator is, we should see that Janet Johnson is now in there.

Another interesting quirk around how Azure handles permissions is in regard to how it handles subscription access for Global Admins. If I log in with the Janet Johnson account, which we just made a Global Admin, and we navigate to Subscriptions, we can see that that user doesn't have any subscription access currently, and it even says "your current access does not include permissions to view any subscriptions". Well, one interesting thing about Azure is that as a Global Admin you can give yourself access to subscriptions. We navigate to Azure Active Directory, then on the left navigate down to Properties, then scroll down; there's this checkbox that says "Access management for Azure resources", and it says my Janet Johnson account can manage access to all Azure subscriptions and management groups in this tenant. By clicking Yes here, what happens is Azure will add that Janet Johnson user as a User Access Administrator for all these subscriptions. So if I click Save, and now if we go back to Subscriptions, we should see that we've got some subscriptions there. After refreshing, we do indeed have access to a subscription. In tenants that are large, with like 30 subscriptions or 100 subscriptions, you will see all the subscriptions here when you click that checkbox. So just kind of a weird, interesting quirk. I kind of think it's a little bit of a privilege escalation, because you are giving yourself access from just Global Admin, who did not have read permissions on the subscriptions, to now having access as a User Access Administrator to all subscriptions within that same tenant.

So to wrap things up, AzureHound is an extremely powerful tool to help us find those privilege escalation opportunities as an attacker in Azure. Just to demonstrate one last thing real quick, you can go into BloodHound and search for things like VMs, if you have the permissions to read them. For example, I can read this developer VM, and you can set a path to that: you can go into BloodHound, set "shortest path to here", and try to identify other paths to specific resources. It doesn't just have to be the Global Admin; you can identify paths to any resource, and if there's a path BloodHound will tell you.

As we saw in this video, there are times that privilege escalation scenarios can manifest themselves due to users having the ability to manage other attributes and resources in Azure. This is just one example though, and there are other potential privilege escalation opportunities out there as well. So I'd recommend that both red and blue teams are leveraging AzureHound to identify those attack paths and address them accordingly. Thanks so much for watching, and make sure to subscribe, and I will catch you in the next episode.
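The two steps walked through above, a credential added to a service principal and that principal then assigning Global Administrator to a user, both land in the Azure AD audit log, which is where a blue team would look for this chain. The following detection script is an added example, not code from the video or the AzureHound project; it runs over constructed audit entries in the Microsoft Graph directoryAudit shape, and the activity names, field names and the full Global Administrator template ID (whose 62e90394 prefix the video shows) are assumptions from that schema.

```python
"""Detection for the two audit events behind the video's escalation (Graph directoryAudit shape, field names assumed)."""
import json

# Global Administrator role template ID; the video shows its 62e90394 prefix (assumed full value)
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample entries, not data from any real tenant
SAMPLE_AUDIT_LOG = json.dumps([
    {"activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "janet.johnson@example.com"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "marketing-app"}]},
    {"activityDisplayName": "Add member to role",
     "initiatedBy": {"app": {"displayName": "marketing-app"}},
     "targetResources": [{"type": "User", "displayName": "janet.johnson@example.com",
                          "modifiedProperties": [{"displayName": "Role.TemplateId",
                                                  "newValue": '"62e90394-69f5-4237-9190-012177145e10"'}]}]},
    {"activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"type": "User", "displayName": "someone@example.com"}]},
])

def actor(entry):
    """Who acted: a user UPN, or 'app:<name>' when a service principal did it."""
    who = entry.get("initiatedBy", {})
    if who.get("user"):
        return who["user"].get("userPrincipalName", "?")
    return "app:" + who.get("app", {}).get("displayName", "?")

def find_escalation_events(audit_json):
    """Return (rule, actor, target) for SP credential additions and Global Admin grants."""
    findings = []
    for entry in json.loads(audit_json):
        name = entry.get("activityDisplayName", "")
        for target in entry.get("targetResources", []):
            if name == "Add service principal credentials" and target.get("type") == "ServicePrincipal":
                findings.append(("sp_credential_added", actor(entry), target["displayName"]))
            elif name == "Add member to role":
                for prop in target.get("modifiedProperties", []):
                    if prop.get("displayName") == "Role.TemplateId" and GLOBAL_ADMIN_TEMPLATE_ID in prop.get("newValue", ""):
                        findings.append(("global_admin_assigned", actor(entry), target["displayName"]))
    return findings

def chained_escalations(findings):
    """Link the steps: an SP that just received a credential then grants a role itself."""
    credentialed = {t for rule, _, t in findings if rule == "sp_credential_added"}
    return [(a, t) for rule, a, t in findings
            if rule == "global_admin_assigned" and a.split("app:", 1)[-1] in credentialed]

if __name__ == "__main__":
    events = find_escalation_events(SAMPLE_AUDIT_LOG)
    print(events, "\nchained:", chained_escalations(events))
```

The chained result is the higher-fidelity alert: a service principal that was just given a new secret and immediately hands a directory role to a user is exactly the sequence BloodHound predicted from the AZAddSecret edge.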
Info
Channel: Beau Bullock
Views: 10,340
Id: m33VeLRUi4w
Length: 16min 14sec (974 seconds)
Published: Thu Dec 15 2022