This commit is contained in:
Carlos Polop
2025-03-17 04:47:59 +01:00
parent 27d96d81e1
commit 42f78679a2
3 changed files with 30 additions and 0 deletions


@@ -12,6 +12,8 @@ Fore more information check:
### Hybrid Workers Group
- **From the Automation Account to the VM**
Remember that if somehow an attacker can execute an arbitrary runbook (arbitrary code) in a hybrid worker, he will **pivot to the location of the VM**. This could be an on-premise machine, a VPC of a different cloud or even an Azure VM.
Moreover, if the hybrid worker is running in Azure with other Managed Identities attached, the runbook will be able to access the **managed identity of the runbook and all the managed identities of the VM from the metadata service**.
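Review bot: the last line of this hunk claims a runbook on the hybrid worker can obtain tokens for "all the managed identities of the VM from the metadata service" without saying how, and the claim only holds with a caveat: the IMDS token endpoint (`http://169.254.169.254/metadata/identity/oauth2/token`) returns the system-assigned identity by default, and a user-assigned identity must be selected explicitly with a `client_id`, `object_id` or `mi_res_id` query parameter, so the attacker needs to know which user-assigned identities are attached to the VM. Suggest adding that one sentence so the reader knows what to query. Also "he will **pivot to the location of the VM**" is vague and uses a gendered pronoun; "they can execute code wherever the VM lives (on-premises, another cloud, or Azure)" says what is meant. The unchanged context header still carries the "Fore more information check:" typo ("For more information"); worth fixing in the same file while here.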
@@ -19,6 +21,15 @@ Moreover, if the hybrid worker is running in Azure with other Managed Identities
> [!TIP]
> Remember that the **metadata service** has a different URL (**`http://169.254.169.254`**) than the service from where get the managed identities token of the automation account (**`IDENTITY_ENDPOINT`**).
- **From the VM to the Automation Account**
Moreover, if someone compromise a VM where an automation account script is running, he will be able to locate the **Automation Account** metadata and access it from the VM to obtain tokens for the **Managed Identities** attached to the Automation Account.
As it's possible to see in the following image, having Administrator access over the VM it's possible to find in the **environment variables of the process** the URL and secret to access the automation account metadata service:
![](</images/vm_to_aa.jpg>)
### `Microsoft.Automation/automationAccounts/jobs/write`, `Microsoft.Automation/automationAccounts/runbooks/draft/write`, `Microsoft.Automation/automationAccounts/jobs/output/read`, `Microsoft.Automation/automationAccounts/runbooks/publish/action` (`Microsoft.Resources/subscriptions/resourcegroups/read`, `Microsoft.Automation/automationAccounts/runbooks/write`)
As summary these permissions allow to **create, modify and run Runbooks** in the Automation Account which you could use to **execute code** in the context of the Automation Account and escalate privileges to the assigned **Managed Identities** and leak **credentials** and **encrypted variables** stored in the Automation Account.
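Review bot: the "From the VM to the Automation Account" paragraph says the URL and secret for the automation account metadata service are "in the environment variables of the process" but names neither the process nor the variables, so the image is the only place the reader can find them; state that it is the hybrid worker's runbook process and that the variables are `IDENTITY_ENDPOINT` (already named in the TIP above) and `IDENTITY_HEADER`, the value sent as the `X-IDENTITY-HEADER` request header. The permissions heading also lists required and parenthesised permissions together without saying what the parenthesised ones add (`Microsoft.Resources/subscriptions/resourcegroups/read` for locating the account, `runbooks/write` for creating a new runbook rather than editing a draft); a short sentence after the heading should separate "needed to run an existing runbook" from "needed to create or modify one". Grammar in this hunk: "if someone compromise a VM" should be "compromises", "he will be able" should be "they will be able", "As summary these permissions allow to **create, modify and run Runbooks**" should be "In summary, these permissions allow you to create, modify and run runbooks".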