update container services az

2026-01-23 01:38:55 -08:00 · 2025-02-15 16:23:48 +01:00
parent e6644e6caa
commit 6e477bc296
4 changed files with 116 additions and 49 deletions
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@@ -415,7 +415,7 @@
    - [Az - Azure App Services](pentesting-cloud/azure-security/az-services/az-app-services.md)
    - [Az - Cloud Shell](pentesting-cloud/azure-security/az-services/az-cloud-shell.md)
    - [Az - Container Registry](pentesting-cloud/azure-security/az-services/az-container-registry.md)
-    - [Az - Container Instances](pentesting-cloud/azure-security/az-services/az-container-instances.md)
+    - [Az - Container Instances](pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md)
    - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB.md)
    - [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md)
    - [Az - File Shares](pentesting-cloud/azure-security/az-services/az-file-shares.md)
@@ -470,7 +470,7 @@
    - [Az - App Services Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md)
    - [Az - Automation Accounts Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-automation-accounts-privesc.md)
    - [Az - Container Registry Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-container-registry-privesc.md)
-    - [Az - Container Instances Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-privesc.md)
+    - [Az - Container Instances Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md)
    - [Az - CosmosDB Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-cosmosDB-privesc.md)
    - [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md)
      - [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md)
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md
@@ -7,7 +7,7 @@
 Fore more information check:

 {{#ref}}
-../az-services/az-container-instances.md
+../az-services/az-container-instances-apps-jobs.md
 {{#endref}}

 ### `Microsoft.ContainerInstance/containerGroups/read`, `Microsoft.ContainerInstance/containerGroups/containers/exec/action`
@@ -59,7 +59,7 @@ These permission allows to **create or update a container group** with a **user

 ```bash
 az container create \
-  --resource-group <res-group>> \
+  --resource-group <res-group> \
  --name nginx2 \
  --image mcr.microsoft.com/oss/nginx/nginx:1.9.15-alpine \
  --assign-identity "/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<user-namaged-identity-name>" \
--- a/src/pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md
@@ -0,0 +1,112 @@
+# Az - Container Instances
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Basic Information
+
+**Azure Container Instances (ACI)** is a serverless container service that lets you run individual containers quickly without managing any underlying infrastructure. **Azure Container Apps (ACA)** extends this by offering a fully managed environment for running microservices and web apps with features like event-driven autoscaling, built-in Dapr integration, and support for complex orchestration scenarios. **Container App Jobs** are a specialized feature within ACA designed for running short-lived, batch, or scheduled tasks that execute for a finite period and then exit.
+
+Differences:
+- ACI is ideal for **simple**, standalone container workloads where minimal orchestration is needed.
+- ACA is best suited for building scalable, interconnected microservices with advanced features like autoscaling and service discovery.
+- Container App Jobs focus on **one-off or scheduled tasks**, providing a streamlined way to run background or batch jobs within the ACA environment.
+
+
+### Configurations
+
+Special options for ACI:
+- Regarding networking it can also have a **public IP** or be **private endpoints**.
+
+Special options for ACA:
+- It's possible to **restrict the trafic** to the container to the container app environment or leave it public.
+- It’s possible to use an **external identity provider** (Microsoft, Facebook, Google, and Twitter) for authentication
+- It's possible to **store App secrets** (in clear text the app or as links to a vault assigning a MI with access over it)
+- It’s possible to have **revisions and replicas of the app**
+
+Special options for jobs:
+- The trigger type can be **manual, scheduled or event-based** (like a message arriving in a queue).
+
+Common options:
+- In order to create a container it's possible to use a public image, a container image from an Azure Container Registry or an external repository, which might **require to configure a password** to access it.
+  - This means that the configuration of the container might contain sensitive information.
+- It's also possible to configure common docker settings like:
+  - **Environment variables** (check for sensitive information)
+  - **Volumes** (even from Azure Files)
+  - **Ports** to expose
+  - **CPU and memory limits**
+  - **Restart policy**
+  - **Run as privileged**
+  - Overwrite containers **command line to run and arguments** (can be modified in existing containers also)
+  - ...
+
+## Enumeration
+
+> [!WARNING]
+> When enumerating, you could reveal sensitive configurations such as **environment variables**, **network details**, or **managed identities**.
+
+```bash
+# ACI
+## List all container instances in the subscription
+az container list
+
+## Show detailed information about a specific container instance
+az container show --name <container-name> --resource-group <res-group>
+
+## Fetch logs from a container
+az container logs --name <container-name> --resource-group <res-group>
+
+## Execute a command in a running container and get the output
+az container exec --name <container-name> --resource-group <res-group> --exec-command "ls"
+
+## Get yaml configuration of the container group
+az container export  --name <container-name> --resource-group <res-group>
+
+# ACA
+## List all container apps in the subscription
+az containerapp list
+
+## Show detailed information about a specific container app
+az containerapp show --name <app-name> --resource-group <res-group>
+
+## Fetch logs from a container app
+az containerapp logs show --name <app-name> --resource-group <res-group>
+
+## Get configured secrets
+az containerapp secret list --name <app-name> --resource-group <res-group>
+### Get value
+az containerapp secret show --name <app-name> --resource-group <res-group> --secret-name <secret-name>
+
+## Get authentication options
+az containerapp auth  show --name <app-name> --resource-group <res-group>
+
+## Get a shell
+az containerapp exec --name <app-name> --resource-group <res-group> --command "sh"
+
+## Get debugging shell
+az containerapp debug --name <app-name> --resource-group <res-group>
+
+# Jobs
+## List all container apps jobs in a resource group
+az containerapp job list --resource-group <res-group>
+
+## Show detailed information about a specific container app job
+az containerapp job show --name <job-name> --resource-group <res-group>
+
+## Fetch logs from a container app job
+az containerapp job logs show --name <job-name> --resource-group <res-group>
+
+## Fetch executions from a container app job
+az containerapp job execution list --name <job-name> --resource-group <res-group>
+az containerapp job execution show --name <job-name> --resource-group <res-group> --job-execution-name <job-execution>
+
+## Start a job execution (for manual jobs)
+az containerapp job start --name <job-name> --resource-group <res-group>
+```
+
+## Privilege Escalation & Post Exploitation
+
+{{#ref}}
+../az-privilege-escalation/az-container-instances-apps-jobs-privesc.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
--- a/src/pentesting-cloud/azure-security/az-services/az-container-instances.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-container-instances.md
@@ -1,45 +0,0 @@
-# Az - Container Instances
-
-{{#include ../../../banners/hacktricks-training.md}}
-
-## Basic Information
-
-Azure Container Instances (ACI) provide a **serverless, on-demand way** to run **containers** in the Azure cloud. You can **deploy** single or multiple containers in a group with **scalable compute**, **networking options**, and the flexibility to connect to **other Azure services** (like Storage, Virtual Networks, or Container Registries).
-
-As they are **ephemeral** workloads, you don't need to manage the underlying VM infrastructure — Azure handles that for you. However, from an **offensive security perspective**, it's crucial to understand how **permissions**, **identities**, **network configurations**, and **logs** can reveal attack surfaces and potential misconfigurations.
-
-### Configurations
-
- In order to create a container it's possible to use a public image, a container image from an Azure Container Registry or an external repository, which might **require to configure a password** to access it.
- Regarding networking it can also have a **public IP** or be **private endpoints**.
- It's also possible to configure common docker settings like:
-  - **Environment variables**
-  - **Volumes** (even from Azure Files)
-  - **Ports**
-  - **CPU and memory limits**
-  - **Restart policy**
-  - **Run as privileged**
-  - **Command line to run**
-  - ...
-
-## Enumeration
-
-> [!WARNING]
-> When enumerating ACI, you can reveal sensitive configurations such as **environment variables**, **network details**, or **managed identities**. Be cautious with logging or displaying them.
-
-```bash
-# List all container instances in the subscription
-az container list
-
-# Show detailed information about a specific container instance
-az container show --name <container-name> --resource-group <res-group>
-
-# Fetch logs from a container
-az container logs --name <container-name> --resource-group <res-group>
-
-# Execute a command in a running container and get the output
-az container exec --name <container-name> --resource-group <res-group> --exec-command "ls"
-
-# Get yaml configuration of the container group
-az container export  --name <container-name> --resource-group <res-group>
-```