Merge pull request #123 from JaimePolop/master

Update Storage
HackTricks-wiki · Dec 7, 2024 · 2e92909 · 2e92909
2 parents 983de9d + 6274d97
commit 2e92909
Show file tree

Hide file tree

Showing 3 changed files with 181 additions and 1 deletion.
diff --git a/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md b/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md
@@ -29,6 +29,32 @@ For more information about storage check:
 * Generate SAS
   * User delegated are 7 days max
 
+### Microsoft.Storage/storageAccounts/blobServices/containers/update && Microsoft.Storage/storageAccounts/blobServices/deletePolicy/write
+
+These permissions allows the user to modify blob service properties for the container delete retention feature, which enables or configures the retention period for deleted containers. These permissions can be used for maintaining persistence to provide a window of opportunity for the attacker to recover or manipulate deleted containers that should have been permanently removed and accessing sensitive information.
+
+{% code overflow="wrap" %}
+```bash
+az storage account blob-service-properties update \
+  --account-name <STORAGE_ACCOUNT_NAME> \
+  --enable-container-delete-retention true \
+  --container-delete-retention-days 100
+```
+{% endcode %}
+
+### Microsoft.Storage/storageAccounts/read && Microsoft.Storage/storageAccounts/listKeys/action
+
+These permissions can lead to the attacker to modify the retention policies, restoring deleted data, and accessing sensitive information.
+
+{% code overflow="wrap" %}
+```bash
+az storage blob service-properties delete-policy update \
+  --account-name <STORAGE_ACCOUNT_NAME> \
+  --enable true \
+  --days-retained 100
+```
+{% endcode %}
+
 {% hint style="success" %}
 Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
 Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
@@ -44,4 +70,3 @@ Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).p
 </details>
 {% endhint %}
 
-## Storage Privesc
diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md
@@ -92,6 +92,65 @@ This should allow a user having this permission to be able to modify the permiss
 
 This should allow a user having this permission to be able to perform actions inside a file system as a superuser.
 
+### Microsoft.Storage/storageAccounts/localusers/write (Microsoft.Storage/storageAccounts/localusers/read)
+
+With this permission, an attacker can create and update (if has ```Microsoft.Storage/storageAccounts/localusers/read``` permission) a new local user for an Azure Storage account (configured with hierarchical namespace), including specifying the user’s permissions and home directory. This permission is significant because it allows the attacker to grant themselves to a storage account with specific permissions such as read (r), write (w), delete (d), and list (l) and more. Additionaly the authentication methods that this uses can be Azure-generated passwords and SSH key pairs. There is no check if a user already exists, so you can overwrite other users that are already there. The attacker could escalate their privileges and gain SSH access to the storage account, potentially exposing or compromising sensitive data.
+
+{% code overflow="wrap" %}
+```bash
+az storage account local-user create \
+  --account-name <STORAGE_ACCOUNT_NAME> \
+  --resource-group <RESOURCE_GROUP_NAME> \
+  --name <LOCAL_USER_NAME> \
+  --permission-scope permissions=rwdl service=blob resource-name=<CONTAINER_NAME> \
+  --home-directory <HOME_DIRECTORY> \
+  --has-ssh-key false/true # Depends on the auth method to use
+```
+{% endcode %} 
+
+### Microsoft.Storage/storageAccounts/localusers/regeneratePassword/action
+
+With this permission, an attacker can regenerate the password for a local user in an Azure Storage account. This grants the attacker the ability to obtain new authentication credentials (such as an SSH or SFTP password) for the user. By leveraging these credentials, the attacker could gain unauthorized access to the storage account, perform file transfers, or manipulate data within the storage containers. This could result in data leakage, corruption, or malicious modification of the storage account content.
+
+{% code overflow="wrap" %}
+```bash
+az storage account local-user regenerate-password \
+  --account-name <STORAGE_ACCOUNT_NAME> \
+  --resource-group <RESOURCE_GROUP_NAME> \
+  --name <LOCAL_USER_NAME>
+```
+{% endcode %}
+
+To access Azure Blob Storage via SFTP using a local user via SFTP you can (you can also use ssh key to connect):
+
+{% code overflow="wrap" %}
+```bash
+sftp <local-user-name>@<storage-account-name>.blob.core.windows.net
+#regenerated-password
+```
+{% endcode %}
+
+### Microsoft.Storage/storageAccounts/restoreBlobRanges/action, Microsoft.Storage/storageAccounts/blobServices/containers/read, Microsoft.Storage/storageAccounts/read && Microsoft.Storage/storageAccounts/listKeys/action
+
+With this permissions an attacker can restore a deleted container by specifying its deleted version ID or undelete specific blobs within a container, if they were previously soft-deleted. This privilege escalation could allow an attacker to recover sensitive data that was meant to be permanently deleted, potentially leading to unauthorized access.
+
+{% code overflow="wrap" %}
+```bash
+#Restore the soft deleted container
+az storage container restore \
+  --account-name <STORAGE_ACCOUNT_NAME> \
+  --name <CONTAINER_NAME> \
+  --deleted-version <VERSION>
+
+#Restore the soft deleted blob
+az storage blob undelete \
+  --account-name <STORAGE_ACCOUNT_NAME> \
+  --container-name <CONTAINER_NAME> \
+  --name "fileName.txt"
+```
+{% endcode %}
+
+
 ## Other interesting looking permissions (TODO)
 
 * Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action: Changes ownership of the blob
@@ -102,6 +161,8 @@ This should allow a user having this permission to be able to perform actions in
 ## References
 
 * [https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/storage#microsoftstorage](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/storage#microsoftstorage)
+* [https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support](https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support)
+
 
 {% hint style="success" %}
 Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\

diff --git a/pentesting-cloud/azure-security/az-services/az-storage.md b/pentesting-cloud/azure-security/az-services/az-storage.md
@@ -198,6 +198,40 @@ When generating a SAS it's needed to indicate the permissions that it should be
 
 * (a)dd, (c)reate, (d)elete, (e)xecute, (f)ilter\_by\_tags, (i)set\_immutability\_policy, (l)ist, (m)ove, (r)ead, (t)ag, (w)rite, (x)delete\_previous\_version, (y)permanent\_delete
 
+## SFTP Support for Azure Blob Storage
+
+Azure Blob Storage now supports the SSH File Transfer Protocol (SFTP), enabling secure file transfer and management directly to Blob Storage without requiring custom solutions or third-party products.
+
+### Key Features
+
+- Protocol Support: SFTP works with Blob Storage accounts configured with hierarchical namespace (HNS). This organizes blobs into directories and subdirectories for easier navigation.
+- Security: SFTP uses local user identities for authentication and does not integrate with RBAC or ABAC. Each local user can authenticate via:
+    - Azure-generated passwords
+    - Public-private SSH key pairs
+- Granular Permissions: Permissions such as Read, Write, Delete, and List can be assigned to local users for up to 100 containers.
+- Networking Considerations: SFTP connections are made through port 22. Azure supports network configurations like firewalls, private endpoints, or virtual networks to secure SFTP traffic.
+
+### Setup Requirements
+
+- Hierarchical Namespace: HNS must be enabled when creating the storage account.
+- Supported Encryption: Requires Microsoft Security Development Lifecycle (SDL)-approved cryptographic algorithms (e.g., rsa-sha2-256, ecdsa-sha2-nistp256).
+- SFTP Configuration:
+    - Enable SFTP on the storage account.
+    - Create local user identities with appropriate permissions.
+    - Configure home directories for users to define their starting location within the container.
+
+### Permissions
+
+| Permission       | Symbol | Description                                |
+|-------------------|--------|--------------------------------------------|
+| **Read**         | `r`    | Read file content.                         |
+| **Write**        | `w`    | Upload files and create directories.       |
+| **List**         | `l`    | List contents of directories.              |
+| **Delete**       | `d`    | Delete files or directories.               |
+| **Create**       | `c`    | Create files or directories.               |
+| **Modify Ownership** | `o` | Change the owning user or group.           |
+| **Modify Permissions** | `p` | Change ACLs on files or directories.      |
+
 ## Enumeration
 
 {% tabs %}
@@ -302,6 +336,22 @@ az storage blob show \
   --container-name <container name> \
   --sas-token 'se=2024-12-31T23%3A59%3A00Z&sp=racwdxyltfmei&sv=2022-11-02&sr=c&sig=ym%2Bu%2BQp5qqrPotIK5/rrm7EMMxZRwF/hMWLfK1VWy6E%3D' \
   --name 'asd.txt'
+
+#Local-Users
+## List users
+az storage account local-user list \
+  --account-name <storage-account-name> \
+  --resource-group <resource-group-name>
+## Get user
+az storage account local-user show \
+  --account-name <storage-account-name> \
+  --resource-group <resource-group-name> \
+  --name <local-user-name>
+
+## List keys
+az storage account local-user list \
+  --account-name <storage-account-name> \
+  --resource-group <resource-group-name>
 ```
 {% endcode %}
 {% endtab %}
@@ -321,6 +371,49 @@ Get-AzStorageContainer -Context (Get-AzStorageAccount -name <NAME> -ResourceGrou
 Get-AzStorageBlob -Container epbackup-planetary -Context (Get-AzStorageAccount -name <name> -ResourceGroupName <name>).context
 # Get a blob from a container
 Get-AzStorageBlobContent -Container <NAME> -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context -Blob <blob_name> -Destination .\Desktop\filename.txt
+
+# Create a Container Policy
+New-AzStorageContainerStoredAccessPolicy `
+  -Context (Get-AzStorageAccount -Name <NAME> -ResourceGroupName <NAME>).Context `
+  -Container <container-name> `
+  -Policy <policy-name> `
+  -Permission racwdl `
+  -StartTime (Get-Date "2023-11-22T00:00Z") `
+  -ExpiryTime (Get-Date "2024-11-22T00:00Z")
+#Get Container policy
+Get-AzStorageContainerStoredAccessPolicy `
+  -Context (Get-AzStorageAccount -Name <NAME> -ResourceGroupName <NAME>).Context `
+  -Container "storageaccount1994container"
+
+# Queue Management
+Get-AzStorageQueue -Context (Get-AzStorageAccount -Name <NAME> -ResourceGroupName <NAME>).Context
+(Get-AzStorageQueue -Name <NAME> -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).Context).QueueClient.PeekMessage().Value
+
+#Blob Container
+Get-AzStorageBlob -Container <container-name> -Context $(Get-AzStorageAccount -name "teststorageaccount1998az" -ResourceGroupName "testStorageGroup").Context
+Get-AzStorageBlobContent `
+  -Container <container-name> `
+  -Blob <blob-name> `
+  -Destination <local-path> `
+  -Context $(Get-AzStorageAccount -name "teststorageaccount1998az" -ResourceGroupName "testStorageGroup").Context
+
+Set-AzStorageBlobContent `
+  -Container <container-name> `
+  -File <local-file-path> `
+  -Blob <blob-name> `
+  -Context $(Get-AzStorageAccount -name "teststorageaccount1998az" -ResourceGroupName "testStorageGroup").Context
+
+# Shared Access Signatures (SAS)
+Get-AzStorageContainerAcl `
+  -Container <container-name> `
+  -Context (Get-AzStorageAccount -Name <NAME> -ResourceGroupName <NAME>).Context
+
+New-AzStorageBlobSASToken `
+  -Context $ctx `
+  -Container <container-name> `
+  -Blob <blob-name> `
+  -Permission racwdl `
+  -ExpiryTime (Get-Date "2024-12-31T23:59:00Z")
 ```
 {% endcode %}
 {% endtab %}
@@ -354,6 +447,7 @@ Get-AzStorageBlobContent -Container <NAME> -Context (Get-AzStorageAccount -name
 
 * [https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
 * [https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview](https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview)
+* [https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support](https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support)
 
 {% hint style="success" %}
 Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\