*Test at your own risk
1.Use the Get-AzPasswords function to perform a dump of credentials for Automation accounts.
Get-AzPassword -AppServices N - StorageAccounts N - Keys N -ACR N -CosmosDB N -Verbose | out-GridView
2.When prompted to select an Azure subscription, select your test Azure subscription and click OK.
3.In the resulting output, you should see credentials that were dumped from the Automation account.
4.Open the current path in File explorer using the following command
explorer .
5.Note that there are now two new files in the directory where the command was run from
6.For POC, run the AuthenticateAs-automation-acct-AzureRunAsConnection.ps1 script to login as the RunAs account.
7.Use the following command to confirm the current user context.
We now have the cleartext credentials from the Automation account and a private certificate that we can use to authenticate as the Run as account. Since the Contributor role is configured for the Run as account by default, this means we will likely have a persistent Contributor account in the subscription.
Additionally, if the Run as account is granted any additional roles beyond the default Contributor role, we may be able to use these credentials to escalate privileges or pivot to other subscription.
While it is less common, we have seen Run as accounts that are give Owner permissions on root management groups. In most cases, this is done to allow the Automation account to automate changes in all of the subscription at once. This allows anyone with Contributor access to that Automation account to inherit the root management group role and take over all of the subscriptions.
Reference
https://github.com/cheahengsoon/Penetration-Testing-Azure-for-Ethical-Hackers
Top comments (0)