Scenario: In this challenge, as a cloud pentester, you will recon and attack an Azure tenant to see if you can manage to own it.
High-Level Guidance
- Perform Entra ID reconnaissance (Recon).
- Identify attack paths (AP).
- Determine your Course of Action (COA).
- Develop your scripts.
- Attack!
- Own the tenant!
Rules of Engagement
Even if you can after successful privilege escalation:
- Do NOT create additional users
- Do NOT modify existing users
- Do NOT tamper with this Azure tenant by any means
- This is a shared training tenant, so respect the environment
- Leave it as you found it
Start the Lab
To start the challenge, click the Cloud Details button below. On the pop-up, click Join Lab. Find your credentials in the Credentials tab, click Open Lab and log in to the Azure Portal with the Username and the Temporary Access Pass. Make sure you have first logged out of any previous lab account.
Lay of the Land
We already have a compromised Azure account, potentially by means of:
- attacks
- Unsecured network
- Weak passwords
- Vulnerabilities in applications
Log in to the tenant and do some initial recon to see what else is up.
What is the Tenant ID?
What is the Primary Domain?
How many App Registrations are there in this tenant?
Have you checked out administrators and their roles yet?
Which user (UPN) has the Application Administrator role assignment?
Which application (app registration) could be a potential target for privilege escalation?
Which administrator role assignment of the target app can be abused for privilege escalation?
Attack path analysis is, in essence, a visual representation of the path an attacker could take to exploit vulnerabilities. Having completed recon, you should by now have chosen your attack path.
How can you utilize the existing:
- App Registrations
- Enterprise Applications (Service Principals)
- Administrators
- Users
in order to find an attack path to Global Administrator (GA)?
Which user (display name) is the obvious candidate, i.e., target user, for a Global Administrator?
What's the role assignment for this user?
Which application is the obvious candidate, i.e., target app, to abuse for privilege escalation?
What's the role assignment for this application?
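The attack path the questions above circle around is a directory misconfiguration a defender can audit for: a user holding a role that lets them add credentials to any app registration (Application Administrator), plus a service principal that itself holds a highly privileged directory role. The script below is an added example, not part of the room or of any Microsoft tooling; it takes a simplified, constructed JSON export of role assignments (the shape is assumed for the example and is not the Microsoft Graph response format) and reports every user-to-service-principal escalation path it finds, so the same check can be run against a real export once it is mapped into that shape.

```python
"""Audit Entra ID directory role assignments for the app-credential escalation path.

Added example: finds users who can add credentials to app registrations and
service principals that hold tenant-wide privileged roles, and pairs them up.
The input shape is a simplified, constructed export, not the Graph API schema.
"""
import json
from dataclasses import dataclass

# Directory roles that allow adding secrets/certificates to any app registration.
CREDENTIAL_MANAGING_ROLES = {
    "Application Administrator",
    "Cloud Application Administrator",
}

# Directory roles that amount to full tenant control when held by a service principal.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str        # UPN for users, display name for service principals
    principal_type: str   # "User" or "ServicePrincipal"
    role: str             # directory role display name


# Constructed sample export; names and domain are placeholders.
SAMPLE_EXPORT = json.dumps([
    {"principal": "alice@contoso.example", "type": "User", "role": "Application Administrator"},
    {"principal": "bob@contoso.example", "type": "User", "role": "User Administrator"},
    {"principal": "carol@contoso.example", "type": "User", "role": "Global Administrator"},
    {"principal": "BackupSync", "type": "ServicePrincipal", "role": "Global Administrator"},
    {"principal": "LogReader", "type": "ServicePrincipal", "role": "Directory Readers"},
])


def load_assignments(json_text):
    """Parse the simplified export into RoleAssignment records."""
    return [RoleAssignment(r["principal"], r["type"], r["role"]) for r in json.loads(json_text)]


def credential_managers(assignments):
    """Users who can add credentials to any app registration."""
    return sorted({
        a.principal for a in assignments
        if a.principal_type == "User" and a.role in CREDENTIAL_MANAGING_ROLES
    })


def privileged_service_principals(assignments):
    """Service principals holding a tenant-wide privileged role: the target apps."""
    return sorted({
        (a.principal, a.role) for a in assignments
        if a.principal_type == "ServicePrincipal" and a.role in PRIVILEGED_ROLES
    })


def find_escalation_paths(assignments):
    """Every (user, service principal, role) triple where the user can reach the role
    by adding a credential to the service principal's app and signing in as it."""
    return [
        (user, sp, role)
        for user in credential_managers(assignments)
        for sp, role in privileged_service_principals(assignments)
    ]


def report(assignments):
    """Human-readable findings; one line per path, or a single all-clear line."""
    lines = [
        f"FINDING: {user} can add a credential to '{sp}' and inherit {role}"
        for user, sp, role in find_escalation_paths(assignments)
    ]
    return lines or ["No user-to-service-principal escalation path found."]


if __name__ == "__main__":
    for line in report(load_assignments(SAMPLE_EXPORT)):
        print(line)
```

On the sample data the only finding pairs alice (Application Administrator) with the BackupSync service principal (Global Administrator); bob cannot add app credentials and LogReader holds no privileged role, so neither appears. The remediation the report points at is the one the room's recon questions imply: no service principal should hold Global Administrator, and membership of the Application Administrator role should be as small as possible.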
I think I got the idea now. The question is, can I GA?
Time to put your scripting skills to test. Can you generate a new client secret for the target app?
Done. What will I do with it?
There are many ways to generate a new secret. When using a PowerShell script to do it, you will need to create an object. Which object did you have to use to create a new client secret?
Can you authenticate to the tenant as the target app?
Oh, I see what you are after. All roads lead to GA!
Remember! You are not you anymore. You are the target app. Can you promote your own lab user to Global Administrator? Yet to be seen, indeed. But beware, once you are up there, you don't have much time.
Now, prove that you are a GA by creating an Administrative Unit, with name au-<yourlabid>, so that everyone knows that you GA'ed, indeed.