I Hacked The Cloud: Azure Managed Identities
jh.live/alteredsecurity || Altered Security has just released their new "Advanced Azure Attacks" course and "Certified Azure Red Team Expert" certification -- use code HAMMOND20 for 20% off ALL THREE of their Azure courses! jh.live/alteredsecurity
🗨️ "I Hacked The Cloud" -- compromising an Azure website, swiping the access token for the managed identity of the web app, leveraging permissions to gain code execution on a virtual machine, and extracting credentials for further access! 😎 💬
Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥KZread ALGORITHM ➡ Like, Comment, & Subscribe!
Пікірлер: 68
If this isn't a complete course on why you should disable code or execution of things on an entire directory, or ya know disable direct access to user uploades using an set to call the files in a sanitized way, as clean text only. I have to admit it's cool to see some of these things, but alot of these vulnerablities come off more as Pebuac sorts of the one who setup that web service, and less in 'it's in the cloud'.
I regulary Watch Your Video , But today i wanna say thank you to you man,.. You are doing great job. You Motivate me to work in the cyber security field in interesting way. Thank You John Sir !!🙏🏻🙏🏻
@RajuSingh-pr8ec
Ай бұрын
Pjuup the :-[8-:'(😮
This was great. I understood most of it. Started out with PS and now i'm learning linux OS to understand the basics before I go to networks and further.
very cool writeup! this is something that will get mitigated once CAE (continuous access evaluation) support managed identities.
NICE!! well done and thanks for theat
Very nice demonstration!
probably a dumb question, I'm no cybersecurity engineer, but what sort of website would allow you to just straight up browse /uploads in order to interact with arbitrary data you uploaded?
@Clemens.Gooooo
Ай бұрын
You need directory listing enabled for browsing the /upload folder...
@xCheddarB0b42x
Ай бұрын
This is not a dumb question. "Insecure Design" is a security flaw that appears often enough that it appears on the OWASP Top 10.
@simple-security
Ай бұрын
Not really the point.many lessons here. Improve best practices for dev secops. Use auto code checks when pushing to repos. Use cspm to check configs. Etc
@chris94kennedy
Ай бұрын
@@simple-security I think that's the point I'm making isn't it? Those things would definitely be done by any company worth their salt. This is an unrealistic video and just seems to pick the most lightweight website possible to attack with a vector that should be easily closed. Who deploys a website that takes not only user input but pretty much any file you want in such a ridiculously insecure and open way. This is like the sort of vulnerability you might see when someone is in a bootcamp or right at the start of their career, imo? I just feel like this is one of those videos that sort of 'strawmans' a website that rarely exists in the wild, and certianly not one maintained by a company with anything sensitive to protect. It says in the title that it exploits an Azure website but actually he's exploiting a pathetically secured website that would have a whole bunch of other issues unrelated to Azure. Please correct me if I'm wrong, as I said I'm not an expert, but I do have a little bit of experience with cybersec; I recently implemented an OIDC compliant IdP SaaS prototype for my company which passed external pen test with no advisories to resolve. As a complete non-expert, if I can do that, every other engineer with at least a couple years under their belt could do exactly the same. Basically what I'm saying is no website that behaves and is so insecure like this one would be deployed by anyone with a bit of experience, so this is just a basically useless video because company's with literally anything to hide, i.e. every company lol, aren't going to do this. Happy to be corrected! :)
John's the best there is. These are so Insighful.
@chris94kennedy
Ай бұрын
i mean the website is as secure as an overweight asleep security guard. It's easy to be insightful when the fucking door is left open for you to walk straight through.
Rad stuff. I guess one way to learn Azure AD I mean Entra ID is to learn some attack chains.
I actually wanted to get a blue team cert after the CBBH, but this looks too tempting
As always John the king of security
Really awesome video 🎉.....i also learning cloud security 😀
Boom, another vuln got Hammonded! :D
😊 love how your skills have evolved into beautiful public resources for knowledge, understanding, and wisdom. Thank you for all you time and teachings
I do not understand in 06:31 where did you gather the api-version from
I am literally right now deploying AKS cluster, and also using Managed Identities for internal stuff. Damn, have to watch this :D
another great video!
great demo ... i didnt know it could escalate this far... secure sites are the key to protect cloud env.
Interesting stuff - thanks!
does there is any ctf challenge for demo this attack or something similar to it like azure active directory attacks?
Really cool mate👍
Amazing thanks!
John has 'dirbuster' integrated right into his browser's auto complete suggestions :)
If one needs a name, the initial access of the managed identity endpoint is effectively a case of SSRF - server side request forgery.
Shoulnd't it be Entra ID, instead of Azure AD, in the cert?
if we know that there is the page after uploads and we know page name (like you you create your own sheell and there you spesify the C and then you modify the url c=whoami and its executed if we dont upload this kind of shell) then how we execute commands in url
Hey John, I am a victim of someone hacking my multiple accounts gmail microsoft Facebook twitter etc maybe through my phone or somehow they got access to my Google password manager, Is there any safety steps I can take other than changing password and adding 2 factor authenticator app? Any help is appreciated.
Ah, I see John on the quick side of things. >:D The whole Azure *Tree* with all the Kubernetes Cluster Setups and Managements is beautifully riddled with ... holes. :D
Security is only as good as the person who sets it up.
Sir, its Entra ID sir
@HarmonicaMustang
Ай бұрын
Viva la résistance
Great uses of SAAS tools! These git-flows all lead back home, and with resources beyond 09-01-2017... So working with URI's is similar to working with URL's, but without the universal curl commandeer? Awesome! Who could of think of that? Next up Amazon AWS? Cloudfare? Some other CDN, like fonts for Google?
HI John
Your videos are great. Keep it up, it really helps us all learn. But I admit the conditions for this hack were staged for the hacking adventure, but it shows how multiple vulnerabilities can be used. Thank you.
Isnt all of your attack possible because of the website and code uploaded to the i guess webapp? And not because of Azure, WebApps, Functions or other PaaS in Azure? The Title seems very Clickbaity. Please educate me
@ryandawson1220
Ай бұрын
I agree on this one. When an RCE happens on your server, they will always have access to secrets in one form or fashion. We are pulling our secrets in via Azure Keyvault at runtime with a managed identity, so this particular video interested me. This makes it super easy for the attacker to get access to the Keyvault to pull secrets. However if they are already on the server, they could dump memory and get them this one. I think the one take away is to make sure your managed identities are properly scoped. Don't use one managed identity for all applications.
@KyAreTR
Ай бұрын
Agree. Use system managed identity and use IAM to grant access to needed ressources and thats it. And i really do hope that people do not have VMs with PublicIPs available in azure...use a loadbalancer at least infront of it.
@rnts08
Ай бұрын
110% clickbait. The vulnerability is SSI, which has been known for 20+ years surfacing again due to clueless DevOps managing infrastructure.
Bro where is the XZ back door proof of concept video
Bro do you know how does someone exploited all the data of boat company
@stevenhernandez6856
Ай бұрын
@@wildstorm74 boat
@alone_rider_988
Ай бұрын
I mean boat a speaker etc brand
Serious
COOL!
You cant get away with this.
please 1 video how to hacked gmail password please please new video 🙏🙏🙏🙏🙏🙏
is it just me or did he look at the eclipse a little too long? eyes r a lil red lookin
Azure Active Directory? Don't you mean Entra ID? 🤮
funny that windows defender detects this as a trojan
Is bro still at the hotel that he leaked the address to in his last video? 😭 be safe bro
@pranavbanerjee8625
Ай бұрын
Why should he worry about that tho?
😱
Old hackers descend ppl from sky to earth sow y will never reach them😂😂😂
top
early gang
Hack my company if you can HOHOHOHO 👹👺👺
This was great. I understood most of it. Started out with PS and now i'm learning linux OS to understand the basics before I go to networks and further.