I Hacked The Cloud: Azure Managed Identities

Published 2024-04-11
jh.live/alteredsecurity || Altered Security has just released their new "Advanced Azure Attacks" course and "Certified Azure Red Team Expert" certification -- use code HAMMOND20 for 20% off ALL THREE of their Azure courses!

🗨️ "I Hacked The Cloud" -- compromising an Azure website, swiping the access token for the managed identity of the web app, leveraging permissions to gain code execution on a virtual machine, and extracting credentials for further access! 😎 💬

All Comments (21)
  • @wildstorm74
    I'm actually really happy with myself, because I actually understood all of that. My self-studying has been paying off.
  • @DePhoegonIsle
    If this isn't a complete course on why you should disable code or execution of things on an entire directory, or ya know disable direct access to user uploads using an iframe set to call the files in a sanitized way, as clean text only. I have to admit it's cool to see some of these things, but a lot of these vulnerabilities come off more as PEBKAC sorts of the one who set up that web service, and less in 'it's in the cloud'.
  • @darshannaik1676
    I regularly watch your videos, but today I wanna say thank you to you, man. You are doing a great job. You motivate me to work in the cyber security field in an interesting way. Thank you, John Sir!! 🙏🏻🙏🏻
  • @goldenhell9
    Really awesome video! Thank you John for sharing your knowledge for free! I am a DevOps Engineer with extensive Azure and PowerShell knowledge and love watching your videos. I do have a few small points to add about the VM exploitation. Once you're sure that the managed identity has the ability to execute Run Commands on the VM, you can also use the other default run commands to open a bunch of stuff up which may not have been configured. For example, in the video, you're using Enter-PSSession to access the VM, which will only work if PSRemoting/WinRM has already been enabled. To be certain that it is enabled, you can use a built-in run command with the ID "EnableRemotePS". The built-in command opens the necessary Windows Defender firewall ports for you as well. Another note is that the Run Commands you're using are the v1 run commands (called Action Run Commands) which have a long list of restrictions. The newer and better way to use run commands is what Azure calls "Managed Run Commands". Managed Run commands use the Set-AzVMRunCommand syntax and have a considerably higher chance of executing properly. They can have user-specified timeouts, run in parallel, run scripts sequentially, and return data considerably quicker from my experience.
  • @diabilliq
    Very cool writeup! This is something that will get mitigated once CAE (continuous access evaluation) supports managed identities.
  • @fredrikzels2637
    This was great. I understood most of it. Started out with PS and now I'm learning Linux OS to understand the basics before I go to networks and further.
  • @logiciananimal
    If one needs a name, the initial access of the managed identity endpoint is effectively a case of SSRF - server side request forgery.
  • @Sleeping_Aizawa
    😊 Love how your skills have evolved into beautiful public resources for knowledge, understanding, and wisdom. Thank you for all your time and teachings.
  • @antifreeze44
    John's the best there is. These are so insightful.
  • @xCheddarB0b42x
    Rad stuff. I guess one way to learn Azure AD I mean Entra ID is to learn some attack chains.
  • @chris94kennedy
    probably a dumb question, I'm no cybersecurity engineer, but what sort of website would allow you to just straight up browse /uploads in order to interact with arbitrary data you uploaded?
  • @malikgenius4u
    Great demo... I didn't know it could escalate this far... secure sites are the key to protect cloud env.
  • I am literally right now deploying an AKS cluster, and also using Managed Identities for internal stuff. Damn, have to watch this :D
  • @NicolasPare
    John has 'dirbuster' integrated right into his browser's auto complete suggestions :)
  • @greob
    Very nice demonstration!
  • @zanidd
    I actually wanted to get a blue team cert after the CBBH, but this looks too tempting
  • Hey John, I am a victim of someone hacking my multiple accounts (Gmail, Microsoft, Facebook, Twitter, etc.), maybe through my phone, or somehow they got access to my Google password manager. Are there any safety steps I can take other than changing passwords and adding a 2-factor authenticator app? Any help is appreciated.