Presentation Material
Abstract
Case study of privilege escalation in Azure: from Reader role to Global Admin. CONFidence 2024, 27 May 2024, Kraków.
AI-Generated Summary
The talk details a multi-stage attack chain that started from nothing more than the Reader role on an Azure subscription and a plain member account in Azure Active Directory. Enumerating the serverless services visible to a Reader (Function Apps, Logic Apps and Automation Accounts) turned up readable source code, and that code contained credentials for a service principal holding the Microsoft Graph application permission Application.ReadWrite.All. With that permission the testers could add a client secret to any app registration in the tenant and then sign in as that application's service principal, which is in practice equivalent to holding the Application Administrator directory role.
Further enumeration identified an Enterprise Application (service principal) holding Group.ReadWrite.All. Using it, the testers added their own user to a group that held the Owner role at the Root Management Group, which gave them control over all 25+ subscriptions and more than 3,000 resources beneath it.
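The two escalations above both hinge on a service principal holding a dangerous Microsoft Graph application permission, and the grants are visible to any member user in a tenant with default user permissions (for example via `az rest --method get --url "https://graph.microsoft.com/v1.0/servicePrincipals/<id>/appRoleAssignments"`). The script below is an added example, not code from the talk: it takes the JSON shapes Graph returns for the Graph service principal's `appRoles` and for each tenant service principal's `appRoleAssignments`, resolves each `appRoleId` to its permission name, and reports the grants that allow this kind of takeover. The sample data and every GUID in it are constructed placeholders; only the Microsoft Graph `appId` is the real well-known value.

```python
"""Audit Graph application-permission grants for privilege-escalation paths.

Added example (not from the CONFidence talk). Input is the JSON that Microsoft
Graph returns; the embedded sample objects are constructed, with made-up GUIDs.
"""

# Well-known appId of the Microsoft Graph resource service principal. Use it to
# look up the tenant's Graph service principal object and its appRoles:
#   GET /servicePrincipals?$filter=appId eq '<MS_GRAPH_APP_ID>'&$select=id,appRoles
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Graph application permissions whose holder can take over other identities or
# roles. The first two are the ones used in the attack chain; the rest are the
# usual companions a reviewer should flag alongside them.
DANGEROUS_APP_ROLES = frozenset({
    "Application.ReadWrite.All",           # add credentials to any app registration
    "Group.ReadWrite.All",                 # add members to any non-role-assignable group
    "RoleManagement.ReadWrite.Directory",  # assign Entra directory roles
    "AppRoleAssignment.ReadWrite.All",     # grant further application permissions
    "Directory.ReadWrite.All",             # broad directory write
})

WHAT_IT_ENABLES = {
    "Application.ReadWrite.All": (
        "add a client secret to any app registration and sign in as its service "
        "principal (equivalent to the Application Administrator role)"
    ),
    "Group.ReadWrite.All": (
        "add members to any group that is not role-assignable, including groups "
        "holding Azure RBAC roles such as Owner on a management group"
    ),
    "RoleManagement.ReadWrite.Directory": "assign any Entra directory role, Global Administrator included",
    "AppRoleAssignment.ReadWrite.All": "grant itself or another principal any Graph application permission",
    "Directory.ReadWrite.All": "write most directory objects; review the exact use case",
}

# Constructed stand-in for the Graph service principal's id and appRoles.
# A real tenant returns Microsoft's fixed GUIDs here; these are placeholders.
GRAPH_SP_OBJECT_ID = "11111111-1111-4111-8111-111111111111"
GRAPH_SP_APP_ROLES = [
    {"id": "aaaaaaaa-0000-4000-8000-000000000001", "value": "Application.ReadWrite.All"},
    {"id": "aaaaaaaa-0000-4000-8000-000000000002", "value": "Group.ReadWrite.All"},
    {"id": "aaaaaaaa-0000-4000-8000-000000000003", "value": "User.Read.All"},
]

# Constructed stand-in for GET /servicePrincipals/{id}/appRoleAssignments,
# concatenated across the tenant's service principals.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-1", "principalDisplayName": "func-deploy-helper",
     "resourceId": GRAPH_SP_OBJECT_ID, "appRoleId": "aaaaaaaa-0000-4000-8000-000000000001"},
    {"principalId": "sp-2", "principalDisplayName": "hr-group-sync",
     "resourceId": GRAPH_SP_OBJECT_ID, "appRoleId": "aaaaaaaa-0000-4000-8000-000000000003"},
    {"principalId": "sp-2", "principalDisplayName": "hr-group-sync",
     "resourceId": GRAPH_SP_OBJECT_ID, "appRoleId": "aaaaaaaa-0000-4000-8000-000000000002"},
    # Grant on a different resource API (not Graph): out of scope for this check.
    {"principalId": "sp-3", "principalDisplayName": "legacy-arm-client",
     "resourceId": "22222222-2222-4222-8222-222222222222", "appRoleId": "aaaaaaaa-0000-4000-8000-000000000001"},
    # appRoleId that does not resolve against the Graph appRoles list.
    {"principalId": "sp-4", "principalDisplayName": "mystery-app",
     "resourceId": GRAPH_SP_OBJECT_ID, "appRoleId": "aaaaaaaa-0000-4000-8000-0000000000ff"},
]


def role_values_by_id(app_roles):
    """Map appRoleId -> permission name (Graph's 'value' field)."""
    return {role["id"]: role["value"] for role in app_roles}


def find_dangerous_grants(assignments, graph_app_roles, graph_sp_object_id,
                          dangerous=DANGEROUS_APP_ROLES):
    """Return sorted (principalId, displayName, permission) tuples for every grant
    of a dangerous Graph application permission. Grants on other resource APIs
    and appRoleIds that do not resolve are skipped rather than guessed at."""
    names = role_values_by_id(graph_app_roles)
    hits = set()
    for grant in assignments:
        if grant.get("resourceId") != graph_sp_object_id:
            continue
        permission = names.get(grant.get("appRoleId"))
        if permission in dangerous:
            hits.add((grant["principalId"], grant.get("principalDisplayName", ""), permission))
    return sorted(hits)


def report(findings):
    """Pair each finding with the escalation it allows, one line per grant."""
    return [f"{name} ({pid}): {perm} -> {WHAT_IT_ENABLES.get(perm, 'review manually')}"
            for pid, name, perm in findings]


if __name__ == "__main__":
    for line in report(find_dangerous_grants(APP_ROLE_ASSIGNMENTS, GRAPH_SP_APP_ROLES, GRAPH_SP_OBJECT_ID)):
        print(line)
```

Run against real output, the same function finds the two principals that made the chain possible: the one with Application.ReadWrite.All (whose secret was sitting in Function App source) and the one with Group.ReadWrite.All. The filter on `resourceId` matters because the same `appRoleId` GUID space is per resource API, so a grant on Azure Service Management or Exchange Online must not be read through the Graph role table.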
A separate cloud-to-on-premises pivot began with a Function App holding a Contributor role. Its publish profile provided access to the Kudu console, from which