XMGoat – An Open Source Pentesting Tool for Azure

Overview

We created XMGoat as an open source tool with the purpose of teaching penetration testers, red teamers, security consultants, and cloud experts how to abuse different misconfigurations within the Azure environment. In this way, you learn about common Azure security issues.

XMGoat contains multiple environments in the form of Terraform templates. After installation, the template automatically deploys the environment within Azure. The environments contain some significant misconfigurations, making them vulnerable.

Each environment represents a scenario, where your job is to discover the attack path towards the critical asset, and compromise it. The scenario starts with the breach point, which is the initial foothold the attacker has gained in the Azure environment. This can be a user or service principal. In each scenario, the breach points and the critical assets are different. Each scenario allows for multiple attack paths towards the critical asset. 

As of now, we’ve created three different attack scenarios for you to master. We plan to continue deploying more as time goes on. Below, we describe the scenarios and how we would compromise them. There are, of course, other ways.

For additional information about how to use the open source tool, go to the XMGoat GitHub repository: https://github.com/XMCyber/XMGoat.

Scenario 1 – Compromise Sensitive Storage account Container

Breach Point: User
Critical Asset: Sensitive Container Blob (within a storage account)

Attack Flow

  1. First, we do our reconnaissance:
    1. We authenticate with the user.
    2. We discover that the user is the owner of an application. 
  2. Now it’s time to hack:
    1. As the owner, we modify the application password and authenticate with it. 
    2. As the service principal that represents the application, we enumerate all virtual machines within a specific subscription. 
    3. We identify that we can execute commands on a specific virtual machine.
    4. We request access tokens for the identity attached to the machine and act on its behalf. 
    5. As the identity, we enumerate all storage accounts, containers, and blobs. 
  3. Let’s go in for the compromise:
    1. We find a sensitive blob within the storage account container.
    2. We have compromised the critical asset of this scenario – the sensitive container blob.

Scenario 2 – Compromise subscription

Breach Point: Service Principal
Critical Asset: Subscription

Attack Flow

  1. First, we do our reconnaissance:
    1. We authenticate with the service principal.
    2. We identify key-vaults in the subscription. 
  2. Now it’s time to hack:
    1. Since our user has permissions to read secrets from a specific key-vault, we can retrieve a secret. 
    2. We identify that the secret contains the credential for a user in Azure Active Directory.
    3. We authenticate as the reconned user.
    4. We identify that the user has permissions to modify permissions on the subscription level.
  3. Let’s go in for the compromise:
    1. We create new role assignments for the user.
    2. We modify the user permissions.
    3. We assign owner permissions to the user.
    4. We have now compromised the critical asset, which in this scenario was the subscription.

Scenario 3 – Account takeover, compromise tenant

Breach Point: User
Critical Asset: AAD tenant

Attack Flow

  1. First, we do our reconnaissance:
    1. We authenticate with the user.
    2. We identify that the user has permissions to enumerate function apps within the subscription. In addition, the user has permissions to update the function app code.
    3. We identify a specific application with a global administrator role.
  2. Now it’s time to hack:
    1. We use the user to modify the code and compromise the identity attached to the function app.
    2. We authenticate with the identity.
    3. We identify that the identity is the application administrator in Azure Active Directory, which can add a password to any application that is created in the tenant.
  3. Let’s go in for the compromise:
    1. We add a password for the specific application that we reconned and authenticate with it. 
    2. And with that, we compromise the critical asset, which in this scenario is the AAD tenant.

Summary

Misconfigurations within Azure environments are common. It’s important to learn and understand how attackers can exploit those misconfigurations and, more importantly, what causes them behind the scenes.
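
To see what causes each path from the defender's side, the three attack flows above can be modeled as a graph of identity relationships and searched for chains from breach point to critical asset. This is an added example, not code from XMGoat; the node names, relationship labels and inventory are constructed for illustration and would in practice come from an export of your own role assignments, application owners and managed identities.

```python
from collections import deque

# Constructed labels for relationships that let the source act as, or control, the target.
ABUSABLE = {
    "owns_application", "vm_run_command", "has_managed_identity", "blob_data_read",
    "keyvault_secret_read", "stores_credential_of", "role_assignment_write",
    "functionapp_code_write", "application_administrator", "global_administrator",
}

# Constructed inventory (hypothetical names): (source, relationship, target).
EDGES = [
    ("user:s1", "owns_application", "sp:app1"),
    ("sp:app1", "vm_run_command", "vm:vm1"),
    ("vm:vm1", "has_managed_identity", "mi:vm1"),
    ("mi:vm1", "blob_data_read", "blob:sensitive"),
    ("sp:s2", "keyvault_secret_read", "kv:vault1"),
    ("kv:vault1", "stores_credential_of", "user:s2"),
    ("user:s2", "role_assignment_write", "subscription:sub1"),
    ("user:s3", "functionapp_code_write", "func:app3"),
    ("func:app3", "has_managed_identity", "mi:func3"),
    ("mi:func3", "application_administrator", "sp:globaladmin"),
    ("sp:globaladmin", "global_administrator", "tenant:aad"),
    ("user:reader", "reader", "subscription:sub1"),  # read-only: not a path
]

def find_path(edges, start, target):
    """Shortest chain of abusable relationships from start to target, or None."""
    graph = {}
    for src, rel, dst in edges:
        if rel in ABUSABLE:
            graph.setdefault(src, []).append((rel, dst))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for rel, dst in graph.get(node, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [(node, rel, dst)]))
    return None

def cut_edges(edges, start, target):
    """Edges on the found path whose removal alone leaves target unreachable."""
    path = find_path(edges, start, target) or []
    return [e for e in path if find_path([x for x in edges if x != e], start, target) is None]

if __name__ == "__main__":
    for s, t in [("user:s1", "blob:sensitive"), ("sp:s2", "subscription:sub1"), ("user:s3", "tenant:aad")]:
        print(s, "->", t, cut_edges(EDGES, s, t))
```

Each edge returned by `cut_edges` is a single permission or ownership whose removal breaks that scenario's chain, which is the "cause" to fix first.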

Feel free to contribute to this repository. In addition, for any questions, contact us via the repository.

 

By Zur Ulianitzky and Bill Ben Haim