f

Author: carlospolop

src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md

@@ -66,11 +66,11 @@ This config will usually contain a **SAS URL to download** the code from the Sto
 > [!CAUTION]
 > With enough permission to connect to the blob container that **contains the code in zip** it's possible to execute arbitrary code in the Function and escalate privileges.
 
-- **`github-actions-deploy`** (`WEBSITE_RUN_FROM_PACKAGE)`
+- **`github-actions-deploy`** (`WEBSITE_RUN_FROM_PACKAGE`)
 
 Just like in the previous case, if the deployment is done via Github Actions it's possible to find the folder **`github-actions-deploy`** in the Storage Account containing a zip of the code and a SAS URL to the zip in the setting `WEBSITE_RUN_FROM_PACKAGE`.
 
-- **`scm-releases`**`(WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`)
+- **`scm-releases`**(`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`)
 
 With permissions to read the containers inside the Storage Account that stores the function data it's possible to find the container **`scm-releases`**. In there it's possible to find the latest release in **Squashfs filesystem file format** and therefore it's possible to read the code of the function:
 
@@ -170,12 +170,18 @@ curl -X PUT "https://consumptionexample.azurewebsites.net/admin/vfs/site/wwwroot
 
 ### `Microsoft.Web/sites/functions/listKeys/action`
 
-This permission allows to get the host key, of the specified function with:
+This permission allows to get the default key, of the specified function with:
 
 ```bash
 az rest --method POST --uri "https://management.azure.com/subscriptions/<subsription-id>/resourceGroups/<resource-group>/providers/Microsoft.Web/sites/<func-name>/functions/<func-endpoint-name>/listKeys?api-version=2022-03-01"
 ```
 
+Invoke the function using the default key obtained:
+
+```bash
+curl "https://<app-name>.azurewebsites.net/api/<func-endpoint-name>?code=<default-key>"
+```
+
 ### `Microsoft.Web/sites/host/functionKeys/write`
 
 This permission allows to create/update a function key of the specified function with:
@@ -203,6 +209,16 @@ This permission allows to create/update a system function key to the specified f
 az functionapp keys set --resource-group <res_group> --key-name <key-name> --key-type masterKey --name <func-key> --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ==
 ```
 
+Use the key:
+
+```bash
+# Ejemplo: Acceso a endpoints de Durable Functions
+curl "https://<app-name>.azurewebsites.net/runtime/webhooks/durabletask/instances?code=<system-key>"
+
+# Ejemplo: Acceso a Event Grid webhooks
+curl "https://<app-name>.azurewebsites.net/runtime/webhooks/eventgrid?code=<system-key>"
+```
+
 ### `Microsoft.Web/sites/config/list/action`
 
 This permission allows to get the settings of a function. Inside these configurations it might be possible to find the default values **`AzureWebJobsStorage`** or **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** which contains an **account key to access the blob storage of the function with FULL permissions**.