Beginner Friendly

Passwordless Credentials for Access and Escalation

See how exposed keys, certificates and tokens could be used to gain access to key user accounts!

30 Minute Playing time
Overview

We have created this fun lab to highlight alternative forms of credentials that can be abused to gain access and move laterally in Azure. Get ready to leverage service principals, web app managed identities and administrative units as we look to go from external access to the top of the tree!

Scenario

On a red team engagement for our new client, Mega Big Tech, we have a mission to try and infiltrate their Azure environment and access sensitive data. Let's show what we can do!

Lab prerequisites

  • Basic Windows command line knowledge
  • Familiarity with Azure
  • Basic website enumeration

Learning outcomes

  • Use certificate-based authentication to access a service principal
  • Leverage the Website Contributor role to get command execution using the CLI
  • Move laterally from a compromised web app to a configured managed identity
  • Enumerate Azure and Entra ID resources
  • Leverage administrative unit permissions for lateral movement

Real-world context

Credentials are often not plaintext passwords but keys, certificates and credential derivatives such as hashes and tokens. This lab showcases certificate-based authentication and tokens in addition to plaintext credentials. Executive accounts are often a key target for threat actors, as seen in the Midnight Blizzard breach that targeted Microsoft. Additionally, rather than exploiting CVEs, we will look to harness existing system functionality to move laterally and vertically.