ADOKit: Azure DevOps Services Attack Toolkit

Azure DevOps Services Attack Toolkit – ADOKit is a toolkit that can be used to attack Azure DevOps Services by taking advantage of the available REST API. The tool allows the user to specify an attack module, along with specifying valid credentials (API key or stolen authentication cookie) for the respective Azure DevOps Services instance. The attack modules supported include reconnaissance, privilege escalation and persistence. ADOKit was built in a modular approach, so that new modules can be added in the future by the information security community.

Full details on the techniques used by ADOKit are in the X-Force Red whitepaper.

Release

Version 1.0 of ADOKit can be found in Releases

Installation/Building

Libraries Used

The below 3rd party libraries are used in this project.

Library	URL	License
Fody	Link	MIT License
Newtonsoft.Json	Link	MIT License

Pre-Compiled

Use the pre-compiled binary in Releases

Building Yourself

Take the below steps to setup Visual Studio in order to compile the project yourself. This requires two .NET libraries that can be installed from the NuGet package manager.

Load the Visual Studio project up and go to “Tools” –> “NuGet Package Manager” –> “Package Manager Settings”
Go to “NuGet Package Manager” –> “Package Sources”
Add a package source with the URL https://api.nuget.org/v3/index.json
Install the Costura.Fody NuGet package.
- Install-Package Costura.Fody -Version 3.3.3
Install the Newtonsoft.Json package
- Install-Package Newtonsoft.Json
You can now build the project yourself!

Command Modules

Recon
- check – Check whether organization uses Azure DevOps and if credentials are valid
- whoami – List the current user and its group memberships
- listrepo – List all repositories
- searchrepo – Search for given repository
- listproject – List all projects
- searchproject – Search for given project
- searchcode – Search for code containing a search term
- searchfile – Search for file based on a search term
- listuser – List users
- searchuser – Search for a given user
- listgroup – List groups
- searchgroup – Search for a given group
- getgroupmembers – List all group members for a given group
- getpermissions – Get the permissions for who has access to a given project
Persistence
- createpat – Create personal access token for user
- listpat – List personal access tokens for user
- removepat – Remove personal access token for user
- createsshkey – Create public SSH key for user
- listsshkey – List public SSH keys for user
- removesshkey – Remove public SSH key for user
Privilege Escalation
- addprojectadmin – Add a user to the “Project Administrators” for a given project
- removeprojectadmin – Remove a user from the “Project Administrators” group for a given project
- addbuildadmin – Add a user to the “Build Administrators” group for a given project
- removebuildadmin – Remove a user from the “Build Administrators” group for a given project
- addcollectionadmin – Add a user to the “Project Collection Administrators” group
- removecollectionadmin – Remove a user from the “Project Collection Administrators” group
- addcollectionbuildadmin – Add a user to the “Project Collection Build Administrators” group
- removecollectionbuildadmin – Remove a user from the “Project Collection Build Administrators” group
- addcollectionbuildsvc – Add a user to the “Project Collection Build Service Accounts” group
- removecollectionbuildsvc – Remove a user from the “Project Collection Build Service Accounts” group
- addcollectionsvc – Add a user to the “Project Collection Service Accounts” group
- removecollectionsvc – Remove a user from the “Project Collection Service Accounts” group
- getpipelinevars – Retrieve any pipeline variables used for a given project.
- getpipelinesecrets – Retrieve the names of any pipeline secrets used for a given project.
- getserviceconnections – Retrieve the service connections used for a given project.

Arguments/Options

/credential: – credential for authentication (PAT or Cookie). Applicable to all modules.
/url: – Azure DevOps URL. Applicable to all modules.
/search: – Keyword to search for. Not applicable to all modules.
/project: – Project to perform an action for. Not applicable to all modules.
/user: – Perform an action against a specific user. Not applicable to all modules.
/id: – Used with persistence modules to perform an action against a specific token ID. Not applicable to all modules.
/group: – Perform an action against a specific group. Not applicable to all modules.

Authentication Options

Below are the authentication options you have with ADOKit when authenticating to an Azure DevOps instance.

Stolen Cookie – This will be the UserAuthentication cookie on a user’s machine for the .dev.azure.com domain.
- /credential:UserAuthentication=ABC123
Personal Access Token (PAT) – This will be an access token/API key that will be a single string.
- /credential:apiToken

Module Details Table

The below table shows the permissions required for each module.

Attack Scenario	Module	Special Permissions?
Recon	`check`	No
Recon	`whoami`	No
Recon	`listrepo`	No
Recon	`searchrepo`	No
Recon	`listproject`	No
Recon	`searchproject`	No
Recon	`searchcode`	No
Recon	`searchfile`	No
Recon	`listuser`	No
Recon	`searchuser`	No
Recon	`listgroup`	No
Recon	`searchgroup`	No
Recon	`getgroupmembers`	No
Recon	`getpermissions`	No
Persistence	`createpat`	No
Persistence	`listpat`	No
Persistence	`removepat`	No
Persistence	`createsshkey`	No
Persistence	`listsshkey`	No
Persistence	`removesshkey`	No
Privilege Escalation	`addprojectadmin`	Yes – `Project Administrator`, `Project Collection Administrator` or `Project Collection Service Accounts`
Privilege Escalation	`removeprojectadmin`	Yes – `Project Administrator`, `Project Collection Administrator` or `Project Collection Service Accounts`
Privilege Escalation	`addbuildadmin`	Yes – `Project Administrator`, `Project Collection Administrator` or `Project Collection Service Accounts`
Privilege Escalation	`removebuildadmin`	Yes – `Project Administrator`, `Project Collection Administrator` or `Project Collection Service Accounts`
Privilege Escalation	`addcollectionadmin`	Yes – `Project Collection Administrator` or `Project Collection Service Accounts`
Privilege Escalation	`removecollectionadmin`	Yes – `Project Collection Administrator` or `Project Collection Service Accounts`
Privilege Escalation	`addcollectionbuildadmin`	Yes – `Project Collection Administrator` or `Project Collection Service Accounts`
Privilege Escalation	`removecollectionbuildadmin`	Yes – `Project Collection Administrator` or `Project Collection Service Accounts`
Privilege Escalation	`addcollectionbuildsvc`	Yes – `Project Collection Administrator`, `Project Colection Build Administrators` or `Project Collection Service Accounts`
Privilege Escalation	`removecollectionbuildsvc`	Yes – `Project Collection Administrator`, `Project Colection Build Administrators` or `Project Collection Service Accounts`
Privilege Escalation	`addcollectionsvc`	Yes – `Project Collection Administrator` or `Project Collection Service Accounts`
Privilege Escalation	`removecollectionsvc`	Yes – `Project Collection Administrator` or `Project Collection Service Accounts`
Privilege Escalation	`getpipelinevars`	Yes – `Contributors` or `Readers` or `Build Administrators` or `Project Administrators` or `Project Team Member` or `Project Collection Test Service Accounts` or `Project Collection Build Service Accounts` or `Project Collection Build Administrators` or `Project Collection Service Accounts` or `Project Collection Administrators`
Privilege Escalation	`getpipelinesecrets`	Yes – `Contributors` or `Readers` or `Build Administrators` or `Project Administrators` or `Project Team Member` or `Project Collection Test Service Accounts` or `Project Collection Build Service Accounts` or `Project Collection Build Administrators` or `Project Collection Service Accounts` or `Project Collection Administrators`
Privilege Escalation	`getserviceconnections`	Yes – `Project Administrator`, `Project Collection Administrator` or `Project Collection Service Accounts`

Examples

Validate Azure DevOps Access

Use Case

Perform authentication check to ensure that organization is using Azure DevOps and that provided credentials are valid.

Syntax

Provide the check module, along with any relevant authentication information and URL. This will output whether the organization provided is using Azure DevOps, and if so, will attempt to validate the credentials provided.

ADOKit.exe check /credential:apiKey /url:https://dev.azure.com/organizationName

ADOKit.exe check /credential:"UserAuthentication=ABC123" /url:https://dev.azure.com/organizationName

Example Output

C:\>ADOKit.exe check /credential:apiKey /url:https://dev.azure.com/YourOrganization

==================================================
Module:         check
Auth Type:      API Key
Search Term:
Target URL:     https://dev.azure.com/YourOrganization

Timestamp:      3/28/2023 3:33:01 PM
==================================================


[*] INFO: Checking if organization provided uses Azure DevOps

[+] SUCCESS: Organization provided exists in Azure DevOps


[*] INFO: Checking credentials provided

[+] SUCCESS: Credentials provided are VALID.

3/28/23 19:33:02 Finished execution of check

For more click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.