From 393c6997b1db404e75b5c6134588dd1d5f6688f2 Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Tue, 5 May 2026 16:16:00 +0200 Subject: [PATCH] Clarify Azure WireServer access contexts --- .../azure-security/az-services/vms/README.md | 52 ++++++++----------- 1 file changed, 21 insertions(+), 31 deletions(-) diff --git a/src/pentesting-cloud/azure-security/az-services/vms/README.md b/src/pentesting-cloud/azure-security/az-services/vms/README.md index 241f71b05..4f08f6e7f 100644 --- a/src/pentesting-cloud/azure-security/az-services/vms/README.md +++ b/src/pentesting-cloud/azure-security/az-services/vms/README.md 
@@ -873,29 +873,21 @@ The **ExtensionsConfig** contains detailed configuration of VM extensions and ma These endpoints are typically accessed via: ```bash -curl -H "x-ms-version: 2012-11-30" http://168.63.129.16/?comp=goalstate +curl -H "x-ms-version: 2012-11-30" http://168.63.129.16/machine?comp=goalstate ``` -### Access Restrictions +### Access considerations -Although the endpoint is reachable from the VM network, **it is not equally accessible from all contexts**. +The WireServer IP is generally reachable from inside the VM through the guest network stack. It is not restricted only to the Azure VM Agent, Run Command, or VM extensions. Microsoft even documents agentless Linux provisioning examples where ordinary in-guest scripts query GoalState directly from `168.63.129.16`. -**Accessible from**: +However, not every process will necessarily get the same practical result: -- Azure **VM Agent** -- Azure **Run Command** -- **VM Extensions** +- Some endpoints require Azure-specific headers, such as `x-ms-version: 2012-11-30` for GoalState. +- Local guest controls can block or alter access, including host firewall rules, proxies, routes, network namespaces, containers, or endpoint protection. +- VM extensions and Run Command commonly execute as `root`/`SYSTEM` through the VM Agent, so they may bypass local OS restrictions that affect an interactive user. +- Some data is agent/extension-specific and may depend on the VM's provisioning state, installed agent, configured extensions, or managed identity configuration. 
-**Not reliably accessible from**: - -- Interactive SSH sessions (e.g., `azureuser`) -- Unprivileged processes inside the VM - -This is because: - -- The WireServer is designed for **platform-agent communication** -- Requests may require **specific headers, timing, or context** -- Some responses are only available to the **VM Agent execution environment** +Therefore, if a request works from Run Command but fails from SSH, the usual explanation is a difference in OS user, environment, routing, proxy, firewall, or namespace, not a general Azure rule that only agent execution contexts can reach `168.63.129.16`. ### Run Command vs SSH Context @@ -906,11 +898,9 @@ Azure provides multiple ways to execute commands inside a VM, but **they do not Run Command is an Azure feature that executes scripts via the **VM Agent**. - Uses: `Microsoft.Compute/virtualMachines/runCommand/action` -- Runs with **agent-level privileges** -- Has access to: - - WireServer - - GoalState - - ExtensionsConfig +- Runs through the **Azure VM Agent** +- Usually runs with elevated local privileges (`root` on Linux or `SYSTEM` on Windows) +- Can often reach WireServer/GoalState/ExtensionsConfig even when a low-privileged user is blocked by local controls Example: @@ -928,12 +918,13 @@ When connecting via SSH: - Runs as a **regular OS user** - Uses standard network stack -- Does **NOT have agent-level access** +- Does **not** have VM Agent privileges by default As a result: -- Requests to `168.63.129.16` may fail or return incomplete data -- GoalState may not be accessible +- Requests to `168.63.129.16` can work from SSH if the guest configuration allows it +- Requests may fail if blocked by local firewall, proxy, routing, network namespace, or user-level controls +- GoalState requests require the correct endpoint path and headers **Script Examples to get attached managed identities:** 
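Review bot: In the `@@ -873,29` hunk, the new "Access considerations" bullet lists proxies among the local controls that can alter access but does not say how that typically bites in practice: `curl` honours `http_proxy`/`HTTP_PROXY` from the interactive user's shell environment, while a process spawned by the agent does not inherit that shell environment, so a request that works from Run Command can silently be sent to a proxy from SSH. Suggest adding `--noproxy '*'` to the curl example (`curl --noproxy '*' -H "x-ms-version: 2012-11-30" http://168.63.129.16/machine?comp=goalstate`) or a one-line hint to check `env | grep -i proxy` when the SSH request fails.

Review bot: In the `@@ -906,11` hunk, the bullet `- Runs through the **Azure VM Agent**` repeats the sentence directly above it ("Run Command is an Azure feature that executes scripts via the **VM Agent**"); drop the bullet or fold the privilege statement into it, e.g. `- Runs through the **Azure VM Agent**, usually as root on Linux or SYSTEM on Windows`. The earlier hunk says extensions and Run Command "commonly" run as root/SYSTEM and this one says "usually"; pick one wording so the two sections do not read as different claims.

Review bot: In the `@@ -928,12` hunk, the bullet "GoalState requests require the correct endpoint path and headers" leaves the reader to scroll up for them, and this is exactly the section a tester reads when the SSH request fails; state them inline (path `/machine?comp=goalstate`, header `x-ms-version: 2012-11-30`) so the bullet matches the corrected curl example.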
@@ -949,7 +940,6 @@ ws="http://168.63.129.16" echo "[*] Getting Goal State..." goal_urls=( - "$ws/?comp=goalstate" "$ws/machine?comp=goalstate" "$ws/machine/?comp=goalstate" ) @@ -1081,7 +1071,6 @@ $h = @{ Write-Host "[*] Getting Goal State..." -ForegroundColor Cyan $goalUrls = @( - "$ws/?comp=goalstate", "$ws/machine?comp=goalstate", "$ws/machine/?comp=goalstate" ) 
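Review bot: In the `@@ -949,7` hunk, removing `"$ws/?comp=goalstate"` from `goal_urls` is consistent with the corrected curl example, but the remaining array still carries two near-identical candidates (`"$ws/machine?comp=goalstate"` and `"$ws/machine/?comp=goalstate"`); if the trailing-slash form is kept on purpose as a fallback, a short comment saying so would stop the next editor from "cleaning" it up, and the loop that walks `goal_urls` (outside this hunk) should be checked to confirm it does not assume three entries.

Review bot: The `@@ -1081,7` hunk makes the same removal in the PowerShell `$goalUrls` array, keeping the two scripts in sync; after the deletion the first remaining element still has its trailing comma and the last does not, which is valid, but the same fallback question as in the bash version applies and the same comment should appear in both scripts.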
@@ -1169,11 +1158,12 @@ foreach ($id in $ids) { - [https://learn.microsoft.com/en-us/azure/virtual-machines/overview](https://learn.microsoft.com/en-us/azure/virtual-machines/overview) - [https://hausec.com/2022/05/04/azure-virtual-machine-execution-techniques/](https://hausec.com/2022/05/04/azure-virtual-machine-execution-techniques/) - [https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service](https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service) -- [https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16](https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16) -- [https://learn.microsoft.com/en-us/azure/virtual-machines/run-command](https://learn.microsoft.com/en-us/azure/virtual-machines/run-command) -- [https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux](https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux) +- [https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16](https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16) +- [https://learn.microsoft.com/en-us/azure/virtual-machines/linux/no-agent](https://learn.microsoft.com/en-us/azure/virtual-machines/linux/no-agent) +- [https://learn.microsoft.com/en-us/azure/virtual-machines/run-command](https://learn.microsoft.com/en-us/azure/virtual-machines/run-command) +- [https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux](https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux) +- [https://www.cybercx.com.au/blog/azure-ssrf-metadata/](https://www.cybercx.com.au/blog/azure-ssrf-metadata/) {{#include ../../../../banners/hacktricks-training.md}} -
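Review bot: In the `@@ -1169,11` hunk, the `what-is-ip-address-168-63-129-16`, `run-command` and `agent-linux` reference lines are deleted and re-added with identical visible text, which normally indicates a trailing-whitespace or line-ending change rather than a content change; consider reverting those three so the hunk shows only the two genuinely new links (`linux/no-agent` and the cybercx SSRF post). The trailing `-` that deletes the blank line after the banner include is likewise unrelated to the subject stated in the commit message and would be better left out or split off.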