Clarify Azure WireServer access contexts

src/pentesting-cloud/azure-security/az-services/vms/README.md

@@ -873,29 +873,21 @@ The **ExtensionsConfig** contains detailed configuration of VM extensions and ma
 These endpoints are typically accessed via:
 
 ```bash
-curl -H "x-ms-version: 2012-11-30" http://168.63.129.16/?comp=goalstate
+curl -H "x-ms-version: 2012-11-30" http://168.63.129.16/machine?comp=goalstate
 ```
 
-### Access Restrictions
+### Access considerations
 
-Although the endpoint is reachable from the VM network, **it is not equally accessible from all contexts**.
+The WireServer IP is generally reachable from inside the VM through the guest network stack. It is not restricted only to the Azure VM Agent, Run Command, or VM extensions. Microsoft even documents agentless Linux provisioning examples where ordinary in-guest scripts query GoalState directly from `168.63.129.16`.
 
-**Accessible from**:
+However, not every process will necessarily get the same practical result:
 
-- Azure **VM Agent**
+- Some endpoints require Azure-specific headers, such as `x-ms-version: 2012-11-30` for GoalState.
-- Azure **Run Command**
+- Local guest controls can block or alter access, including host firewall rules, proxies, routes, network namespaces, containers, or endpoint protection.
-- **VM Extensions**
+- VM extensions and Run Command commonly execute as `root`/`SYSTEM` through the VM Agent, so they may bypass local OS restrictions that affect an interactive user.
+- Some data is agent/extension-specific and may depend on the VM's provisioning state, installed agent, configured extensions, or managed identity configuration.
 
-**Not reliably accessible from**:
+Therefore, if a request works from Run Command but fails from SSH, the usual explanation is a difference in OS user, environment, routing, proxy, firewall, or namespace, not a general Azure rule that only agent execution contexts can reach `168.63.129.16`.
-
-- Interactive SSH sessions (e.g., `azureuser`)
-- Unprivileged processes inside the VM
-
-This is because:
-
-- The WireServer is designed for **platform-agent communication**
-- Requests may require **specific headers, timing, or context**
-- Some responses are only available to the **VM Agent execution environment**
 
 ### Run Command vs SSH Context
 
@@ -906,11 +898,9 @@ Azure provides multiple ways to execute commands inside a VM, but **they do not
 Run Command is an Azure feature that executes scripts via the **VM Agent**.
 
 - Uses: `Microsoft.Compute/virtualMachines/runCommand/action`
-- Runs with **agent-level privileges**
+- Runs through the **Azure VM Agent**
-- Has access to:
+- Usually runs with elevated local privileges (`root` on Linux or `SYSTEM` on Windows)
-  - WireServer
+- Can often reach WireServer/GoalState/ExtensionsConfig even when a low-privileged user is blocked by local controls
-  - GoalState
-  - ExtensionsConfig
 
 Example:
 
@@ -928,12 +918,13 @@ When connecting via SSH:
 
 - Runs as a **regular OS user**
 - Uses standard network stack
-- Does **NOT have agent-level access**
+- Does **not** have VM Agent privileges by default
 
 As a result:
 
-- Requests to `168.63.129.16` may fail or return incomplete data
+- Requests to `168.63.129.16` can work from SSH if the guest configuration allows it
-- GoalState may not be accessible
+- Requests may fail if blocked by local firewall, proxy, routing, network namespace, or user-level controls
+- GoalState requests require the correct endpoint path and headers
 
 **Script Examples to get attached managed identities:**
 
@@ -949,7 +940,6 @@ ws="http://168.63.129.16"
 echo "[*] Getting Goal State..."
 
 goal_urls=(
-  "$ws/?comp=goalstate"
   "$ws/machine?comp=goalstate"
   "$ws/machine/?comp=goalstate"
 )
@@ -1081,7 +1071,6 @@ $h  = @{
 Write-Host "[*] Getting Goal State..." -ForegroundColor Cyan
 
 $goalUrls = @(
-    "$ws/?comp=goalstate",
     "$ws/machine?comp=goalstate",
     "$ws/machine/?comp=goalstate"
 )
@@ -1169,11 +1158,12 @@ foreach ($id in $ids) {
 - [https://learn.microsoft.com/en-us/azure/virtual-machines/overview](https://learn.microsoft.com/en-us/azure/virtual-machines/overview)
 - [https://hausec.com/2022/05/04/azure-virtual-machine-execution-techniques/](https://hausec.com/2022/05/04/azure-virtual-machine-execution-techniques/)
 - [https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service](https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service)
-- [https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16](https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16)  
+- [https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16](https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16)
-- [https://learn.microsoft.com/en-us/azure/virtual-machines/run-command](https://learn.microsoft.com/en-us/azure/virtual-machines/run-command)  
+- [https://learn.microsoft.com/en-us/azure/virtual-machines/linux/no-agent](https://learn.microsoft.com/en-us/azure/virtual-machines/linux/no-agent)
-- [https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux](https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux)  
+- [https://learn.microsoft.com/en-us/azure/virtual-machines/run-command](https://learn.microsoft.com/en-us/azure/virtual-machines/run-command)
+- [https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux](https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux)
+- [https://www.cybercx.com.au/blog/azure-ssrf-metadata/](https://www.cybercx.com.au/blog/azure-ssrf-metadata/)
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
-