Az - VMs & Network Post Exploitation
VMs & Network
For more info about Azure VMs and networking check the following page:
{% content-ref url="../az-services/vms/" %} vms {% endcontent-ref %}
VM Application Pivoting
VM applications can be shared with other subscriptions and tenants. If an application is being shared, it is probably because it is being used. So if an attacker manages to compromise the application and upload a backdoored version, that version might be executed in another tenant or subscription.
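A defender-side check for this risk, as an added example that is not part of the original page: it scans Azure Activity Log records (the JSON shape returned by `az monitor activity-log list -o json`) for successful writes to gallery application versions by callers outside an approved publisher list, and for versions that are written more than once. The `APPROVED_PUBLISHERS` allowlist, the sample records and every name in them are constructed for illustration.

```python
# Operation logged when a gallery application version is created or updated.
VERSION_WRITE = "microsoft.compute/galleries/applications/versions/write"

# Assumption: identities allowed to publish versions (constructed value).
APPROVED_PUBLISHERS = {"release-pipeline@example.com"}

def find_suspicious_version_writes(records, approved=APPROVED_PUBLISHERS):
    """Return (finding, resource_id, caller) tuples for version writes that need review."""
    findings, seen_versions = [], set()
    for rec in sorted(records, key=lambda r: r["eventTimestamp"]):
        op = rec.get("operationName", {}).get("value", "").lower()
        if op != VERSION_WRITE or rec.get("status", {}).get("value") != "Succeeded":
            continue
        rid = rec["resourceId"].lower()
        caller = rec.get("caller", "").lower()
        if caller not in approved:
            findings.append(("unapproved-publisher", rid, caller))
        # A second successful write to the same version ID means it was changed in place.
        if rid in seen_versions:
            findings.append(("version-rewritten", rid, caller))
        seen_versions.add(rid)
    return findings

# Constructed sample records (not real log data).
GALLERY = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
           "/providers/Microsoft.Compute/galleries/exampleGallery")
APP_V1 = GALLERY + "/applications/exampleAgent/versions/1.0.0"
WRITE_OP = "Microsoft.Compute/galleries/applications/versions/write"

def make_record(ts, caller, op, rid, status="Succeeded"):
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "resourceId": rid, "status": {"value": status}}

SAMPLE_LOG = [
    make_record("2024-02-01T09:30:00Z", "dev-user@example.com", WRITE_OP, APP_V1),
    make_record("2024-01-10T08:00:00Z", "release-pipeline@example.com", WRITE_OP, APP_V1),
    make_record("2024-02-01T09:31:00Z", "dev-user@example.com",
                "Microsoft.Compute/disks/write", GALLERY + "/unrelated"),
    make_record("2024-02-02T10:00:00Z", "dev-user@example.com", WRITE_OP,
                GALLERY + "/applications/exampleAgent/versions/1.0.1", status="Failed"),
]

if __name__ == "__main__":
    for finding in find_suspicious_version_writes(SAMPLE_LOG):
        print(*finding)
```
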
Sensitive information in images
It might be possible to find sensitive information inside images taken from VMs in the past.
- List images from galleries
```bash
# Get galleries
az sig list -o table

# List images inside gallery
az sig image-definition list \
  --resource-group <RESOURCE_GROUP> \
  --gallery-name <GALLERY_NAME> \
  -o table

# Get images versions
az sig image-version list \
  --resource-group <RESOURCE_GROUP> \
  --gallery-name <GALLERY_NAME> \
  --gallery-image-definition <IMAGE_DEFINITION> \
  -o table
```
- List custom images
```bash
az image list -o table
```
- Create VM from image ID and search for sensitive info inside of it
```bash
# Create VM from image
az vm create \
  --resource-group <RESOURCE_GROUP> \
  --name <VM_NAME> \
  --image /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/galleries/<GALLERY_NAME>/images/<IMAGE_DEFINITION>/versions/<IMAGE_VERSION> \
  --admin-username <ADMIN_USERNAME> \
  --generate-ssh-keys
```
Sensitive information in restore points
It might be possible to find sensitive information inside restore points.
- List restore points
```bash
az restore-point list \
  --resource-group <RESOURCE_GROUP> \
  --restore-point-collection-name <COLLECTION_NAME> \
  -o table
```
- Create a disk from a restore point
{% code overflow="wrap" %}
```bash
az disk create \
  --resource-group <RESOURCE_GROUP> \
  --name <NEW_DISK_NAME> \
  --source /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/restorePointCollections/<COLLECTION_NAME>/restorePoints/<RESTORE_POINT_NAME>
```
{% endcode %}
- Attach the disk to a VM (the attacker needs to have compromised a VM inside the account already)
```bash
az vm disk attach \
  --resource-group <RESOURCE_GROUP> \
  --vm-name <VM_NAME> \
  --name <DISK_NAME>
```
- Mount the disk and search for sensitive info
{% tabs %} {% tab title="Linux" %}
```bash
# List all available disks
sudo fdisk -l

# Check disk format
sudo file -s /dev/sdX

# Mount it
sudo mkdir /mnt/mydisk
sudo mount /dev/sdX1 /mnt/mydisk
```
{% endtab %}
{% tab title="Windows" %}
1. Open Disk Management
   - Right-click Start and select Disk Management.
   - The attached disk should appear as Offline or Unallocated.
2. Bring the Disk Online
   - Locate the disk in the bottom pane.
   - Right-click the disk (e.g., Disk 1) and select Online.
3. Initialize the Disk
   - If the disk is not initialized, right-click and select Initialize Disk.
   - Choose the partition style:
     - MBR (Master Boot Record) or GPT (GUID Partition Table). GPT is recommended for modern systems.
4. Create a New Volume
   - Right-click the unallocated space on the disk and select New Simple Volume.
   - Follow the wizard to:
     - Assign a drive letter (e.g., D:).
     - Format the disk (choose NTFS for most cases).
{% endtab %}
{% endtabs %}
Sensitive information in disks & snapshots
It might be possible to find sensitive information inside disks or even inside old snapshots of disks.
- List snapshots
```bash
az snapshot list \
  --resource-group <RESOURCE_GROUP> \
  -o table
```
- Create disk from snapshot (if needed)
```bash
az disk create \
  --resource-group <RESOURCE_GROUP> \
  --name <DISK_NAME> \
  --source <SNAPSHOT_ID> \
  --size-gb <DISK_SIZE>
```
- Attach and mount the disk to a VM and search for sensitive information (check the previous section to see how to do this)
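To limit what old snapshots can expose, they can be inventoried and reviewed. The following added example (not from the original page) reads the JSON produced by `az snapshot list -o json` and flags snapshots older than a threshold, snapshots whose source disk no longer exists, and snapshots whose network access policy still allows export from any network. The 90-day threshold, the list of existing disk IDs (for instance from `az disk list --query "[].id" -o json`) and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # assumption: review threshold chosen for this example

def parse_utc(ts):
    # Azure timestamps look like 2023-01-15T10:20:30.1234567+00:00; keep whole seconds (UTC).
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_snapshots(snapshots, existing_disk_ids, now):
    """Map snapshot name -> list of reasons it should be reviewed."""
    existing = {d.lower() for d in existing_disk_ids}
    findings = {}
    for snap in snapshots:
        reasons = []
        if now - parse_utc(snap["timeCreated"]) > MAX_AGE:
            reasons.append("older-than-threshold")
        source = (snap.get("creationData") or {}).get("sourceResourceId")
        if source and source.lower() not in existing:
            reasons.append("source-disk-deleted")
        # AllowAll lets an export (SAS) URL for the snapshot be used from any network.
        if (snap.get("networkAccessPolicy") or "AllowAll") == "AllowAll":
            reasons.append("export-allowed-from-any-network")
        if reasons:
            findings[snap["name"]] = reasons
    return findings

# Constructed sample data (not real resources).
DISKS = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
         "/providers/Microsoft.Compute/disks/")
SAMPLE_SNAPSHOTS = [
    {"name": "snap-old-orphan", "timeCreated": "2023-01-15T10:20:30.1234567+00:00",
     "creationData": {"sourceResourceId": DISKS + "legacy-db"},
     "networkAccessPolicy": "AllowAll"},
    {"name": "snap-recent", "timeCreated": "2024-05-20T08:00:00.0000000+00:00",
     "creationData": {"sourceResourceId": DISKS + "web01"},
     "networkAccessPolicy": "DenyAll"},
    {"name": "snap-old-locked", "timeCreated": "2023-11-01T12:00:00.0000000+00:00",
     "creationData": {"sourceResourceId": DISKS + "web01"},
     "networkAccessPolicy": "AllowPrivate"},
]
EXISTING_DISKS = [DISKS + "web01"]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, reasons in audit_snapshots(SAMPLE_SNAPSHOTS, EXISTING_DISKS, NOW).items():
        print(name, ", ".join(reasons))
```
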
Sensitive information in VM Extensions & VM Applications
It might be possible to find sensitive information inside VM extensions and VM applications.
- List all VM apps
{% code overflow="wrap" %}
```bash
# List all VM applications inside a gallery
az sig gallery-application list --gallery-name <gallery-name> --resource-group <res-group> --output table
```
{% endcode %}
- Install the extension in a VM and search for sensitive info
{% code overflow="wrap" %}
```bash
az vm application set \
  --resource-group <rsc-group> \
  --name <vm-name> \
  --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \
  --treat-deployment-as-failure true
```
{% endcode %}