Az - VMs & Network Post Exploitation

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

VMs & Network

For more info about Azure VMs and networking check the following page:

Az - Virtual Machines & Network

VM Application Pivoting

VM applications can be shared with other subscriptions and tenants. If an application is being shared it's probably because it's being used. So if the attacker manages to compromise the application and uploads a backdoored version it might be possible that it will be executed in another tenant or subscription.

Sensitive information in images

It might be possible to find sensitive information inside images taken from VMs in the past.

List images from galleries

# Get galleries
az sig list -o table

# List images inside gallery
az sig image-definition list \
  --resource-group <RESOURCE_GROUP> \
  --gallery-name <GALLERY_NAME> \
  -o table

# Get images versions
az sig image-version list \
  --resource-group <RESOURCE_GROUP> \
  --gallery-name <GALLERY_NAME> \
  --gallery-image-definition <IMAGE_DEFINITION> \
  -o table

List custom images

az image list -o table

Create VM from image ID and search for sensitive info inside of it

# Create VM from image
az vm create \
  --resource-group <RESOURCE_GROUP> \
  --name <VM_NAME> \
  --image /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/galleries/<GALLERY_NAME>/images/<IMAGE_DEFINITION>/versions/<IMAGE_VERSION> \
  --admin-username <ADMIN_USERNAME> \
  --generate-ssh-keys

Sensitive information in restore points

It might be possible to find sensitive information inside restore points.

List restore points

az restore-point list \
  --resource-group <RESOURCE_GROUP> \
  --restore-point-collection-name <COLLECTION_NAME> \
  -o table

Create a disk from a restore point

az disk create \
  --resource-group <RESOURCE_GROUP> \
  --name <NEW_DISK_NAME> \
  --source /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/restorePointCollections/<COLLECTION_NAME>/restorePoints/<RESTORE_POINT_NAME>

Attach the disk to a VM (the attacker needs to have compromised a VM inside the account already)

az vm disk attach \
  --resource-group <RESOURCE_GROUP> \
  --vm-name <VM_NAME> \
  --name <DISK_NAME>

Mount the disk and search for sensitive info

# List all available disks
sudo fdisk -l

# Check disk format
sudo file -s /dev/sdX

# Mount it
sudo mkdir /mnt/mydisk
sudo mount /dev/sdX1 /mnt/mydisk

1. Open Disk Management

Right-click Start and select Disk Management.
The attached disk should appear as Offline or Unallocated.

2. Bring the Disk Online

Locate the disk in the bottom pane.
Right-click the disk (e.g., Disk 1) and select Online.

3. Initialize the Disk

If the disk is not initialized, right-click and select Initialize Disk.
Choose the partition style:
- MBR (Master Boot Record) or GPT (GUID Partition Table). GPT is recommended for modern systems.

4. Create a New Volume

Right-click the unallocated space on the disk and select New Simple Volume.
Follow the wizard to:
- Assign a drive letter (e.g., D:).
- Format the disk (choose NTFS for most cases).

Sensitive information in disks & snapshots

It might be possible to find sensitive information inside disks or even old disk's snapshots.

List snapshots

az snapshot list \
  --resource-group <RESOURCE_GROUP> \
  -o table

Create disk from snapshot (if needed)

az disk create \
  --resource-group <RESOURCE_GROUP> \
  --name <DISK_NAME> \
  --source <SNAPSHOT_ID> \
  --size-gb <DISK_SIZE>

Attach and mount the disk to a VM and search for sensitive information (check the previous section to see how to do this)

Sensitive information in VM Extensions & VM Applications

It might be possible to find sensitive information inside VM extensions and VM applications.

List all VM apps

## List all VM applications inside a gallery
az sig gallery-application list --gallery-name <gallery-name> --resource-group <res-group> --output table

Install the extension in a VM and search for sensitive info

az vm application set \
   --resource-group <rsc-group> \
   --name <vm-name> \
   --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \
   --treat-deployment-as-failure true

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAz - Table Storage Post Exploitation NextAz - Privilege Escalation

Last updated 10 days ago