Az - State Configuration RCE

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Check the complete post in:

Summary of Remote Server (C2) Infrastructure Preparation and Steps


The process involves setting up a remote server infrastructure to host a modified Nishang Invoke-PowerShellTcp.ps1 payload, named RevPS.ps1, designed to bypass Windows Defender. The payload is served from a Kali Linux machine with IP using a simple Python HTTP server. The operation is executed through several steps:

Step 1 — Create Files

  • Files Required: Two PowerShell scripts are needed:

    1. reverse_shell_config.ps1: A Desired State Configuration (DSC) file that fetches and executes the payload. It is obtainable from GitHub.

    2. push_reverse_shell_config.ps1: A script to publish the configuration to the VM, available at GitHub.

  • Customization: Variables and parameters in these files must be tailored to the user's specific environment, including resource names, file paths, and server/payload identifiers.

Step 2 — Zip Configuration File

  • The reverse_shell_config.ps1 is compressed into a .zip file, making it ready for transfer to the Azure Storage Account.

Compress-Archive -Path .\reverse_shell_config.ps1 -DestinationPath .\

Step 3 — Set Storage Context & Upload

  • The zipped configuration file is uploaded to a predefined Azure Storage container, azure-pentest, using Azure's Set-AzStorageBlobContent cmdlet.

Set-AzStorageBlobContent -File "" -Container "azure-pentest" -Blob "" -Context $ctx

Step 4 — Prep Kali Box

  • The Kali server downloads the RevPS.ps1 payload from a GitHub repository.

  • The script is edited to specify the target Windows VM and port for the reverse shell.

Step 5 — Publish Configuration File

  • The configuration file is executed, resulting in the reverse-shell script being deployed to the specified location on the Windows VM.

Step 6 — Host Payload and Setup Listener

  • A Python SimpleHTTPServer is started to host the payload, along with a Netcat listener to capture incoming connections.

sudo python -m SimpleHTTPServer 80
sudo nc -nlvp 443
  • The scheduled task executes the payload, achieving SYSTEM-level privileges.


The successful execution of this process opens numerous possibilities for further actions, such as credential dumping or expanding the attack to multiple VMs. The guide encourages continued learning and creativity in the realm of Azure Automation DSC.

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Last updated