Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Check the complete post in: https://medium.com/cepheisecurity/abusing-azure-dsc-remote-code-execution-and-privilege-escalation-ab8c35dd04fe
The process involves setting up a remote server infrastructure to host a modified Nishang Invoke-PowerShellTcp.ps1 payload, named RevPS.ps1, designed to bypass Windows Defender. The payload is served from a Kali Linux machine with IP 40.84.7.74 using a simple Python HTTP server. The operation is executed through several steps:
Customization: Variables and parameters in these files must be tailored to the user's specific environment, including resource names, file paths, and server/payload identifiers.
The reverse_shell_config.ps1 is compressed into a .zip file, making it ready for transfer to the Azure Storage Account.
The zipped configuration file is uploaded to a predefined Azure Storage container, azure-pentest, using Azure's Set-AzStorageBlobContent cmdlet.
The Kali server downloads the RevPS.ps1 payload from a GitHub repository.
The script is edited to specify the target Windows VM and port for the reverse shell.
The configuration file is executed, resulting in the reverse-shell script being deployed to the specified location on the Windows VM.
A Python SimpleHTTPServer is started to host the payload, along with a Netcat listener to capture incoming connections.
The scheduled task executes the payload, achieving SYSTEM-level privileges.
The successful execution of this process opens numerous possibilities for further actions, such as credential dumping or expanding the attack to multiple VMs. The guide encourages continued learning and creativity in the realm of Azure Automation DSC.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
