Az - State Configuration RCE
Check the complete post in: https://medium.com/cepheisecurity/abusing-azure-dsc-remote-code-execution-and-privilege-escalation-ab8c35dd04fe
Summary of Remote Server (C2) Infrastructure Preparation and Steps
Overview
The process involves setting up a remote server infrastructure to host a modified Nishang Invoke-PowerShellTcp.ps1
payload, named RevPS.ps1
, designed to bypass Windows Defender. The payload is served from a Kali Linux machine with IP 40.84.7.74
using a simple Python HTTP server. The operation is executed through several steps:
Step 1 — Create Files
Customization: Variables and parameters in these files must be tailored to the user's specific environment, including resource names, file paths, and server/payload identifiers.
Step 2 — Zip Configuration File
The
reverse_shell_config.ps1
is compressed into a.zip
file, making it ready for transfer to the Azure Storage Account.
Step 3 — Set Storage Context & Upload
The zipped configuration file is uploaded to a predefined Azure Storage container, azure-pentest, using Azure's Set-AzStorageBlobContent cmdlet.
Step 4 — Prep Kali Box
The Kali server downloads the RevPS.ps1 payload from a GitHub repository.
The script is edited to specify the target Windows VM and port for the reverse shell.
Step 5 — Publish Configuration File
The configuration file is executed, resulting in the reverse-shell script being deployed to the specified location on the Windows VM.
Step 6 — Host Payload and Setup Listener
A Python SimpleHTTPServer is started to host the payload, along with a Netcat listener to capture incoming connections.
The scheduled task executes the payload, achieving SYSTEM-level privileges.
Conclusion
The successful execution of this process opens numerous possibilities for further actions, such as credential dumping or expanding the attack to multiple VMs. The guide encourages continued learning and creativity in the realm of Azure Automation DSC.
Last updated