Az - VMs & Network Post Exploitation


Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

VMs & Network

For more info about Azure VMs and networking check the following page:

Az - Virtual Machines & Network

VM Application Pivoting

VM applications can be shared with other subscriptions and tenants. If an application is being shared, it is probably because it is being used. So if an attacker manages to compromise the application and upload a backdoored version, that version might be executed in another tenant or subscription.

Sensitive information in images

It might be possible to find sensitive information inside images taken from VMs in the past.

1. List images from galleries

```bash
# Get galleries
az sig list -o table

# List images inside gallery
az sig image-definition list \
  --resource-group <RESOURCE_GROUP> \
  --gallery-name <GALLERY_NAME> \
  -o table

# Get image versions
az sig image-version list \
  --resource-group <RESOURCE_GROUP> \
  --gallery-name <GALLERY_NAME> \
  --gallery-image-definition <IMAGE_DEFINITION> \
  -o table
```

2. List custom images

```bash
az image list -o table
```

3. Create VM from image ID and search for sensitive info inside of it

```bash
# Create VM from image
az vm create \
  --resource-group <RESOURCE_GROUP> \
  --name <VM_NAME> \
  --image /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/galleries/<GALLERY_NAME>/images/<IMAGE_DEFINITION>/versions/<IMAGE_VERSION> \
  --admin-username <ADMIN_USERNAME> \
  --generate-ssh-keys
```

Sensitive information in restore points

It might be possible to find sensitive information inside restore points.

1. List restore points

```bash
az restore-point list \
  --resource-group <RESOURCE_GROUP> \
  --restore-point-collection-name <COLLECTION_NAME> \
  -o table
```

2. Create a disk from a restore point

```bash
az disk create \
  --resource-group <RESOURCE_GROUP> \
  --name <NEW_DISK_NAME> \
  --source /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/restorePointCollections/<COLLECTION_NAME>/restorePoints/<RESTORE_POINT_NAME>
```

3. Attach the disk to a VM (the attacker needs to have compromised a VM inside the account already)

```bash
az vm disk attach \
  --resource-group <RESOURCE_GROUP> \
  --vm-name <VM_NAME> \
  --name <DISK_NAME>
```

4. Mount the disk and search for sensitive info

```bash
# List all available disks
sudo fdisk -l

# Check disk format
sudo file -s /dev/sdX

# Mount it
sudo mkdir /mnt/mydisk
sudo mount /dev/sdX1 /mnt/mydisk
```

Sensitive information in disks & snapshots

It might be possible to find sensitive information inside disks or even in snapshots of old disks.

1. List snapshots

```bash
az snapshot list \
  --resource-group <RESOURCE_GROUP> \
  -o table
```

2. Create disk from snapshot (if needed)

```bash
az disk create \
  --resource-group <RESOURCE_GROUP> \
  --name <DISK_NAME> \
  --source <SNAPSHOT_ID> \
  --size-gb <DISK_SIZE>
```

3. Attach and mount the disk to a VM and search for sensitive information (check the previous section to see how to do this)

Sensitive information in VM Extensions & VM Applications

It might be possible to find sensitive information inside VM extensions and VM applications.

1. List all VM apps

```bash
# List all VM applications inside a gallery
az sig gallery-application list --gallery-name <gallery-name> --resource-group <res-group> --output table
```

2. Install the application in a VM and search for sensitive info

```bash
az vm application set \
   --resource-group <rsc-group> \
   --name <vm-name> \
   --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \
   --treat-deployment-as-failure true
```
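
A defender-side view of the steps above, as an added example that is not part of the original page: it scans Azure Activity Log records for a disk creation followed shortly by a VM write from the same caller (the restore point and snapshot sequence) and for gallery application versions published by an unexpected identity (the VM Application Pivoting case). The record fields are assumed to follow the JSON printed by `az monitor activity-log list`; the callers, resource IDs, publisher allowlist and 30-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

DISK_WRITE = "Microsoft.Compute/disks/write"
VM_WRITE = "Microsoft.Compute/virtualMachines/write"
APP_VERSION_WRITE = "Microsoft.Compute/galleries/applications/versions/write"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Compute"

def _event(ts, caller, op, resource, status="Succeeded"):
    # Constructed record; field names assumed to match `az monitor activity-log list` JSON.
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "status": {"value": status}, "resourceId": SUB + resource}

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    _event("2024-05-01T10:00:00+00:00", "alice@contoso.example", DISK_WRITE, "/disks/from-restore-point"),
    _event("2024-05-01T10:05:00+00:00", "alice@contoso.example", VM_WRITE, "/virtualMachines/vm1"),
    _event("2024-05-01T11:00:00+00:00", "ci-publisher@contoso.example", APP_VERSION_WRITE,
           "/galleries/g1/applications/app1/versions/1.0.3"),
    _event("2024-05-01T11:30:00+00:00", "bob@contoso.example", APP_VERSION_WRITE,
           "/galleries/g1/applications/app1/versions/1.0.4"),
    _event("2024-05-01T08:00:00+00:00", "carol@contoso.example", DISK_WRITE, "/disks/data2"),
    _event("2024-05-01T12:00:00+00:00", "carol@contoso.example", VM_WRITE, "/virtualMachines/vm2"),
    _event("2024-05-01T13:00:00+00:00", "dave@contoso.example", DISK_WRITE, "/disks/x", status="Failed"),
    _event("2024-05-01T13:01:00+00:00", "dave@contoso.example", VM_WRITE, "/virtualMachines/vm3"),
]

def _ts(event):
    return datetime.fromisoformat(event["eventTimestamp"])

def find_suspicious(events, app_publishers, window=timedelta(minutes=30)):
    """Return (rule, caller, resourceId) tuples for succeeded operations worth reviewing."""
    findings = []
    last_disk_write = {}  # caller -> (time, resourceId) of that caller's latest disk creation
    for e in sorted(events, key=_ts):
        if e["status"]["value"] != "Succeeded":
            continue  # failed or still-running operations changed nothing
        op, caller, rid = e["operationName"]["value"], e["caller"], e["resourceId"]
        if op == APP_VERSION_WRITE and caller not in app_publishers:
            findings.append(("unexpected-app-publisher", caller, rid))
        elif op == DISK_WRITE:
            last_disk_write[caller] = (_ts(e), rid)
        elif op == VM_WRITE and caller in last_disk_write:
            created, disk = last_disk_write.pop(caller)
            if _ts(e) - created <= window:  # new disk, then a VM change soon after
                findings.append(("disk-create-then-vm-write", caller, disk))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS, {"ci-publisher@contoso.example"}):
        print(finding)
```

The Activity Log record alone does not say whether a disk was created from a snapshot or restore point, so a `disk-create-then-vm-write` hit is a lead to check against the disk's creation source, not a verdict.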
