If you have a token that has the permissions to execute commands on a VM, you can of course get access on the VM.
Get-AzRoleAssignment
Run command on VM
In this case, we add a user to the VM and add that local user to the local administrators.
A VM in Azure is very likely being monitored/protected by Azure's security mechanisms. So doing a reverse shell may get blocked
Get Public IP of VM
First, get the network interfaces that our token can read:
The name of the interface is bkpadconnect368. We can now get the details for the interface:
This will tell you the ID name of the publicIPAddress: bkpadconnectIP. Using this information, we can get the public IP using:
Connect to VM
Extract credentials from VM
For example, read console history:
Or dump lsass etc.
User Data
User Data are scripts or any other data that can be inserted on a Azure VM at time of provision or later. A popular use case is joining a domain with a script.
Any application on the VM can access the user data from the Azure Instance Metadata Service (IMDS) after provisioning
It is possible to modify user data if you have a identity with the permissions Microsoft.Compute/virtualMachines/Write.
Read User Data
Write User Data
Custom Script Extensions
Extensions are "small applications" used to provide post deployment configuration and other management tasks. They are used to run custom scripts on VMs.
Only one extension can be added to a VM at a time.
Can be inline or fetched for a storage blob (needs managed identity), or can be downloaded
These are executed with SYSTEM privileges
The following permissions are required to create a custom script extension and read the output:
Since Az PowerShell has some limitations with requesting permissions with for example Get-AzRoleAssignmentthat returns no output, we can do it manually using the API url:
Get Extensions
Set Extension
(This also executed it)
Now create a new powershell session and get more details:
