Getting Started with Azure Automation DSC

Part 1/2: Azure Automation DSC for Remote Code Execution and Privilege Escalation

Intro

This is the first of a two-part series on how we’ll be abusing Azure DSC configuration files for remote code execution and privilege escalation. First, it’s essential to understand some basic functionality and usage of Azure DSC, as this service can be implemented and configured in many ways.

Overview

Microsoft Azure’s Desired State Configuration (DSC), or Automation DSC, provides a highly available configuration management solution that helps with typical administration tasks. In short, DSC allows you to create a configuration file of programs, settings, documents, etc. that should be installed and configured a certain way on a VM when it’s created. There are also built-in persistence mechanisms, so if an identified configuration item gets deleted, the VM will automatically ensure that it is replaced (depending on whether this has been correctly configured). Alternatively, DSC can also ensure that particular items are not present on a system. As a simple example, you can create a configuration file to ensure that a text file named “hello.txt” is written to a user’s desktop.
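The “hello.txt” case described above, as an added example that is not the author’s sample_config.ps1: a configuration with one item that must be present and one that must be absent, plus the Local Configuration Manager setting that controls whether drift is corrected automatically. The configuration names, file paths and contents are assumptions chosen for illustration.

```powershell
# Added example: run in an elevated Windows PowerShell 5.1 session on a test machine.
# All names and paths below are assumptions chosen for illustration.

Configuration HelloFile {
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

    Node 'localhost' {
        # Item that must exist: created if it is missing.
        File HelloTxt {
            DestinationPath = 'C:\Users\Public\Desktop\hello.txt'
            Type            = 'File'
            Ensure          = 'Present'
            Contents        = 'Hello from DSC'
        }
        # Item that must NOT exist: removed if it ever appears.
        File NoScratchFile {
            DestinationPath = 'C:\Temp\scratch.txt'
            Type            = 'File'
            Ensure          = 'Absent'
        }
    }
}

# Local Configuration Manager settings: ApplyAndAutoCorrect is what makes the
# node re-apply the configuration when it detects drift.
[DSCLocalConfigurationManager()]
Configuration LcmAutoCorrect {
    Node 'localhost' {
        Settings {
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 15
        }
    }
}

$out = Join-Path $env:TEMP 'dsc-demo'
HelloFile      -OutputPath "$out\HelloFile" | Out-Null   # compiles localhost.mof
LcmAutoCorrect -OutputPath "$out\Lcm"       | Out-Null   # compiles localhost.meta.mof

Set-DscLocalConfigurationManager -Path "$out\Lcm"
Start-DscConfiguration -Path "$out\HelloFile" -Wait -Force

# Drift check: InDesiredState is $true only while both File resources match.
Test-DscConfiguration -Detailed |
    Select-Object InDesiredState, ResourcesInDesiredState, ResourcesNotInDesiredState
```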

Goal

For this demo, we’ll be using PowerShell to write a configuration file, which will perform an action on a Windows VM. Once these fundamentals are covered, we will move toward abusing DSC for remote code execution and privilege escalation in part 2. We’ll be working entirely from the command line, using the PowerShell DSC extension to write and publish configuration files for a Windows VM. Some steps are faster to perform in the Azure portal; however, being able to perform these actions via the command line is advantageous as an attacker.

Prerequisites

You’ll need to have an understanding of Azure fundamentals along with a grasp of DSC, but you don’t need to be a pro. We’ll also need to install the following dependencies:

PowerShell Modules

Azure Resources

The Azure resources can be created in the Azure portal, however to do this programmatically you can use the following PowerShell commands:

# Connect to your Azure Account
Connect-AzAccount
# View and Select Location
Get-AzLocation | select Location
$location = "pick your location"
# Create Resource Group
$resourceGroup = "Your Resource Group Name"
New-AzResourceGroup -Name $resourceGroup -Location $location
# Create Storage Account (no trailing backtick after the last parameter)
$storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroup `
-Name "Your Storage Account Name" `
-SkuName Standard_LRS `
-Location $location
# Get the Context of the Storage Account
$ctx = $storageAccount.Context
# Create File Container
# Note: -Permission blob allows anonymous (unauthenticated) read access to the blobs in this container
$containerName = "Your Container Name"
New-AzStorageContainer -Name $containerName -Context $ctx -Permission blob

I already have a Resource Group named “Playground”, a VM named “vm01”, a Storage Account named “playgroundstor01”, and a file container named “windows-powershell-dsc”, so I’ll be using these for the rest of the demo. You’ll also need to connect to your Azure account using the ‘Connect-AzAccount’ cmdlet. Be sure to alter the names of your resources and script names for the rest of the demo.
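The container creation command above uses -Permission blob, so anyone who knows a blob’s URL can read the uploaded configuration archive without authenticating. The following added example (not part of the original post) lists containers in a resource group that allow anonymous reads and shows how to switch the demo container back to private; the function name Get-PublicContainer is hypothetical, and the resource names are the ones used in this demo.

```powershell
# Added example: audit blob containers for anonymous read access.
# Assumes an authenticated session (Connect-AzAccount), the Az.Storage module,
# and permission to read the storage account keys.

function Get-PublicContainer {
    param(
        [Parameter(Mandatory)]
        [string] $ResourceGroupName
    )

    foreach ($account in Get-AzStorageAccount -ResourceGroupName $ResourceGroupName) {
        # Account-level switch: when it is $false, container-level public
        # access settings cannot take effect.
        $accountAllows = $account.AllowBlobPublicAccess -ne $false

        foreach ($container in Get-AzStorageContainer -Context $account.Context) {
            # PublicAccess is Off, Blob or Container; anything but Off is anonymous.
            if ($container.PublicAccess -and "$($container.PublicAccess)" -ne 'Off') {
                [pscustomobject]@{
                    StorageAccount      = $account.StorageAccountName
                    Container           = $container.Name
                    PublicAccess        = "$($container.PublicAccess)"
                    AccountAllowsPublic = $accountAllows
                }
            }
        }
    }
}

# Report every publicly readable container in the demo resource group.
Get-PublicContainer -ResourceGroupName 'Playground' | Format-Table -AutoSize

# Remediation for the demo container: make it private. After this, the archive
# can only be fetched with account credentials or a SAS token.
$ctx = (Get-AzStorageAccount -ResourceGroupName 'Playground' -Name 'playgroundstor01').Context
Set-AzStorageContainerAcl -Name 'windows-powershell-dsc' -Permission Off -Context $ctx
```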

Step 1 — Create a Sample Script

Now we have all our dependencies ready to go. First we’ll create a basic sample configuration script. This configuration script will write a PowerShell script to the user’s desktop, with some contents in it. A link to this script can be found here: https://github.com/nickpupp0/AzureDSC/blob/master/sample_config.ps1.

For this demo, do not change line 2. With our sample_config.ps1 script ready, we now need to zip the file. We’ll use the following PowerShell commands:

Compress-Archive -Path <path to sample_config.ps1> -DestinationPath <path>

At this point, we should now have a file named ‘sample_config.ps1.zip’.

Step 2 — Publish Configuration Script

We’ll need to publish this zip file to blob storage within our Storage Account using PowerShell:

Get-AzStorageAccount

2. Next we’ll store the desired Storage Account in a variable. We can then output the variable to make sure the Storage Account is set to the one we want. In this case, playgroundstor01 is selected:

$storageAccount = Get-AzStorageAccount -Name "playgroundstor01" -ResourceGroupName "Playground"
$storageAccount

Figure 01: Setting Storage Account in Scope

3. We now have to add context to our Storage Account. Azure contexts are PowerShell objects representing your active subscription to run commands against. More information about context can be found below. The variable $ctx is used to save the context of the storage account:

$ctx=$storageAccount.Context

$ctx

4. We can now list our file containers:

Get-AzStorageContainer -Context $ctx

Figure 02: Setting Context of the Storage Account

5. Now, we can upload our zip file to the container using the following command:

Set-AzStorageBlobContent -File ".\sample_config.ps1.zip" -Container "windows-powershell-dsc" -Blob "sample_config.ps1.zip" -Context $ctx

Figure 03: Uploading Configuration File to Container

Step 3 — Run Configuration on VM

So now we have uploaded our configuration file to the file container. All we have to do now is publish it to the VM! You can use a sample script located here: https://github.com/nickpupp0/AzureDSC/blob/master/push_sample_config.ps1. If you are using differently named resources, make sure to replace the names of the variables and parameters with your own. You should only have to change the variable names and the path to your file. Next we simply run the script. If all of your variable names and parameters are correct, we should have a successful job! This may take several minutes to complete. If you’re logged into your VM, you should see the PowerShell script applied to the Desktop:

.\push_sample_config.ps1

Figure 04: Applying Configuration to VM
Figure 05: Proof of File

That’s it! We see that our simple PowerShell script was applied to the VM, along with its contents. Pretty cool, right? Yeah…but so what? Well, we can do some pretty cool things as we’ll see next.
