Getting Started with Azure Automation DSC
Part (1/2) — Azure Automation DSC for Remote Code Execution and Privilege Escalation
Intro
This is the first of a two-part series on how we’ll be abusing Azure DSC configuration files for remote code execution and privilege escalation. First, it’s essential to understand some basic functionality and usage of Azure DSC, as this service can be implemented and configured in many ways.
Overview
Microsoft Azure’s Desired State Configuration (DSC), or Automation DSC, provides a highly available configuration management solution that helps with typical administration tasks. In short, DSC allows you to create a configuration file of programs, settings, documents, etc. that should be installed and configured a certain way on a VM when it’s created. There are also built-in persistence mechanisms, so if an identified configuration item gets deleted, the VM will automatically ensure that it is replaced (depending on whether this has been correctly configured). Alternatively, DSC can also ensure that particular items are not present on a system. As a simple example, you can create a configuration file to ensure that a text file named “hello.txt” is written to a user’s desktop.
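The hello.txt case described above, written out as a DSC configuration. This is an added example, not the author's sample_config.ps1; the configuration name, the folder, the second file name and the file contents are assumptions, and it expects an elevated Windows PowerShell 5.1 session.

```powershell
# Added example (not the author's sample_config.ps1).
# Assumes Windows PowerShell 5.1, where the Configuration keyword and the
# built-in File resource are available. Run from an elevated session.
Configuration HelloFile {                      # hypothetical configuration name
    param(
        # Assumed target folder: the public desktop of a default Windows install
        [string]$DesktopPath = 'C:\Users\Public\Desktop'
    )

    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

    Node 'localhost' {
        # "Should be present": DSC creates the file. It is re-created after
        # deletion only if the Local Configuration Manager runs with
        # ConfigurationMode = ApplyAndAutoCorrect; the default,
        # ApplyAndMonitor, only reports the drift.
        File HelloTxt {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = "$DesktopPath\hello.txt"
            Contents        = 'Hello from DSC'
        }

        # "Should not be present": DSC removes this file if it exists.
        File NoOldNotes {                      # hypothetical item
            Ensure          = 'Absent'
            Type            = 'File'
            DestinationPath = "$DesktopPath\notes-old.txt"
        }
    }
}

# Compile to a MOF document so it can be reviewed before anything is applied.
HelloFile -OutputPath "$env:TEMP\HelloFile"

# Apply locally, then ask DSC whether the machine matches the configuration.
Start-DscConfiguration -Path "$env:TEMP\HelloFile" -Wait -Verbose
Test-DscConfiguration -Detailed

# Shows the ConfigurationMode that decides whether drift is corrected.
Get-DscLocalConfigurationManager | Select-Object ConfigurationMode, RefreshMode
```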
Goal
For this demo, we’ll be using PowerShell to write a configuration file, which will perform an action on a Windows VM. Once these fundamentals are covered, we will move toward abusing DSC for remote code execution and privilege escalation in part 2. We’ll be working entirely from the command line, using the PowerShell DSC extension to write and publish configuration files for a Windows VM. Some steps are faster to perform in the Azure portal; however, being able to perform these actions via command-line is advantageous as an attacker.
Prerequisites
You’ll need to have an understanding of Azure fundamentals along with a grasp of DSC, but you don’t need to be a pro. We’ll also need to install the following dependencies:
PowerShell Modules
- ComputerManagementDsc
- PSDscResources
- xPSDesiredStateConfiguration
- Az
Azure Resources
- Azure Subscription
- Storage Account
- Resource Group
- Windows VM
- File Container / Blob
The Azure resources can be created in the Azure portal, however to do this programmatically you can use the following PowerShell commands:
# Connect to your Azure Account
Connect-AzAccount

# View and Select Location
Get-AzLocation | select Location
$location = "pick your location"

# Create Resource Group
$resourceGroup = "Your Resource Group Name"
New-AzResourceGroup -Name $resourceGroup -Location $location

# Create Storage Account
$storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroup `
    -Name "Your Storage Account Name" `
    -SkuName Standard_LRS `
    -Location $location

# Get the Context of the Storage Account
$ctx = $storageAccount.Context

# Create File Container
# Note: -Permission blob grants anonymous read access to the blobs in this container
$containerName = "Your Container Name"
New-AzStorageContainer -Name $containerName -Context $ctx -Permission blob
I already have a Resource Group named “Playground”, a VM named “vm01”, a Storage Account named “playgroundstor01”, and a file container named “windows-powershell-dsc”, so I’ll be using these for the rest of the demo. You’ll also need to connect to your Azure account, using the ‘Connect-AzAccount’ cmdlet. Be sure to alter the names of your resources and script names for the rest of the demo.
Step 1 — Create a Sample Script
Now we have all our dependencies ready to go. First we’ll create a basic sample configuration script. This configuration script will write a PowerShell script to the user’s desktop, with some contents in it. A link to this script can be found here: https://github.com/nickpupp0/AzureDSC/blob/master/sample_config.ps1.
For this demo, do not change line 2. With our sample_config.ps1 script ready, we now need to zip the file. We’ll use the following PowerShell command:
Compress-Archive -Path <path to sample_config.ps1> -DestinationPath <path>
At this point, we should now have a file named ‘sample_config.ps1.zip’.
Step 2 — Publish Configuration Script
We’ll need to publish this zip file to blob storage within our Storage Account using PowerShell:
1. First we’ll list the Storage Accounts so we can verify which one we want to use. In this case, I already know I’m going to be using the ‘playgroundstor01’ account:
Get-AzStorageAccount
2. Next we’ll store the desired Storage Account in a variable. We can then output the variable to make sure the Storage Account is set to the one we want. In this case, playgroundstor01 is selected:
$storageAccount = Get-AzStorageAccount -Name "playgroundstor01" -ResourceGroupName "Playground"
$storageAccount
3. We now have to get the context of our Storage Account. Azure contexts are PowerShell objects representing your active subscription to run commands against. More information about context can be found below. The variable $ctx is used to store the context of the storage account:
$ctx=$storageAccount.Context
$ctx
4. We can now list our file containers:
Get-AzStorageContainer -Context $ctx
5. Now, we can upload our zip file to the container using the following command:
Set-AzStorageBlobContent -File ".\sample_config.ps1.zip" -Container "windows-powershell-dsc" -Blob "sample_config.ps1.zip" -Context $ctx
Step 3 — Run Configuration on VM
So now we have uploaded our configuration file to the file container. All we have to do now is publish it to the VM! You can use a sample script located here: https://github.com/nickpupp0/AzureDSC/blob/master/push_sample_config.ps1. If you are using differently named resources, make sure to replace the names of the variables and parameters with your own. You should only have to change the variable names and path to your file. Next we simply run the script. If all of your variable names and parameters are correct, we should have a successful job! This may take several minutes to complete. If you’re logged into your VM, you should see the PowerShell script applied to the Desktop:
.\push_sample_config.ps1
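One way to apply the uploaded archive with the Az DSC extension cmdlets and then confirm what the VM is configured to run. This is an added example, not the author's push_sample_config.ps1; the resource names are the ones used on this page, while the configuration name is a placeholder and the extension version is an assumption.

```powershell
# Added example, not the author's push_sample_config.ps1.
# Requires the Az module and an active Connect-AzAccount session.
$resourceGroup = 'Playground'
$vmName        = 'vm01'
$storageName   = 'playgroundstor01'
$containerName = 'windows-powershell-dsc'
$archiveBlob   = 'sample_config.ps1.zip'

# Placeholder: the Configuration name declared inside sample_config.ps1
$configName    = '<ConfigurationName>'

# Assumption: a DSC extension version available in your region; adjust as needed
$dscVersion    = '2.77'

# The extension must be created in the same region as the VM
$vm = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName

# Point the VM's DSC extension at the archive in blob storage
Set-AzVMDscExtension -ResourceGroupName $resourceGroup `
    -VMName $vmName `
    -Location $vm.Location `
    -ArchiveStorageAccountName $storageName `
    -ArchiveContainerName $containerName `
    -ArchiveBlobName $archiveBlob `
    -ConfigurationName $configName `
    -Version $dscVersion `
    -AutoUpdate

# Review which archive and configuration the extension is set to pull
Get-AzVMDscExtension -ResourceGroupName $resourceGroup -VMName $vmName |
    Format-List *

# Review whether the configuration applied, including the extension's own log
Get-AzVMDscExtensionStatus -ResourceGroupName $resourceGroup -VMName $vmName |
    Format-List *

# Check whether the container holding the archive allows anonymous reads
$ctx = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageName).Context
Get-AzStorageContainer -Name $containerName -Context $ctx |
    Select-Object Name, PublicAccess
```

The two Get-AzVMDscExtension* calls are also useful on their own when reviewing a subscription, since they show which archive each VM is set to pull its configuration from.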
That’s it! We see that our simple PowerShell script was applied to the VM, along with its contents. Pretty cool, right? Yeah…but so what? Well, we can do some pretty cool things as we’ll see next.