1. Azure Blob Container to Initial Access

This write-up is based on PwnedLabs.io's free module, Azure Blob Container to Initial Access, which offers top-notch content at an unbeatable price. While I'm not affiliated with PwnedLabs.io, I highly recommend their resources. Learn more about their subscription options at PwnedLabs.io/pricing.


Lessons Learned:
1. Azure Storage - Blob Container (Azure Services / Azure Storage Account)

https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-services/az-blob-storage
https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction

2. The lab

The target is a static web application hosted on Azure, so working through it requires some Azure Storage knowledge.

2.1 Get Blob location from web inspection

The lab starts with a web address. Burp or curl can be used to check the server response, and a quick inspection of the URLs referenced by the page reveals more of them, including the storage account's $web container on blob.core.windows.net.

Appending ?restype=container&comp=list to the $web container URL returns every blob in the container as an XML document. This only works because the container's public access level permits anonymous listing (the "Container" level); with "Blob"-level access you can still fetch blobs by name, but you cannot enumerate them.

2.2 Information regarding all blobs

https://learn.microsoft.com/en-us/rest/api/storageservices/list-blobs?tabs=microsoft-entra-id#uri-parameters

https://mbtwebsite.blob.core.windows.net/$web/?restype=container&comp=list

2.3 Versions!

Tried to get the version information by adding include=versions, but the request returned an error: include=versions is only accepted when the request declares x-ms-version 2019-12-12 or later, and without the header the service uses an older API version.

2.4 Version Header

The following document indicates the request header format.

https://learn.microsoft.com/en-us/rest/api/storageservices/list-blobs?tabs=microsoft-entra-id#request-headers


With the header set to x-ms-version: 2019-12-12 (or later), the listing gains a VersionId element for every version of every blob, including versions whose current blob has since been deleted.

If you are using curl, install libxml2-utils and pipe the response through xmllint --format - to make the XML readable:

apt install libxml2-utils

2.5 Downloads require versions

The response indicates that scripts-transfer.zip is available to download, but a plain GET on the blob name fails; it has to be requested with its versionId. The reason is that the blob only exists as a previous version (it shows up in the versions listing without a current version), so the version must be named explicitly.
Based on the following webpage, versionId is required for downloading a specific version:
https://learn.microsoft.com/en-us/rest/api/storageservices/versioning-for-the-azure-storage-services


Also, stackoverflow has a good information regarding this.

https://stackoverflow.com/questions/77485169/how-to-get-version-specific-url-in-azure-blob-storage

@Knowledge Apps When you request a specific version of a blob, the response will contain the content of that version of the blob. There is no separate URL generated for each version of the blob. Instead, you can use the same URL for the blob and pass the version ID as a query string parameter to retrieve a specific version of the blob. –

After adding the versionId query parameter and the x-ms-version header, the download succeeds:

curl -H "x-ms-version: 2019-12-12" 'https://mbtwebsite.blob.core.windows.net/$web/scripts-transfer.zip?versionId=2024-03-29T20:55:40.8265593Z'  --output scripts-transfer.zip
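The curl steps in 2.2 through 2.5 can be automated. The following is an added example, not code from the original write-up or from PwnedLabs: it parses a List Blobs response (constructed below to match the documented response shape; the storage account, blob names and version IDs are invented), flags blobs that survive only as previous versions, and builds the versioned download request with the x-ms-version check that section 2.3 ran into. It generalizes the single case above by handling any number of blobs and versions.

```python
"""Parse an Azure Blob Storage "List Blobs" response and build versioned
download requests (what the curl steps above do by hand).

Added example, not from the write-up or PwnedLabs. SAMPLE_LISTING is a
constructed response following the shape documented at
https://learn.microsoft.com/en-us/rest/api/storageservices/list-blobs ;
the account, container contents and version IDs are invented.
"""
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

# include=versions and ?versionId= require this x-ms-version or newer;
# an older (or missing) header makes the service reject the request.
MIN_VERSIONING_API = "2019-12-12"

# Constructed listing: index.html has a current version plus an older one,
# backup.zip survives only as a previous version (no IsCurrentVersion).
SAMPLE_LISTING = """<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://examplestore.blob.core.windows.net/" ContainerName="$web">
  <Blobs>
    <Blob>
      <Name>index.html</Name>
      <VersionId>2024-01-10T08:00:00.0000000Z</VersionId>
      <IsCurrentVersion>true</IsCurrentVersion>
      <Properties><Content-Length>1234</Content-Length></Properties>
    </Blob>
    <Blob>
      <Name>index.html</Name>
      <VersionId>2023-12-01T08:00:00.0000000Z</VersionId>
      <Properties><Content-Length>1200</Content-Length></Properties>
    </Blob>
    <Blob>
      <Name>backup.zip</Name>
      <VersionId>2024-02-01T12:30:00.0000000Z</VersionId>
      <Properties><Content-Length>5678</Content-Length></Properties>
    </Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>
"""


def parse_listing(xml_text):
    """Return one dict per <Blob> entry: name, version_id, is_current, size."""
    root = ET.fromstring(xml_text)
    entries = []
    for blob in root.iter("Blob"):
        current = blob.findtext("IsCurrentVersion") or ""
        entries.append({
            "name": blob.findtext("Name"),
            "version_id": blob.findtext("VersionId"),
            "is_current": current.lower() == "true",
            "size": int(blob.findtext("Properties/Content-Length") or 0),
        })
    return entries


def orphaned_versions(entries):
    """Blob names with no current version: a plain GET on the name fails,
    but each retained version is still fetchable with ?versionId=."""
    names = {e["name"] for e in entries}
    current = {e["name"] for e in entries if e["is_current"]}
    return sorted(names - current)


def request_headers(api_version=MIN_VERSIONING_API):
    """Headers for a versioned request; refuse API versions that predate
    blob versioning instead of letting the service error out later."""
    if api_version < MIN_VERSIONING_API:  # YYYY-MM-DD compares lexically
        raise ValueError(f"x-ms-version {api_version} predates "
                         f"{MIN_VERSIONING_API}; versioning unsupported")
    return {"x-ms-version": api_version}


def versioned_url(endpoint, container, name, version_id):
    """Same URL as the blob itself, plus the versionId query parameter."""
    base = (endpoint.rstrip("/") + "/" + quote(container, safe="$")
            + "/" + quote(name, safe="/"))
    return base + "?" + urlencode({"versionId": version_id})


if __name__ == "__main__":
    root = ET.fromstring(SAMPLE_LISTING)
    endpoint, container = root.get("ServiceEndpoint"), root.get("ContainerName")
    for e in parse_listing(SAMPLE_LISTING):
        tag = "current" if e["is_current"] else "old    "
        print(tag, versioned_url(endpoint, container, e["name"], e["version_id"]))
    print("no current version:", orphaned_versions(parse_listing(SAMPLE_LISTING)))
```

Feed the output of the real listing into parse_listing and fetch each URL with the headers from request_headers using your HTTP client of choice; the orphaned entries are the ones worth looking at first, since they are files someone thought they had removed.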

Inside the archive, the entra_users.ps1 script contains hard-coded credentials:


# Define your Azure AD credentials
$Username = "marcus@megabigtech.com"
$Password = "********" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential ($Username, $Password)
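Finding the credentials above by hand works for one zip; for a container full of archives it is better to scan. The following is an added example, not code from the write-up or PwnedLabs: it builds a zip in memory containing a constructed PowerShell script shaped like the excerpt above (the username, password and storage connection string are invented) and greps every text member for the credential patterns seen in this lab plus a storage account key.

```python
"""Scan an archive pulled from a blob container for hard-coded credentials.

Added example, not from the write-up or PwnedLabs. FAKE_PS1 is a
constructed script in the shape of the entra_users.ps1 excerpt above;
every value in it is invented.
"""
import io
import re
import zipfile

FAKE_PS1 = r'''# Define your Azure AD credentials
$Username = "svc-example@example.invalid"
$Password = "NotARealPassword-123" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential ($Username, $Password)
$ctx = "DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey=AAAAexampleKeyAAAA==;EndpointSuffix=core.windows.net"
'''

# Ordered: plaintext secret variables, the PowerShell idiom that turns a
# literal into a SecureString, storage account keys, user principal names.
PATTERNS = {
    "powershell-plaintext-secret":
        re.compile(r'(?i)\$(?:pass(?:word)?|secret|pwd)\w*\s*=\s*"([^"]+)"'),
    "convertto-securestring-asplaintext":
        re.compile(r'(?i)ConvertTo-SecureString\s+-AsPlainText'),
    "storage-account-key":
        re.compile(r'AccountKey=([A-Za-z0-9+/=]{16,})'),
    "upn-or-email":
        re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+'),
}


def build_sample_zip():
    """Constructed archive: one script plus a binary member to be skipped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scripts/entra_users.ps1", FAKE_PS1)
        zf.writestr("bin/blob.bin", bytes(range(256)))
    return buf.getvalue()


def scan_zip(data, max_member_bytes=5_000_000):
    """Return findings as dicts: file, line, type, match (in file order)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > max_member_bytes:
                continue  # bound memory; zips from the target are untrusted
            try:
                text = zf.read(info).decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary member, nothing to grep
            for lineno, line in enumerate(text.splitlines(), 1):
                for label, rx in PATTERNS.items():
                    m = rx.search(line)
                    if m:
                        findings.append({"file": info.filename, "line": lineno,
                                         "type": label, "match": m.group(0)})
    return findings


def mask(value, keep=4):
    """Show only a prefix so findings can be pasted into a report safely."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f"{f['file']}:{f['line']} {f['type']}: {mask(f['match'])}")
```

Run scan_zip over every archive you pull down, and treat a "convertto-securestring-asplaintext" hit as a strong signal even when the secret variable is named something unusual, since that idiom almost always sits next to a literal password.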

2.6 Run PowerShell from Linux - pwsh

The entra_users.ps1 script itself lists the modules it depends on; install them first:

Install-Module -Name Az
Install-Module -Name MSAL.PS

Then run the script:

./entra_user.ps1

Since the script authenticated successfully, we know that the hard-coded credentials are valid.

The flag was then retrieved with the following command, which shows the Entra ID user object for the account the session is signed in as:

Get-AzADUser -SignedIn | fl

2.7 Cleanup

Uninstall-Module -Name Az
Uninstall-Module -Name MSAL.PS

#AzureCloud #AzureCloudBlob #pwnedlabs #pwsh