1. Azure Blob Container to Initial Access
This write-up is based on PwnedLabs.io’s free module, Azure Blob Container to Initial Access, which offers top-notch content at an unbeatable price. While I’m not affiliated with PwnedLabs.io, I highly recommend their resources. Learn more about their subscription options at PwnedLabs.io/pricing.
Lessons Learned:
1. Azure Storage - Blob Container
https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-services/az-blob-storage
https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction
2. The lab
It feels to me this is a web application that requires Azure knowledge.
2.1 Get Blob location from web inspection
It starts off with a web address. Burp or curl can be used to check the server response. A quick URL inspection reveals more URLs.
Adding ?restype=container&comp=list at the end of the $web container URL will display all blobs in an XML document.
2.2 Information regarding all blobs
https://mbtwebsite.blob.core.windows.net/$web/?restype=container&comp=list
2.3 Versions!
Tried to get the version information using include=versions, but we received an error.
2.4 Version Header
The following document indicates the request header format.
With the updated header, I received more information.
If we are using curl, use libxml2-utils to make the XML response easier to read.
apt install libxml2-utils
2.5 Downloads require versions
The response indicates that scripts-transfer.zip is available to download. For whatever reason, it requires versionId to download.
Based on the following webpage, versionId is required for downloading.
https://learn.microsoft.com/en-us/rest/api/storageservices/versioning-for-the-azure-storage-services
So what is versioning, and why does it matter?
Key information can be found here.
https://learn.microsoft.com/en-us/azure/storage/blobs/versioning-overview
You can enable Blob storage versioning to automatically maintain previous versions of an object. When blob versioning is enabled, you can access earlier versions of a blob to recover your data if it's modified or deleted.
- Blob versioning, to automatically maintain previous versions of a blob. When blob versioning is enabled, you can restore an earlier version of a blob to recover your data if it's erroneously modified or deleted. To learn how to enable blob versioning, see Enable and manage blob versioning.
Also, Stack Overflow has good information regarding this.
https://stackoverflow.com/questions/77485169/how-to-get-version-specific-url-in-azure-blob-storage
@Knowledge Apps When you request a specific version of a blob, the response will contain the content of that version of the blob. There is no separate URL generated for each version of the blob. Instead, you can use the same URL for the blob and pass the version ID as a query string parameter to retrieve a specific version of the blob.
After updating versionId and x-ms-version info, I was able to get the data.
Using Burp Pro, I was able to find more versions.
curl -H "x-ms-version: 2019-12-12" 'https://mbtwebsite.blob.core.windows.net/$web/scripts-transfer.zip?versionId=2024-03-29T20:55:40.8265593Z' --output scripts-transfer.zip
Hard-coded credentials were retrieved from the downloaded file.
# Define your Azure AD credentials
$Username = "marcus@megabigtech.com"
$Password = "********" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential ($Username, $Password)
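For the storage owner, the same List Blobs output with include=versions can be audited for blobs that no longer have a current version but are still listed, and therefore still downloadable, by versionId. The following is an added example, not part of the lab or of PwnedLabs material; the sample XML, blob names and endpoint are constructed, and the element names (Name, VersionId, IsCurrentVersion) follow the List Blobs response format.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of a List Blobs response requested with include=versions.
# Names, timestamps and the endpoint are placeholders, not values from the lab.
SAMPLE_LISTING = """<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="$web">
  <Blobs>
    <Blob><Name>index.html</Name><VersionId>2024-01-01T10:00:00.0000000Z</VersionId>
      <IsCurrentVersion>true</IsCurrentVersion></Blob>
    <Blob><Name>index.html</Name><VersionId>2023-12-01T09:00:00.0000000Z</VersionId></Blob>
    <Blob><Name>backup/deploy.zip</Name><VersionId>2023-11-15T08:30:00.0000000Z</VersionId></Blob>
    <Blob><Name>backup/deploy.zip</Name><VersionId>2023-11-10T08:30:00.0000000Z</VersionId></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""


def group_versions(listing_xml):
    """Map blob name -> {"current": VersionId or None, "previous": [VersionIds]}."""
    blobs = defaultdict(lambda: {"current": None, "previous": []})
    for blob in ET.fromstring(listing_xml).iter("Blob"):
        name = blob.findtext("Name")
        version = blob.findtext("VersionId")
        # IsCurrentVersion is only present (as "true") on the live version.
        if (blob.findtext("IsCurrentVersion") or "").strip().lower() == "true":
            blobs[name]["current"] = version
        elif version:
            blobs[name]["previous"].append(version)
    return dict(blobs)


def deleted_but_retrievable(listing_xml):
    """Blobs with no current version whose previous versions are still listed."""
    return {
        name: sorted(info["previous"], reverse=True)
        for name, info in group_versions(listing_xml).items()
        if info["current"] is None and info["previous"]
    }


if __name__ == "__main__":
    for name, versions in deleted_but_retrievable(SAMPLE_LISTING).items():
        print(f"{name}: no current version, {len(versions)} old version(s) still listed")
        for v in versions:
            print(f"  versionId={v}")
```

Any name this reports should be reviewed for secrets and its retained versions deleted explicitly, because deleting a blob in a versioned account keeps the earlier versions.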
2.6 Run PowerShell from Linux - pwsh
Those install commands were in the entra_users.ps1 script.
Install-Module -Name Az
Install-Module -Name MSAL.PS
Then execute the PowerShell script:
./entra_user.ps1
Since the script worked, we know that the hard-coded credentials are valid.
The flag was retrieved using the following command.
Get-AzADUser -SignedIn | fl
2.7 Cleanup
Uninstall-Module -Name Az
Uninstall-Module -Name MSAL.PS