
Azure Blob Container to Initial Access

Software Integration and Security Engineer with a background in Cisco networking, ethical hacking, and secure application development. I hold a B. IT (cum laude) from Tshwane University of Technology, along with PNPT, PJPT, and PT1 certifications. My strengths include Active Directory and network penetration testing, web application reconnaissance, entry-level AppSec, and building lightweight tools for security assessments. I also work across Angular, TypeScript, C#, .NET, Azure Functions, Storage, Service Bus, Logic Apps, and Azure DevOps. I’m passionate about offensive security, bug bounty hunting, and building practical solutions that improve both software delivery and security posture.

In this article, we explore the PwnedLabs free Azure Blob Container lab as a potential vector for initial access. Our focus is on identifying and leveraging exposed blob storage that could provide a pathway to user-level access on the Megabigtech platform. We analyze the configuration and security settings of the Azure Blob storage, evaluate the risks associated with its exposure, and walk through the techniques used to turn that exposure into unauthorized access, along with what they imply for cloud security.

# url 
http://dev.megabigtech.com/$web/index.html

We attempted to use MicroBurst to enumerate the blob storage, but it returned no results, so we proceeded manually.

# we add these query parameters to the blob storage and see what we can find
?restype=container&comp=list

# Full url 
https://mbtwebsite.blob.core.windows.net/$web?restype=container&comp=list

Upon investigation, we found that only the static CSS and HTML files of the hosted website were listed. There was nothing particularly interesting or noteworthy within those files.

# We add the query to include versions 
?restype=container&comp=list&include=versions

# Full url 
https://mbtwebsite.blob.core.windows.net/$web?restype=container&comp=list&include=versions

Although our previous attempts were not successful, we switched to the terminal and added the 'x-ms-version' header set to 2019-12-12, as outlined in the Microsoft documentation: blob versioning, and therefore the include=versions option, is only honoured at that API version or later. With that header in place, the listing finally revealed the 'scripts-transfer.zip' file.

# Full url 
https://mbtwebsite.blob.core.windows.net/$web?restype=container&comp=list&include=versions

# Terminal command 
curl -H "x-ms-version: 2019-12-12" 'https://mbtwebsite.blob.core.windows.net/$web?restype=container&comp=list&include=versions'

I attempted to download the file using my browser, but unfortunately, that method wasn't successful. As a result, we decided to revert to using the terminal for the download. This time, we made sure to include the 'x-ms-version' header to meet the server's requirements.

# Terminal command
curl -H "x-ms-version: 2019-12-12" 'https://mbtwebsite.blob.core.windows.net/$web/scripts-transfer.zip?versionId=2024-03-29T20:55:40.8265593Z'  --output scripts-transfer.zip
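As an added audit helper (not code from this write-up or from PwnedLabs), the following Python parses the XML that the versioned listing above returns and flags blobs that exist only as retained versions, which is exactly how scripts-transfer.zip surfaced here despite being absent from the plain listing. The sample response, its blob names and version ids are constructed, and the endpoint is a placeholder.

```python
"""Parse an Azure Blob 'List Blobs' response (comp=list&include=versions)
and report blobs that only survive as retained versions, i.e. blobs with no
current version. Added audit helper; not code from the write-up or the lab."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample response: the shape returned once x-ms-version is
# 2019-12-12 or later. Endpoint, names and version ids are placeholders.
SAMPLE_LISTING = """<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="$web">
  <Blobs>
    <Blob>
      <Name>index.html</Name>
      <VersionId>2024-03-01T10:00:00.0000000Z</VersionId>
      <IsCurrentVersion>true</IsCurrentVersion>
      <Properties><Content-Length>512</Content-Length></Properties>
    </Blob>
    <Blob>
      <Name>scripts-transfer.zip</Name>
      <VersionId>2024-03-29T20:55:40.0000000Z</VersionId>
      <Properties><Content-Length>2048</Content-Length></Properties>
    </Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>
"""

def parse_blob_listing(xml_text):
    """Return {blob name: [(version_id, is_current), ...]}."""
    root = ET.fromstring(xml_text)
    versions = defaultdict(list)
    for blob in root.iter("Blob"):
        # Assumption: the service marks only the live version with
        # <IsCurrentVersion>true</IsCurrentVersion>; retained versions
        # (overwritten or deleted) carry a VersionId and no such element.
        is_current = blob.findtext("IsCurrentVersion", "false") == "true"
        versions[blob.findtext("Name")].append((blob.findtext("VersionId"), is_current))
    return dict(versions)

def find_orphaned_versions(xml_text):
    """Names that a plain comp=list would not show: every version present is
    a retained one, so the blob was deleted but versioning still serves it
    to anyone who can read the container and supplies ?versionId=<id>."""
    listing = parse_blob_listing(xml_text)
    return sorted(n for n, vs in listing.items() if not any(c for _, c in vs))

if __name__ == "__main__":
    for name in find_orphaned_versions(SAMPLE_LISTING):
        print("retained-only blob reachable via versionId:", name)
```

Running this over your own public containers shows which deleted files versioning still hands out; the fix is to disable anonymous access or purge the retained versions.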

The zip file contained two PowerShell scripts that include credentials for the Azure portal.

unzip scripts-transfer.zip

We use the cat command to view the contents of both files. entra_users.ps1 contains clear-text credentials, and running this script would allow us to list all user information.

cat entra_users.ps1

Before running the script, we need to install the required modules, which are listed at the beginning of the script. Running it returns the user information, and the flag can be found in the job title field of one of the users.

# Install the modules 
Install-Module -Name Az
Install-Module -Name MSAL.PS

# Then we run the script 
.\entra_users.ps1