Flag 2

In the initiatedart endpoint, there is also an URL Pointing to a SAS Token.


NETSPI has an amazing article on how Azure SAS token work.

Using Azure Storage Explorer, I connect to the storage account using the SAS Token


In the tsarray storage account, there are 3 blob containers. After enumerating for hours, I found the version history for azure-webjobs-secrets/OSIRIS-REx.txt which contains the SAS Tokens for the Logic App endpoint from the GitHub repository.

In the tsarraystorage account, there are 3 blob containers. The version history for azure-webjobs-secrets/OSIRIS-REx.txtcontains the SAS Tokens for the Logic App endpoint.


There also alot of other useful information within the storage account.

  • In the current version of azure-webjobs-secrets/OSIRIS-REx.txt in contains a GUID 6de8103e-049a-4f88-9abf-41099a79ca53 which will be useful later.

  • In the azure-webjobs-secrets/rosarray/ it contains a bunch of json file, which contains functions keys and master keys. However, we are unable to use those keys as it is encrypted.

  • But we managed to retrieved a function app endpoint rosarray.azurewebsites.net

    • I also identified the function name blanket, canister and deployer

Visiting the logic app endpoint appended with the SAS Token appended, I am greeted with an error page.


It is because the task test that is being requested does not exist. Using ffuf, I am able to enumerate the for valid api endpoint.

ffuf -u "https://prod-61.eastus.logic.azure.com/workflows/250827f3ebc54c368f85643619f38ce3/triggers/manual/paths/invoke/FUZZ?api-version=2018-07-01-preview&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=avLLG0xOCALGGT-7zmIJsddcUiL5o2GOijT4mPSA4JY" -w /usr/share/wordlists/seclists/Discovery/Web-Content/api/api-endpoints-res.txt  -fw 162

I managed to identify 2 valid endpoint, action and debug and retrieve flag 2 using the debug endpoint


Flag 2: Telemetry check-in confirmed.

Last updated