Flag 2


The endpoint also contains a URL pointing to a SAS token.

https://tsarray.blob.core.windows.net/azure-webjobs-secrets/DART.jpg?sv=2021-10-04&ss=b&srt=sco&se=2023-04-14T18%3A19%3A45Z&sp=rl&sig=SL06OYe4kJHHKo3oBD8wrHM8D%2FK6OWU%2FkG1w3wRBpnY%3D

NetSPI has an amazing article on how Azure SAS tokens work: "Azure SAS Tokens for Web Application Penetration Testers".

https://tsarray.blob.core.windows.net/?sv=2021-10-04&ss=b&srt=sco&se=2023-04-14T18%3A19%3A45Z&sp=rl&sig=SL06OYe4kJHHKo3oBD8wrHM8D%2FK6OWU%2FkG1w3wRBpnY%3D
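The same token works on the account root because its fields describe an account SAS rather than a link to one blob. The following is an added example, not part of the original writeup, that decodes those fields and reports the scope a reviewer should worry about; the function name audit_sas is hypothetical and the signature is replaced with a placeholder.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Field meanings for an Azure Storage account SAS.
SERVICES = {"b": "blob", "q": "queue", "t": "table", "f": "file"}
RESOURCE_TYPES = {"s": "service", "c": "container", "o": "object"}
PERMISSIONS = {"r": "read", "w": "write", "d": "delete", "l": "list",
               "a": "add", "c": "create", "u": "update", "p": "process"}

# The URL from this page, with the signature replaced by a placeholder.
SAMPLE_URL = ("https://tsarray.blob.core.windows.net/azure-webjobs-secrets/DART.jpg"
              "?sv=2021-10-04&ss=b&srt=sco&se=2023-04-14T18%3A19%3A45Z&sp=rl&sig=REDACTED")

def audit_sas(url, now=None):
    """Decode a storage SAS URL; return (details, findings)."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    srt, sp = q.get("srt", ""), q.get("sp", "")
    # An account SAS carries ss/srt; a service SAS carries sr instead.
    kind = "account" if srt else "service" if "sr" in q else "unknown"
    details = {
        "kind": kind,
        "path": parts.path,
        "services": [SERVICES.get(c, c) for c in q.get("ss", "")],
        "resource_types": [RESOURCE_TYPES.get(c, c) for c in srt],
        "permissions": [PERMISSIONS.get(c, c) for c in sp],
    }
    findings = []
    if kind == "account":
        # The account SAS signature does not cover the resource path.
        findings.append("signature is not bound to " + parts.path)
        if "l" in sp and "s" in srt:
            findings.append("can list every container in the account")
        if "l" in sp and "c" in srt:
            findings.append("can list every blob in a container")
    try:
        expiry = datetime.strptime(q.get("se", ""), "%Y-%m-%dT%H:%M:%SZ")
        expiry = expiry.replace(tzinfo=timezone.utc)
        findings.append("expired" if expiry <= now else
                        f"valid for {(expiry - now).days} more day(s)")
    except ValueError:
        findings.append("expiry missing or not in full timestamp form")
    return details, findings

if __name__ == "__main__":
    details, findings = audit_sas(SAMPLE_URL)
    print(details)
    print("\n".join(findings))
```

A service SAS scoped to the single blob (sr=b) with read-only permission would have served DART.jpg without exposing the rest of the account.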

In the tsarray storage account, there are 3 blob containers. After enumerating for hours, I found the version history for azure-webjobs-secrets/OSIRIS-REx.txt, which contains the SAS tokens for the Logic App endpoint from the GitHub repository.


api-version=2018-07-01-preview&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=avLLG0xOCALGGT-7zmIJsddcUiL5o2GOijT4mPSA4JY

There is also a lot of other useful information within the storage account.

  • The current version of azure-webjobs-secrets/OSIRIS-REx.txt contains a GUID, 6de8103e-049a-4f88-9abf-41099a79ca53, which will be useful later.

  • azure-webjobs-secrets/rosarray/ contains a bunch of JSON files, which contain function keys and master keys. However, we are unable to use those keys as they are encrypted.

    • I also identified the function names blanket, canister and deployer.

Visiting the Logic App endpoint with the SAS token appended, I am greeted with an error page.

https://prod-61.eastus.logic.azure.com:443/workflows/250827f3ebc54c368f85643619f38ce3/triggers/manual/paths/invoke/test?api-version=2018-07-01-preview&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=avLLG0xOCALGGT-7zmIJsddcUiL5o2GOijT4mPSA4JY

This is because the task test that is being requested does not exist. Using ffuf, I am able to enumerate for valid API endpoints.

ffuf -u "https://prod-61.eastus.logic.azure.com/workflows/250827f3ebc54c368f85643619f38ce3/triggers/manual/paths/invoke/FUZZ?api-version=2018-07-01-preview&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=avLLG0xOCALGGT-7zmIJsddcUiL5o2GOijT4mPSA4JY" -w /usr/share/wordlists/seclists/Discovery/Web-Content/api/api-endpoints-res.txt  -fw 162

I managed to identify 2 valid endpoints, action and debug, and retrieved flag 2 using the debug endpoint.

https://prod-61.eastus.logic.azure.com/workflows/250827f3ebc54c368f85643619f38ce3/triggers/manual/paths/invoke/debug?api-version=2018-07-01-preview&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=avLLG0xOCALGGT-7zmIJsddcUiL5o2GOijT4mPSA4JY

Flag 2: Telemetry check-in confirmed.

Using Azure Storage Explorer, I connect to the storage account using the SAS token.

But we managed to retrieve a function app endpoint: rosarray.azurewebsites.net
initiatedart