Flag 2
Last updated
Last updated
In the initiatedart endpoint, there is also an URL Pointing to a SAS Token.
NETSPI has an amazing article on how Azure SAS token work.
Using Azure Storage Explorer, I connect to the storage account using the SAS Token
In the tsarray storage account, there are 3 blob containers. After enumerating for hours, I found the version history for azure-webjobs-secrets/OSIRIS-REx.txt which contains the SAS Tokens for the Logic App endpoint from the GitHub repository.
In the tsarraystorage account, there are 3 blob containers. The version history for azure-webjobs-secrets/OSIRIS-REx.txtcontains the SAS Tokens for the Logic App endpoint.
There also alot of other useful information within the storage account.
In the current version of azure-webjobs-secrets/OSIRIS-REx.txt in contains a GUID 6de8103e-049a-4f88-9abf-41099a79ca53 which will be useful later.
In the azure-webjobs-secrets/rosarray/ it contains a bunch of json file, which contains functions keys and master keys. However, we are unable to use those keys as it is encrypted.
But we managed to retrieved a function app endpoint rosarray.azurewebsites.net
I also identified the function name blanket, canister and deployer
Visiting the logic app endpoint appended with the SAS Token appended, I am greeted with an error page.
It is because the task test that is being requested does not exist. Using ffuf, I am able to enumerate the for valid api endpoint.
I managed to identify 2 valid endpoint, action and debug and retrieve flag 2 using the debug endpoint
Flag 2: Telemetry check-in confirmed.
