Flag 2

In the initiatedart endpoint, there is also a URL containing a SAS token.

https://tsarray.blob.core.windows.net/azure-webjobs-secrets/DART.jpg?sv=2021-10-04&ss=b&srt=sco&se=2023-04-14T18%3A19%3A45Z&sp=rl&sig=SL06OYe4kJHHKo3oBD8wrHM8D%2FK6OWU%2FkG1w3wRBpnY%3D

NetSPI has an amazing article on how Azure SAS tokens work.
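The query string of the URL above can be read field by field. The following Python is an added example, not part of the original write-up: it decodes the ss, srt, sp and se parameters and reports when a SAS token is scoped wider than the single blob named in the URL path. The signature is replaced with a placeholder, and the function and table names are hypothetical.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Single-letter codes used in SAS query parameters.
SERVICES = {"b": "blob", "q": "queue", "t": "table", "f": "file"}
RESOURCE_TYPES = {"s": "service", "c": "container", "o": "object"}
PERMISSIONS = {"r": "read", "w": "write", "d": "delete", "l": "list",
               "a": "add", "c": "create", "u": "update", "p": "process"}

# URL from the page with the signature swapped for a placeholder.
SAMPLE_URL = ("https://tsarray.blob.core.windows.net/azure-webjobs-secrets/DART.jpg"
              "?sv=2021-10-04&ss=b&srt=sco&se=2023-04-14T18%3A19%3A45Z"
              "&sp=rl&sig=PLACEHOLDER")

def decode(value, table):
    return [table.get(ch, f"unknown({ch})") for ch in value]

def audit_sas(url, now=None):
    """Decode SAS fields and flag scope wider than the URL path suggests."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # An account SAS carries ss and srt; a service SAS carries sr instead.
    kind = "account" if "ss" in q and "srt" in q else "service" if "sr" in q else "unknown"
    # Assumes se is a full UTC timestamp, as in the sample URL.
    expiry = datetime.strptime(q["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    report = {
        "account": parts.hostname.split(".")[0],
        "path": parts.path,
        "kind": kind,
        "services": decode(q.get("ss", ""), SERVICES),
        "resource_types": decode(q.get("srt", ""), RESOURCE_TYPES),
        "permissions": decode(q.get("sp", ""), PERMISSIONS),
        "expired": expiry <= now,
        "findings": [],
    }
    if kind == "account":
        report["findings"].append("account SAS: not bound to the blob in the URL path")
    if "list" in report["permissions"] and {"service", "container"} & set(report["resource_types"]):
        report["findings"].append("list on service/container: containers and blobs can be enumerated")
    if set(report["permissions"]) & {"write", "delete", "add", "create", "update"}:
        report["findings"].append("token allows modification")
    return report

if __name__ == "__main__":
    for key, value in audit_sas(SAMPLE_URL).items():
        print(f"{key}: {value}")
```

For the sample URL the report shows an account SAS for the blob service with read and list on service, container and object, which is why a link to one image is enough to browse the whole storage account.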

Using Azure Storage Explorer, I connected to the storage account using the SAS token.

In the tsarray storage account, there are 3 blob containers. After enumerating for hours, I found the version history for azure-webjobs-secrets/OSIRIS-REx.txt which contains the SAS Tokens for the Logic App endpoint from the GitHub repository.


There is also a lot of other useful information within the storage account.

  • The current version of azure-webjobs-secrets/OSIRIS-REx.txt contains a GUID, 6de8103e-049a-4f88-9abf-41099a79ca53, which will be useful later.

  • azure-webjobs-secrets/rosarray/ contains a bunch of JSON files, which contain function keys and master keys. However, we are unable to use those keys as they are encrypted.

  • But we managed to retrieve a function app endpoint, rosarray.azurewebsites.net.

    • I also identified the function names blanket, canister and deployer.

Visiting the logic app endpoint with the SAS token appended, I am greeted with an error page.

This is because the task test that is being requested does not exist. Using ffuf, I am able to enumerate valid API endpoints.

I managed to identify 2 valid endpoints, action and debug, and retrieved flag 2 using the debug endpoint.

Flag 2: Telemetry check-in confirmed.
