Flag 2

In the initiatedart endpoint, there is also a URL pointing to a SAS token.

https://tsarray.blob.core.windows.net/azure-webjobs-secrets/DART.jpg?sv=2021-10-04&ss=b&srt=sco&se=2023-04-14T18%3A19%3A45Z&sp=rl&sig=SL06OYe4kJHHKo3oBD8wrHM8D%2FK6OWU%2FkG1w3wRBpnY%3D

NetSPI has an amazing article on how Azure SAS tokens work.

Using Azure Storage Explorer, I connect to the storage account using the SAS token:

https://tsarray.blob.core.windows.net/?sv=2021-10-04&ss=b&srt=sco&se=2023-04-14T18%3A19%3A45Z&sp=rl&sig=SL06OYe4kJHHKo3oBD8wrHM8D%2FK6OWU%2FkG1w3wRBpnY%3D
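Why the token lifted from the DART.jpg URL also works against the account root, shown as an added example that is not part of the original write-up: the `ss` and `srt` fields mark it as an account SAS, so its scope is the whole Blob service rather than the one file. The function name `audit_sas`, the placeholder signature and the assumed `se` timestamp format are choices made for this example.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Field codes documented for Azure Storage SAS tokens (core subset).
SERVICES = {"b": "blob", "f": "file", "q": "queue", "t": "table"}
RESOURCE_TYPES = {"s": "service", "c": "container", "o": "object"}
PERMISSIONS = {"r": "read", "w": "write", "d": "delete", "l": "list",
               "a": "add", "c": "create", "u": "update", "p": "process"}

# Parameters copied from the write-up's URL; the signature is a placeholder.
SAMPLE = ("https://tsarray.blob.core.windows.net/azure-webjobs-secrets/DART.jpg"
          "?sv=2021-10-04&ss=b&srt=sco&se=2023-04-14T18%3A19%3A45Z&sp=rl&sig=PLACEHOLDER")

def expand(codes, table):
    """Map each one-letter code to its name; unknown codes are kept as-is."""
    return [table.get(c, c) for c in codes]

def audit_sas(url, now=None):
    """Decode a SAS URL and report how far its grant reaches."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # Assumption: 'se' uses the full UTC form seen in the write-up.
    expires = datetime.strptime(q["se"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    is_account = "ss" in q and "srt" in q  # account SAS carries ss + srt
    report = {
        "host": parts.hostname,
        "kind": "account" if is_account else "service",
        "services": expand(q.get("ss", ""), SERVICES),
        "resource_types": expand(q.get("srt", ""), RESOURCE_TYPES),
        "permissions": expand(q.get("sp", ""), PERMISSIONS),
        "expired": expires <= now,
        "findings": [],
    }
    if is_account and parts.path.strip("/"):
        report["findings"].append("account SAS embedded in a blob URL: valid beyond this path")
    if is_account and "l" in q.get("sp", "") and set("sc") & set(q["srt"]):
        report["findings"].append("list permission: containers and blobs can be enumerated")
    if "sip" not in q:
        report["findings"].append("no sip restriction: usable from any source IP")
    return report

if __name__ == "__main__":
    for key, value in audit_sas(SAMPLE).items():
        print(f"{key}: {value}")
```

A link to a single file is better served by a service SAS scoped to that blob with read permission only, so the token cannot be replayed against the account root.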

In the tsarray storage account, there are 3 blob containers. After enumerating for hours, I found the version history for azure-webjobs-secrets/OSIRIS-REx.txt which contains the SAS Tokens for the Logic App endpoint from the GitHub repository.

api-version=2018-07-01-preview&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=avLLG0xOCALGGT-7zmIJsddcUiL5o2GOijT4mPSA4JY

There is also a lot of other useful information within the storage account.

  • The current version of azure-webjobs-secrets/OSIRIS-REx.txt contains a GUID, 6de8103e-049a-4f88-9abf-41099a79ca53, which will be useful later.

  • azure-webjobs-secrets/rosarray/ contains a bunch of JSON files, which contain function keys and master keys. However, we are unable to use those keys as they are encrypted.

  • But we managed to retrieve a function app endpoint, rosarray.azurewebsites.net

    • I also identified the function names blanket, canister and deployer

Visiting the Logic App endpoint with the SAS token appended, I am greeted with an error page.

https://prod-61.eastus.logic.azure.com:443/workflows/250827f3ebc54c368f85643619f38ce3/triggers/manual/paths/invoke/test?api-version=2018-07-01-preview&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=avLLG0xOCALGGT-7zmIJsddcUiL5o2GOijT4mPSA4JY

It is because the task test that is being requested does not exist. Using ffuf, I am able to enumerate valid API endpoints.

ffuf -u "https://prod-61.eastus.logic.azure.com/workflows/250827f3ebc54c368f85643619f38ce3/triggers/manual/paths/invoke/FUZZ?api-version=2018-07-01-preview&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=avLLG0xOCALGGT-7zmIJsddcUiL5o2GOijT4mPSA4JY" -w /usr/share/wordlists/seclists/Discovery/Web-Content/api/api-endpoints-res.txt  -fw 162

I managed to identify 2 valid endpoints, action and debug, and retrieve flag 2 using the debug endpoint:

https://prod-61.eastus.logic.azure.com/workflows/250827f3ebc54c368f85643619f38ce3/triggers/manual/paths/invoke/debug?api-version=2018-07-01-preview&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=avLLG0xOCALGGT-7zmIJsddcUiL5o2GOijT4mPSA4JY

Flag 2: Telemetry check-in confirmed.
