Cloudy with a chance of meatball

Difficulty: Medium
Points: 500
Solves: 3

Description

Today in school, I learnt to code in HTML! View my brand new website! www.lncctf2023.tk

Hint 1: Identify how the website is hosted using what services

Hint 2: Enumerate your role and the allowed actions

Viewing the website, we can identify that it is hosted on Azure services.

Since there isn't much information other than the domain name, we can use MicroBurst to perform unauthenticated enumeration.

Referring to HackTricks

From the MicroBurst output, I identified 2 files: /private/instructions.txt and /root/flag.txt.

/root/flag.txt contains a troll flag, but /private/instructions.txt has some juicy information.

Since I have a set of credentials, I am able to use the Azure PowerShell module to log in with the service principal.

Next, I can enumerate the resources the service principal has access to using Get-AzResource.

I managed to identify that there is another storage account called lncctf2023private. I was then able to retrieve the flag from the private storage account.

Flag: LNC2023{aZuR3_pUbL1C_c0ntAiN3R_i3_n0T_s0_s3cuR3}
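From the defender's side, the unauthenticated listing and reads of the public container described above show up in the storage account's blob logs as successful requests with an anonymous authentication type. The following is an added example, not part of the original write-up: it flags such requests in constructed sample records. The column names follow the Azure Monitor StorageBlobLogs table; the JSON-lines export, the account name `examplepublic` and the `public-assets` allowlist are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample records (not real logs), one JSON object per line.
SAMPLE_LOGS = """\
{"TimeGenerated":"2023-01-01T10:00:01Z","OperationName":"ListBlobs","AuthenticationType":"Anonymous","StatusCode":200,"CallerIpAddress":"203.0.113.7:51234","ObjectKey":"/examplepublic/private"}
{"TimeGenerated":"2023-01-01T10:00:05Z","OperationName":"GetBlob","AuthenticationType":"Anonymous","StatusCode":200,"CallerIpAddress":"203.0.113.7:51240","ObjectKey":"/examplepublic/private/instructions.txt"}
{"TimeGenerated":"2023-01-01T10:00:09Z","OperationName":"GetBlob","AuthenticationType":"Anonymous","StatusCode":200,"CallerIpAddress":"203.0.113.7:51244","ObjectKey":"/examplepublic/root/flag.txt"}
{"TimeGenerated":"2023-01-01T10:02:00Z","OperationName":"GetBlob","AuthenticationType":"OAuth","StatusCode":200,"CallerIpAddress":"198.51.100.20:40000","ObjectKey":"/examplepublic/private/instructions.txt"}
{"TimeGenerated":"2023-01-01T10:03:00Z","OperationName":"ListBlobs","AuthenticationType":"Anonymous","StatusCode":404,"CallerIpAddress":"192.0.2.44:38000","ObjectKey":"/examplepublic/backup"}
{"TimeGenerated":"2023-01-01T10:03:30Z","OperationName":"GetBlob","AuthenticationType":"Anonymous","StatusCode":200,"CallerIpAddress":"192.0.2.44:38010","ObjectKey":"/examplepublic/public-assets/logo.png"}
"""


def anonymous_access(log_text, allowed_containers=frozenset()):
    """Map caller IP -> [(operation, object key)] for successful anonymous requests."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("AuthenticationType") != "Anonymous":
            continue  # authenticated access is out of scope for this check
        if not 200 <= int(rec.get("StatusCode", 0)) < 300:
            continue  # failed guesses returned no data
        # ObjectKey has the form /account/container[/blob]
        parts = rec.get("ObjectKey", "").strip("/").split("/", 2)
        container = parts[1] if len(parts) > 1 else ""
        if container in allowed_containers:
            continue  # container that is meant to be public (hypothetical allowlist)
        ip = rec.get("CallerIpAddress", "").rsplit(":", 1)[0]  # drop the port (IPv4 samples)
        findings[ip].append((rec["OperationName"], rec["ObjectKey"]))
    return dict(findings)


def listed_and_read(findings):
    """Caller IPs that both listed a container and downloaded blobs anonymously."""
    return sorted(ip for ip, hits in findings.items()
                  if {"ListBlobs", "GetBlob"} <= {op for op, _ in hits})


if __name__ == "__main__":
    found = anonymous_access(SAMPLE_LOGS, allowed_containers={"public-assets"})
    for ip, hits in found.items():
        for op, key in hits:
            print(f"{ip} {op} {key}")
    print("listed and read:", listed_and_read(found))
```

Any hit outside the allowlist means a container's public access level permits anonymous reads or listing, which is the setting to review.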
