Cloudy with a chance of meatball
Medium
500
3
Today in school, I learnt to code in HTML! View my brand new website! www.lncctf2023.tk
Hint 1: Identify how the website is hosted using what services
Hint 2: Enumerate your role and the allowed actions
Viewing the website, we can identify that it is hosted on some Azure services.
Since there isn't much information other than the domain name, we can use MicroBurst to perform unauthenticated enumeration.
Referring to HackTricks
From the MicroBurst output, I have identified 2 files, /private/instructions.txt and /root/flag.txt.
The /root/flag.txt shows a troll flag but /private/instructions.txt has some juicy information.
Since I have a set of credentials, we are able to use the Azure PowerShell module to log in with the service principal.
Next, I can enumerate the resources our service principal has access to using Get-AzResource.
I managed to identify that there is another storage account called lncctf2023private. I am then able to retrieve the flag from the private storage account.
Flag: LNC2023{aZuR3_pUbL1C_c0ntAiN3R_i3_n0T_s0_s3cuR3}
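The defender's side of the same finding, as an added example that is not part of the original writeup: an Azure PowerShell audit that lists every blob container in the current subscription that still allows anonymous access, with an opt-in remediation step. It assumes the Az.Accounts and Az.Storage modules and an existing Connect-AzAccount session; the function names Get-PublicBlobExposure and Disable-PublicBlobAccess are hypothetical.

```powershell
# Added example (not from the writeup): find blob containers that allow
# anonymous access. Assumes Connect-AzAccount has already been run with an
# identity that can read storage accounts in the current subscription.
function Get-PublicBlobExposure {
    foreach ($sa in Get-AzStorageAccount) {
        # Account-level switch. $null means the property was never set, so
        # anything other than an explicit $false is reported for review.
        $accountAllows = $sa.AllowBlobPublicAccess -ne $false

        $scope = @{
            ResourceGroupName  = $sa.ResourceGroupName
            StorageAccountName = $sa.StorageAccountName
        }
        foreach ($c in Get-AzRmStorageContainer @scope) {
            # PublicAccess: None, Blob (read blobs by URL) or Container (read and list).
            $level = "$($c.PublicAccess)"
            if ($level -in @('', 'None')) { continue }

            [pscustomobject]@{
                StorageAccount = $sa.StorageAccountName
                ResourceGroup  = $sa.ResourceGroupName
                Container      = $c.Name
                PublicAccess   = $level
                AccountAllows  = $accountAllows
                # Anonymous listing is what exposes file names to enumeration.
                AnonymousList  = $accountAllows -and ($level -eq 'Container')
            }
        }
    }
}

# Hypothetical remediation helper: switches off anonymous access at the account
# level, which overrides every container setting. Run with -WhatIf first.
function Disable-PublicBlobAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Finding)
    process {
        if ($PSCmdlet.ShouldProcess($Finding.StorageAccount, 'Set AllowBlobPublicAccess = $false')) {
            Set-AzStorageAccount -ResourceGroupName $Finding.ResourceGroup `
                -Name $Finding.StorageAccount -AllowBlobPublicAccess $false | Out-Null
        }
    }
}

$findings = @(Get-PublicBlobExposure)
$findings | Sort-Object StorageAccount, Container | Format-Table -AutoSize
# $findings | Sort-Object StorageAccount -Unique | Disable-PublicBlobAccess -WhatIf
```

Any row with AnonymousList set to True is a container whose contents can be listed without credentials, which is the condition this challenge depends on; files holding credentials should not live in such a container regardless of the setting.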