| Objective: Owner | Difficulty Level: 1 |
|---|---|
| Help Goose James near the park discover the accidentally leaked SAS token in a public JavaScript file and determine what Azure Storage resource it exposes and what permissions it grants. | Location: The Park |
Solution Overview
Conduct reconnaissance of an Azure tenant looking for permission misconfigurations. The group IT Admins was found on the subscription neighborhood-sub-3. Another group nested inside IT Admins contained a permanent permission assignment to a user. This violates the principle of least privilege and creates a permanent attack path.

| Activity | Primary Tactic | MITRE ATT&CK Technique ID | MITRE ATT&CK Technique Name |
|---|---|---|---|
| Discovering a permanent owner assignment in Azure Storage | Reconnaissance | T1526 | Cloud Service Discovery |
Detailed Solution
Start by listing the accounts with this command:

```bash
az account list --query "[].name"
```

Next, let's find which accounts are enabled:

```bash
az account list --query "[?state=='Enabled'].{Name:name, ID:id}"
```

Review the Owners of each listed subscription, passing in each subscription ID. The role name lives in the `roleDefinitionName` field of the assignment output, and the query must be quoted so the shell does not expand the brackets:

```bash
az role assignment list --scope "/subscriptions/065cc24a-077e-40b9-b666-2f4dd9f3a617" --query "[?roleDefinitionName=='Owner']"
```

In addition to the PIM group, there is a group called IT Admins. Let's figure out the membership of the IT Admins group:

```bash
az ad group member list --group 6b982f2f-78a0-44a8-b915-79240b2b4796 | less
```

IT Admins is a nested group. Let's figure out the membership of the Subscription Admins group:

```bash
az ad group member list --group 631ebd3f-39f9-4492-a780-aef2aec8c94e | less
```
Answer: Use just-in-time elevated access instead of permanent assignments. Permanent Owner roles create persistent attack paths and violate least-privilege principles.
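The manual walk above (Owner assignments, then group members, then members of the nested group) is easy to miss a level of. The script below is an added example, not part of the original writeup: it takes the JSON that `az role assignment list` and `az ad group member list` return (constructed samples here, using the two group IDs from the writeup and made-up user IDs) and follows nested groups until it reaches the users who actually hold a permanent Owner assignment.

```python
# Added example: walk `az role assignment list` and `az ad group member list`
# output to find which users end up holding Owner through nested groups.

# Constructed sample of `az role assignment list --scope ... -o json`, trimmed
# to the fields used here; the group id is the IT Admins id from the writeup.
ROLE_ASSIGNMENTS = [
    {"principalId": "6b982f2f-78a0-44a8-b915-79240b2b4796", "principalType": "Group",
     "principalName": "IT Admins", "roleDefinitionName": "Owner"},
    {"principalId": "aaaaaaaa-0000-0000-0000-000000000001", "principalType": "User",
     "principalName": "reader@example.com", "roleDefinitionName": "Reader"},
]

# Constructed sample of `az ad group member list --group <id> -o json`, keyed by
# group id; members carry the Microsoft Graph object type the CLI returns.
GROUP_MEMBERS = {
    "6b982f2f-78a0-44a8-b915-79240b2b4796": [
        {"id": "631ebd3f-39f9-4492-a780-aef2aec8c94e", "displayName": "Subscription Admins",
         "@odata.type": "#microsoft.graph.group"},
    ],
    "631ebd3f-39f9-4492-a780-aef2aec8c94e": [
        {"id": "bbbbbbbb-0000-0000-0000-000000000002", "displayName": "Goose James",
         "@odata.type": "#microsoft.graph.user"},
    ],
}

def expand_group(group_id, members, path, seen=None):
    """Yield (user_id, display_name, group_chain) for each user reachable from
    group_id through nested groups; each group is visited once, so cycles end."""
    seen = set() if seen is None else seen
    if group_id in seen:
        return
    seen.add(group_id)
    for m in members.get(group_id, []):
        if m.get("@odata.type") == "#microsoft.graph.group":
            yield from expand_group(m["id"], members, path + [m["displayName"]], seen)
        elif m.get("@odata.type") == "#microsoft.graph.user":
            yield m["id"], m["displayName"], path

def permanent_owners(assignments, members, role="Owner"):
    """Return [(user_id, display_name, chain)] for users holding `role` directly
    or via any chain of nested groups. Only active assignments are listed by the
    CLI, so every hit here is a standing (non-PIM) assignment worth reviewing."""
    found = []
    for a in assignments:
        if a["roleDefinitionName"] != role:
            continue
        if a["principalType"] == "User":
            found.append((a["principalId"], a["principalName"], [a["principalName"]]))
        elif a["principalType"] == "Group":
            for uid, name, chain in expand_group(a["principalId"], members, [a["principalName"]]):
                found.append((uid, name, chain + [name]))
    return found
```

Feeding it real output (`-o json` on both commands, one `az ad group member list` call per group encountered) reports each user as `IT Admins -> Subscription Admins -> <user>`, which is the chain the writeup uncovered by hand.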
Tools Reference
| Tools Used | Tool Version |
|---|---|
| Azure CLI | N/A |
Hints Reference
| Provided By | Hint |
|---|---|
| Santa | This terminal has built-in hints! |
Acknowledgements
| Provided By | Notes |
|---|---|
| none | none |