| Objective: Spare Key | Difficulty Level: 1 |
|---|---|
| Help Goose Barry near the pond identify which identity has been granted excessive Owner permissions at the subscription level, violating the principle of least privilege. | Location: Frozen Pond |
Solution Overview
Next to Grace is Barry, who tells us that the Neighborhood HOA hosts a static website on Azure Storage. An admin accidentally uploaded an infrastructure config file containing a long-lived SAS token, and we need to use the Azure CLI to find the leak. We are connected to a read-only Azure CLI session. We find the neighborhoodhoa storage account with a $web container. Listing the blobs in that container shows an iac/terraform.tfvars file that is likely to hold exposed secrets. Downloading the file reveals the long-lived SAS token, which does not expire until 2100-01-01.
| Activity | Primary Tactic | MITRE ATT&CK Technique ID | MITRE ATT&CK Technique Name |
|---|---|---|---|
| Enumerate Storage Containers | Discovery | T1619 | Cloud Storage Object Discovery |
| Download TFVars File | Collection | T1530 | Data from Cloud Storage |
| Extract SAS Token | Credential Access | T1552.001 | Unsecured Credentials: Credentials in Files |
Detailed Solution
We begin with two introductory discovery commands:
az group list -o table
az storage account list --resource-group rg-the-neighborhood -o table
Since our objective tells us the issue is related to the Neighborhood HOA's static website, we first take a look at rg-the-neighborhood.
The az storage account list command shows us a number of different storage accounts within the rg-the-neighborhood resource group. Again referencing our objective, we investigate the neighborhoodhoa account further.
We aim to identify which container within this storage account contains the infrastructure configuration file holding the long-lived SAS token.
Of the two containers found within the neighborhoodhoa storage account, the $web container most likely contains data related to the static website targeted by the objective. Listing the blob contents of this container reveals two static .html files and a file named terraform.tfvars within the iac folder.
Infrastructure as code (IaC) is a popular methodology for provisioning and managing modern digital resources. Terraform, developed by HashiCorp, is an IaC tool that lets users safely and predictably build, change, and version infrastructure using declarative configuration files. A terraform.tfvars file supplies the values for a configuration's input variables, which is exactly where credentials such as SAS tokens tend to be hard-coded, so terraform.tfvars is the infrastructure configuration file indicated by our objective. Because the $web container backs Azure static website hosting, anything placed in it is served to anonymous visitors over the website endpoint; an unauthenticated attacker would not even need our CLI session to retrieve this file.
We use az storage blob download with Unix I/O redirection to pull the contents of the infrastructure configuration file into our local terminal. Directing the download to /dev/stdout lets us use the append (>>) operator to build a local tfvars.txt file holding the targeted contents. (Passing --file tfvars.txt directly would achieve the same result; the single quotes around $web stop the shell from expanding it as a variable, and --auth-mode login makes the CLI use the signed-in identity's RBAC rights rather than the account key.)
az storage blob download --account-name neighborhoodhoa --container-name '$web' --auth-mode login --name 'iac/terraform.tfvars' --file /dev/stdout >> tfvars.txt
The image below displays a subsection of this configuration file's contents, with the SAS token in question highlighted in green.
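As an added example, not code from the original write-up or from the challenge, the following POSIX shell scan takes the text of a downloaded tfvars file, extracts every Azure SAS token, redacts the signature so the finding can be quoted safely, and flags any token whose se= (signed expiry) lies more than a year out, which is how the 2100-01-01 expiry above would be caught automatically. The sample tfvars, its token values and the MAX_YEARS threshold are constructed for illustration; the az command in the comment is the write-up's download with an assumed -o none added to suppress the CLI's own JSON output.

```shell
#!/bin/sh
# Added example, not code from the original write-up: scan tfvars text for
# Azure SAS tokens, report them with the signature redacted, and flag tokens
# whose se= expiry is more than MAX_YEARS beyond the current year.

MAX_YEARS=1   # an expiry further out than this is treated as "long-lived"

# Constructed sample resembling a leaked terraform.tfvars. The tokens and
# signatures are invented and are not the challenge's real values.
SAMPLE_TFVARS='resource_group_name  = "rg-the-neighborhood"
storage_account_name = "neighborhoodhoa"
# admin left a never-expiring token here
storage_sas_token = "?sv=2022-11-02&ss=b&srt=sco&sp=rwdlac&se=2100-01-01T00:00:00Z&st=2025-01-01T00:00:00Z&spr=https&sig=EXAMPLEsigAAAA%3D"
# a short-lived one for comparison
upload_sas_token  = "?sv=2022-11-02&sp=r&se=2025-06-30T00:00:00Z&sig=EXAMPLEsigBBBB%3D"'

# Print one SAS token per line: the run from sv= through the sig= value.
extract_sas_tokens() {
    grep -oE 'sv=[^" ]*sig=[^" ]*'
}

# Count the SAS tokens in the text given as $1.
count_sas_tokens() {
    printf '%s\n' "$1" | extract_sas_tokens | grep -c .
}

# Print the se= (signed expiry) value of the token given as $1.
sas_expiry() {
    printf '%s\n' "$1" | sed -n 's/.*&se=\([^&]*\).*/\1/p'
}

# Replace the signature so a token can be quoted in a report safely.
redact_sig() {
    sed 's/sig=[^&" ]*/sig=<redacted>/'
}

# Succeed (exit 0) if the token in $1 expires more than MAX_YEARS from now.
is_long_lived() {
    exp=$(sas_expiry "$1")
    [ -n "$exp" ] || return 1
    year=${exp%%-*}                 # ISO 8601: the year is the first field
    [ "$year" -gt $(( $(date +%Y) + MAX_YEARS )) ]
}

# Print the expiry of every long-lived token in the text given as $1.
list_long_lived() {
    printf '%s\n' "$1" | extract_sas_tokens | while read -r tok; do
        if is_long_lived "$tok"; then
            sas_expiry "$tok"
        fi
    done
}

# Stand-alone run over the constructed sample. To scan the real file from the
# write-up, feed the download through the same functions, for example:
#   az storage blob download --account-name neighborhoodhoa --container-name '$web' \
#       --auth-mode login --name 'iac/terraform.tfvars' --file /dev/stdout -o none \
#       | extract_sas_tokens | redact_sig
printf '%s\n' "$SAMPLE_TFVARS" | extract_sas_tokens | redact_sig
list_long_lived "$SAMPLE_TFVARS" | sed 's/^/LONG-LIVED SAS, expires: /'
```

The expiry check compares only the year, which avoids the GNU-specific date -d and is enough to separate a token that expires next quarter from one that expires in 2100; a stricter policy would parse the full timestamp and also flag tokens with no se= parameter at all.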
Tools Reference
| Tools Used | Tool Version |
|---|---|
| Azure CLI | 2.81.0 |
Hints Reference
| Provided By | Hint |
|---|---|
| Santa | This terminal has built-in hints! |
Acknowledgements
| Provided By | Notes |
|---|---|
| none | none |