Post

DART CTF - Objective 1

DART CTF - Objective 1 Walkthrough

Hey there and welcome back to another blog post series. This time, I’m excited to share my experiences delving into cloud security, with a particular focus on Azure Pentesting. On December 5th, 2023 i came across a tweet from Nikhil Mittal where he announced a FREE live class on “An introduction to Azure Red Teaming” , hosted by Altered Security. Eager to learn, I signed up for the class at redlabs.enterprisesecurity.io and joined the insightful and informative session on December 16th, 2023.

The course covered several key areas, including:

  • Introduction to Azure and Azure AD
  • Discovery and REcon of services and applications
  • Initial access
  • Enumeration
  • Authenticated enumeration
  • Privilege escalation
  • Lateral movement
  • Abuse of Azure services - storage, Logic Apps, Function App, Key Vault, Cosmos DB and more.

Already having some background in Azure, this course, particularly the lab exercises, greatly enhanced my understanding and piqued my interest in further exploring Azure. My aim is to make this blog series both informative and comprehensive, catering to a wide range of audiences from beginners to experts.

For those interested in joining in, the lab scenario (DART CTF) has been available since March 2023. It’s free and specifically designed to assist junior security professionals, penetration testers, and red teamers in improving their skills in Azure red teaming.

Lab Prerequisites

Objective 1

Task

  • Using the website - https://initiatedart.z13.web.core.windows.net/, find out more information about DART’s resources in Azure.
  • Capture Flag 1.

Solution

Visiting the website, you get an Azure Static Web App:

https://initiatedart.z13.web.core.windows.net/#about

image

There is nothing really interesting to poke around with, so let’s review the page source. I realised that the css was fetched from the companies (AlteredSecurity) github:

image

I also came across an exposed SAS Url that we will explore later.

image

However, visiting it displays an image.

image

Exploring the css file fetched from github leaked yet another url that looks like a Microsoft logic app URL and Flag 1

image

Visiting the URL, you get this error

image

This indicates that the request is missing a required query parameter: api-version. In Azure services, and particularly in Logic Apps, the api-version query parameter is often mandatory for API requests. This parameter specifies the version of the API that the request is intended for, ensuring that the correct version of the API is used to process the request.

In the next blog post of this series, we are going to dig deeper and see if we can find the api-version information in Objective 2. I’m also going to explain more about SAS URLs & Azure Logic Apps.

See you there. 😎

This post is licensed under CC BY 4.0 by the author.

Comments powered by Disqus.