DART CTF - Objective 2
DART CTF - Objective 2 Walkthrough
Objective 2
- Use a SAS URL to access a storage account in target Azure environment.
- Abuse storage account versioning to extract sensitive information.
- Fuzz a logic app to find parameters for different actions.
- Abuse logic app to find Flag 2.
In my previous blog post, we came across a SAS URL. But what really is it?
A SAS (Shared Access Signature) URL is a way to grant limited access to objects in your Azure Storage account without providing them with your account keys. It is a secure URL that encapsulates various constraints such as permissions, the start and end time of access, an IP address range that can access the data, and the protocol used to access the storage.
Here’s how a SAS URL typically works in Azure:
A SAS URL is generated by someone with appropriate permissions in the Azure Storage account. This person decides what resources the SAS will grant access to, what permissions it will allow, and how long the SAS will be valid.
The SAS URL can be restricted in several ways:
- Time window: You can specify when the SAS becomes valid and when it expires.
- Permissions: You can set permissions such as read, write, delete, etc., for the data.
- IP Range: You can specify an IP range that can use the SAS URL, adding an extra layer of security.
- Protocols: You can specify whether the SAS can be used over HTTP, HTTPS, or both.
The recipient of the SAS URL can access the specified resources in the storage account according to the permissions granted by the SAS, without needing the account keys.
Since the SAS URL is a secure token, it prevents users from needing the storage account’s keys, which are much more powerful and should be protected. However, it’s important to note that if a SAS URL is leaked, anyone with the URL can access the resources according to the permissions granted until the SAS expires.
Solution
Having understood that, let’s dissect the SAS URL we found component by component.
1
https://tsarray.blob.core.windows.net/azure-webjobs-secrets/DART.jpg?sv=2021-12-02&ss=b&srt=sco&sp=rl&se=2025-05-01T19:00:19Z&st=2023-05-01T11:00:19Z&spr=https,http&sig=pMFZaRK7jfzs3GnvL1%2FoFss5g6XynaEV98wCh%2Bd68Kk%3D
Base URL -
https://tsarray.blob.core.windows.net/azure-webjobs-secrets/DART.jpg
- https:// - is the protocol
- tsarray.blob.core.windows.net - is the domain, indicating it’s an Azure Blob Storage.
- azure-webjobs-secrets - is the name of the container in the Blob Storage.
- DART.jpg - is the specific blob (file) being accessed.
SAS Token - Everything after the ? is part of the SAS token, which grants specific permissions, time frame, and other constraints for accessing DART.jpg.
- sv=2021-12-02: The service version that the SAS token is compatible with.
- ss=b: The service type is Blob storage.
- srt=sco: The scope of the resource types. Here sco means service, container, and object.
- sp=rl: The type of permission granted. r stands for read, and l stands for list.
- se=2025-05-01T19:00:19Z: The expiry date and time for the SAS token. The SAS will no longer be valid after this timestamp.
- st=2023-05-01T11:00:19Z: The start time from which the SAS token becomes valid. This is also in UTC format.
- spr=https,http: The allowed protocols for access. Both HTTPS and HTTP are allowed here.
- sig=pMFZaRK7jfzs3GnvL1%2FoFss5g6XynaEV98wCh%2Bd68Kk%3D: The signature for the SAS token. It’s a hash-based message authentication code (HMAC) that is encrypted using the Azure storage account’s key.
With that in mind, we should now think of accessing the storage container, list the blobs inside the container. In order to do that, you can leverage on Microsoft’s Azure Storage Explorer. Upon successful instalation, you get access to the following interface.
To connect to the storage, you need to redact the container name (azure-webjobs-secrets) from the SAS URL and follow along:
Open the connect dialogue and select Storage account or service.
Choose SAS
Enter a display name and a Service URL (without container name azure-webjobs-secrets) and click next.
Confirm summary and click connect.
You get a successful connection. You can also see at the bottom left pane that you have Read & List permissions on the blob container.
Inspecting the azure-webjobs-secrets
container, you find some files. OSIRIS-REx.txt
contains what resembles a GUID.
This tool can help you identify if there are other versions of the same blob. On the top ribbon, select Manage History and select manage versions.
This time round you get a different version.
Inspecting it, you get a SAS Token:
1
api-version=2018-07-01-preview&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=avLLG0xOCALGGT-7zmIJsddcUiL5o2GOijT4mPSA4JY
Earlier, I found Azure Logic Apps URL. But what are logic apps? 🤔
Azure Logic Apps is a cloud service provided by Microsoft Azure that allows you to automate workflows and integrate apps, data, systems, and services across different environments. Logic Apps simplifies the process of designing, implementing, and scaling solutions for app integration, data integration, system integration, and enterprise application integration, both in the cloud and on-premises. In a nutshell, here is what Logic Apps offer:
Workflow Automation: Logic Apps allows you to define a series of steps or a workflow that automates a business process.
Visual Designer: Offers a visual designer interface within the Azure Portal, allowing you to create workflows by dragging and dropping connectors and components, making it accessible even to those with limited coding experience.
Connectors: Provides a large collection of built-in connectors to various services such as Office 365, Salesforce, Dropbox, and many others, enabling easy integration with various cloud and on-premises services.
Customizability and Extensibility: While it provides out-of-the-box solutions, it also allows for custom development. You can extend Logic Apps with custom APIs, Azure Functions, and more.
Scalability and Reliability: It automatically scales to meet demand and ensures high availability.
Monitoring and Management: Offers built-in monitoring and management tools, and integrates with Azure Monitor and Azure Log Analytics for in-depth diagnostics and logging.
With that in mind, lets go back to our lab environment. Earlier, we got the following error indicating that the request is missing a required query parameter: api-version
Since we now have this information, we can try appending the logic app url with the SAS token we found since the sp
parameter contains the trigger manual run value specified in it.
1
https://prod-61.eastus.logic.azure.com/workflows/250827f3ebc54c368f85643619f38ce3/triggers/manual/paths/invoke/test?api-version=2018-07-01-preview&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=avLLG0xOCALGGT-7zmIJsddcUiL5o2GOijT4mPSA4JY
Visiting this URL, you get a warning and some information.
Doesn’t seem to work 🤔 but atleast we are getting somewhere. How about we try fuzzing the test
parameter using tools like ffuf, wfuzz.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
wfuzz -w /usr/share/seclists/Discovery/Web-Content/common.txt -u "https://prod-61.eastus.logic.azure.com/workflows/250827f3ebc54c368f85643619f38ce3/triggers/manual/paths/invoke/FUZZ?api-version=2018-07-01-preview&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=avLLG0xOCALGGT-7zmIJsddcUiL5o2GOijT4mPSA4JY" --hw 14,164 -hc 404
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: https://prod-61.eastus.logic.azure.com/workflows/250827f3ebc54c368f85643619f38ce3/triggers/manual/paths/invoke/FUZZ?api-version=2018-07-01-preview&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=avLLG0xOCALGGT-7zmIJsddcUiL5o2GOijT4mPSA4JY
Total requests: 4715
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000492: 200 33 L 88 W 1049 Ch "action"
000001399: 200 11 L 35 W 403 Ch "debug"
If we replace the test
parameter with debug
, we now get some python code and Flag 2. 🚩
1
https://prod-61.eastus.logic.azure.com/workflows/250827f3ebc54c368f85643619f38ce3/triggers/manual/paths/invoke/debug?api-version=2018-07-01-preview&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=avLLG0xOCALGGT-7zmIJsddcUiL5o2GOijT4mPSA4JY
In the next blog post of this series, we are going to dig deeper and dissect the script.
See you there 😎
Comments powered by Disqus.