Breaching Azure

Breaching Azure Intro
Getting Started
2 Topics
How to access the Labs
BA Lab Objectives
BA Rules of Engagement
Introduction to Azure
BA 01 – Getting started with Azure
2 Topics
Overview of Azure Services
Identity & Common Azure Resources
BA 02 – Azure Portal
BA 03 – Azure Cloud Shell
Breaching SolarDrops
BA 04 – Anonymous Azure Services Enumeration
3 Topics
BA 04 – Credential Discovery
BA Lab 01 – Anonymous Azure Services Enumeration
BA Lab 01 – Solution
BA 05 – Phishing Attacks
6 Topics
BA 05 – Email Spoofing using Exchange Online
BA 05 – Device Code Phishing Attack
BA 05 – Bypass 2FA using Reverse Proxy
BA 05 – Illicit Consent Grant
BA Lab 02 – Azure Device Code Phishing Attack
BA Lab 02 – Solution
BA 06 – Abusing Azure Management and Azure Graph APIs
2 Topics
BA Lab 03 – RCE on Azure Web App Service
BA Lab 03 – Solution
BA 07 – Password Spraying Entra ID
2 Topics
BA Lab 04 – Entra ID Users and Password Spraying
BA Lab 04 – Solution
BA 08 – Azure Access Token
4 Topics
BA Lab 05 – Azure Resource Pivoting
BA Lab 05 – Solution
BA Lab 06 – Azure Keyvault Secret Dumping
BA Lab 06 – Solution
BA 09 – Entra Conditional Access Policy
2 Topics
BA Lab 07 – Bypass Entra Conditional Access Policy
BA Lab 07 – Solution
BA 10 – Azure Logic App
2 Topics
BA Lab 08 – Exploiting Azure Logic App
BA Lab 08 – Solution
BA 11 – Azure Storage Account
2 Topics
BA Lab 09 – Extract Sensitive Data using Azure Storage Explorer
BA Lab 09 – Solution
BA 12 – Azure Automation Account
2 Topics
BA Lab 10 – Privilege Escalation in Azure Automation Account
BA Lab 10 – Solution
BA 13 – Microsoft Entra Connect & MSOL
4 Topics
BA Lab 11 – Attacking On-Premises DC using malicious RunBooks
BA Lab 11 – Solution
BA Lab 12 – Stealing Azure User’s Credentials stored in Browser
BA Lab 12 – Solution
Breaching Bogus Bank
BA 14 – B2B Collaboration with Entra ID
4 Topics
BA Lab 13 – Abusing Multi-Tenant Entra ID Users
BA Lab 13 – Solution
BA Lab 14 – Authenticated Entra ID enumeration & Illicit Consent Attack
BA Lab 14 – Solution
BA 15 – Azure and Microsoft 365 REST APIs
2 Topics
BA Lab 15 – Utilizing SharePoint APIs to Dump Sensitive Files
BA Lab 15 – Solution
BA 16 – DevSecOps Fundamentals
12 Topics
BA Lab 16 – Use KICKS to Identify Misconfigurations in Terraform
BA Lab 16 – Solution
BA 16 – What is SonarQube?
BA 16 – What is Azure Kubernetes Service and its Common Misconfigurations?
BA Lab 17 – Leverage SonarQube to Discover and Exploit Application Vulnerabilities
BA Lab 17 – Solution
BA Lab 18 – Entra ID Groups Enumeration
BA Lab 18 – Solution
BA Lab 19 – Entra ID User Takeover
BA Lab 19 – Solution
BA Lab 20 – Final Step
BA Lab 20 – Solution
Previous Topic
Next Lesson

BA Lab 01 – Solution

Breaching Azure BA 04 – Anonymous Azure Services Enumeration BA Lab 01 – Solution

MicroBurst is a great tool that automates the reconnaissance process. Using a PowerShell terminal import MicroBurst and run it against the SolarDrops cloud infrastructure as shown below: 

Import-Module .\BreachingAzureTools\MicroBurst-master\MicroBurst.psm1
Invoke-EnumerateAzureSubDomains -Base SolarDrops -Verbose

Output:

Subdomain                                 Service
---------                                 -------
SolarDropsuserfiles.azurewebsites.net     App Services
SolarDropsservices.azurewebsites.net      App Services
SolarDropsservices.scm.azurewebsites.net  App Services - Management
SolarDropsuserfiles.scm.azurewebsites.net App Services - Management
SolarDrops.mail.protection.outlook.com    Email
SolarDrops.onmicrosoft.com                Microsoft Hosted Domain
SolarDrops.sharepoint.com                 SharePoint
SolarDrops-my.sharepoint.com              SharePoint
SolarDropsstorage.blob.core.windows.net   Storage Accounts - Blobs
SolarDropsstorage.file.core.windows.net   Storage Accounts - Files
SolarDropsstorage.queue.core.windows.net  Storage Accounts - Queues
SolarDropsstorage.table.core.windows.net  Storage Accounts - Tables

Based on the above output, we managed to retrieve a number of useful services such as, App Services including the Management (SCM), Storage, Sharepoint and Email Endpoints.

By visiting “https://solardropsservices.azurewebsites.net/” we can observe a device validation message:

https://solardropsuserfiles.azurewebsites.net/ is the SolarDrops business website.

And If we try to visit App Service Management  (SCM) – https://solardropsuserfiles.scm.azurewebsites.net/, It redirects us to authenticate using Entra ID credentials.

Source Control Manager (SCM)

The “scm” in App Service refers to the Source Control Manager, which is a web interface and service associated with Azure App Service deployments. The Source Control Manager, commonly known as Kudu, provides a centralized platform for managing application deployments, integration with version control systems, and diagnostic tools. It allows developers to deploy and manage their applications directly from source control repositories such as Git or Azure Repos. Kudu offers features like continuous integration, deployment slots, and detailed logging for troubleshooting. Additionally, it provides a convenient way to view and manage files, access environment variables, and execute commands in the context of the application. The Source Control Manager is a valuable component in the Azure App Service ecosystem, streamlining deployment processes and enhancing the overall development and debugging experience.

Additional Reading

Previous Topic
Back to Lesson
Next Lesson