THM AOC2024 DAY 16: Unveiling the Azure Attack Path

Every December, TryHackMe's Advent of Cyber delivers 24 free daily cybersecurity challenges, offering hands-on scenarios that simulate real-world attacks and defenses. Designed for beginners and professionals alike, it's an exciting, gamified way to explore topics like threat hunting, penetration testing, cryptography, and more. This event is perfect for building skills, gaining practical experience, and spreading some cybersecurity cheer during the festive season!


Learning Objectives

  1. Learn about Azure, what it is, and why it is used.
  2. Understand Azure services like Azure Key Vault and Microsoft Entra ID.
  3. Learn how to interact with an Azure tenant using Azure Cloud Shell.

Tools Overview

  • Azure Key Vault: A secure cloud-based service for managing secrets like API keys, certificates, and passwords. It ensures sensitive data is accessible only to authorized users and applications.
  • Microsoft Entra ID: Formerly known as Azure Active Directory, this identity and access management service streamlines user access control across Azure resources.
  • Azure CLI: A command-line tool integrated into Azure Cloud Shell, enabling efficient management and configuration of Azure resources.
  • Azure Cloud Shell: A browser-based command-line interface pre-configured for managing Azure environments, supporting both Bash and PowerShell.

Task Walkthrough

Overview

In this task, we investigate an assumed breach scenario in Wareville's Azure tenant. Using Azure CLI within Cloud Shell, we explore how an attacker could enumerate accounts, escalate privileges, and gain unauthorized access to sensitive secrets stored in Azure Key Vault.


Steps

Task 1: Setting Up the Environment

  1. Connect to the Azure Tenant:
    • Click on the Cloud Details button to generate credentials.
    • Use the credentials to log into the Azure Portal via the Open Lab button.
    • Launch Azure Cloud Shell and select the Bash environment.
  2. Verify Authentication:
    • Use the command az ad signed-in-user show to display the authenticated user details.

Task 2: Enumerating Accounts and Groups

  1. List All Users: az ad user list
    • Filter users starting with wvusr- for better focus:
    az ad user list --filter "startsWith('wvusr-', displayName)"
  2. Discover Privileged Accounts:
    • Identify unusual fields, such as stored passwords or admin roles.
  3. List Groups: az ad group list
    • Investigate the "Secret Recovery Group" and its members:
    az ad group member list --group "Secret Recovery Group"

Task 3: Exploring Azure Role Assignments

  1. Enumerate Role Assignments:
    • Check assigned roles for the group:
    az role assignment list --assignee <GROUP_ID> --all
    • Roles such as Key Vault Reader and Key Vault Secrets User suggest access to sensitive resources.

Task 4: Accessing Azure Key Vault

  1. List Available Key Vaults: az keyvault list
  2. Enumerate Secrets: az keyvault secret list --vault-name warevillesecrets
  3. Retrieve Secret Contents: az keyvault secret show --vault-name warevillesecrets --name <SECRET_NAME>
    • Reading the secret value confirms that membership of the group, via its Key Vault roles, is enough to reach sensitive data in the vault.
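A defender-side triage of the same enumeration path (Tasks 2 to 4), as an added example that is not part of the original walkthrough or of TryHackMe's material: it parses constructed JSON shaped like the output of az ad user list -o json and az role assignment list --all -o json, mirrors the startsWith filter locally, flags free-text profile attributes that look like a stored credential, and lists Key Vault data-plane roles granted to groups. The user IDs, UPNs, tenant domain, subscription and resource group placeholders, the sample password, and the choice of officeLocation as the field holding it are all assumptions; the group ID and vault name are the ones the walkthrough reports.

```python
"""Triage of Azure CLI JSON output for an assumed-breach review.

Added example, not part of the TryHackMe walkthrough. Both JSON documents
below are constructed to resemble `az ad user list -o json` and
`az role assignment list --all -o json`; IDs, UPNs, the tenant domain and
the field that carries the credential are assumptions.
"""
import json

# Constructed sample resembling `az ad user list -o json` (Entra user objects).
SAMPLE_USERS_JSON = """
[
  {"id": "11111111-1111-1111-1111-111111111111",
   "displayName": "wvusr-alice",
   "userPrincipalName": "wvusr-alice@wareville.example",
   "jobTitle": "Toy Engineer", "officeLocation": "Workshop 3"},
  {"id": "22222222-2222-2222-2222-222222222222",
   "displayName": "wvusr-backupware",
   "userPrincipalName": "wvusr-backupware@wareville.example",
   "jobTitle": "Backup Service", "officeLocation": "C0nstructed_Pa55w0rd!"},
  {"id": "33333333-3333-3333-3333-333333333333",
   "displayName": "svc-monitor",
   "userPrincipalName": "svc-monitor@wareville.example",
   "jobTitle": null, "officeLocation": null}
]
"""

# Constructed sample resembling `az role assignment list --all -o json`.
# The group ID and vault name come from the walkthrough; <SUBSCRIPTION_ID>
# and <RG> are placeholders.
SAMPLE_ASSIGNMENTS_JSON = """
[
  {"principalId": "7d96660a-02e1-4112-9515-1762d0cb66b7",
   "principalName": "Secret Recovery Group", "principalType": "Group",
   "roleDefinitionName": "Key Vault Reader",
   "scope": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG>/providers/Microsoft.KeyVault/vaults/warevillesecrets"},
  {"principalId": "7d96660a-02e1-4112-9515-1762d0cb66b7",
   "principalName": "Secret Recovery Group", "principalType": "Group",
   "roleDefinitionName": "Key Vault Secrets User",
   "scope": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG>/providers/Microsoft.KeyVault/vaults/warevillesecrets"},
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "principalName": "wvusr-alice@wareville.example", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/<SUBSCRIPTION_ID>"}
]
"""

# Free-text profile attributes where a secret has no business being stored.
FREE_TEXT_FIELDS = ("jobTitle", "officeLocation", "department",
                    "companyName", "streetAddress", "mobilePhone")


def looks_like_credential(value):
    """Loose triage heuristic: 8+ non-space chars mixing a digit with symbols or mixed case."""
    if not isinstance(value, str) or len(value) < 8 or any(c.isspace() for c in value):
        return False
    has_digit = any(c.isdigit() for c in value)
    has_symbol = any(not c.isalnum() for c in value)
    mixed_case = any(c.islower() for c in value) and any(c.isupper() for c in value)
    return has_digit and (has_symbol or mixed_case)


def filter_users_by_prefix(users, prefix="wvusr-"):
    """Local equivalent of --filter "startsWith('wvusr-', displayName)"."""
    return [u for u in users if (u.get("displayName") or "").startswith(prefix)]


def find_credential_like_fields(users):
    """Return (displayName, field, value) for profile fields that look like stored secrets."""
    findings = []
    for u in users:
        for field in FREE_TEXT_FIELDS:
            value = u.get(field)
            if looks_like_credential(value):
                findings.append((u.get("displayName"), field, value))
    return findings


def flag_key_vault_roles(assignments, principal_type="Group"):
    """Return built-in 'Key Vault ...' role grants held by the given principal type.

    Group grants deserve attention because adding a member to the group
    inherits vault access without any new role assignment appearing."""
    return [a for a in assignments
            if a.get("roleDefinitionName", "").startswith("Key Vault")
            and a.get("principalType") == principal_type]


def vault_name_from_scope(scope):
    """Extract the vault name from a Key Vault resource scope, or None."""
    marker = "/providers/Microsoft.KeyVault/vaults/"
    if marker in scope:
        return scope.split(marker, 1)[1].split("/", 1)[0]
    return None


def triage(users_json=SAMPLE_USERS_JSON, assignments_json=SAMPLE_ASSIGNMENTS_JSON):
    """Run the three checks and return their results as one dict."""
    users = json.loads(users_json)
    assignments = json.loads(assignments_json)
    return {
        "prefixed_users": [u["displayName"] for u in filter_users_by_prefix(users)],
        "credential_like": find_credential_like_fields(users),
        "group_vault_grants": [(a["principalName"], a["roleDefinitionName"],
                                vault_name_from_scope(a["scope"]))
                               for a in flag_key_vault_roles(assignments)],
    }


if __name__ == "__main__":
    for key, rows in triage().items():
        print(f"== {key}")
        for row in rows:
            print("  ", row)
```

To use it against a live tenant, save the two az commands' JSON output to files and pass their contents to triage(); the credential heuristic is intentionally loose and will produce false positives on things like licence keys or asset tags, so treat its output as a review list, not a verdict.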

Questions and Solutions

  1. What is the password for backupware that was leaked?
    • Answer: R3c0v3r_s3cr3ts!
  2. What is the group ID of the Secret Recovery Group?
    • Answer: 7d96660a-02e1-4112-9515-1762d0cb66b7
  3. What is the name of the vault secret?
    • Answer: aoc2024
  4. What are the contents of the secret stored in the vault?
    • Answer: WhereIsMyMind1999

Recap of Learning Objectives

1. Learn about Azure, what it is, and why it is used.

Azure is a Cloud Service Provider offering scalable computing resources. It reduces the complexity of managing on-premises infrastructure while providing robust services like identity management and secure storage, enabling organizations to focus on operational needs.

2. Learn about Azure services like Azure Key Vault and Microsoft Entra ID.

Azure Key Vault secures sensitive data such as passwords and API keys, while Microsoft Entra ID simplifies user access management across Azure resources. Together, they enhance security and streamline operations within the Azure ecosystem.

3. Learn how to interact with an Azure tenant using Azure Cloud Shell.

Azure Cloud Shell facilitates seamless management of Azure resources using pre-configured tools like Azure CLI and PowerShell. Its browser-based interface eliminates the need for local installations, allowing quick, efficient, and secure access to tenant environments.


This challenge demonstrated the importance of securing cloud environments and monitoring access roles to prevent privilege escalation and data breaches. McSkidy and Glitch are one step closer to understanding the attack paths within Wareville's digital infrastructure.
