Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/holidayhack2025/act1/blob-storage
  • Blog Title: Holiday Hack Challenge 2025: Blob Storage (Storage Secrets)
  • Suggested Section: Azure Pentesting -> Az - Services -> Az - Storage Accounts & Blobs (or Az - Storage Unauth / Az - Blob Storage Post Exploitation): add a subsection on auditing allowBlobPublicAccess + container publicAccess (Blob vs Container vs null) and verification via anonymous blob download

🎯 Content Summary

This post demonstrates how to audit Azure Blob Storage for anonymous/public data exposure caused by a storage-account-level misconfiguration: allowBlobPublicAccess: true. When this flag is enabled on a Storage Account, individual containers can be configured for anonymous access, enabling internet users to read blobs without authenticating (depending on the container’s publicAccess setting).

Azure Blob Storage model / hierarchy (used to reason about where the security con...

🔧 Technical Details

Audit Azure Storage Accounts for anonymous blob exposure by enumerating accounts and checking properties.allowBlobPublicAccess. If it is true, containers can be configured for public/anonymous access.

Determine effective anonymous access at the container level by enumerating containers and inspecting properties.publicAccess: Blob allows anonymous reads for known object URLs (no listing), Container allows anonymous listing + reads, and null requires authentication. Then enumerate exposed data with az storage blob list and confirm impact by exfiltrating files using az storage blob download (e.g., print directly with --file /dev/stdout). Use jq to quickly filter large JSON outputs (e.g., count accounts, extract .name, inspect suspicious indices/properties).

🤖 Agent Actions

Summary:

  • Added an “Auditing anonymous blob exposure” subsection to Azure Storage Accounts & Blobs detailing how to find allowBlobPublicAccess-enabled accounts, enumerate container publicAccess modes, and verify anonymous listing/download impact with az CLI and raw HTTP.
  • Expanded references to include the source blog and relevant Azure CLI documentation pages.

Testing:

  • Not run (documentation-only change).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
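The triage described in the comment above, as an added example that is not code from the 0xdf post or the HackTricks page: it consumes the JSON shapes emitted by `az storage account list` and `az storage container list` (both samples below are constructed, with fictitious account and container names), combines the account-level `allowBlobPublicAccess` switch with each container's `publicAccess`, and emits the unauthenticated Blob REST URL that proves the exposure. The handling of `allowBlobPublicAccess: null` as "not explicitly disabled" is an assumption to be confirmed with an anonymous request, not something the post states.

```python
"""Triage Azure Blob Storage for anonymous (public) exposure.

Added example, not code from the 0xdf post or the HackTricks page. Works on the
JSON that `az storage account list` and `az storage container list` emit; the
sample documents below are constructed and the names are fictitious.
"""
import json
import urllib.error
import urllib.request

# Constructed sample, trimmed to the relevant fields. `az storage account list`
# flattens ARM properties to the top level, while `az rest` / Resource Graph
# nest them under "properties"; prop() below accepts both shapes.
ACCOUNTS_JSON = """[
  {"name": "northpolestore", "allowBlobPublicAccess": true},
  {"name": "lockedvault",    "allowBlobPublicAccess": false},
  {"name": "legacystore",    "properties": {"allowBlobPublicAccess": null}}
]"""

# Constructed sample of `az storage container list --account-name <acct>` per account.
CONTAINERS_JSON = """{
  "northpolestore": [
    {"name": "public-assets", "properties": {"publicAccess": "container"}},
    {"name": "backups",       "properties": {"publicAccess": "blob"}},
    {"name": "internal",      "properties": {"publicAccess": null}}
  ],
  "lockedvault": [
    {"name": "oldpublic",     "properties": {"publicAccess": "container"}}
  ],
  "legacystore": [
    {"name": "dump",          "properties": {"publicAccess": "blob"}}
  ]
}"""

BLOB_HOST = "https://{account}.blob.core.windows.net"


def prop(obj, key):
    """Read a field from either the flattened CLI shape or the nested ARM shape."""
    if key in obj:
        return obj[key]
    return obj.get("properties", {}).get(key)


def effective_access(account, container):
    """Combine the account-level switch with the container's publicAccess.

    Returns one of:
      'container' - anonymous listing and reads
      'blob'      - anonymous reads of known blob URLs, no listing
      'private'   - container requires authentication
      'blocked'   - container is marked public but the account forbids it
    Assumption: allowBlobPublicAccess == null is treated as not disabled (the
    legacy default) and is still reported; confirm with an anonymous request.
    """
    allow = prop(account, "allowBlobPublicAccess")
    mode = (prop(container, "publicAccess") or "").lower()  # CLI: "blob"; ARM: "Blob"
    if mode not in ("container", "blob"):
        return "private"
    if allow is False:
        return "blocked"
    return mode


def anonymous_list_url(account_name, container_name):
    """Blob service REST URL that lists a container without credentials."""
    return f"{BLOB_HOST.format(account=account_name)}/{container_name}?restype=container&comp=list"


def anonymous_blob_url(account_name, container_name, blob_name):
    """Direct blob URL; readable anonymously in both 'blob' and 'container' modes."""
    return f"{BLOB_HOST.format(account=account_name)}/{container_name}/{blob_name}"


def triage(accounts_json, containers_json):
    """Return only the containers reachable anonymously, each with a URL to prove it."""
    accounts = json.loads(accounts_json)
    containers = json.loads(containers_json)
    findings = []
    for acct in accounts:
        for cont in containers.get(acct["name"], []):
            access = effective_access(acct, cont)
            if access not in ("container", "blob"):
                continue
            if access == "container":
                verify = anonymous_list_url(acct["name"], cont["name"])
            else:  # no listing: a blob name must already be known or guessed
                verify = anonymous_blob_url(acct["name"], cont["name"], "<known-blob-name>")
            findings.append({"account": acct["name"], "container": cont["name"],
                             "access": access, "verify": verify})
    return findings


def probe(url, timeout=10):
    """Unauthenticated GET; HTTP 200 proves exposure. Azure typically answers 404
    ResourceNotFound for a private container and 409 PublicAccessNotPermitted when
    the account blocks public access. Network call, not exercised by the samples."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    for f in triage(ACCOUNTS_JSON, CONTAINERS_JSON):
        print(f"{f['account']}/{f['container']}: {f['access']} -> {f['verify']}")
```

Run against real output by piping `az storage account list -o json` and, per account, `az storage container list --account-name <acct> -o json` into the two inputs, then hand each `verify` URL to `probe()` or `curl` from an unauthenticated host; only a 200 on the listing URL (or on a concrete blob URL in `blob` mode) confirms the exposure, since a container flagged public under an account with `allowBlobPublicAccess: false` is reported here as `blocked` and will be refused.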

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/holidayhack2025/act1/blob-storage

Content Categories: Based on the analysis, this content was categorized under "Azure Pentesting -> Az - Services -> Az - Storage Accounts & Blobs (or Az - Storage Unauth / Az - Blob Storage Post Exploitation): add a subsection on auditing allowBlobPublicAccess + container publicAccess (Blob vs Container vs null) and verification via anonymous blob download".

Repository Maintenance:

  • MD Files Formatting: 574 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0