Holiday Hack Challenge 2025 (Act 1) - Spare Key

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://0xdf.gitlab.io/holidayhack2025/act1/spare-key
• Blog Title: Holiday Hack Challenge 2025 (Act 1) - Spare Key
• Suggested Section: Azure Pentesting -> Az - Services -> Az - Storage Accounts & Blobs (or Az - Storage Unauthenticated Enum & Initial Entry) : add a subsection on 'Azure Storage Static Website ($web) secret exposure + SAS token leakage/abuse'

🎯 Content Summary

This post demonstrates a cloud secret-leakage audit against an Azure Storage static website where an administrator accidentally published an infrastructure configuration file containing a long-lived Azure Storage Shared Access Signature (SAS) token. It explains where the leaked token is found, how SAS tokens work as bearer credentials, and why broad permissions plus a far-future expiry makes the leak high risk. The workflow shown uses Azure CLI to enumerate resource groups, storage accounts, con...

🔧 Technical Details

Azure Storage static websites serve content from the special $web container via a website endpoint. Even if container properties show publicAccess as null, files may still be publicly reachable through the static website endpoint; placing secrets or config artifacts into $web can therefore leak them. A repeatable audit pattern is to enumerate Azure resources, identify which storage account has static website enabled, list containers, enumerate blobs in public and $web, and investigate suspicious artifacts such as Terraform tfvars files. For triage, download suspicious blobs for inspection and, if a SAS token is found, parse its fields (sv/ss/srt/sp/se/sig) to assess scope, permissions, and expiry; broad permissions plus a far-future expiry indicates long-lived unauthorized access risk.

🤖 Agent Actions

Summary:

• Added a static website ($web) exposure section to Azure Storage Accounts & Blobs, covering endpoint behavior, audit workflow with az CLI, and risks of leaking IaC/config artifacts via static websites.
• Documented SAS token triage/abuse guidance (field meanings, long-lived scope/permission risks, and usage via --sas-token).
• Updated references to include the Holiday Hack “Spare Key” blog source.

Tests:

• Not run (documentation-only changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/holidayhack2025/act1/spare-key

Content Categories: Based on the analysis, this content was categorized under "Azure Pentesting -> Az - Services -> Az - Storage Accounts & Blobs (or Az - Storage Unauthenticated Enum & Initial Entry) : add a subsection on 'Azure Storage Static Website ($web) secret exposure + SAS token leakage/abuse'".

Repository Maintenance:

• MD Files Formatting: 574 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0