25 changes: 25 additions & 0 deletions src/pentesting-cloud/azure-security/az-services/az-storage.md
Expand Up @@ -65,6 +65,30 @@ If "Allow Blob public access" is **enabled** (disabled by default), when creatin

<figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUfoetUnYBPWQpRrWNnnlbqWpl8Rdoaeg5uBrCVlvcNDlnKwQHjZe8nUb2SfPspBgbu-lCZLmUei-hFi_Jl2eKbaxUtBGTjdUSDmkrcwr90VZkmuMjk9tyh92p75btfyzGiUTa0-=s2048?key=m8TV59TrCFPlkiNnmhYx3aZt" alt=""><figcaption></figcaption></figure>

### Static website (`$web`) exposure & leaked secrets

- **Static websites** are served from the special `$web` container over a region-specific endpoint such as `https://<account>.z13.web.core.windows.net/`.
- The `$web` container may report `publicAccess: null` via the blob API, but files are still reachable through the static site endpoint, so dropping config/IaC artifacts there can leak secrets.
- Quick audit workflow:

```bash
# Identify storage accounts with static website hosting enabled
az storage blob service-properties show --account-name <acc-name> --auth-mode login
# Enumerate containers (including $web) and their public flags
az storage container list --account-name <acc-name> --auth-mode login
# List files served by the static site even when publicAccess is null
az storage blob list --container-name '$web' --account-name <acc-name> --auth-mode login
# Pull suspicious files directly (e.g., IaC tfvars containing secrets/SAS)
az storage blob download -c '$web' --name iac/terraform.tfvars --file /dev/stdout --account-name <acc-name> --auth-mode login
```

- Inspect downloaded files for leaked **SAS tokens** or credentials. SAS params show scope and risk: `sv` (API version), `ss` (services like blob `b`), `srt` (resource types `s`/`c`/`o`), `sp` (permissions such as `r`/`l`/`a`/`c`/`w`/`d`/`x`), `se` (expiry), and `sig` (signature). A wide `sp` set plus far-future `se` indicates a long-lived bearer credential that enables read/list/write/delete until revoked.
- Abuse a recovered SAS immediately, for example:

```bash
az storage blob list --account-name <acc-name> --container-name <target-container> --sas-token "<sv=...&ss=...&srt=...&sp=...&se=...&sig=...>"
```

### Connect to Storage

If you find any **storage** you can connect to you could use the tool [**Microsoft Azure Storage Explorer**](https://azure.microsoft.com/es-es/products/storage/storage-explorer/) to do so.
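Review bot: The first comment in the audit block, `# Identify storage accounts with static website hosting enabled`, does not match the command under it: `az storage blob service-properties show --account-name <acc-name>` reads the properties of one already-named account and enumerates nothing. Reword it to something like `# Check whether static website hosting is enabled on this account`, or show the loop over accounts if enumeration is what is meant. In the SAS bullet, `ss` and `srt` are account SAS fields (a service SAS carries `sr` instead), so say which kind of token the list describes. The closing "until revoked" should also state that a token of this kind stays valid until `se` passes or the account key that signed it is rotated, since that is the remediation for the leak this section covers.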
Expand Down Expand Up @@ -433,6 +457,7 @@ az-file-shares.md
- [https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
- [https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview](https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview)
- [https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support](https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support)
- [Holiday Hack Challenge 2025 – Spare Key (Azure static website SAS leak)](https://0xdf.gitlab.io/holidayhack2025/act1/spare-key)

{{#include ../../../banners/hacktricks-training.md}}
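Review bot: The added reference uses a descriptive title as its link text, while the three entries visible above it in this list use the bare URL as the text. Follow the existing convention for this entry, or convert the neighbouring entries in the same change so the list stays consistent.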
