Day 16
The Wareville’s Key Vault grew three sizes that day.
Welcome to Day 16 of Advent of Cyber!
In this challenge, we step into the role of McSkidy, investigating a potential security breach in Wareville's Azure environment. Our goal is to trace the attack path and understand how an attacker might have gained access to sensitive data, particularly through Azure Key Vault.
Introduction to Azure: Azure, Microsoft's cloud computing platform, provides on-demand services that allow businesses to manage their infrastructure without the complexity of physical hardware. Understanding Azure's key components is essential for our investigation.
Let's begin:
Click on "Cloud Details" to get the credentials.
Click "Join Lab" to generate your credentials and access the lab.
Once logged in, we’ll use Azure Cloud Shell to interact with Azure resources. This browser-based command-line interface allows us to manage resources using Azure CLI.
The command az ad signed-in-user show will display details about the authenticated user.
The first step in the investigation is to enumerate the users and groups in the Azure tenant to understand the environment and identify potential targets.
Run the command:
This will list all users in the Azure tenant. Depending on the number of accounts, this may take a while.
Filter Users of Interest:
Filter users whose names start with "wvusr-"
In the output, one account has an unusual value set in one of its fields: the user wvusr-backupware has its password stored there.
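A defender can run the same check across the whole tenant. The following is an added example, not part of the original walkthrough: it scans saved user list JSON for profile attributes whose value looks like a password. The sample records, the skip list, the heuristic and the function names are assumptions made for illustration.

```python
import json
import string

# Attributes that normally hold identifiers, addresses or phone numbers.
SKIP_FIELDS = {"id", "mail", "userPrincipalName", "businessPhones", "mobilePhone"}


def looks_like_secret(value):
    """Heuristic (assumed for this example): a single token of 8+ characters
    that mixes at least three of lowercase, uppercase, digit, punctuation."""
    if not isinstance(value, str) or len(value) < 8:
        return False
    if any(c.isspace() for c in value):
        return False
    classes = (
        any(c.islower() for c in value),
        any(c.isupper() for c in value),
        any(c.isdigit() for c in value),
        any(c in string.punctuation for c in value),
    )
    return sum(classes) >= 3


def audit_users(users_json):
    """Return (userPrincipalName, field) for each value resembling a password."""
    findings = []
    for user in json.loads(users_json):
        for field, value in user.items():
            if field not in SKIP_FIELDS and looks_like_secret(value):
                findings.append((user.get("userPrincipalName"), field))
    return findings


# Constructed sample in the shape of the user list output; every value is made up.
SAMPLE = json.dumps([
    {"displayName": "wvusr-alpha", "id": "00000000-0000-0000-0000-000000000001",
     "jobTitle": "Toy Engineer", "officeLocation": "Workshop 7",
     "userPrincipalName": "wvusr-alpha@example.com"},
    {"displayName": "wvusr-beta", "id": "00000000-0000-0000-0000-000000000002",
     "jobTitle": None, "officeLocation": "Ex4mple_Pa55!",
     "userPrincipalName": "wvusr-beta@example.com"},
])

if __name__ == "__main__":
    for upn, field in audit_users(SAMPLE):
        print(f"{upn}: value in '{field}' looks like a credential")
```

The heuristic is deliberately loose, so each hit needs manual review; any confirmed credential should be rotated and removed from the attribute.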
Use the command az ad group list to view all groups.
From the output, the Secret Recovery Group is interesting: it is described as a group for recovering Wareville's secrets.
So we look at only that group, listing its members with the command:
az ad group member list --group "Secret Recovery Group"
Now we have the email and password of a new user, so let's jump to that user by clearing the current Azure CLI account session and logging in with the new account.
Let's list the accessible key vaults by executing the command below.
az keyvault list
To list the secrets stored in a vault, pass the vault name:
az keyvault secret list --vault-name warevillesecrets
From the output we can see the name of the secret in the vault.
Now we need to read the contents of the secret stored in the vault.
For this, use:
az keyvault secret show --vault-name warevillesecrets --name aoc2024
1. What is the password for backupware that was leaked?
A: R3c0v3r_s3cr3ts!
2. What is the group ID of the Secret Recovery Group?
A: 7d96660a-02e1-4112-9515-1762d0cb66b7
3. What is the name of the vault secret?
A: aoc2024
4. What are the contents of the secret stored in the vault?
A: WhereIsMyMind1999
Stay tuned for Day 17, and happy hacking! 🎄
Thank you!