Detailed Solution:
Use the app registration credentials recovered from blob storage.
az login --service-principal \
-u '<client-id>' \
-p '<client-secret>' \
--tenant f015f36d-c07f-41fb-9bde-fffc3a22ee8b
Confirm that you are authenticated as a service principal:
az account show
Now enumerate role assignments for the app registration.
az role assignment list \
--assignee '<client-id>' \
--all \
--output table
If the --assignee lookup fails, first resolve the service principal object ID:
az ad sp show \
--id '<client-id>' \
--query id \
--output tsv
Then query role assignments by object ID:
SP_OBJECT_ID=$(az ad sp show --id '<client-id>' --query id -o tsv)
az role assignment list \
--assignee "$SP_OBJECT_ID" \
--all \
--output table
The assigned role is:
Key Vault Secrets User
This role grants data-plane permission to read secret values from Azure Key Vault; that is the lateral movement path to the final flag.
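As an added example (not part of the original solution), the same check from the audit side: the script parses the JSON form of `az role assignment list --all --output json` and lists every principal holding a built-in role that can read Key Vault secret values, the property the walkthrough relies on. The role names are real built-in Azure roles; the assignment records are constructed sample data with placeholder ids.

```python
import json

# Built-in Azure RBAC roles whose data-plane permissions include reading
# secret *values*. "Key Vault Reader" only sees control-plane metadata,
# so it is deliberately excluded.
SECRET_READ_ROLES = {
    "Key Vault Secrets User",
    "Key Vault Secrets Officer",
    "Key Vault Administrator",
}

def find_secret_readers(assignments):
    """Return sorted (principal, role, scope) tuples for every assignment
    that grants secret read.

    `assignments` is the parsed list produced by
    `az role assignment list --all --output json`; the field names used
    here (roleDefinitionName, principalName, principalId, scope) are the
    ones that command emits. A scope above the vault (resource group or
    subscription) is inherited by every vault beneath it.
    """
    hits = []
    for a in assignments:
        if a.get("roleDefinitionName") in SECRET_READ_ROLES:
            principal = a.get("principalName") or a.get("principalId")
            hits.append((principal, a["roleDefinitionName"], a["scope"]))
    return sorted(hits)

# Constructed sample in the shape of `az role assignment list` output,
# with placeholder ids; not data from any real tenant.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalId": "00000000-0000-0000-0000-0000000000a1",
   "principalName": "<client-id>", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Key Vault Secrets User",
   "scope": "/subscriptions/<sub-id>/resourceGroups/rg-vault/providers/Microsoft.KeyVault/vaults/kv-example"},
  {"principalId": "00000000-0000-0000-0000-0000000000b2",
   "principalName": "auditor@example.com", "principalType": "User",
   "roleDefinitionName": "Key Vault Reader",
   "scope": "/subscriptions/<sub-id>/resourceGroups/rg-vault"},
  {"principalId": "00000000-0000-0000-0000-0000000000c3",
   "principalName": "kv-admin-group", "principalType": "Group",
   "roleDefinitionName": "Key Vault Administrator",
   "scope": "/subscriptions/<sub-id>"}
]
""")

if __name__ == "__main__":
    for principal, role, scope in find_secret_readers(SAMPLE_ASSIGNMENTS):
        print(f"{principal:24} {role:28} {scope}")
```

The "Key Vault Reader" assignment is correctly left out, while the subscription-scoped "Key Vault Administrator" is reported because it reaches every vault in the subscription.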
Final Answer:
A. Key Vault Secrets User