Carefully enumerate the accessible Azure Blob Container to locate a file containing credentials for an App Registration within the tenant. What is the Application/Client ID of the discovered App Registration?
A compromised principal has permission to list role assignments. Identify which user has the User Access Administrator role at the resource group scope.
Using the Azure access of the second compromised user, perform lateral movement within the environment to discover sensitive information. What is the flag uncovered during this activity?
From inside the App Service environment, request an Azure Resource Manager token using the managed identity endpoint. Which resource value should be requested for Azure Resource Manager access?
After gaining access to the Azure tenant, enumerate all resource groups available to the compromised user. One resource group contains the word prod. What is the name of that resource group?
The compromised service principal has Contributor access to a resource group but no direct Key Vault data-plane role. Can it immediately read Key Vault secret values?
During App Service enumeration, you discover that the compromised user can read App Service application settings. Find the hidden flag stored in the application settings.
You have been given a breached Azure user credential for an authorized lab tenant:
james.ward@cloudcorpsec.onmicrosoft.com
After logging in, identify the Azure Tenant ID and Subscription ID associated with the account.
Using the previously retrieved credentials, authenticate as the App Registration within the tenant and enumerate potential lateral movement vectors. Which of the following roles is assigned to the App Registration?