SIMULATION
After gaining access to the Azure tenant, enumerate all resource groups available to the compromised user. One resource group contains the word prod. What is the name of that resource group?
Answer : A
rg-prod-apps-eastus
Detailed Solution:
List accessible resource groups:
az group list --output table
For a cleaner search:
az group list \
--query "[?contains(name, 'prod')].{Name:name,Location:location}" \
--output table
Expected output:
Name Location
-------------------- ----------
rg-prod-apps-eastus eastus
The resource group containing prod is:
rg-prod-apps-eastus
================
Using the managed identity principal ID discovered in the previous task, identify which Azure RBAC role is assigned to it.
Answer : C
Detailed Solution:
Query role assignments for the managed identity principal:
az role assignment list \
--assignee b72a4c19-92f6-47f3-b3dd-9db5a31831d1 \
--all \
--output table
Expected output:
Principal Role Scope
------------------------------------ ---------------------- ----------------------------------------------
b72a4c19-92f6-47f3-b3dd-9db5a31831d1 Key Vault Secrets User /subscriptions/.../resourceGroups/rg-prod-apps-eastus
The assigned role is:
Key Vault Secrets User
Azure RBAC role assignments can be granted to users, groups, service principals, and managed identities.
================
SIMULATION
You discover a storage account named prodreportstore01. Determine whether public blob access is enabled on the storage account.
Answer : A
allowBlobPublicAccess: true
Detailed Solution:
Run:
az storage account show \
--name prodreportstore01 \
--resource-group rg-prod-apps-eastus \
--query '{Name:name,AllowBlobPublicAccess:allowBlobPublicAccess}' \
--output json
Expected output:
{
"Name": "prodreportstore01",
"AllowBlobPublicAccess": true
}
This means public blob access is enabled at the storage-account level. That does not automatically mean every container is public, but it permits public container/blob exposure if configured.
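The account-level flag is only a gate, as the note above says; the added example below (not part of the original walkthrough) combines it with each container's own publicAccess setting to report which containers are actually anonymously readable. The sample JSON is constructed to mirror the trimmed shape of `az storage account show` and `az storage container list` output; the account and container names are placeholders.

```python
import json
import subprocess

# Constructed sample: shapes mirror `az storage account show -o json` and
# `az storage container list -o json`, trimmed to the fields used here.
SAMPLE_ACCOUNT = json.loads('{"name": "prodreportstore01", "allowBlobPublicAccess": true}')
SAMPLE_CONTAINERS = json.loads("""
[
  {"name": "reports", "properties": {"publicAccess": "blob"}},
  {"name": "exports", "properties": {"publicAccess": "container"}},
  {"name": "private", "properties": {"publicAccess": null}}
]
""")


def exposed_containers(account: dict, containers: list) -> list:
    """Return (container, level) pairs that are anonymously readable.

    allowBlobPublicAccess is a gate, not a verdict: when it is false no
    container is public whatever its own setting; when it is true only
    containers with publicAccess 'blob' (individual blobs) or 'container'
    (blobs plus listing) are exposed. null means private.
    """
    if not account.get("allowBlobPublicAccess", False):
        return []
    return [
        (c["name"], c["properties"]["publicAccess"])
        for c in containers
        if c.get("properties", {}).get("publicAccess") in ("blob", "container")
    ]


def load_from_az(name: str, resource_group: str) -> tuple:
    """Fetch live data with the az CLI (needs an authenticated session)."""
    def az(*args):
        return json.loads(subprocess.check_output(["az", *args, "--output", "json"]))
    account = az("storage", "account", "show", "--name", name,
                 "--resource-group", resource_group)
    containers = az("storage", "container", "list", "--account-name", name,
                    "--auth-mode", "login")
    return account, containers


if __name__ == "__main__":
    for cname, level in exposed_containers(SAMPLE_ACCOUNT, SAMPLE_CONTAINERS):
        print(f"{SAMPLE_ACCOUNT['name']}/{cname}: anonymous read ({level})")
    # Account-level fix: az storage account update --name <acct> --allow-blob-public-access false
```

With the sample data, `reports` and `exports` are reported and `private` is not; flipping `allowBlobPublicAccess` to false empties the list regardless of container settings.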
================
SIMULATION
You've gained access to the Azure environment; now dig deeper. One of the accessible resources contains a hidden flag.
Answer : A
Flag{a92f7e0c3c4b9d88a1f54e6723d4c1a2}
Detailed Solution:
Start by listing all Azure resources accessible to the compromised user.
az resource list --output table
The environment exposes at least these resources:
Name ResourceGroup Location Type
------------------- -------------------- ---------- ------------------------------------------------
RnD-Tools Excalibur-Resources ukwest Microsoft.Web/sites
WebAppTokenIdentity Excalibur-Resources ukwest Microsoft.ManagedIdentity/userAssignedIdentities
The most interesting target is the App Service:
RnD-Tools
Web Apps often store configuration values in App Settings. These commonly contain secrets, flags, API keys, connection strings, or credentials.
Query the App Service application settings:
az webapp config appsettings list \
--name RnD-Tools \
--resource-group Excalibur-Resources \
--output json
Look for keys such as:
Flag
secret
password
token
connectionString
clientSecret
The exposed app setting contains:
{
"name": "Flag",
"slotSetting": false,
"value": "Flag{a92f7e0c3c4b9d88a1f54e6723d4c1a2}"
}
Final Answer:
Flag{a92f7e0c3c4b9d88a1f54e6723d4c1a2}
================
SIMULATION
A compromised principal has permission to list role assignments. Identify which user has the User Access Administrator role at the resource group scope.
Answer : A
olivia.admin@cloudcorpsec.onmicrosoft.com
Detailed Solution:
Run:
az role assignment list \
--resource-group rg-prod-apps-eastus \
--all \
--output table
Or filter by role:
az role assignment list \
--resource-group rg-prod-apps-eastus \
--role 'User Access Administrator' \
--query '[].{Principal:principalName,Role:roleDefinitionName,Scope:scope}' \
--output table
Expected output:
Principal Role Scope
------------------------------------- ------------------------- ----------------------------
olivia.admin@cloudcorpsec.onmicrosoft.com User Access Administrator /subscriptions/.../rg-prod-apps-eastus
Final answer:
olivia.admin@cloudcorpsec.onmicrosoft.com
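Both RBAC questions above (Key Vault Secrets User on a managed identity, User Access Administrator on a user) come down to reading `az role assignment list` output. The added example below, which is not part of the original solutions, turns that listing into an audit: it classifies each assignment's scope and flags roles that can re-grant access, plus non-human identities holding roles above the single resource they need. The assignments are constructed sample data in the shape of `az role assignment list --all -o json`; `SUB-ID`, `platform-ops` and `ci-deployer` are placeholders.

```python
import json

# Constructed sample mirroring `az role assignment list --all -o json`
# (only the fields the audit needs are kept).
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"principalName": "b72a4c19-92f6-47f3-b3dd-9db5a31831d1", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Key Vault Secrets User",
   "scope": "/subscriptions/SUB-ID/resourceGroups/rg-prod-apps-eastus"},
  {"principalName": "olivia.admin@cloudcorpsec.onmicrosoft.com", "principalType": "User",
   "roleDefinitionName": "User Access Administrator",
   "scope": "/subscriptions/SUB-ID/resourceGroups/rg-prod-apps-eastus"},
  {"principalName": "platform-ops", "principalType": "Group",
   "roleDefinitionName": "Reader", "scope": "/subscriptions/SUB-ID"},
  {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Owner", "scope": "/subscriptions/SUB-ID"}
]
""")

# Roles that can grant or change access for others: if the holder is
# compromised, every other assignment in that scope is reachable.
ACCESS_CONTROL_ROLES = {"Owner", "User Access Administrator"}


def scope_level(scope: str) -> str:
    """Classify an ARM scope string by how broad it is."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[0] == "providers" and "managementGroups" in parts:
        return "managementGroup"
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def audit_role_assignments(assignments: list) -> list:
    """Return findings for assignments that deserve a reviewer's attention."""
    findings = []
    for a in assignments:
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        if role in ACCESS_CONTROL_ROLES:
            reason = f"{role} at {level} scope can re-grant access"
        elif a["principalType"] == "ServicePrincipal" and level != "resource":
            # Managed identities show up as ServicePrincipal; a data-plane role
            # on a whole resource group is broader than the one vault they use.
            reason = f"non-human identity holds {role} above resource scope"
        else:
            continue
        findings.append({"principal": a["principalName"], "type": a["principalType"],
                         "role": role, "scope": level, "reason": reason})
    return findings
```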
================
While exploring the table storage, you've uncovered information that provides limited access to a storage account. Using this access, enumerate the blob containers. Which of the following containers is available?
Answer : C
Detailed Solution:
From Q7, you should recover a limited-access SAS token or storage access information.
Set the storage account name and SAS token:
ACCOUNT='excaliburstore'
SAS='<recovered-sas-token>'
List containers:
az storage container list \
--account-name "$ACCOUNT" \
--sas-token "$SAS" \
--output table
The available container is:
sensitive-files
You can also confirm directly:
az storage blob list \
--account-name "$ACCOUNT" \
--container-name sensitive-files \
--sas-token "$SAS" \
--output table
Final Answer:
C. sensitive-files
================
SIMULATION
During App Service enumeration, you discover that the compromised user can read App Service application settings. Find the hidden flag stored in the application settings.
Answer : A
Flag{app_settings_should_not_store_secrets}
Detailed Solution:
Query App Service settings:
az webapp config appsettings list \
--name finance-reporting-api \
--resource-group rg-prod-apps-eastus \
--output json
Search for suspicious keys:
az webapp config appsettings list \
--name finance-reporting-api \
--resource-group rg-prod-apps-eastus \
--query "[?contains(name, 'FLAG') || contains(name, 'Flag') || contains(name, 'SECRET')]" \
--output table
Expected output:
Name SlotSetting Value
---------- ------------- ----------------------------------------
APP_FLAG False Flag{app_settings_should_not_store_secrets}
The flag is:
Flag{app_settings_should_not_store_secrets}
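The flag's own text makes the defensive point: App Settings should hold Key Vault references, not secrets. The added example below (not part of the original solution) audits the JSON from `az webapp config appsettings list` and separates settings that are `@Microsoft.KeyVault(...)` references from ones carrying a secret in plain text, whether the key name gives it away or only the value does. The settings are constructed sample data; the key names, the Key Vault URL and the flag value are placeholders.

```python
import json
import re

# Constructed sample mirroring `az webapp config appsettings list -o json`.
SAMPLE_SETTINGS = json.loads("""
[
  {"name": "APP_FLAG", "slotSetting": false, "value": "Flag{constructed_sample_value}"},
  {"name": "DbConnectionString", "slotSetting": false,
   "value": "Server=tcp:db.example.net;User ID=app;Password=hunter2;"},
  {"name": "ApiClientSecret", "slotSetting": false,
   "value": "@Microsoft.KeyVault(SecretUri=https://kv-example.vault.azure.net/secrets/api-client/0123)"},
  {"name": "WEBSITE_RUN_FROM_PACKAGE", "slotSetting": false, "value": "1"}
]
""")

# Key names that usually carry credentials, and value patterns that betray
# a credential even under an innocuous name.
SENSITIVE_NAME = re.compile(
    r"(secret|password|passwd|pwd|token|(api|account|access)[_-]?key|connection[_-]?string|flag)",
    re.I)
SENSITIVE_VALUE = re.compile(
    r"(password=|pwd=|accountkey=|sharedaccesssignature=|[?&]sig=|flag\{)", re.I)
# App Service resolves this syntax from Key Vault at startup; the portal and
# the CLI show the reference, not the secret behind it.
KV_REFERENCE = re.compile(r"^@Microsoft\.KeyVault\((SecretUri|VaultName)=", re.I)


def classify(setting: dict) -> str:
    """keyvault-reference, plaintext-secret or ok for one app setting."""
    name, value = setting["name"], setting.get("value") or ""
    if KV_REFERENCE.match(value):
        return "keyvault-reference"
    if SENSITIVE_NAME.search(name) or SENSITIVE_VALUE.search(value):
        return "plaintext-secret"
    return "ok"


def audit_app_settings(settings: list) -> dict:
    """Map each setting name to its classification."""
    return {s["name"]: classify(s) for s in settings}


if __name__ == "__main__":
    for name, verdict in audit_app_settings(SAMPLE_SETTINGS).items():
        print(f"{verdict:18} {name}")
```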
================