The SecOps Group Certified Cloud Pentesting eXpert - Azure CCPenX-Az Exam Questions

Page: 1 / 14
Total 31 questions
Question 1

SIMULATION

After gaining access to the Azure tenant, enumerate all resource groups available to the compromised user. One resource group contains the word prod. What is the name of that resource group?



Answer : A

rg-prod-apps-eastus

Detailed Solution:

List accessible resource groups:

az group list --output table

For a cleaner search (the JMESPath filter is wrapped in double quotes so the inner single quotes around prod survive the shell):

az group list \
  --query "[?contains(name, 'prod')].{Name:name,Location:location}" \
  --output table

Expected output:

Name                 Location
-------------------  ----------
rg-prod-apps-eastus  eastus

The resource group containing prod is:

rg-prod-apps-eastus

================


Question 2

Using the managed identity principal ID discovered in the previous task, identify which Azure RBAC role is assigned to it.



Answer : C

Detailed Solution:

Query role assignments for the managed identity principal:

az role assignment list \
  --assignee b72a4c19-92f6-47f3-b3dd-9db5a31831d1 \
  --all \
  --output table

Expected output:

Principal                             Role                    Scope
------------------------------------  ----------------------  ----------------------------------------------
b72a4c19-92f6-47f3-b3dd-9db5a31831d1  Key Vault Secrets User  /subscriptions/.../resourceGroups/rg-prod-apps-eastus

The assigned role is:

Key Vault Secrets User

Azure RBAC role assignments can be granted to users, groups, service principals, and managed identities.

================


Question 3

SIMULATION

You discover a storage account named prodreportstore01. Determine whether public blob access is enabled on the storage account.



Answer : A

allowBlobPublicAccess: true

Detailed Solution:

Run:

az storage account show \
  --name prodreportstore01 \
  --resource-group rg-prod-apps-eastus \
  --query '{Name:name,AllowBlobPublicAccess:allowBlobPublicAccess}' \
  --output json

Expected output (the CLI emits standard JSON with double-quoted keys):

{
  "Name": "prodreportstore01",
  "AllowBlobPublicAccess": true
}

This means public blob access is enabled at the storage-account level. That does not automatically mean every container is public, but it permits public container/blob exposure if configured.
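The two-level rule above (account switch plus per-container public access level) is easy to get wrong when reading raw CLI output, so here is an added example, not part of the original question bank, that computes the effective exposure of each container from constructed JSON shaped like the output of az storage account show and az storage container list. Account and container names are made up.

```python
import json

# Constructed sample: field names follow `az storage account show`
# (allowBlobPublicAccess) and `az storage container list`
# (properties.publicAccess); the accounts and containers are invented.
ACCOUNTS_JSON = """[
  {"name": "prodreportstore01", "allowBlobPublicAccess": true,
   "containers": [
     {"name": "reports", "properties": {"publicAccess": "blob"}},
     {"name": "archive", "properties": {"publicAccess": null}}]},
  {"name": "devstore02", "allowBlobPublicAccess": false,
   "containers": [
     {"name": "public", "properties": {"publicAccess": "container"}}]}
]"""

def effective_exposure(account):
    """Return {container: status}, status being 'anonymous-blob',
    'anonymous-list', 'private' or 'blocked-by-account'.

    Anonymous reads need BOTH the account-level switch and a
    container-level public access setting; either one alone is not enough.
    """
    out = {}
    for c in account["containers"]:
        level = c["properties"].get("publicAccess")  # 'blob', 'container' or None
        if level is None:
            out[c["name"]] = "private"
        elif not account["allowBlobPublicAccess"]:
            out[c["name"]] = "blocked-by-account"   # account switch overrides the container
        elif level == "container":
            out[c["name"]] = "anonymous-list"       # blobs readable and listable
        else:
            out[c["name"]] = "anonymous-blob"       # blobs readable if the URL is known
    return out

def audit(accounts_json):
    """Only the containers that are actually reachable anonymously."""
    findings = {}
    for acct in json.loads(accounts_json):
        for name, status in effective_exposure(acct).items():
            if status.startswith("anonymous"):
                findings[f"{acct['name']}/{name}"] = status
    return findings

if __name__ == "__main__":
    for path, status in audit(ACCOUNTS_JSON).items():
        print(f"{path}: {status}")
```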

================


Question 4

SIMULATION

You've gained access to the Azure environment, now dig deeper. One of the accessible resources contains a hidden flag.



Answer : A

Flag{a92f7e0c3c4b9d88a1f54e6723d4c1a2}

Detailed Solution:

Start by listing all Azure resources accessible to the compromised user.

az resource list --output table

The environment exposes at least these resources:

Name                 ResourceGroup         Location  Type
-------------------  --------------------  --------  ------------------------------------------------
RnD-Tools            Excalibur-Resources   ukwest    Microsoft.Web/sites
WebAppTokenIdentity  Excalibur-Resources   ukwest    Microsoft.ManagedIdentity/userAssignedIdentities

The most interesting target is the App Service:

RnD-Tools

Web Apps often store configuration values in App Settings. These commonly contain secrets, flags, API keys, connection strings, or credentials.

Query the App Service application settings:

az webapp config appsettings list \
  --name RnD-Tools \
  --resource-group Excalibur-Resources \
  --output json

Look for keys such as Flag, secret, password, token, connectionString and clientSecret.

The exposed app setting contains:

{
  "name": "Flag",
  "slotSetting": false,
  "value": "Flag{a92f7e0c3c4b9d88a1f54e6723d4c1a2}"
}

Final Answer:

Flag{a92f7e0c3c4b9d88a1f54e6723d4c1a2}

================


Question 5

SIMULATION

A compromised principal has permission to list role assignments. Identify which user has the User Access Administrator role at the resource group scope.



Answer : A

olivia.admin@cloudcorpsec.onmicrosoft.com

Detailed Solution:

Run:

az role assignment list \
  --resource-group rg-prod-apps-eastus \
  --all \
  --output table

Or filter by role:

az role assignment list \
  --resource-group rg-prod-apps-eastus \
  --role 'User Access Administrator' \
  --query '[].{Principal:principalName,Role:roleDefinitionName,Scope:scope}' \
  --output table

Expected output:

Principal                                  Role                       Scope
-----------------------------------------  -------------------------  ----------------------------
olivia.admin@cloudcorpsec.onmicrosoft.com  User Access Administrator  /subscriptions/.../rg-prod-apps-eastus

Final answer:

olivia.admin@cloudcorpsec.onmicrosoft.com
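Questions 2 and 5 both read role assignments at one scope, but Azure RBAC inherits downward, so an Owner assigned at the subscription is just as effective over rg-prod-apps-eastus as a User Access Administrator assigned directly on it. The added example below (not part of the original question bank) resolves the privileged principals effective at a scope, direct or inherited, from constructed JSON in the shape of az role assignment list --all --output json; the subscription id and the group name are invented, the other principals mirror the questions.

```python
import json

# Constructed sample shaped like `az role assignment list --all --output json`
# (only the fields used here). The subscription id and the group are invented.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-prod-apps-eastus"
ASSIGNMENTS_JSON = json.dumps([
    {"principalName": "olivia.admin@cloudcorpsec.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "User Access Administrator",
     "scope": RG},
    {"principalName": "b72a4c19-92f6-47f3-b3dd-9db5a31831d1",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Key Vault Secrets User",
     "scope": RG},
    {"principalName": "platform-owners", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": SUB},
])

# Roles that can grant or change permissions for other principals.
PRIVILEGED = {"Owner", "User Access Administrator"}

def applies_to(assignment_scope, target_scope):
    """An assignment at a scope applies to that scope and everything beneath it."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def privileged_at(assignments_json, target_scope):
    """(principal, role, 'direct'|'inherited') for every privileged role
    effective at target_scope, sorted for stable output."""
    hits = []
    for ra in json.loads(assignments_json):
        if ra["roleDefinitionName"] not in PRIVILEGED:
            continue
        if not applies_to(ra["scope"], target_scope):
            continue
        origin = "direct" if ra["scope"].lower() == target_scope.lower() else "inherited"
        hits.append((ra["principalName"], ra["roleDefinitionName"], origin))
    return sorted(hits)

if __name__ == "__main__":
    for principal, role, origin in privileged_at(ASSIGNMENTS_JSON, RG):
        print(f"{principal:45} {role:28} {origin}")
```

The CLI can do the same lookup server-side with az role assignment list --include-inherited; the point of the function is that a review of a single scope is incomplete without the parent scopes.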

================


Question 6

While exploring the table storage, you've uncovered information that provides limited access to a storage account. Using this access, enumerate the blob containers. Which of the following containers is available?



Answer : C

Detailed Solution:

From Q7, you should recover a limited-access SAS token or storage access information.

Set the storage account name and SAS token:

ACCOUNT='excaliburstore'
SAS='<recovered-sas-token>'

List containers (the variables are double-quoted so the shell expands them):

az storage container list \
  --account-name "$ACCOUNT" \
  --sas-token "$SAS" \
  --output table

The available container is:

sensitive-files

You can also confirm directly:

az storage blob list \
  --account-name "$ACCOUNT" \
  --container-name sensitive-files \
  --sas-token "$SAS" \
  --output table

Final Answer:

C. sensitive-files

================


Question 7

SIMULATION

During App Service enumeration, you discover that the compromised user can read App Service application settings. Find the hidden flag stored in the application settings.



Answer : A

Flag{app_settings_should_not_store_secrets}

Detailed Solution:

Query App Service settings:

az webapp config appsettings list \
  --name finance-reporting-api \
  --resource-group rg-prod-apps-eastus \
  --output json

Search for suspicious keys (double quotes around the JMESPath expression keep the inner single quotes intact):

az webapp config appsettings list \
  --name finance-reporting-api \
  --resource-group rg-prod-apps-eastus \
  --query "[?contains(name, 'FLAG') || contains(name, 'Flag') || contains(name, 'SECRET')]" \
  --output table

Expected output:

Name      SlotSetting  Value
--------  -----------  -------------------------------------------
APP_FLAG  False        Flag{app_settings_should_not_store_secrets}

The flag is:

Flag{app_settings_should_not_store_secrets}
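Questions 4 and 7 both come down to spotting secrets that were placed in App Settings instead of Key Vault. The added example below (not from the original question bank) audits constructed JSON in the shape of az webapp config appsettings list --output json: it flags plaintext secrets by key name and by value shape, and treats a Key Vault reference (the @Microsoft.KeyVault(...) syntax App Service resolves at runtime) as the acceptable pattern. The setting names and values are invented apart from the flag format shown in the questions.

```python
import json
import re

# Constructed sample shaped like `az webapp config appsettings list --output json`.
# Values are invented; the vault name kv-example is a placeholder.
APP_SETTINGS_JSON = json.dumps([
    {"name": "APP_FLAG", "slotSetting": False,
     "value": "Flag{app_settings_should_not_store_secrets}"},
    {"name": "StorageConnection", "slotSetting": False,
     "value": "DefaultEndpointsProtocol=https;AccountName=x;AccountKey=AAAA;EndpointSuffix=core.windows.net"},
    {"name": "DbPassword", "slotSetting": True,
     "value": "@Microsoft.KeyVault(SecretUri=https://kv-example.vault.azure.net/secrets/DbPassword/)"},
    {"name": "WEBSITE_NODE_DEFAULT_VERSION", "slotSetting": False, "value": "~18"},
])

# Key names that usually hold credentials (case-insensitive).
SUSPECT_KEY = re.compile(r"(secret|password|passwd|token|apikey|flag|connectionstring|clientsecret)", re.I)
# Value shapes that are secrets whatever the key is called.
SUSPECT_VALUE = re.compile(r"(Flag\{[0-9A-Za-z_]+\}|AccountKey=|SharedAccessSignature=)")
# Key Vault reference: the platform fetches the secret, the setting holds no plaintext.
KV_REF = re.compile(r"^@Microsoft\.KeyVault\(", re.I)

def classify(setting):
    """'keyvault-reference', 'plaintext-secret', 'suspect-key' or 'ok'."""
    name, value = setting["name"], setting.get("value") or ""
    if KV_REF.match(value):
        return "keyvault-reference"
    if SUSPECT_VALUE.search(value):
        return "plaintext-secret"
    if SUSPECT_KEY.search(name):
        return "suspect-key"        # name says credential, value shape unrecognised
    return "ok"

def audit_app_settings(settings_json):
    """Return {setting name: classification} for everything that is not 'ok'."""
    findings = {}
    for s in json.loads(settings_json):
        verdict = classify(s)
        if verdict != "ok":
            findings[s["name"]] = verdict
    return findings

if __name__ == "__main__":
    for name, verdict in audit_app_settings(APP_SETTINGS_JSON).items():
        print(f"{name:30} {verdict}")
```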

================

