Azure Blob Storage


Last updated 3 months ago

Blob storage is used to store unstructured data (such as files, videos, audio, etc.). There are three types of resources in blob storage:

  1. Storage account - a globally unique namespace across Azure (reachable over HTTP and HTTPS)

  2. Container in the storage account (a storage account may hold multiple containers) - these act as the 'folders' of the storage account

  3. Blob in a container - stores the actual data. There are three types of blobs: block, append and page blobs.

Storage account endpoints

A storage account has globally unique endpoints (for blob storage, <account>.blob.core.windows.net). This is also useful during enumeration: guessing storage account names and checking whether the corresponding endpoint exists.

Storage Account Access

Storage accounts support RBAC. For example, the 'Storage Blob Data Reader' role allows an identity to read the data inside the storage account. Besides RBAC, storage accounts also support access keys.

Access keys are not rotated by default.

Anonymous access

By default, anonymous access is not allowed for storage accounts. If it is enabled, however, it grants the public read access to blobs or even whole containers. We can enumerate these using MicroBurst:

Invoke-EnumerateAzureBlobs -Base x
Found Storage Account -  xcodebackup.blob.core.windows.net
Found Storage Account -  xcommon.blob.core.windows.net

If you have found a container that allows you to list blobs (files), you can list those files using:

https://xcommon.blob.core.windows.net/backup?restype=container&comp=list

The listing shows a blob called "blob_client.py"; to access the file we browse to

https://xcommon.blob.core.windows.net/backup/blob_client.py

Check the downloaded files for interesting secrets that allow access to other storage accounts.

If a file contains a SAS URL, we can use Azure Storage Explorer to connect to that container.

Storage Container

List the containers of a storage account through an Az PowerShell storage context:

Get-AzStorageContainer -Context (New-AzStorageContext -StorageAccountName defcorpcodebackup)

Versioning

There may be deleted or overwritten files that we can recover as previous blob versions. We can check for versions using curl:

curl -H "x-ms-version: 2019-12-12" 'https://XXXX.blob.core.windows.net/RESOURCE?restype=container&comp=list&include=versions' | xmllint --format - | less

Note that we include the x-ms-version header because without it Azure does not support the include=versions parameter. If there are any hits, download the specific version of the file using curl:

curl -H "x-ms-version: 2019-12-12" 'https://XXXX.blob.core.windows.net/RESOURCE/myzip.zip?versionId=2024-03-29T20:55:40.8265593Z'  -o myzip.zip
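As an added example (not from the original notes), the following Python parses the List Blobs XML that the listing and versioning URLs above return, and reports which superseded versions are still retrievable. It serves both the anonymous-access and the versioning sections. The sample responses are constructed: the account `examplecommon`, the container `backup` and the version ids are made up, and the `fetch_listing` helper is the only part that touches the network.

```python
"""Parse Azure Blob Storage 'List Blobs' responses, with and without versions.

Added example (not part of the original notes). It assumes the public
List Blobs REST format: EnumerationResults/Blobs/Blob elements carrying
Name, optional VersionId / IsCurrentVersion, and Properties/Content-Length.
The sample responses below are constructed; account, container, blob names
and version ids in them are made up.
"""
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Service version used in the curl commands above; older versions reject include=versions.
X_MS_VERSION = "2019-12-12"


@dataclass
class BlobEntry:
    name: str
    version_id: Optional[str]   # None when the listing was made without include=versions
    is_current: bool            # False for superseded versions that are still retrievable
    content_length: Optional[int]


def list_url(account: str, container: str, include_versions: bool = False) -> str:
    """Anonymous List Blobs URL for a container, optionally asking for versions."""
    url = f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"
    if include_versions:
        url += "&include=versions"
    return url


def version_url(account: str, container: str, blob: str, version_id: str) -> str:
    """URL that fetches one specific (possibly superseded) version of a blob."""
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?versionId={version_id}"


def fetch_listing(url: str, timeout: float = 10.0) -> str:
    """Network call (not used in the offline demo): request with the x-ms-version header."""
    req = urllib.request.Request(url, headers={"x-ms-version": X_MS_VERSION})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_listing(xml_text: str) -> List[BlobEntry]:
    """Convert a List Blobs XML document into BlobEntry records (one page; a non-empty NextMarker means more pages)."""
    root = ET.fromstring(xml_text.lstrip("\ufeff"))  # real responses may start with a BOM
    entries: List[BlobEntry] = []
    for blob in root.iterfind("./Blobs/Blob"):
        version_id = blob.findtext("VersionId")
        # Without include=versions there is no VersionId and every row is the live blob;
        # with it, only rows flagged IsCurrentVersion=true are live.
        is_current = version_id is None or blob.findtext("IsCurrentVersion", "false").lower() == "true"
        length = blob.findtext("./Properties/Content-Length")
        entries.append(BlobEntry(
            name=blob.findtext("Name", ""),
            version_id=version_id,
            is_current=is_current,
            content_length=int(length) if length is not None else None,
        ))
    return entries


def previous_versions(entries: List[BlobEntry]) -> List[BlobEntry]:
    """Superseded versions: data absent from the current listing but still downloadable."""
    return [e for e in entries if not e.is_current]


def versions_per_blob(entries: List[BlobEntry]) -> Dict[str, int]:
    """How many versions each blob name has in the listing."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.name] = counts.get(e.name, 0) + 1
    return counts


# Constructed sample: a container listing requested with include=versions.
SAMPLE_VERSIONED_LISTING = """<EnumerationResults ServiceEndpoint="https://examplecommon.blob.core.windows.net/" ContainerName="backup">
  <Blobs>
    <Blob><Name>blob_client.py</Name><VersionId>2024-03-29T20:55:40.0000001Z</VersionId>
      <IsCurrentVersion>true</IsCurrentVersion><Properties><Content-Length>1337</Content-Length></Properties></Blob>
    <Blob><Name>myzip.zip</Name><VersionId>2024-03-28T09:12:01.0000000Z</VersionId>
      <Properties><Content-Length>4096</Content-Length></Properties></Blob>
    <Blob><Name>myzip.zip</Name><VersionId>2024-03-29T20:55:40.0000002Z</VersionId>
      <IsCurrentVersion>true</IsCurrentVersion><Properties><Content-Length>2048</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""

# Constructed sample: the same container listed without include=versions.
SAMPLE_PLAIN_LISTING = """<EnumerationResults ServiceEndpoint="https://examplecommon.blob.core.windows.net/" ContainerName="backup">
  <Blobs>
    <Blob><Name>blob_client.py</Name><Properties><Content-Length>1337</Content-Length></Properties></Blob>
    <Blob><Name>myzip.zip</Name><Properties><Content-Length>2048</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_VERSIONED_LISTING)
    print("versions per blob:", versions_per_blob(entries))
    for old in previous_versions(entries):
        print("superseded version:", version_url("examplecommon", "backup", old.name, old.version_id))
```

Pointed at your own storage accounts, `parse_listing(fetch_listing(list_url(account, container)))` succeeding anonymously confirms that public container listing is still enabled, and `previous_versions` shows which older versions of overwritten or deleted blobs are still exposed through versioning; the plain listing without include=versions hides them, which is why the header and parameter matter.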
