Azure Blob Storage

Blob storage is used to store unstructured data (such as files, videos, audio, etc.). There are three types of resources in blob storage:

  1. Storage account - Unique namespace across Azure (can be accessed over HTTP and HTTPS)

  2. Container - Lives in the storage account (a storage account may hold multiple containers); also known as the 'folders' of the storage account

  3. Blob in a container - Stores data. Three types of blobs - Block, append and page blobs.

Storage account endpoints

A storage account has globally unique endpoints. This is also very useful for enumeration, since storage account names can be guessed.

Storage Account Access

Storage accounts support RBAC. For example, the 'Storage Blob Data Reader' role allows an identity to read the data inside the storage account. Other than that, storage accounts support access keys.

Access keys are not rotated by default.

Anonymous access

By default, anonymous access is not allowed for storage accounts. However, if enabled, it gives the public read access to blobs or even whole containers. We can enumerate these using MicroBurst:

Invoke-EnumerateAzureBlobs -Base x
Found Storage Account -  xcodebackup.blob.core.windows.net
Found Storage Account -  xcommon.blob.core.windows.net

If you have found a container that allows you to list blobs (files), you can list those files using:

https://xcommon.blob.core.windows.net/backup?restype=container&comp=list

It contains a blob called "blob_client.py". To access the file, we can go to:

https://xcommon.blob.core.windows.net/backup/blob_client.py

Check for interesting secrets that allow access to other storage accounts.

If it contains a SAS URL, we can use Azure Storage Explorer to connect to that container.

Storage Container

Get containers context

Get-AzStorageContainer -Context (New-AzStorageContext -StorageAccountName defcorpcodebackup)

Versioning

Maybe there are deleted files that we can recover. We can check for versioning using curl:

curl -H "x-ms-version: 2019-12-12" 'https://XXXX.blob.core.windows.net/RESOURCE?restype=container&comp=list&include=versions' | xmllint --format - | less

Note that we include the x-ms-version header because otherwise this is not supported by Azure. If there are any hits, download the file using curl:

curl -H "x-ms-version: 2019-12-12" 'https://XXXX.blob.core.windows.net/RESOURCE/myzip.zip?versionId=2024-03-29T20:55:40.8265593Z'  -o myzip.zip
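
From the defender's side, the same listing shows what stays retrievable after a secret is overwritten or deleted in a versioned container. The Python sketch below is an added example, not part of the original notes: the XML is a constructed sample of the include=versions listing, and the function name audit_versions is hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of a List Blobs response (include=versions); not real data.
SAMPLE_LISTING = """<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="backup">
  <Blobs>
    <Blob><Name>blob_client.py</Name><VersionId>2024-03-01T10:00:00.0000000Z</VersionId>
      <Properties><Content-Length>812</Content-Length></Properties></Blob>
    <Blob><Name>blob_client.py</Name><VersionId>2024-03-05T09:30:00.0000000Z</VersionId>
      <IsCurrentVersion>true</IsCurrentVersion>
      <Properties><Content-Length>640</Content-Length></Properties></Blob>
    <Blob><Name>myzip.zip</Name><VersionId>2024-03-02T12:00:00.0000000Z</VersionId>
      <Properties><Content-Length>20480</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""


def audit_versions(listing_xml):
    """Group listed versions by blob name and flag content that was
    overwritten or deleted but is still retrievable by versionId."""
    versions = defaultdict(list)
    for blob in ET.fromstring(listing_xml).iter("Blob"):
        versions[blob.findtext("Name")].append({
            "version_id": blob.findtext("VersionId"),
            # The service marks only the current version with this element.
            "current": blob.findtext("IsCurrentVersion", "").lower() == "true",
            "size": int(blob.findtext("Properties/Content-Length", "0")),
        })
    findings = []
    for name, items in sorted(versions.items()):
        has_current = any(v["current"] for v in items)
        for v in sorted(items, key=lambda v: v["version_id"]):
            if v["current"]:
                continue
            # No current version at all means the blob itself was deleted.
            state = "overwritten" if has_current else "deleted"
            findings.append((name, v["version_id"], state, v["size"]))
    return findings


if __name__ == "__main__":
    for name, version_id, state, size in audit_versions(SAMPLE_LISTING):
        print(f"{state:11} {name} versionId={version_id} ({size} bytes)")
```

Any row it reports is content that should be treated as still exposed: rotate secrets it contained and delete the old versions rather than relying on the overwrite or delete.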
