
Logic App 14 - Abuse Action and Storage Container Recovery


Info

Scenario

Logic apps use connectors that perform defined actions when triggered. When a connector is misconfigured, or when the trigger URL is exposed, it can reveal sensitive data. Abuse the storage blob connector and obtain the flag.

Overview

What is SAS URL (Shared Access Signature URL)?

A SAS URL (Shared Access Signature URL) is a URL that contains a shared access signature token. It allows secure access to specific resources within an Azure Storage account for a limited period, without requiring the account key. SAS URLs provide us with a way to grant granular access permissions to clients or applications without exposing the storage account keys.

Hint

  • Get deleted items.

Impact

  • Previously soft-deleted files can still hold sensitive data, which could be used to increase the attack surface of the target.

Reference

The challenge provides a TriggerURL and a ContainerSASURL.

First, connect to the Blob Container; it contains no data.


Try triggering the TriggerURL.


Check the blob-level settings.


Restore the selected items.


The flag is then obtained.
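The walkthrough above works because the ContainerSASURL handed out in the challenge carries enough permissions to list and restore soft-deleted blobs. The following script is an added example, not code from the original write-up: it triages a container SAS URL offline, decoding the sp, sr, se, spr and sip fields and reporting whether the token holder could enumerate (list on the container) and restore (write, which the Undelete Blob operation requires) soft-deleted blobs. The account name, container name, URL and signature in the sample are constructed placeholders, and the 30-day long-lived threshold is an assumption.

```python
"""Offline triage of a leaked Azure Storage container SAS URL.

Added example, not code from the original write-up. It never contacts
Azure: it only decodes the query fields of a SAS URL and reports what the
token would let its holder do, with emphasis on soft-deleted blobs.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Permission letters of a blob service SAS (the commonly used subset).
PERMISSIONS = {
    "r": "read", "a": "add", "c": "create", "w": "write", "d": "delete",
    "x": "delete version", "y": "permanent delete", "l": "list",
    "t": "tags", "m": "move", "e": "execute", "o": "ownership",
    "p": "permissions", "i": "set immutability policy",
}
SIGNED_RESOURCES = {"b": "blob", "c": "container", "bs": "blob snapshot",
                    "bv": "blob version", "d": "directory"}
LONG_LIVED_DAYS = 30  # assumption: tokens valid for longer than this are flagged


def parse_sas_url(url):
    """Split a SAS URL into account, container and its decoded query fields."""
    u = urlparse(url)
    fields = {k: v[0] for k, v in parse_qs(u.query).items()}
    account = (u.hostname or "").split(".")[0]
    container = u.path.strip("/").split("/")[0]
    return {"account": account, "container": container, "fields": fields}


def parse_sas_time(value):
    """SAS times are UTC ISO 8601, either full timestamps or bare dates."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def assess_sas(url, now=None):
    """Return what the token grants and a list of findings worth acting on."""
    if isinstance(now, str):
        now = parse_sas_time(now)
    now = now or datetime.now(timezone.utc)
    info = parse_sas_url(url)
    f = info["fields"]
    perms = f.get("sp", "")
    resource = SIGNED_RESOURCES.get(f.get("sr", ""), f.get("sr", "unknown"))
    findings = []

    expires_in_days = None
    if "se" not in f:
        findings.append("no expiry (se): lifetime comes from a stored access policy")
    else:
        expiry = parse_sas_time(f["se"])
        expires_in_days = (expiry - now).days
        if expiry <= now:
            findings.append("token has expired")
        elif expires_in_days > LONG_LIVED_DAYS:
            findings.append(f"long-lived token: expires in {expires_in_days} days")
    if "sip" not in f:
        findings.append("no IP restriction (sip): usable from any network")
    if "http" in f.get("spr", "https").split(","):
        findings.append("plain HTTP allowed (spr)")

    # Soft-delete exposure: listing with include=deleted needs list on the
    # container, Undelete Blob needs write, purging needs permanent delete.
    soft_delete = {
        "can_list_deleted": "l" in perms and f.get("sr") == "c",
        "can_undelete": "w" in perms,
        "can_permanently_delete": "y" in perms,
    }
    if soft_delete["can_list_deleted"] and soft_delete["can_undelete"]:
        findings.append("holder can enumerate and restore soft-deleted blobs")
    if "d" in perms:
        findings.append("delete permission granted")

    return {
        "account": info["account"], "container": info["container"],
        "resource": resource,
        "permissions": [PERMISSIONS.get(p, f"unknown({p})") for p in perms],
        "expires_in_days": expires_in_days,
        "soft_delete": soft_delete,
        "findings": findings,
    }


# Constructed sample resembling the challenge's ContainerSASURL; the account,
# container and signature are placeholders, not real values.
SAMPLE_SAS_URL = (
    "https://examplestorage.blob.core.windows.net/challenge"
    "?sv=2022-11-02&sr=c&sp=rwdl&se=2030-01-01T00:00:00Z&spr=https"
    "&sig=PLACEHOLDER_SIGNATURE"
)

if __name__ == "__main__":
    report = assess_sas(SAMPLE_SAS_URL)
    print(f"{report['account']}/{report['container']} ({report['resource']})")
    print("permissions:", ", ".join(report["permissions"]))
    for finding in report["findings"]:
        print(" -", finding)
```

A SAS signed with the account key cannot be revoked individually; if the triage shows a token that can list and undelete, the remediation is to rotate the key that signed it (or delete the stored access policy it references) and to reissue narrower, short-lived tokens.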

Flags

What was the data protection feature used by the storage container for blobs in this challenge? (blob versioning or soft delete)
soft delete

What is the flag value we obtain?
asohvmtl735asmcexhf735