Tryhackme

Advent of Cyber 2024 — Day 16: Azure The Wareville’s Key Vault Incident

In this challenge, McSkidy faces a potential breach in Wareville’s Azure tenant. A suspicious alert pointed toward unauthorized access to the Azure Key Vault, a critical resource for securely storing secrets. Unfortunately, the lack of log auditing complicated the investigation. Seeking assistance, McSkidy collaborated with the Glitch, who used Azure tools to retrace the intruder’s steps and analyze the attack path.

Learning Objectives

• Understand Azure and its utility as a Cloud Service Provider (CSP).
• Explore Azure services such as Azure Key Vault and Microsoft Entra ID.
• Learn Azure Cloud Shell and Azure CLI basics.
• Perform enumeration and evaluate role assignments to identify misconfigurations.

Key Takeaways

Introduction to Azure

• Azure is a CSP that provides scalable and cost-effective cloud services, simplifying infrastructure management.
• Key Azure benefits include:
• Resource scaling during peak demand.
• Access to over 200 cloud services like identity management, application hosting, and storage solutions.

Azure Services Explored

1. Azure Key Vault:

• Secure storage for sensitive information like passwords, API keys, and certificates.
• Includes features for secret auditing and access control.

2. Microsoft Entra ID:

• Identity and Access Management (IAM) system for granting and managing user access.

Attack Path Analysis

The assumed breach simulation began with valid credentials provided for testing. Using Azure CLI within Azure Cloud Shell, the following steps were performed:

Step 1: Enumeration

• Users: Identified users with the az ad user list command. A particular user (wvusr-backupware) displayed sensitive data within a field, raising suspicion.
• Groups: Found a group named “Secret Recovery Group” with significant permissions, including the aforementioned user.

Step 2: Role Assignments

• Enumerated roles using az role assignment list --assignee GROUP_ID --all:
• “Key Vault Reader” and “Key Vault Secrets User” roles were assigned to the group.
• These roles granted metadata access and secret reading permissions for the warevillesecrets Key Vault.

Step 3: Secret Access Verification

• Identified the warevillesecrets Key Vault using az keyvault list.
• Verified the existence of secrets using az keyvault secret list --vault-name warevillesecrets.

Misconfiguration Analysis

The misconfigurations enabling the breach:

1. Sensitive data exposed in user account fields.
2. Overly permissive roles assigned to the “Secret Recovery Group.”
3. Lack of auditing and monitoring for Key Vault access.

Mitigation Recommendations

1. Audit Logs: Enable Key Vault logging to monitor access and activities.
2. Role Minimization: Adopt the principle of least privilege for role assignments.
3. User Data Protection: Ensure sensitive information isn’t stored in user account attributes.
4. Access Reviews: Conduct periodic reviews of user roles and group permissions.

TASKS

• What is the password for backupware that was leaked? R3c0v3r_s3cr3ts!
• What is the group ID of the Secret Recovery Group? 7d96660a-02e1–4112–9515–1762d0cb66b7
• What is the name of the vault secret? aoc2024
• What are the contents of the secret stored in the vault? WhereIsMyMind1999

Conclusion

This challenge emphasized the importance of securing Azure environments, auditing sensitive resources, and following access control best practices. By identifying misconfigurations and reviewing Azure Role Assignments, McSkidy and the Glitch uncovered how the intruder accessed the warevillesecrets Key Vault and prevented further breaches.