Check for resources associated with the PowerShell account:

PS C:\Program Files\PowerShell\7> Get-AzResource
 
Name              : financemegamultinational
ResourceGroupName : MegaMultinational
ResourceType      : Microsoft.Storage/storageAccounts
Location          : eastus
ResourceId        : /subscriptions/7417f1f8-3d91-451a-a354-966c173efb48/resourceGroups/MegaMultinational/providers/Microsoft.Storage/storageAccounts/financemegamultinational
Tags              :
 
Name              : DemoAutomation-3592
ResourceGroupName : MegaMultinational-3592
ResourceType      : Microsoft.Automation/automationAccounts
Location          : westus
ResourceId        : /subscriptions/7417f1f8-3d91-451a-a354-966c173efb48/resourceGroups/MegaMultinational-3592/providers/Microsoft.Automation/automationAccounts/DemoAutomation-3592
Tags              :
 
Name              : DemoAutomation-3592/NewDomain
ResourceGroupName : MegaMultinational-3592
ResourceType      : Microsoft.Automation/automationAccounts/configurations
Location          : westus
ResourceId        : /subscriptions/7417f1f8-3d91-451a-a354-966c173efb48/resourceGroups/MegaMultinational-3592/providers/Microsoft.Automation/automationAccounts/DemoAutomation-3592/configurations/
                    NewDomain
Tags              :
 
Name              : DemoAutomation-3592/Get-Credential
ResourceGroupName : MegaMultinational-3592
ResourceType      : Microsoft.Automation/automationAccounts/runbooks
Location          : westus
ResourceId        : /subscriptions/7417f1f8-3d91-451a-a354-966c173efb48/resourceGroups/MegaMultinational-3592/providers/Microsoft.Automation/automationAccounts/DemoAutomation-3592/runbooks/Get-Credential
Tags              :
 

There is a storage account among the resources, so we can check it for public access.

Get storage accounts:

PS C:\Program Files\PowerShell\7> Get-AzStorageAccount
 
StorageAccountName       ResourceGroupName PrimaryLocation SkuName        Kind      AccessTier CreationTime        ProvisioningState EnableHttpsTrafficOnly LargeFileShares
------------------       ----------------- --------------- -------        ----      ---------- ------------        ----------------- ---------------------- ---------------
financemegamultinational MegaMultinational eastus          Standard_RAGRS StorageV2 Hot        8/5/2021 2:12:35 PM Succeeded         True
 

Check Public Access for Azure Storage Accounts

PS C:\Program Files\PowerShell\7> Get-AzStorageAccount | Select-Object -Property StorageAccountName, ResourceGroupName, EnableHttpsTrafficOnly, AllowBlobPublicAccess
 
StorageAccountName       ResourceGroupName EnableHttpsTrafficOnly AllowBlobPublicAccess
------------------       ----------------- ---------------------- ---------------------
financemegamultinational MegaMultinational                   True                  True

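AllowBlobPublicAccess is True, so the account permits anonymous (public) access to its blob containers. Whether a given container is actually exposed depends on the access level set on that container.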
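
To see which containers are actually readable without authentication, and not only the account-level switch, the check can be extended per container. This is an added example, not part of the original walkthrough; the function name Get-PublicContainerFinding is hypothetical, and it assumes the Az.Storage module and an authenticated session (Connect-AzAccount) with at least Reader on the storage accounts.

```powershell
# Added example: report, per container, whether anonymous reads are possible.
function Get-PublicContainerFinding {
    [CmdletBinding()]
    param()

    foreach ($sa in Get-AzStorageAccount) {
        # Assumption: an unset ($null) value is treated as "allowed" so the audit
        # errs on the side of reporting; only an explicit $false counts as blocked.
        $accountAllows = $sa.AllowBlobPublicAccess -ne $false

        # Management-plane listing: works with Reader, no account keys required.
        $containers = Get-AzRmStorageContainer -ResourceGroupName $sa.ResourceGroupName `
                                               -StorageAccountName $sa.StorageAccountName `
                                               -ErrorAction SilentlyContinue

        foreach ($c in $containers) {
            # PublicAccess is None, Blob or Container; compare as a string so the
            # check does not depend on the enum's numeric values.
            $level = if ($null -ne $c.PublicAccess) { "$($c.PublicAccess)" } else { 'None' }

            [pscustomobject]@{
                StorageAccount        = $sa.StorageAccountName
                ResourceGroup         = $sa.ResourceGroupName
                Container             = $c.Name
                AllowBlobPublicAccess = $accountAllows
                ContainerPublicAccess = $level
                # Exposed only when the account switch AND the container level allow it.
                AnonymousReadable     = $accountAllows -and ($level -in 'Blob', 'Container')
            }
        }
    }
}

Get-PublicContainerFinding |
    Sort-Object AnonymousReadable -Descending |
    Format-Table -AutoSize

# Remediation for an account that does not need anonymous access
# (placeholders, fill in before running):
# Set-AzStorageAccount -ResourceGroupName '<resource-group>' -Name '<account>' -AllowBlobPublicAccess $false
```

Setting AllowBlobPublicAccess to $false at the account level overrides any container-level public setting, so it is the quickest fix when no container needs anonymous reads.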

Log in to the Azure portal using the supplied credentials

Check for storage accounts

Look for containers in the storage account

Finance caught my eye

This is publicly accessible

On investigating, we get a file named employees.xlsx, which is password protected

I tried ‘password’ as the password

Voila!