Compromising Azure Blobs and Storage Accounts

Storage Accounts are high-value targets in a tenant if an attacker is looking to exfiltrate sensitive data. What we'll focus on in this section is a common misconfiguration that exposes access keys for the storage account itself allowing an attacker to download files and data from it.

Storage Accounts are organized with a hierarchy:

Accounts
- Containers
  - Blobs

In the SA (Storage Account) we might have a otter account with 4 containers, each storing different kind of files.

Upon creation, every storage account can be interacted with using a default endpoint: https://<storage_account_name>.blob.core.windows.net. Just like a normal website, we are able to navigate the containers and blobs by appending /<container_name>/<blob_name>. When a SA is created, the user is given 3 choices of Public Access Level

No public read access
Public read access for blobs only
Public read access for both containers and blobs

Of course, the recommended setting is the first one but (at the time of writing this) the second one is the default setting.

Once we discover a SA, this can be done with DNS enumeration as well as other methods, we need to find out what containers are stored inside it

PS /home/otter> az storage account keys list --subscription <subscription_id> --account-name <storage_account_name>

If the account has been set up with the before-mentioned misconfiguration, this command will return Storage Access Keys we can use to pull data from the SA; it will look something like this

[
	{
		"creationTime": "<some_creation_time>",
		"keyName": "key1",
		"permissions": "FULL",
		"value": "<storage_access_key>"
	}
]

With this information we can list the files stored in the SA

PS /home/otter> az storage blob list --subscription <subscription_id> --account-name <storage_account_name> --account-key "<storage_access_key>" --container-name "<container_name>"

To download files / blobs from the container we discovered we can use a SAS (Shared Access Signature) URI or the AZCli; SAS URIs are sometimes "leaked" by companies on websites or other common locations so it's good practice to look out for those, they usually have the following format

https://<something>.blob.core.windows.net/?restype=service&comp=properties&sv=<somehing>&ss=<somehing>&st=<somehing>&se=<somehing>&sr=<somehing>&sp=<somehing>&sip=<somehing>&srp=<somehing>&sig=<somehing>

Parameter	Meaning
SV	Version of the storage service
SS	What the service can access
SRT	What the SAS URI applies to
ST	Validity date of the SAS URI
SE	Expiration date of the SAS URI
SP	Operation permissions (R/W)
SIP	IP range the requests will be accepted from (similar to a Conditional Access Policies)
SPR	Only allows HTTPS connections
SIG	Signature

Parameter

Meaning

Version of the storage service

What the service can access

SRT

What the SAS URI applies to

Validity date of the SAS URI

Expiration date of the SAS URI

Operation permissions (R/W)

SIP

IP range the requests will be accepted from (similar to a Conditional Access Policies)

SPR

Only allows HTTPS connections

SIG

Signature

This format might be used along with regular expressions to scrape possible SAS URIs.

If the SAS with the signature value is not exposed already, we can generate one

PS /home/otter> az storage blob generate-sas --subscription <subscription_id> --account-key <storage_access_key> --account-name <storage_account_name> --continer-name <container_name> --permissions acdrw --name <file_name>

Now we can use Azure Storage Explorer with the Connection string of

DefaultEndpointsProtocol=https;AccountName=<some_name>;AccountKey=<storage_account_key>;<generated_sas>

All of this can be skipped if we already know what files are present in which containers (this is a more unrealistic scenario but it can happen) and download the file with a simple web request

PS /home/otter> Invoke-WebRequest -Uri "https://<some_storage_name>.blob.core.windows.net/<container_name>/<file_name>" -OutFile otter.txt

PreviousService Principal Abuse NextMalicious Device Join

Last updated 4 months ago