Compromising Azure Blobs and Storage Accounts
Storage Accounts are high-value targets in a tenant if an attacker is looking to exfiltrate sensitive data. What we'll focus on in this section is a common misconfiguration that exposes access keys for the storage account itself allowing an attacker to download files and data from it.
Storage Accounts are organized with a hierarchy:
Accounts
Containers
Blobs
In the SA (Storage Account) we might have a otter
account with 4 containers, each storing different kind of files.
Upon creation, every storage account can be interacted with using a default endpoint: https://<storage_account_name>.blob.core.windows.net
. Just like a normal website, we are able to navigate the containers and blobs by appending /<container_name>/<blob_name>
. When a SA is created, the user is given 3 choices of Public Access Level
No public read access
Public read access for blobs only
Public read access for both containers and blobs
Of course, the recommended setting is the first one but (at the time of writing this) the second one is the default setting.
Once we discover a SA, this can be done with DNS enumeration as well as other methods, we need to find out what containers are stored inside it
If the account has been set up with the before-mentioned misconfiguration, this command will return Storage Access Keys we can use to pull data from the SA; it will look something like this
With this information we can list the files stored in the SA
To download files / blobs from the container we discovered we can use a SAS (Shared Access Signature) URI or the AZCli; SAS URIs are sometimes "leaked" by companies on websites or other common locations so it's good practice to look out for those, they usually have the following format
SV
Version of the storage service
SS
What the service can access
SRT
What the SAS URI applies to
ST
Validity date of the SAS URI
SE
Expiration date of the SAS URI
SP
Operation permissions (R/W)
SIP
IP range the requests will be accepted from (similar to a Conditional Access Policies)
SPR
Only allows HTTPS connections
SIG
Signature
This format might be used along with regular expressions to scrape possible SAS URIs.
If the SAS with the signature value is not exposed already, we can generate one
Now we can use Azure Storage Explorer with the Connection string of
All of this can be skipped if we already know what files are present in which containers (this is a more unrealistic scenario but it can happen) and download the file with a simple web request
Last updated