Azure: Tapper

Azure challenge for cloud pentesters: Can you find the attack path and abuse it? - by zieglers

The following post by 0xb0b is licensed under CC BY 4.0


Scenario

In Azure: Tapper we are faced with the following scenario:

Lab Scenario

  • During the reconnaissance, you came across a password: D3l4w4r3R1v3r$#@!

  • You don't know much about which permissions you have on the Azure Portal.

  • You don't know much about which resources you can access on the Azure Portal.

  • All you have is a compromised password!

  • How far can you go with it?

  • Which attack path(s) can you discover and how will you exploit it?

Summary


In Tapper we begin with Azure tenant access and enumerate available resources, identifying a virtual machine without public exposure and three Entra ID users: goo, gumby, and pokey. Reviewing role assignments reveals goo as a Network Contributor and pokey as a Virtual Machine Data Access Administrator, while gumby owns an over-privileged Entra ID application named Tapper with the UserAuthenticationMethod.ReadWrite.All permission. Using credentials for gumby, we authenticate to the Azure portal, create a new client secret for the Tapper app, and obtain an application access token via Microsoft Graph API. With this token, we generate Temporary Access Passes (TAPs) for other users, allowing passwordless lateral movement first to goo and then to pokey. As pokey, we leverage the assigned data access permissions to query virtual machine metadata, discovering a custom script extension that exposes the flag at /tmp/flag.txt.

Recon

We open the dashboard of Microsoft Azure and head to Resource or All resources.

Under All resources in Microsoft Azure we find a VM called VM1.

If we click on that resource, we can find a username on the Connect page in the SSH connection string. This user seems to be just a placeholder, though, if we check the users available in the tenant. More on that later. Furthermore, we won't be able to reach the VM from outside, since the network is not configured for it and no public IP is assigned.

If we move to the Users section, we are able to identify three users of the tenant: goo, gumby, and pokey.

When checking the Azure role assignment, we'll find that the user goo has the role Network Contributor. This role allows the user to manage networking resources such as virtual networks, subnets, network interfaces, route tables, network security groups, and load balancers, but does not grant permission to access virtual machines or their operating systems.

Lets you manage networks, but not access to them. This role does not grant you permission to deploy or manage Virtual Machines.

The user pokey has the Azure role Virtual Machine Data Access Administrator (preview). This role allows the user to manage data-plane access to Azure virtual machines.

Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments.

Next, we check App Registrations to see if any applications are available. We're looking for an app with over-trusted ownership or permissions, which could allow us to issue a Temporary Access Pass (TAP) for the users available; hinted at by the challenge name, Azure: Tapper. We find the Tapper application.

At first glance, we can see that client credentials have been created.

And we hit the jackpot right away. The app has the UserAuthenticationMethod.ReadWrite.All permission granted. With that we could theoretically add authentication methods to any user, remove authentication methods from any user, and take over accounts without their passwords by issuing Temporary Access Passes (TAPs)... if we can authenticate as the application.

Next, we check which user has ownership over the app. In this case it is the user gumby. Once we have obtained access as gumby, we can add a client secret that we control and use to authenticate as the application, thereby issuing TAPs for other users.

With our current user we cannot add a secret and also can't retrieve the existing one.

Access as gumby

In addition to the Azure Portal user, the scenario also provides us with a password, found during reconnaissance. From our initial enumeration, we were able to identify three users. We note that the password from the scenario is gumby's.

We can log in, but we have to set up Microsoft Authenticator to do so.

The idea now is to use gumby to abuse the over-privileged Entra ID application Tapper that has UserAuthenticationMethod.ReadWrite.All, allowing us to directly manage authentication methods for users. By generating a Temporary Access Pass (TAP) for other accounts we move laterally and search for the flag.

Now that we have access as gumby, we return to the Tapper application overview and create a new client secret.

Access as goo

We make a note of the value and the Secret ID.

To obtain an app-only access token of the Tapper application we can request one with the following command:

Next, we verify the access. We save the token to the variable TOKEN to make our request more compact.

We query the Microsoft Graph API using the obtained access token to retrieve a list of users in the tenant, then format the JSON response in a readable way using jq. Unfortunately, we do not have sufficient permission for this.

Recalling the users we gathered so far, we try to request the authentication methods of each.

We can do this with the following request. We are allowed to retrieve the authentication methods, as expected from the UserAuthenticationMethod.ReadWrite.All permission found during enumeration.

Next, we try to create a Temporary Access Pass (TAP) for the user goo. We note down the temporaryAccessPass and can now authenticate as goo to the portal.

Access as pokey

We repeat the same for the user pokey and create a Temporary Access Pass (TAP). We note down the temporaryAccessPass and can now authenticate as pokey to the portal.

We log in as pokey.
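As an added detection example (not part of the original writeup), the following Python correlates the two events that make up the path described above: a user adding a credential to an app that holds UserAuthenticationMethod.ReadWrite.All, followed by that app registering Temporary Access Passes for other accounts. The audit records and the activity names are constructed assumptions modelled on the Entra ID audit log, not real tenant data.

```python
from collections import defaultdict

# Activity names are assumptions for this example; verify them against the
# audit log of your own tenant before relying on them.
SECRET_ADDED = "Update application - Certificates and secrets management"
TAP_ADDED = "Admin registered security info"
TAP_METHOD = "Temporary Access Pass"
RISKY_PERMS = {"UserAuthenticationMethod.ReadWrite.All"}

# Constructed audit records mirroring the writeup: gumby adds a client
# secret to Tapper, then Tapper's service principal registers TAPs for goo
# and pokey. The Helpdesk entry is benign noise to show what is not flagged.
AUDIT = [
    {"time": "10:00", "activity": SECRET_ADDED,
     "initiatedBy": {"user": "gumby"}, "target": "Tapper", "method": ""},
    {"time": "10:05", "activity": TAP_ADDED,
     "initiatedBy": {"app": "Tapper"}, "target": "goo", "method": TAP_METHOD},
    {"time": "10:07", "activity": TAP_ADDED,
     "initiatedBy": {"app": "Helpdesk"}, "target": "alice", "method": TAP_METHOD},
    {"time": "10:09", "activity": TAP_ADDED,
     "initiatedBy": {"app": "Tapper"}, "target": "pokey", "method": TAP_METHOD},
]
# Application permissions granted to each app (constructed).
APP_PERMS = {"Tapper": {"UserAuthenticationMethod.ReadWrite.All"},
             "Helpdesk": {"UserAuthenticationMethod.ReadWrite.All"}}

def find_tap_chains(records, app_perms):
    """Return [(app, credential_adder, [tap_targets])] for every app that
    holds a risky authentication-method permission, had a credential added
    by a user, and afterwards registered a TAP for another account."""
    secret_added_by = {}           # app -> (time, user)
    taps = defaultdict(list)       # app -> [(time, target)]
    for r in sorted(records, key=lambda r: r["time"]):
        who = r["initiatedBy"]
        if r["activity"] == SECRET_ADDED and "user" in who:
            secret_added_by.setdefault(r["target"], (r["time"], who["user"]))
        elif r["activity"] == TAP_ADDED and "app" in who and r["method"] == TAP_METHOD:
            taps[who["app"]].append((r["time"], r["target"]))
    findings = []
    for app, entries in taps.items():
        if not (app_perms.get(app, set()) & RISKY_PERMS) or app not in secret_added_by:
            continue
        t_secret, user = secret_added_by[app]
        targets = [tgt for t, tgt in entries if t > t_secret]   # only TAPs after the new secret
        if targets:
            findings.append((app, user, targets))
    return findings

if __name__ == "__main__":
    for app, user, targets in find_tap_chains(AUDIT, APP_PERMS):
        print(f"{user} added a credential to {app}; {app} then issued TAPs for {targets}")
```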

Capture The Flag - Getting VM details

Recalling the role assignments again, we know goo is Network Contributor ...

... and pokey has the role assignment Virtual Machine Data Access Administrator (preview).

If we move back to the VM1 as pokey, we go to the CLI/PS.

We are now able to use the CLI/PS without modifying the environment and without violating the rules of engagement. Next, we try to get the details of the VM.

Here we find a Custom Script Extension that writes the flag to /tmp/flag.txt.


Go to the account settings of gumby ...

... and remove the authenticator in the Security info tab.
