Spare Key
Help Goose Barry near the pond identify which identity has been granted excessive Owner permissions at the subscription level, violating the principle of least privilege.
Challenge

You really want me to moo? Nope - I honk.
The Neighborhood HOA hosts a static site on Azure Storage. An admin accidentally uploaded an infrastructure config file that contains a long-lived SAS token.
Task: Use the Azure CLI to locate the leak and report exactly where the token lives.

Solution

This task is guided by the system itself, so I will only show the commands and the most important console output here:

🎄 Welcome to the Spare Key! 🎄
You're connected to a read-only Azure CLI session in "The Neighborhood" tenant.
Your mission: Someone left a spare key out in the open. Find WHERE it is.
Connecting you now... ❄️
Let's start by listing all resource groups
$ az group list -o table
This will show all resource groups in a readable table format.
neighbor@57605f6d2eb5:~$ az group list -o table
Name                 Location    ProvisioningState
-------------------  ----------  -------------------
rg-the-neighborhood  eastus      Succeeded
...
Now let's find storage accounts in the neighborhood resource group 📦
$ az storage account list --resource-group rg-the-neighborhood -o table
This shows what storage accounts exist and their types.
neighbor@57605f6d2eb5:~$ az storage account list --resource-group rg-the-neighborhood -o table
Name             Kind         Location    ResourceGroup        ProvisioningState
---------------  -----------  ----------  -------------------  -------------------
neighborhoodhoa  StorageV2    eastus      rg-the-neighborhood  Succeeded
...
Someone mentioned there was a website in here.
maybe a static website?
try: $ az storage blob service-properties show --account-name <insert_account_name> --auth-mode login
neighbor@57605f6d2eb5:~$ az storage blob service-properties show --account-name neighborhoodhoa --auth-mode login
{
  "enabled": true,
  "errorDocument404Path": "404.html",
  "indexDocument": "index.html"
}
neighbor@57605f6d2eb5:~$ 
Let's see what 📦 containers exist in the storage account
💡 Hint: You will need to use az storage container list
We want to list the container and its public access levels.
neighbor@57605f6d2eb5:~$ az storage container list --account-name neighborhoodhoa --auth-mode login
[
  {
    "name": "$web",
...
Examine what files are in the static website container
💡 hint: when using --container-name you might need '<name>'
Look 👀 for any files that shouldn't be publicly accessible!
neighbor@57605f6d2eb5:~$ az storage blob list --account-name neighborhoodhoa --container-name '$web'  --auth-mode login
...
    "name": "iac/terraform.tfvars",
...
        "WARNING": "LEAKED_SECRETS"
...
Take a look at the files here, what stands out?
Try examining a suspect file 🕵️:
💡 hint: --file /dev/stdout | less will print to your terminal 💻.
az storage blob download --account-name neighborhoodhoa --container-name '$web' --name 'iac/terraform.tfvars' --auth-mode login --file /dev/stdout | less

...
# This SAS token provides full access - HIGHLY SENSITIVE!
migration_sas_token = "sv=2023-11-03&ss=b&srt=co&sp=rlacwdx&se=2100-01-01T00:00:00Z&spr=https&sig=1djO1Q%2Bv0wIh7mYi3n%2F7r1d%2F9u9H%2F5%2BQxw8o2i9QMQc%3D"
...
You found the leak! A migration_sas_token within /iac/terraform.tfvars exposed a long-lived SAS token (expires 2100-01-01) 🔑
⚠️   Accidentally uploading config files to $web can leak secrets. 🔐

Challenge Complete! To finish, type: finish
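The enumeration above is scripted by the challenge terminal, but the last step, deciding that what you found is actually a dangerous token rather than a short-lived read-only link, is worth automating. The following is an added example, not code from the writeup or from the challenge: a small Python scanner that finds SAS query strings in any text (for instance what `az storage blob download ... --file /dev/stdout` prints, or a local IaC checkout before anyone uploads it), parses the `se`, `sp`, `ss`/`srt` fields and flags tokens that are long-lived, grant mutating permissions or are account-scoped. It goes a little beyond the session above by also handling service SAS and already-expired tokens. The sample input is constructed: the first token is the one printed in the session above, the second is a made-up expired read-only URL, and the 30-day threshold and the `REFERENCE_NOW` date are this example's own assumptions.

```python
"""Added example: find Azure Storage SAS tokens in text and flag the risky ones."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Constructed sample input. The first token is the one shown in the challenge session;
# the second (expired, read-only, embedded in a URL) is made up for this example.
SAMPLE_TFVARS = '''
storage_account = "neighborhoodhoa"
# This SAS token provides full access - HIGHLY SENSITIVE!
migration_sas_token = "sv=2023-11-03&ss=b&srt=co&sp=rlacwdx&se=2100-01-01T00:00:00Z&spr=https&sig=1djO1Q%2Bv0wIh7mYi3n%2F7r1d%2F9u9H%2F5%2BQxw8o2i9QMQc%3D"
# Constructed: read-only service SAS that has already expired
old_report_url = "https://neighborhoodhoa.blob.core.windows.net/reports/q1.pdf?sv=2023-11-03&sr=b&sp=r&se=2024-01-02T00:00:00Z&spr=https&sig=AAAA%3D"
'''

# Fixed "current time" so the output of this example is reproducible (assumption).
REFERENCE_NOW = datetime(2025, 12, 1, tzinfo=timezone.utc)

# Runs of characters that can make up a SAS query string; stops at quotes, whitespace,
# '?' and '/', so a token embedded in a URL is captured without the URL itself.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9%&=.:_+\-,]+")

# Permission letters used by account SAS (sp=). Unknown letters are passed through as-is.
PERMISSIONS = {
    "r": "read", "a": "add", "c": "create", "w": "write", "d": "delete",
    "l": "list", "x": "delete-version", "t": "tag", "f": "filter",
    "i": "set-immutability", "y": "permanent-delete", "u": "update", "p": "process",
}
MUTATING = set("acwdxyu")


def find_sas_tokens(text):
    """Return every substring that parses as a SAS token (has both sv= and sig=)."""
    found = []
    for cand in CANDIDATE_RE.findall(text):
        params = parse_qs(cand)
        if "sv" in params and "sig" in params:
            found.append(cand)
    return found


def parse_expiry(se):
    """SAS 'se' is a UTC ISO-8601 value; Azure accepts date-only or timestamp forms."""
    if se is None:
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(se, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def assess_sas(token, now, max_lifetime=timedelta(days=30)):
    """Classify one token. max_lifetime is this example's own policy threshold."""
    p = {k: v[0] for k, v in parse_qs(token).items()}
    expires = parse_expiry(p.get("se"))
    perms = sorted(PERMISSIONS.get(ch, ch) for ch in p.get("sp", ""))
    # ss/srt mark an account SAS, signed with the storage account key: the only way
    # to revoke it is to regenerate that key. sr marks a service SAS; skoid marks a
    # user delegation SAS, which can be revoked by revoking the delegation key.
    if "srt" in p:
        kind = "account"
    elif "skoid" in p:
        kind = "user-delegation"
    else:
        kind = "service"
    findings = []
    if expires is None:
        findings.append("no parseable expiry (se)")
    elif expires <= now:
        findings.append("already expired")
    elif expires - now > max_lifetime:
        findings.append(f"long-lived: valid for {(expires - now).days} more days")
    if MUTATING & set(p.get("sp", "")):
        findings.append("grants mutating permissions")
    if kind == "account":
        findings.append("account SAS: revocation requires rotating the account key")
    if "http" in p.get("spr", "").split(","):
        findings.append("usable over plain HTTP")
    return {"kind": kind, "expires": expires, "permissions": perms, "findings": findings}


def scan(text, now=None):
    """Scan arbitrary text (a downloaded blob, a tfvars file) and assess each token."""
    now = now or datetime.now(timezone.utc)
    return [assess_sas(t, now) for t in find_sas_tokens(text)]


if __name__ == "__main__":
    import sys
    data = SAMPLE_TFVARS if sys.stdin.isatty() else sys.stdin.read()
    for r in scan(data):
        print(r["kind"], r["expires"], r["permissions"], r["findings"])
```

Pipe the suspect blob straight into it (`sas_scan.py` is an arbitrary file name): `az storage blob download --account-name neighborhoodhoa --container-name '$web' --name 'iac/terraform.tfvars' --auth-mode login --file /dev/stdout | python3 sas_scan.py`. Two points the session's closing warning leaves implicit: once static website hosting is enabled, everything in `$web` is served anonymously by the web endpoint regardless of the container's access level, and a token carrying `srt=` is an account SAS signed with the storage account key, so the only way to invalidate it is to regenerate that key (`az storage account keys renew`), which also breaks every other SAS and connection string derived from the same key.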