Blob Storage Challenge in the Neighborhood⚓︎

Difficulty:
Direct link: Blob Storage Challenge in the Neighborhood
Area: Near the pond
In-game avatar: Goose Grace
Objective⚓︎
Request
Help the Goose Grace near the pond find which Azure Storage account has been misconfigured to allow public blob access by analyzing the export file.
Goose Grace
HONK!!! HONK!!!! The Neighborhood HOA uses Azure storage accounts for various IT operations. You've been asked to audit their storage security configuration to ensure no sensitive data is publicly accessible. Recent security reports suggest some storage accounts might have public blob access enabled, creating potential data exposure risks.
High-Level Steps⚓︎
- Enumerate – List Azure storage accounts and review configuration.
- Identify – Find storage accounts with public blob access enabled.
- Validate – Access exposed blobs to confirm data exposure.
```mermaid
flowchart TD
    subgraph Row1["Enumerate"]
        direction LR
        A[List storage accounts]
        B[Review account settings]
        A --> B
    end
    subgraph Row2["Identify"]
        direction LR
        C[Detect public blob access]
        D[List containers and blobs]
        C --> D
    end
    subgraph Row3["Validate"]
        direction LR
        E[Download public blob]
        F[Confirm sensitive data exposure]
        G[Objective completed]
        E --> F --> G
    end
    Row1 --> Row2
    Row2 --> Row3
```
Solution⚓︎
Goal 1:⚓︎
You may not know this, but the Azure CLI help messages are very easy to access.
First, try typing:
az help | less

Goal 2:⚓︎
Next, you've already been configured with credentials. 🔑
az account show | less
Press 'q' to exit less.

Goal 3:⚓︎
Now that you've run a few commands, let's take a look at some Azure storage accounts.
Try: az storage account list | less
For more information:
https://learn.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest
az storage account list | less
Goal 4:⚓︎
Hmm... one of these looks suspicious 🚨, I think there may be a misconfiguration here somewhere. Try showing the account that has a common misconfiguration: az storage account show --name xxxxxxxxxx | less
az storage account show --name neighborhood2 | less

Goal 5:⚓︎
Now we need to list containers in neighborhood2. After running the command, what's interesting in the list?
For more information:
https://learn.microsoft.com/en-us/cli/azure/storage/container?view=azure-cli-latest#az-storage-container-list
az storage container list --account-name neighborhood2

Goal 6:⚓︎
Let's take a look at the blob list in the public container for neighborhood2.
For more information:
https://learn.microsoft.com/en-us/cli/azure/storage/blob?view=azure-cli-latest#az-storage-blob-list
az storage blob list --container-name public --account-name neighborhood2

Goal 7:⚓︎
Try downloading and viewing the blob file named admin_credentials.txt from the public container.
💡 hint: --file /dev/stdout should print in the terminal. Don't forget to use | less!
az storage blob download --container-name public --account-name neighborhood2 --name admin_credentials.txt --file /dev/stdout
Goal 8:⚓︎
Type finish to complete the objective

Answer
Completed in the game.
Response⚓︎
Goose Grace
HONK HONK HONK! 'No sensitive data publicly accessible' they claimed. Meanwhile, literally everything was public! Good save, security expert!
Learnings⚓︎
One config flag (allowBlobPublicAccess in this case) can flip a cloud service from private to public.
Prevention & Hardening Notes⚓︎
- Turn off public blob access unless there's a real reason.
- Regularly check storage accounts for anything accidentally exposed.
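The "regularly check" step can be scripted against the JSON that `az storage account list -o json` prints. The audit below is an added example, not part of the write-up or the game: it reads that export, flags every account whose `allowBlobPublicAccess` is true or unset and any with a minimum TLS version below 1.2, and builds the `az storage account update` command that turns public blob access off. The export embedded here is constructed for the example, with the account names borrowed from the write-up and all values invented.

```python
import json
from typing import Dict, List

# Constructed sample modelled on `az storage account list -o json` output;
# only the properties the audit reads are included. Values are invented.
SAMPLE_EXPORT = json.dumps([
    {"name": "neighborhood1", "allowBlobPublicAccess": False,
     "minimumTlsVersion": "TLS1_2"},
    {"name": "neighborhood2", "allowBlobPublicAccess": True,
     "minimumTlsVersion": "TLS1_0"},
    # property absent: older accounts allowed public access when it was unset
    {"name": "neighborhood3", "minimumTlsVersion": "TLS1_2"},
])


def audit_accounts(export_json: str) -> Dict[str, List[str]]:
    """Return {account name: [findings]} for every account with a weak setting."""
    findings: Dict[str, List[str]] = {}
    for acct in json.loads(export_json):
        issues: List[str] = []
        public = acct.get("allowBlobPublicAccess")
        if public is True:
            issues.append("allowBlobPublicAccess=true: anonymous blob reads are possible "
                          "on any container whose public access level is set")
        elif public is None:
            # Unset is not the same as off: accounts created before the platform
            # default changed treated an unset flag as allowed, so verify it.
            issues.append("allowBlobPublicAccess not set: verify, do not assume disabled")
        tls = acct.get("minimumTlsVersion")
        if tls not in ("TLS1_2", "TLS1_3"):
            issues.append(f"minimumTlsVersion={tls}: below TLS1_2")
        if issues:
            findings[acct["name"]] = issues
    return findings


def remediation_commands(findings: Dict[str, List[str]]) -> List[str]:
    """Build the az command that disables public blob access for each flagged account."""
    return [f"az storage account update --name {name} --allow-blob-public-access false"
            for name, issues in findings.items()
            if any(i.startswith("allowBlobPublicAccess") for i in issues)]


if __name__ == "__main__":
    report = audit_accounts(SAMPLE_EXPORT)
    for name, issues in report.items():
        print(name, *issues, sep="\n  ")
    print(*remediation_commands(report), sep="\n")
```

Disabling the account-level flag also closes any container already marked public, which is why it is the first setting to fix; re-run the audit afterwards to confirm the export no longer lists the account.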