Owner

Difficulty:
Direct link: Owner
Area: Near the park
In-game avatar: Goose James
Objective
Request
Help Goose James near the park discover the accidentally leaked SAS token in a public JavaScript file and determine what Azure Storage resource it exposes and what permissions it grants.
Goose James
The Neighborhood HOA uses Azure for their IT infrastructure.
The Neighborhood network admins use RBAC for access control.
Your task is to audit their RBAC configuration to ensure they're following security best practices.
High-Level Steps
- Enumerate – Identify subscriptions and their Owner role assignments.
- Investigate – Examine groups and nested memberships for excessive privileges.
- Confirm – Validate permanent Owner access and complete the audit.
flowchart TD
subgraph Row1["Enumerate"]
direction LR
A[List subscriptions]
B[List Owner role assignments]
A --> B
end
subgraph Row2["Investigate"]
direction LR
C[Identify non-PIM Owner group]
D[Enumerate group members]
E[Trace nested groups]
C --> D --> E
end
subgraph Row3["Confirm"]
direction LR
F[Detect permanent Owner access]
G[Least-privilege violation confirmed]
H[Objective completed]
F --> G --> H
end
Row1 --> Row2
Row2 --> Row3
Solution
Goal 1
az account list --query "[].name"
Goal 2
You can do some more advanced queries using conditional filtering with custom output.
$ az account list --query "[?state=='Enabled'].{Name:name, ID:id}"
Cool! 😎 [?condition] filters what you want, {custom:fields} makes clean output ✨
az account list --query "[?state=='Enabled'].{Name:name, ID:id}"

Goal 3
Let's take a look at the Owners of the first listed subscription 🔍. Pass in the first subscription id.
Try: az role assignment list --scope "/subscriptions/{ID of first Subscription}" --query [?roleDefinition=='Owner']
az role assignment list --scope "/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64" --query [?roleDefinition=='Owner']
Goal 4
Ok 🤔 — there is a group present for the Owners permission; however, we've been assured this is a 🔐 PIM enabled group.
Currently, no PIM activations are present. 🚨
Let's run the previous command against the other subscriptions to see what we come up with.
The subscription below has an Owner assignment to a group that is not the PIM-Owner group. Instead, it is a group named "IT-Admins".
az role assignment list --scope "/subscriptions/065cc24a-077e-40b9-b666-2f4dd9f3a617" --query [?roleDefinition=='Owner']
Goal 4
Looks like you are on to something here! 🕵️ We were assured that only the 🔐 PIM group was present for each subscription.
🔎 Let's figure out the membership of that group.
Hint: use the az ad member list command. Pass the group id instead of the name.
Remember: | less lets you scroll through long output
az ad member list --group "6b982f2f-78a0-44a8-b915-79240b2b4796"
Goal 5
Well 😤, that's annoying. Looks like we have a nested group!
Let's run the command one more time against this group.
az ad member list --group "631ebd3f-39f9-4492-a780-aef2aec8c94e"
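The three manual steps above (list Owner assignments, list the group's members, follow the nested group) are the same walk an auditor repeats for every subscription, so here they are as one script. This is an added example written for this writeup, not code from the challenge or from the Azure CLI. It consumes the JSON shapes that the real `az role assignment list` and `az ad group member list --group <id>` commands emit (the real CLI property for the role is `roleDefinitionName`, and the real group-membership command is `az ad group member list`, not the in-game `az ad member list`), but reads them from constructed sample data so it runs offline. The subscription and group object ids are the ones in the writeup; the group name `PIM-Owner`, the principal names and the memberships are assumptions for illustration. It also generalizes slightly: a direct Owner grant to a user or service principal is flagged as permanent too, not only group grants.

```python
"""Audit Azure RBAC for permanent (non-PIM) Owner access hidden behind nested groups.

Added example for this writeup; not part of the challenge or of the Azure CLI.
Works on the JSON shapes emitted by `az role assignment list` and
`az ad group member list --group <id>`, read here from constructed sample data.
"""
import json
from typing import Dict, List, Set

# Groups the HOA states are PIM-managed. Assumption of this example: any other
# principal holding Owner is treated as a permanent assignment.
PIM_GROUP_NAMES = {"PIM-Owner"}

# Constructed: `az role assignment list` output across both subscriptions.
# Subscription ids are from the writeup; names and placeholder ids are made up.
ROLE_ASSIGNMENTS_JSON = """[
  {"principalName": "PIM-Owner", "principalType": "Group",
   "principalId": "PLACEHOLDER-PIM-GROUP-ID", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64"},
  {"principalName": "PIM-Owner", "principalType": "Group",
   "principalId": "PLACEHOLDER-PIM-GROUP-ID", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/065cc24a-077e-40b9-b666-2f4dd9f3a617"},
  {"principalName": "IT-Admins", "principalType": "Group",
   "principalId": "6b982f2f-78a0-44a8-b915-79240b2b4796", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/065cc24a-077e-40b9-b666-2f4dd9f3a617"},
  {"principalName": "auditor@hoa.example", "principalType": "User",
   "principalId": "PLACEHOLDER-USER-ID", "roleDefinitionName": "Reader",
   "scope": "/subscriptions/065cc24a-077e-40b9-b666-2f4dd9f3a617"}
]"""

# Constructed: `az ad group member list --group <id>` output per group object id.
# Microsoft Graph tags each member with @odata.type, which is how nesting shows up.
GROUP_MEMBERS_JSON = {
    "6b982f2f-78a0-44a8-b915-79240b2b4796": """[
      {"@odata.type": "#microsoft.graph.user", "id": "PLACEHOLDER-U1",
       "displayName": "Alice", "userPrincipalName": "alice@hoa.example"},
      {"@odata.type": "#microsoft.graph.group", "id": "631ebd3f-39f9-4492-a780-aef2aec8c94e",
       "displayName": "Helpdesk-Tier2"}
    ]""",
    "631ebd3f-39f9-4492-a780-aef2aec8c94e": """[
      {"@odata.type": "#microsoft.graph.user", "id": "PLACEHOLDER-U2",
       "displayName": "Bob", "userPrincipalName": "bob@hoa.example"},
      {"@odata.type": "#microsoft.graph.user", "id": "PLACEHOLDER-U3",
       "displayName": "Carol", "userPrincipalName": "carol@hoa.example"}
    ]""",
}


def load_members(raw: Dict[str, str]) -> Dict[str, List[dict]]:
    """Parse per-group CLI output into Python lists keyed by group object id."""
    return {gid: json.loads(body) for gid, body in raw.items()}


def expand_group(group_id: str, members_by_group: Dict[str, List[dict]],
                 _seen: Set[str] = None) -> Set[str]:
    """Resolve a group, following nested groups, to the set of user principal names.

    This is the by-hand loop of Goals 4 and 5: every nested group that turns up
    gets its own member listing. `_seen` stops infinite recursion should the
    group graph ever contain a cycle.
    """
    if _seen is None:
        _seen = set()
    if group_id in _seen:
        return set()
    _seen.add(group_id)
    users: Set[str] = set()
    for member in members_by_group.get(group_id, []):
        kind = member.get("@odata.type")
        if kind == "#microsoft.graph.group":
            users |= expand_group(member["id"], members_by_group, _seen)
        elif kind == "#microsoft.graph.user":
            users.add(member["userPrincipalName"])
        # Service principals and devices are skipped here; a fuller audit lists them too.
    return users


def find_permanent_owners(assignments: List[dict],
                          members_by_group: Dict[str, List[dict]],
                          pim_groups: Set[str] = PIM_GROUP_NAMES) -> Dict[str, Dict[str, List[str]]]:
    """Map each scope to {granting principal: effective users} for Owner access
    that is not routed through a PIM-managed group, i.e. is permanent."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for a in assignments:
        if a.get("roleDefinitionName") != "Owner":
            continue
        if a["principalType"] == "Group":
            if a["principalName"] in pim_groups:
                continue  # eligible-only access, activated through PIM
            users = expand_group(a["principalId"], members_by_group)
        else:
            users = {a["principalName"]}  # direct grant to a user or service principal
        findings.setdefault(a["scope"], {})[a["principalName"]] = sorted(users)
    return findings


def audit_sample() -> Dict[str, Dict[str, List[str]]]:
    """Run the audit over the constructed sample data."""
    assignments = json.loads(ROLE_ASSIGNMENTS_JSON)
    return find_permanent_owners(assignments, load_members(GROUP_MEMBERS_JSON))


if __name__ == "__main__":
    for scope, grants in audit_sample().items():
        for principal, users in grants.items():
            print(f"{scope}: permanent Owner via {principal!r} -> {', '.join(users)}")
```

On the sample data the first subscription produces no finding, because its only Owner grant is the PIM group, while the second is reported with `IT-Admins` resolving through `Helpdesk-Tier2` to three standing Owners. Against a real tenant you would replace the two JSON constants with the output of the CLI commands named above (with the query argument quoted so the shell does not eat the single quotes).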
Goal 6
elevated access instead of permanent assignments.
Permanent Owner roles create persistent attack paths and violate least-privilege principles.
Challenge Complete! To finish, type: finish
finish
This completes the challenge.

Answer
Completed in the game.
Response
Goose James
You found the permanent assignments! CLUCK!
See, I'm not crazy - the security really WAS misconfigured. Now maybe I can finally get some peace and quiet...
Learnings
- Permanent Owner assignments can be dangerous, especially when they're hidden behind groups and nested memberships.
Prevention & Hardening Notes
- Use Azure PIM for all Owner-level access and avoid permanent Owner assignments at the subscription scope.
- Regularly audit RBAC role assignments, including group memberships and nested groups, to ensure least-privilege is actually being enforced.