
Spare Key⚓︎


Difficulty:
Direct link: Spare Key
Area: Near the pond
In-game avatar: Goose Barry

Objective⚓︎

Request

Help Goose Barry near the pond find the long-lived SAS token that an admin leaked by uploading an infrastructure config file to the HOA's static website on Azure Storage, and report exactly where it lives.

Goose Barry

You want me to say what exactly? Do I really look like someone who says MOOO? The Neighborhood HOA hosts a static website on Azure Storage. An admin accidentally uploaded an infrastructure config file that contains a long-lived SAS token. Use Azure CLI to find the leak and report exactly where it lives.

High-Level Steps⚓︎

  1. Enumerate – Identify Azure resources and storage accounts.
  2. Inspect – Review containers and static website files for sensitive data.
  3. Confirm – Analyze exposed configuration files to confirm the secret leak.

```mermaid
flowchart TD

  subgraph Row1["Enumerate"]
    direction LR
    A[List resource groups]
    B[List storage accounts]
    A --> B
  end

  subgraph Row2["Inspect"]
    direction LR
    C[Check static website settings]
    D[List containers and blobs]
    C --> D
  end

  subgraph Row3["Confirm"]
    direction LR
    E[Download suspect file]
    F[Identify exposed SAS token]
    G[Objective completed]
    E --> F --> G
  end

  Row1 --> Row2
  Row2 --> Row3
```

Solution⚓︎

Goal 1⚓︎

In-game prompt:

Let's start by listing all resource groups.
$ az group list -o table
This will show all resource groups in a readable table format.

```bash
az group list -o table
```

The table lists every resource group the signed-in identity can see; the one that matters here is rg-the-neighborhood.

Goal 2⚓︎

In-game prompt:

az storage account list --resource-group rg-the-neighborhood -o table
This shows what storage accounts exist and their types.

```bash
az storage account list --resource-group rg-the-neighborhood -o table
```

The HOA's storage account is neighborhoodhoa.

Goal 3⚓︎

In-game prompt:

Someone mentioned there was a website in here.
maybe a static website?
try:$ az storage blob service-properties show --account-name --auth-mode login

```bash
az storage blob service-properties show --account-name neighborhoodhoa --auth-mode login
```

In the JSON output, `staticWebsite.enabled` set to `true` (together with `indexDocument`) confirms static website hosting is on, which means the site content is served from the special `$web` container.

Goal 4⚓︎

In-game prompt:

Let's see what 📦 containers exist in the storage account.
💡 Hint: You will need to use az storage container list.
We want to list the container and its public access levels.

```bash
az storage container list --account-name neighborhoodhoa --auth-mode login
```

Each container's `properties.publicAccess` field shows its anonymous access level (`null` for private, `blob` or `container` otherwise). Note that `$web` is served anonymously through the static website endpoint regardless of that setting, so anything in it is public even when the container itself reports no public access.

Goal 5⚓︎

In-game prompt:

Examine what files are in the static website container
💡 hint: when using --container-name you might need ''
Look 👀 for any files that shouldn't be publicly accessible!

Looking at the container named "public":

```bash
az storage blob list --account-name neighborhoodhoa --auth-mode login --container-name public
```

Looking at the container named "$web" (single quotes stop the shell from expanding `$web` as a variable):

```bash
az storage blob list --account-name neighborhoodhoa --auth-mode login --container-name '$web' --output table
```

Alongside the expected site files, the listing shows an `iac/` folder containing `terraform.tfvars`, which has no business in a public website container.

Goal 6⚓︎

In-game prompt:

Take a look at the files here, what stands out?
Try examining a suspect file 🕵️:
💡 hint: --file /dev/stdout | less will print to your terminal 💻.

```bash
az storage blob download --account-name neighborhoodhoa --auth-mode login --container-name '$web' --name iac/terraform.tfvars --file tfvars.txt --debug
```

The downloaded `tfvars.txt` contains the SAS token (a query string carrying `sv=`, `sp=`, `se=` and `sig=` parameters). `--debug` is optional; it only prints the CLI's HTTP trace. The leak therefore lives at `$web/iac/terraform.tfvars` in the neighborhoodhoa storage account, reachable anonymously through the static website endpoint.

Goal 7⚓︎

⚠️ Accidentally uploading config files to $web can leak secrets. 🔐
Challenge Complete! To finish, type: finish Spare key

Answer

Completed in the game.

Response⚓︎

Goose Barry

There it is. A SAS token with read-write-delete permissions, publicly accessible.
At least someone around here knows how to do a proper security audit.

Learnings⚓︎

A static website can also accidentally expose config files (such as terraform.tfvars) with secrets.

Prevention & Hardening Notes⚓︎

  1. Keep infrastructure files out of the site artifact. Build the static site into a dedicated output directory and upload only that directory to `$web`; never sync the repository root (which holds `iac/`, `*.tfvars`, `.env` and state files) to the container. A pre-deploy check that fails the pipeline when the artifact contains such files catches the mistake before it ships.
  2. Hunt for exposed secrets in blob containers, S3 buckets and similar stores, and treat anything found as compromised. A SAS token cannot be revoked on its own: a token signed with a storage account key stays valid until its `se=` expiry unless that account key is rotated (which invalidates every SAS signed with it). Rotate the key, then reissue only short-lived, least-privilege tokens, or use user delegation SAS bound to an Entra identity so the delegation key can be revoked instead.
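The enumeration in Goals 4 to 6 and the secret hunt in note 2 above can be scripted so that every blob in an account is checked rather than eyeballed. The script below is an added example written for this walkthrough; it is not the challenge's own code and not part of the Azure CLI. It assumes an authenticated `az` session with Storage Blob Data Reader on the account (so `--auth-mode login` works) and text-based config files. The account name neighborhoodhoa comes from the page; `SAMPLE_TFVARS` is a constructed stand-in for the leaked file, with made-up `sig` values, so the parsing logic can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example for this walkthrough; not the challenge's code and not part of
# the Azure CLI. Hunts for SAS tokens in every blob of a storage account and
# reports, per token, where it lives (container/blob), its permissions (sp),
# its expiry (se) and whether it is long-lived.
# Assumptions: an authenticated `az` session with Storage Blob Data Reader on
# the account (so --auth-mode login works) and text config files. The account
# name neighborhoodhoa comes from the page; SAMPLE_TFVARS below is constructed
# for this example and its sig values are made up.
set -u

# sas_field <token> <name>: value of name=... in a query string, empty if absent.
sas_field() {
  printf '%s\n' "$1" | tr '?&' '\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# sas_is_long_lived <se> [reference_year]: succeeds when the expiry year is at
# least a year past the reference year (default: this year). Short lifetimes
# are the recommended practice, so anything this long deserves a look.
sas_is_long_lived() {
  local se_year=${1%%-*} ref_year=${2:-$(date +%Y)}
  [ "$se_year" -ge $((ref_year + 1)) ] 2>/dev/null
}

# sas_tokens_in <text>: prints each SAS token (with the URL it hangs off, if
# any), one per line. A SAS token always carries sig= (the HMAC) and sv= (the
# service version); requiring both keeps false positives down.
sas_tokens_in() {
  printf '%s\n' "$1" \
    | grep -oE '[A-Za-z0-9_%=&+./:?-]*sig=[A-Za-z0-9%+/=]+[A-Za-z0-9_%=&+./:-]*' \
    | grep 'sv=' || true
}

# sas_report <label> <text>: one finding line per token:
#   <label> sp=<perms> se=<expiry> long_lived=<yes|no> write_or_delete=<yes|no>
# Returns 0 if at least one token was found, 1 otherwise.
sas_report() {
  local label=$1 text=$2 found=1 tok sp se ll wd
  while IFS= read -r tok; do
    [ -n "$tok" ] || continue
    found=0
    sp=$(sas_field "$tok" sp)
    se=$(sas_field "$tok" se)
    if sas_is_long_lived "$se"; then ll=yes; else ll=no; fi
    case $sp in *[wd]*) wd=yes ;; *) wd=no ;; esac
    printf '%s sp=%s se=%s long_lived=%s write_or_delete=%s\n' \
      "$label" "$sp" "$se" "$ll" "$wd"
  done <<EOF
$(sas_tokens_in "$text")
EOF
  return $found
}

# audit_account <account>: download every text blob in every container of the
# account and run sas_report on it, labelling findings container/blob.
audit_account() {
  local account=$1 container blob dir
  dir=$(mktemp -d)
  for container in $(az storage container list --account-name "$account" \
                       --auth-mode login --query '[].name' -o tsv); do
    while IFS= read -r blob; do
      [ -n "$blob" ] || continue
      rm -f "$dir/blob"
      az storage blob download --account-name "$account" --auth-mode login \
        --container-name "$container" --name "$blob" --file "$dir/blob" \
        --only-show-errors >/dev/null || continue
      grep -Iq . "$dir/blob" || continue   # skip binary blobs (images, fonts)
      sas_report "$container/$blob" "$(cat "$dir/blob")" || true
    done <<EOF
$(az storage blob list --account-name "$account" --auth-mode login \
     --container-name "$container" --query '[].name' -o tsv)
EOF
  done
  rm -rf "$dir"
}

# Constructed sample of a leaked terraform.tfvars (made-up values, fake sigs).
SAMPLE_TFVARS='storage_account_name = "neighborhoodhoa"
backup_sas_url       = "https://neighborhoodhoa.blob.core.windows.net/backups?sv=2022-11-02&ss=b&srt=sco&sp=rwdlacx&se=2035-01-01T00:00:00Z&st=2025-01-01T00:00:00Z&spr=https&sig=NOTAREALSIG%2BfakeFake%3D"
readonly_sas_token   = "?sv=2022-11-02&ss=b&srt=o&sp=r&se=2025-06-01T00:00:00Z&spr=https&sig=alsoNotReal%3D"
location             = "eastus"'

# Usage: ./sas-hunt.sh <storage-account>   scan a live account
#        ./sas-hunt.sh --self-test         scan the constructed sample
case ${1:-} in
  --self-test) sas_report '$web/iac/terraform.tfvars' "$SAMPLE_TFVARS" ;;
  '') ;;
  *) audit_account "$1" ;;
esac
```

Run it with `--self-test` to see the two findings from the constructed sample: the first token is flagged both long-lived and write/delete-capable, the second is a short-lived read-only token. Against a real account, every finding line names the container and blob path, which is exactly the "where it lives" the challenge asks for; the two flags then tell you which tokens need the signing key rotated first.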