🟢Learning Objective 10

Task

In the Attack Lab:

  1. Find and exploit the RCE vulnerability in the analytics application https://analytics.pharmacorphq.com/

  2. Request an access token by leveraging the Managed Identity.

Applies to: Attack Lab

Topics Covered: RCE Vulnerability Exploitation, Request Access Token, and Information Extraction from Managed Identity

firefox https://analytics.pharmacorphq.com/

Create a new category and abuse command injection using URL encoding.

Execute the set command again to extract the environment variables.

After investigating the output, we see an IDENTITY endpoint.

Azure provides the ability to assign Managed Identities to resources like App Services, Function Apps, Virtual Machines, and more.

Managed Identities are a feature of Azure Active Directory that eliminates the need for developers to manage credentials in their code, offering a more secure and streamlined authentication process.

These identities can be used to authenticate and access Azure services and resources without the need for embedded secrets or keys.

Managed Identities can be assigned automatically, either as system-assigned or user-assigned, to a wide range of Azure resources, ensuring secure and seamless access control across your cloud infrastructure.

Forge a request abusing OS Injection:

Go to Pastebin and create a new paste:

URL Encoding:

After obtaining the access token, remove any whitespace. The cleaned token can then be used with the Az PowerShell module to authenticate and list resources accessible to the Managed Identity.

Token:
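Seen from the defender's side, the steps above leave traces in the web server log. The following is an added example (not part of the original write-up or the lab's code) that triages request parameters for URL-encoded command separators, environment dumps and references to the App Service managed identity variables. The log format, the /category/create path and the name parameter are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines. The /category/create path and the "name"
# parameter are assumptions; the page does not show the real request.
SAMPLE_LOG = [
    '10.0.0.5 "GET /category/create?name=Vitamins HTTP/1.1" 200',
    '10.0.0.5 "GET /category/create?name=R%26D HTTP/1.1" 200',
    '10.0.0.9 "GET /category/create?name=x%3Bset HTTP/1.1" 200',
    '10.0.0.9 "GET /category/create?name=x%253Becho%2520%2524IDENTITY_HEADER HTTP/1.1" 200',
]

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
SIGNALS = {
    # Command chaining or substitution characters.
    "shell-metachar": re.compile(r"[;&|`]|\$\("),
    # Environment listing right after a separator (the "set" step on the page).
    "env-dump": re.compile(r"[;&|`]\s*(?:set|env|printenv)\b", re.I),
    # Variables App Service sets when a managed identity is assigned.
    "identity-ref": re.compile(r"IDENTITY_(?:ENDPOINT|HEADER)", re.I),
}

def fully_decode(value, max_rounds=3):
    """Undo URL encoding left after the first decode; return (value, extra_rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def triage(lines):
    """Return (line_no, param, tags, verdict) for every parameter with a finding."""
    results = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for param, once in parse_qsl(query, keep_blank_values=True):
            value, extra = fully_decode(once)
            tags = {name for name, rx in SIGNALS.items() if rx.search(value)}
            if extra:
                tags.add("multi-encoded")  # encoded more than once: filter evasion
            if tags:
                # A lone metacharacter ("R&D") is a review; with a second signal it alerts.
                verdict = "alert" if "shell-metachar" in tags and len(tags) > 1 else "review"
                results.append((line_no, param, sorted(tags), verdict))
    return results
```

Calling `triage(SAMPLE_LOG)` skips the benign request, marks the `R&D` category for review, and raises alerts on the two injected requests.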
