In this post we present Cyclone, the BlackSky Cloud Hacking Lab scenario for Microsoft Azure by Hack The Box and our review of it.
Y-Security recently collaborated with Hack The Box and took on the challenge of reviewing their BlackSky Cloud Hacking Labs. The main focus of the review was testing the challenges and the presented attack path against Y-Security’s experience of real-life attacks in cloud environments.
Overview of BlackSky Cloud Labs
The BlackSky Cloud Hacking Labs are separated into individual scenarios, each hosted in the environment of one of the most common cloud providers, namely Amazon Web Services, Google Cloud Platform and Microsoft Azure. Each environment contains a unique scenario and attack path that reaches the goal of the assessment by chaining common cloud-related vulnerabilities and misconfigurations.
BlackSky provides dedicated scenarios, allowing you to practice different attack techniques and exploitation of common vulnerabilities, in order to understand how cloud platforms can be compromised.
Cyclone: Microsoft Azure
In the below section we give some feedback and insights into the Cyclone: Microsoft Azure scenario and our experience with realistic vulnerabilities in Azure cloud infrastructures. Y-Security followed its detailed Cloud Penetration Testing methodology while solving the Cloud Hacking Lab.
Scope of Cyclone
The Cyclone: Microsoft Azure scenario targets the resources listed below, which are also likely to be found in a real cloud project. Additionally, Hack The Box promoted the scenario with the following attack techniques and outcomes:
Resources
- Microsoft PowerShell
- Azure Storage
- Azure Keyvaults
- Azure Runbooks
- Azure Logic Apps
- Container Management
- DevOps vectors
Promoted Outcome
- Azure enumeration
- Exploitation of serverless applications
- Exploiting misconfigurations
- Lateral movement
- Local privilege escalation
- Mitigations and best practices
- Situational awareness
- Phishing
Tips & Tricks
Since Azure is Microsoft’s very own cloud platform, it is often used within Windows-heavy environments and comes with its own Azure Active Directory. Therefore any prior experience with PowerShell and Windows in general will be beneficial when working on this lab. Most tools targeted at Azure aim at external attack vectors and information gathering; however, the Cyclone lab is designed as an "assumed compromise" exercise, which is why most of the lab could be done with Microsoft’s own toolkit. Some of the tools I used are highlighted below:
- Azure CLI: Microsoft’s CLI Tool to interact with Azure (Windows, Linux & Mac)
- Azure PowerShell: Microsoft’s Collection of PowerShell Scripts to interact with Azure
- AADInternals: A PowerShell Module aimed at Azure AD Hacking
- ROADtools: ROADtools is a framework written in Python to interact with Azure AD
- 365-Stealer: 365-Stealer is a tool written in Python3 which can be used in illicit consent grant attacks
- Mimikatz: A popular tool to extract secrets from Windows memory and perform various types of attacks against Windows systems
The Lab
At the beginning of the lab we receive a set of credentials that belong to an already compromised employee, which means we can start right from the Azure Portal. Our target is a fictional company named Mega Multinational, and the goal is to escalate privileges, gain access to several resources and collect all 14 flags along the way.
During the lab I felt there was always a clear path that led me to the next target inside the company’s Azure environment, with a few sidetracks to collect more flags. Some of those could be obtained independently, while others required me to chain multiple things.
Attack Path
The demonstrated attack path requires you to exploit cloud misconfigurations, perform post-exploitation steps and move laterally through the company’s Azure environment, as well as closely inspect already compromised assets. While working through the lab you will see common mistakes that are often found in real assessments and environments, such as hardcoded credentials or token theft.
Y-Security followed its Cloud Penetration Testing methodology during the assessment which aligns and completes common methodologies and frameworks in particular the OWASP Web Security Testing Guide, the BSI Leitfaden IT-Sicherheits-Penetrationstest, applicable CIS Benchmarks, the MITRE ATT&CK® Framework and Cloud Provider specific security best practice guidelines.
Sometimes it’s important to explore multiple techniques to perform an attack, as one might not lead to the desired result or might not work at all. There were some instances in the lab where you should use the GUI, and some where you should use the CLI, or both. You will use some familiar tools like mimikatz and discover that it can also be very useful during a Cloud Assessment.
Conclusion
As someone with very little prior experience in Microsoft Azure and Cloud Platforms in general, this lab was a great introduction to Cloud Penetration Testing. This lab taught me that it’s important to stay up to date and do my own research, as technology and especially the Cloud constantly evolves. I would recommend this lab for anyone with an interest in Cloud Security, who has some experience in Windows Penetration Testing and Lateral Movement.
Personally I learned a lot about the different services that Azure offers and how to interact with them or even subvert their intended purpose. Some flags were a little more hidden than others, which was tiresome at first, but it required me to methodically go through different configurations and paths within Azure, that I normally would have ignored.
Compared to the AWS: Hailstorm and GCP: Blizzard Labs this one was definitely the most approachable for me because I was able to solve most of it without relying on third party tools and I think HackTheBox did a great job with keeping me focused and steering me into the right direction.
This lab is a great introduction to Azure Penetration Testing and an absolute recommendation for every fan of the usually more AD-focused HackTheBox Pro Labs who wants to try something a little different and get their feet wet with attacking cloud infrastructure.
Thore
Further Reading
We would like to thank Hack The Box for providing us with access to have a deep dive into their professional offerings and benchmarking our cloud testing methodology against those sophisticated playbook exercises.
Author
Thore Imhof
thore@y-security.de
Y-Security GmbH
28 February 2023