During App Service enumeration, you discover that the compromised user can read App Service application settings. Find the hidden flag stored in the application settings.
正解:
See the Answer in Explanation below.
Explanation:
Flag{app_settings_should_not_store_secrets}
Detailed Solution:
Query App Service settings:
az webapp config appsettings list \
--name finance-reporting-api \
--resource-group rg-prod-apps-eastus \
--output json
Search for suspicious keys:
az webapp config appsettings list \
--name finance-reporting-api \
--resource-group rg-prod-apps-eastus \
--query " [?contains(name, ' FLAG ' ) || contains(name, ' Flag ' ) || contains(name, ' SECRET ' )] " \
--output table
Expected output:
Name SlotSetting Value
---------- ------------- ----------------------------------------
APP_FLAG False Flag{app_settings_should_not_store_secrets}
The flag is:
Flag{app_settings_should_not_store_secrets}
質問 2:
After gaining access to the Azure tenant, enumerate all resource groups available to the compromised user.
One resource group contains the word prod. What is the name of that resource group?
正解:
See the Answer in Explanation below.
Explanation:
rg-prod-apps-eastus
Detailed Solution:
List accessible resource groups:
az group list --output table
For a cleaner search:
az group list \
--query " [?contains(name, ' prod ' )].{Name:name,Location:location} " \
--output table
Expected output:
Name Location
-------------------- ----------
rg-prod-apps-eastus eastus
The resource group containing prod is:
rg-prod-apps-eastus
質問 3:
You've gained access to the Azure environment, now dig deeper. One of the accessible resources contains a hidden flag.
正解:
See the Answer in Explanation below.
Explanation:
Flag{a92f7e0c3c4b9d88a1f54e6723d4c1a2}
Detailed Solution:
Start by listing all Azure resources accessible to the compromised user.
az resource list --output table
The environment exposes at least these resources:
RnD-Tools Excalibur-Resources ukwest Microsoft.Web/sites
WebAppTokenIdentity Excalibur-Resources ukwest Microsoft.ManagedIdentity/userAssignedIdentities The most interesting target is the App Service:
RnD-Tools
Web Apps often store configuration values in App Settings. These commonly contain secrets, flags, API keys, connection strings, or credentials.
Query the App Service application settings:
az webapp config appsettings list \
--name RnD-Tools \
--resource-group Excalibur-Resources \
--output json
Look for keys such as:
Flag
secret
password
token
connectionString
clientSecret
The exposed app setting contains:
{
" name " : " Flag " ,
" slotSetting " : false,
" value " : " Flag{a92f7e0c3c4b9d88a1f54e6723d4c1a2} "
}
Final answer:
Flag{a92f7e0c3c4b9d88a1f54e6723d4c1a2}
質問 4:
The compromised service principal has Contributor access to a resource group but no direct Key Vault data- plane role. Can it immediately read Key Vault secret values?
A. No, service principals cannot access Key Vault
B. No, Contributor does not automatically grant Key Vault secret data-plane read
C. Yes, Contributor includes secret read permissions
D. Yes, if the vault is in the same resource group
正解:B
解説: (Pass4Test メンバーにのみ表示されます)
2 お客様のコメント




Fukano -
Pass4Testお陰様でいい問題集を出会いました。感謝です。