Merge pull request #239 from HackTricks-wiki/update_Holiday_Hack_Challenge_2025__Blob_Storage__Storage_20260106_124314

Holiday Hack Challenge 2025 Blob Storage (Storage Secrets)

Author: carlospolop

src/pentesting-cloud/azure-security/az-services/az-storage.md

@@ -65,6 +65,30 @@ If "Allow Blob public access" is **enabled** (disabled by default), when creatin
 
 <figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUfoetUnYBPWQpRrWNnnlbqWpl8Rdoaeg5uBrCVlvcNDlnKwQHjZe8nUb2SfPspBgbu-lCZLmUei-hFi_Jl2eKbaxUtBGTjdUSDmkrcwr90VZkmuMjk9tyh92p75btfyzGiUTa0-=s2048?key=m8TV59TrCFPlkiNnmhYx3aZt" alt=""><figcaption></figcaption></figure>
 
+#### Auditing anonymous blob exposure
+
+- **Locate storage accounts** that can expose data: `az storage account list | jq -r '.[] | select(.properties.allowBlobPublicAccess==true) | .name'`. If `allowBlobPublicAccess` is `false` you cannot turn containers public.
+- **Inspect risky accounts** to confirm the flag and other weak settings: `az storage account show --name <acc> --query '{allow:properties.allowBlobPublicAccess, minTls:properties.minimumTlsVersion}'`.
+- **Enumerate container-level exposure** where the flag is enabled:
+
+```bash
+az storage container list --account-name <acc> \
+  --query '[].{name:name, access:properties.publicAccess}'
+```
+
+  - `"Blob"`: anonymous reads allowed **only when blob name is known** (no listing).
+  - `"Container"`: anonymous **list + read** of every blob.
+  - `null`: private; authentication required.
+- **Prove access** without credentials:
+  - If `publicAccess` is `Container`, anonymous listing works: `curl "https://<acc>.blob.core.windows.net/<container>?restype=container&comp=list"`.
+  - For both `Blob` and `Container`, anonymous blob download works when the name is known:
+
+```bash
+az storage blob download -c <container> -n <blob> --account-name <acc> --file /dev/stdout
+# or via raw HTTP
+curl "https://<acc>.blob.core.windows.net/<container>/<blob>"
+```
+
 ### Connect to Storage
 
 If you find any **storage** you can connect to you could use the tool [**Microsoft Azure Storage Explorer**](https://azure.microsoft.com/es-es/products/storage/storage-explorer/) to do so.
@@ -222,6 +246,9 @@ Azure Blob Storage now supports the SSH File Transfer Protocol (SFTP), enabling
 {{#tabs }}
 {{#tab name="az cli" }}
 
+<details>
+<summary>az cli enumeration</summary>
+
 ```bash
 # Get storage accounts
 az storage account list #Get the account name from here
@@ -339,11 +366,16 @@ az storage account local-user list \
   --resource-group <resource-group-name>
 ```
 
+</details>
+
 {{#endtab }}
 
 {{#tab name="Az PowerShell" }}
 
-```bash
+<details>
+<summary>Az PowerShell enumeration</summary>
+
+```powershell
 # Get storage accounts
 Get-AzStorageAccount | fl
 # Get rules to access the storage account
@@ -401,6 +433,8 @@ New-AzStorageBlobSASToken `
   -ExpiryTime (Get-Date "2024-12-31T23:59:00Z")
 ```
 
+</details>
+
 {{#endtab }}
 {{#endtabs }}
 
@@ -433,6 +467,10 @@ az-file-shares.md
 - [https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
 - [https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview](https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview)
 - [https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support](https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support)
+- [Holiday Hack Challenge 2025: Blob Storage (Storage Secrets)](https://0xdf.gitlab.io/holidayhack2025/act1/blob-storage)
+- [https://learn.microsoft.com/en-us/cli/azure/storage/account](https://learn.microsoft.com/en-us/cli/azure/storage/account)
+- [https://learn.microsoft.com/en-us/cli/azure/storage/container](https://learn.microsoft.com/en-us/cli/azure/storage/container)
+- [https://learn.microsoft.com/en-us/cli/azure/storage/blob](https://learn.microsoft.com/en-us/cli/azure/storage/blob)
 
 {{#include ../../../banners/hacktricks-training.md}}