Merge pull request #240 from HackTricks-wiki/update_Holiday_Hack_Challenge_2025__Act_1__-_Spare_Key_20260106_124916

carlospolop · web-flow · commit c716f0a3ba9e · 2026-01-18T15:57:07.000+01:00
Holiday Hack Challenge 2025 (Act 1) - Spare Key
diff --git a/src/pentesting-cloud/azure-security/az-services/az-storage.md b/src/pentesting-cloud/azure-security/az-services/az-storage.md
@@ -65,7 +65,24 @@ If "Allow Blob public access" is **enabled** (disabled by default), when creatin
 
 <figure><img src="https://lh7-rt.googleusercontent.com/slidesz/AGV_vUfoetUnYBPWQpRrWNnnlbqWpl8Rdoaeg5uBrCVlvcNDlnKwQHjZe8nUb2SfPspBgbu-lCZLmUei-hFi_Jl2eKbaxUtBGTjdUSDmkrcwr90VZkmuMjk9tyh92p75btfyzGiUTa0-=s2048?key=m8TV59TrCFPlkiNnmhYx3aZt" alt=""><figcaption></figcaption></figure>
 
-#### Auditing anonymous blob exposure
+### Static website (`$web`) exposure & leaked secrets
+
+- **Static websites** are served from the special `$web` container over a region-specific endpoint such as `https://<account>.z13.web.core.windows.net/`.
+- The `$web` container may report `publicAccess: null` via the blob API, but files are still reachable through the static site endpoint, so dropping config/IaC artifacts there can leak secrets.
+- Quick audit workflow:
+
+```bash
+# Identify storage accounts with static website hosting enabled
+az storage blob service-properties show --account-name <acc-name> --auth-mode login
+# Enumerate containers (including $web) and their public flags
+az storage container list --account-name <acc-name> --auth-mode login
+# List files served by the static site even when publicAccess is null
+az storage blob list --container-name '$web' --account-name <acc-name> --auth-mode login
+# Pull suspicious files directly (e.g., IaC tfvars containing secrets/SAS)
+az storage blob download -c '$web' --name iac/terraform.tfvars --file /dev/stdout --account-name <acc-name> --auth-mode login
+```
+
+### Auditing anonymous blob exposure
 
 - **Locate storage accounts** that can expose data: `az storage account list | jq -r '.[] | select(.properties.allowBlobPublicAccess==true) | .name'`. If `allowBlobPublicAccess` is `false` you cannot turn containers public.
 - **Inspect risky accounts** to confirm the flag and other weak settings: `az storage account show --name <acc> --query '{allow:properties.allowBlobPublicAccess, minTls:properties.minimumTlsVersion}'`.
@@ -467,6 +484,7 @@ az-file-shares.md
 - [https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
 - [https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview](https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview)
 - [https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support](https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support)
+- [Holiday Hack Challenge 2025 – Spare Key (Azure static website SAS leak)](https://0xdf.gitlab.io/holidayhack2025/act1/spare-key)
 - [Holiday Hack Challenge 2025: Blob Storage (Storage Secrets)](https://0xdf.gitlab.io/holidayhack2025/act1/blob-storage)
 - [https://learn.microsoft.com/en-us/cli/azure/storage/account](https://learn.microsoft.com/en-us/cli/azure/storage/account)
 - [https://learn.microsoft.com/en-us/cli/azure/storage/container](https://learn.microsoft.com/en-us/cli/azure/storage/container)
