Merge pull request #28 from teamssix/main

feat: add azure container blob traversal scenario

Author: teamssix

README.md

@@ -38,7 +38,8 @@ Currently supported cloud vendors include Alibaba Cloud, Tencent Cloud, Huawei C
 |  24  | Google  Cloud Platform |      Object Storage       | [Unrestricted File Upload](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/unrestricted_file_upload) |
 |  25  |  Google  Cloud Platform  | Elastic Computing Service | [VM Command Execution](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/elastic_computing_service/vm_command_execution) |
 |  26  |    Microsoft  Azure    |      Object Storage       | [Blob  Public Access](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/blob_public_access/) |
-|  27  |  Microsoft  Azure  | Elastic Computing Service | [VM Command Execution](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/elastic_computing_service/vm_command_execution) |
+|  27  |    Microsoft  Azure    |      Object Storage       | [Container_Blob Traversal](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/container_blob_traversal/) |
+|  28  |  Microsoft  Azure  | Elastic Computing Service | [VM Command Execution](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/elastic_computing_service/vm_command_execution) |
 
 ## :dizzy: Install
 

README_CN.md

@@ -13,7 +13,7 @@ Cloud Platform、Microsoft Azure 六个云厂商的云场景漏洞搭建。
 | :--: | :--------------------: | :----------: | :----------------------------------------------------------: |
 |  1   |         腾讯云         |   对象存储   | [Bucket 对象遍历](https://github.com/HuoCorp/TerraformGoat/tree/main/tencentcloud/object_storage_service/bucket_object_traversal) |
 |  2   |         腾讯云         |   对象存储   | [任意文件上传](https://github.com/HuoCorp/TerraformGoat/tree/main/tencentcloud/object_storage_service/unrestricted_file_upload) |
-|  2   |         腾讯云         |   对象存储   | [Bucket ACL 可写](https://github.com/HuoCorp/TerraformGoat/tree/main/tencentcloud/object_storage_service/bucket_acl_writable) |
+|  3  |         腾讯云         |   对象存储   | [Bucket ACL 可写](https://github.com/HuoCorp/TerraformGoat/tree/main/tencentcloud/object_storage_service/bucket_acl_writable) |
 |  4  |         腾讯云         |   弹性计算服务   | [CVM SSRF 漏洞环境](https://github.com/HuoCorp/TerraformGoat/tree/main/tencentcloud/elastic_computing_service/cvm_ssrf) |
 |  5  |         阿里云         |   对象存储   | [Bucket 对象遍历](https://github.com/HuoCorp/TerraformGoat/tree/main/aliyun/object_storage_service/bucket_object_traversal) |
 |  6  |         阿里云         |   对象存储   | [Object ACL 可写](https://github.com/HuoCorp/TerraformGoat/tree/main/aliyun/object_storage_service/object_acl_writable) |
@@ -37,7 +37,8 @@ Cloud Platform、Microsoft Azure 六个云厂商的云场景漏洞搭建。
 |  24  | Google  Cloud Platform |   对象存储   | [任意文件上传](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/unrestricted_file_upload) |
 |  25  |  Google  Cloud Platform  | 弹性计算服务 | [VM 命令执行漏洞环境](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/elastic_computing_service/vm_command_execution) |
 |  26  |    Microsoft  Azure    |   对象存储   | [Blob 公开访问](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/blob_public_access/) |
-|  27  |  Microsoft  Azure  | 弹性计算服务 | [VM 命令执行漏洞环境](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/elastic_computing_service/vm_command_execution) |
+|  27  |    Microsoft  Azure    |   对象存储   | [Container Blob 遍历](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/container_blob_traversal/) |
+|  28  |  Microsoft  Azure  | 弹性计算服务 | [VM 命令执行漏洞环境](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/elastic_computing_service/vm_command_execution) |
 
 ## :dizzy: 安装
 

azure/object_storage_service/container_blob_traversal/README.md

@@ -0,0 +1,58 @@
+# Microsoft Azure storage blob traversal vulnerability environment
+
+English | [中文](./README_CN.md)
+
+## Description
+
+This is a vulnerability environment scenario for building traversal to Microsoft cloud storage blobs.
+
+After you build an environment with Terraform, the blobs in the container can be traversed.
+
+## Deployment Environment
+
+Execute the following command in the container
+
+```shell
+cd /TerraformGoat/azure/object_storage_service/container_blob_traversal/
+```
+
+Use the `az login` command for Azure identity authentication, and follow the prompts to authenticate.
+
+```shell
+az login
+```
+
+Deploy Vulnerable Environment
+
+```shell
+terraform init
+terraform apply
+```
+
+> When the terminal prompts `Enter a value:`, enter `yes`
+
+After the environment is set up, You can see the access address of the container at Outputs.
+
+## Vulnerability Utilization
+
+access container address, traverse blobs
+
+```shell
+https://hxxxxxx.blob.core.windows.net/hxxxxxx?restype=contriner&comp=list
+```
+
+![image](../../../images/1652413278.png)
+
+find the flag file
+
+```shell
+https://hxxxxxx.blob.core.windows.net/hxxxxxx/flag1650859
+```
+
+![image](../../../images/1652413373.png)
+
+## Destroy the environment
+
+```shell
+terraform destroy
+```

azure/object_storage_service/container_blob_traversal/README_CN.md

@@ -0,0 +1,60 @@
+# MicroSoft Azure storage blob 遍历漏洞环境
+
+[English](./README.md) | 中文
+
+## 描述信息
+
+这是一个用于构建微软云存储 blob 遍历的漏洞环境靶场。
+
+使用 Terraform 构建环境后，用户可以遍历到 container 中的 blob
+
+## 环境搭建
+
+在容器中执行以下命令
+
+```shell
+cd /TerraformGoat/azure/object_storage_service/container_blob_traversal/
+```
+
+通过 `az login` 命令进行 Azure 身份认证，根据提示进行认证即可。
+
+```shell
+az login
+```
+
+部署靶场
+
+```shell
+terraform init
+terraform apply
+```
+
+> 在终端提示 `Enter a value:` 时，输入 `yes` 即可
+
+当命令执行完后，在 Outputs 处可以看到 container 的访问地址。
+
+## 漏洞利用
+
+访问 container 地址，可以遍历 blob
+
+```shell
+https://hxxxxxx.blob.core.windows.net/hxxxxxx?restype=contriner&comp=list
+```
+
+![image](../../../images/1652413278.png)
+
+发现 flag 文件
+
+```shell
+https://hxxxxxx.blob.core.windows.net/hxxxxxx/flag1650859
+```
+
+![image](../../../images/1652413373.png)
+
+成功获得 flag
+
+## 销毁环境
+
+```shell
+terraform destroy
+```

azure/object_storage_service/container_blob_traversal/flag1650859

@@ -0,0 +1 @@
+{Congratulations on getting flag}

azure/object_storage_service/container_blob_traversal/main.tf

@@ -0,0 +1,36 @@
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "hxexample" {
+  name     = "hx${random_string.random_suffix.result}"
+  location = "West Europe"
+}
+
+resource "azurerm_storage_account" "hxexample" {
+  name                     = "hx${random_string.random_suffix.result}"
+  resource_group_name      = azurerm_resource_group.hxexample.name
+  location                 = azurerm_resource_group.hxexample.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+}
+
+resource "azurerm_storage_container" "hxexample" {
+  name                  = "hx${random_string.random_suffix.result}"
+  storage_account_name  = azurerm_storage_account.hxexample.name
+  container_access_type = "container"
+}
+
+resource "azurerm_storage_blob" "hxexample" {
+  name                   = "flag1650859"
+  storage_account_name   = azurerm_storage_account.hxexample.name
+  storage_container_name = azurerm_storage_container.hxexample.name
+  type                   = "Block"
+  source                 = "flag1650859"
+}
+
+resource "random_string" "random_suffix" {
+  length  = 5
+  special = false
+  upper   = false
+}

azure/object_storage_service/container_blob_traversal/outputs.tf

@@ -0,0 +1,4 @@
+output "azurerm_storage_container_url" {
+  value       = "https://${azurerm_resource_group.hxexample.name}.blob.core.windows.net/${azurerm_resource_group.hxexample.name}?restype=contriner&comp=list"
+  description = "This is the bucket name of azurerm storage container url"
+}

azure/object_storage_service/container_blob_traversal/versions.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "3.3.0"
+    }
+  }
+}