Microsoft Azure Automation allows customers to execute automation code in a managed fashion. You can schedule jobs, provide input and output, and more. Each customer’s automation code runs inside a sandbox, isolated from other customers’ code executing on the same virtual machine.
The researcher details their full process for finding the vulnerability. When trying to find a cross-client escape, the first thing to do is get a shell on the machine. With a shell, you can explore how the system works in full, including open ports, files, logs and many other things.
While looking through the logs, an interesting line popped up: http://127.0.0.1:40008. This was a local web service written in C#, which is easy to decompile, so they reverse engineered it to see what it did. Among the interesting things was a GET request that returns tokens allowing calls to be made in your account. By itself, this is fine.
The author noticed that the ports would jump around randomly within a range of about 10 ports. So, they ran a port scan within the service and noticed that ports 4000-4010 were always being used. When making the API call to get the JWT, you can request it for ANY of the accounts in the virtual machine! By making this call to other ports, you would get credentials for other accounts.
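The flaw class described above, a loopback token endpoint that trusts any local caller, shown next to one that authenticates the caller. This is an added example, not Microsoft's code and not taken from the write-up; the account names, the second port and the `X-Sandbox-Secret` header are hypothetical.

```python
import hmac
import secrets


# Constructed model: one token endpoint per sandbox, each on its own loopback port.
class TokenEndpoint:
    def __init__(self, account):
        self.account = account
        # Secret handed only to the sandbox that owns this endpoint
        # (assumption: injected into that sandbox at start-up).
        self.secret = secrets.token_urlsafe(32)

    def _token(self):
        # Stand-in for a signed JWT scoped to this account.
        return {"account": self.account, "access_token": secrets.token_urlsafe(16)}

    def get_token_vulnerable(self, headers):
        # Reachability on 127.0.0.1 is treated as proof of ownership:
        # any process on the VM that can connect receives the token.
        return 200, self._token()

    def get_token_hardened(self, headers):
        # The caller must present the per-sandbox secret (hypothetical header).
        # Constant-time comparison avoids leaking the secret through timing.
        presented = headers.get("X-Sandbox-Secret", "")
        if not hmac.compare_digest(presented.encode(), self.secret.encode()):
            return 403, {"error": "caller is not the owning sandbox"}
        return 200, self._token()


def demo():
    # Two tenants co-located on one VM (constructed sample data).
    endpoints = {40008: TokenEndpoint("tenant-a"), 40009: TokenEndpoint("tenant-b")}
    own, neighbour = endpoints[40008], endpoints[40009]
    # tenant-a's sandbox only knows its own secret.
    headers = {"X-Sandbox-Secret": own.secret}
    return {
        "vulnerable_cross": neighbour.get_token_vulnerable(headers),
        "hardened_cross": neighbour.get_token_hardened(headers)[0],
        "hardened_own": own.get_token_hardened(headers)[0],
        "hardened_no_header": own.get_token_hardened({})[0],
    }


if __name__ == "__main__":
    print(demo())
```

Binding to loopback limits who can connect but says nothing about which local process is calling, which is why the hardened handler checks a credential only the owning sandbox holds.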
When vulnerabilities like this are found, it makes me think that there was no pentest on this. This is such a trivial vulnerability to allow for cross-account credential theft. Overall, good write-up besides all of the marketing bots and nonsense.