Az - Blob Storage


Basic Information

Azure Blob storage is Microsoft's object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data. Unstructured data is data that doesn't adhere to a particular data model or definition, such as text or binary data.

Blob storage offers three types of resources:

  • The storage account (unique name)
  • A container in the storage account (folder)
  • A blob in a container

Different types of storage

Each storage service in an account has its own endpoint:

  • Blob storage: https://<storage-account>.blob.core.windows.net
  • Azure Data Lake Storage Gen2: https://<storage-account>.dfs.core.windows.net
  • Azure Files: https://<storage-account>.file.core.windows.net
  • Queue storage: https://<storage-account>.queue.core.windows.net
  • Table storage: https://<storage-account>.table.core.windows.net

Access to Storage

  • Azure AD principals: access granted through the supported RBAC roles.
  • Access Keys: use one of the storage account's access keys. This provides full access to the storage account.
  • Shared Access Signature (SAS): time limited and with specific permissions.
    • A SAS URL can be generated from an access key, and its use is harder to detect than direct key usage.

Public Exposure

If "Allow Blob public access" is enabled (disabled by default), it's possible to:

  • Give public access to read blobs (you need to know the name).
  • List container blobs and read them.

Connect to Storage

If you find any storage you can connect to, you can use the tool Microsoft Azure Storage Explorer to do so.

SAS URLs

A shared access signature (SAS) provides secure delegated access to resources in your storage account. With a SAS, you have granular control over how a client can access your data. For example:

  • What resources the client may access.
  • What permissions they have to those resources.
  • How long the SAS is valid.

Use Storage Explorer to access the data

User delegation SAS

You can secure a shared access signature (SAS) token for access to a container, directory, or blob by using either Azure Active Directory (Azure AD) credentials or an account key. To create a user delegation SAS, you must first request a user delegation key, which you then use to sign the SAS.

A user delegation SAS is supported for Azure Blob Storage and Azure Data Lake Storage Gen2. Stored access policies are not supported for a user delegation SAS.

Note that user delegation SAS is secured with Azure AD credentials instead of storage account keys. This prevents clients/applications from storing/retrieving storage keys to create SAS.

Service SAS

A service SAS is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files. The URI for a service-level SAS consists of the URI to the resource for which the SAS will delegate access, followed by the SAS token.

To use Azure Active Directory (Azure AD) credentials to secure a SAS for a container or blob, use a user delegation SAS.

Account SAS

An account SAS is secured with one of the storage account keys (there are 2). An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS.

By creating an account SAS, you can:

  • Delegate access to service-level operations that aren't currently available with a service-specific SAS, such as the Get/Set Service Properties and Get Service Stats operations.
  • Delegate access to more than one service in a storage account at a time. For example, you can delegate access to resources in both Azure Blob Storage and Azure Files by using an account SAS.
  • Delegate access to write and delete operations for containers, queues, tables, and file shares, which are not available with an object-specific SAS.
  • Specify an IP address or a range of IP addresses from which to accept requests.
  • Specify the HTTP protocol from which to accept requests (either HTTPS or HTTP/HTTPS).

A SAS URL looks like this (the resource URI followed by the SAS token as query parameters): https://<storage-account>.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D
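When a SAS URL turns up in a repo, a log or a ticket, the first question is what it actually grants and whether it can still be revoked. The following script is an added example, not part of the original page: it parses the token parameters of a SAS URL (sp permissions, st/se validity window, spr protocol, sr resource type, sv version, sig) and tells the three SAS kinds apart by the parameters they carry (skoid marks a user delegation SAS, ss/srt mark an account SAS, anything else is a service SAS). The storage account name examplestorage, the one-week "long-lived" threshold and the sample URLs are constructed for the example; the sample URL otherwise reuses the parameters shown above.

```python
"""Triage a SAS URL: which kind of SAS it is, what it grants, and for how long."""
from datetime import datetime, timezone
from pprint import pprint
from urllib.parse import parse_qs, urlsplit

# Permission letters carried in the 'sp' parameter (Blob service meanings).
PERMISSIONS = {
    "r": "read", "a": "add", "c": "create", "w": "write", "d": "delete",
    "x": "delete-version", "y": "permanent-delete", "l": "list", "t": "tags",
    "f": "filter", "m": "move", "e": "execute", "i": "set-immutability-policy",
}

# 'sr' (signed resource) values used by service and user delegation SAS.
RESOURCES = {"b": "blob", "c": "container", "d": "directory",
             "bv": "blob version", "bs": "blob snapshot"}

LONG_LIVED_HOURS = 24 * 7  # assumption: a window over one week is worth a finding

# Constructed sample: the page's parameters on a made-up account name.
SAMPLE_URL = (
    "https://examplestorage.blob.core.windows.net/newcontainer"
    "?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https"
    "&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D"
)


def _parse_time(value):
    """SAS timestamps are ISO 8601 UTC, e.g. 2021-09-26T18:15:21Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_sas(url, now=None):
    """Return what a SAS URL grants: kind, resource, permissions, window, findings."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    # parse_qs decodes percent-escapes, so 'sig' comes back as raw base64.
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    labels = (parts.hostname or "").split(".")

    info = {
        "account": labels[0],                      # <storage-account> label
        "service": labels[1] if len(labels) > 1 else "",  # blob / dfs / file / queue / table
        "path": parts.path,
        "version": q.get("sv"),
    }
    # Kind: user delegation SAS carries the signing OID (skoid); an account SAS
    # carries signed services/resource types (ss, srt); otherwise it is a service SAS.
    if "skoid" in q:
        info["kind"] = "user delegation SAS (Azure AD key)"
    elif "ss" in q and "srt" in q:
        info["kind"] = "account SAS (storage account key)"
    else:
        info["kind"] = "service SAS (storage account key)"

    info["resource"] = RESOURCES.get(q.get("sr", ""), q.get("sr") or q.get("srt") or "n/a")
    info["permissions"] = [PERMISSIONS.get(ch, f"unknown({ch})") for ch in q.get("sp", "")]

    start = _parse_time(q["st"]) if "st" in q else None
    expiry = _parse_time(q["se"]) if "se" in q else None
    info["expired"] = expiry is not None and expiry <= now
    # Window length from st (or from now if st is absent) to se.
    info["lifetime_hours"] = (
        round((expiry - (start or now)).total_seconds() / 3600, 1) if expiry else None
    )

    findings = []
    if expiry is None:
        findings.append("no expiry (se): valid until the signing key is rotated")
    elif info["lifetime_hours"] > LONG_LIVED_HOURS:
        findings.append(f"long-lived: {info['lifetime_hours']} h window")
    # spr defaults to both protocols when absent.
    if "http" in q.get("spr", "https,http").split(","):
        findings.append("plain HTTP accepted (spr): token can leak in transit")
    if "sip" not in q:
        findings.append("no source IP restriction (sip)")
    if {"write", "delete", "list", "add", "create"} & set(info["permissions"]):
        findings.append("grants more than read (sp)")
    # A service SAS bound to a stored access policy (si) can be revoked by editing
    # the policy; any other key-signed SAS only dies with a key rotation.
    if info["kind"].startswith("service") and "si" in q:
        findings.append("bound to stored access policy (si): revocable without key rotation")
    elif not info["kind"].startswith("user delegation"):
        findings.append("revocable only by rotating the storage account key")
    info["findings"] = findings
    return info


if __name__ == "__main__":
    pprint(triage_sas(SAMPLE_URL))
```

For the sample above the script reports a service SAS over a container with read-only permission, a window of roughly 30 days that has already expired, no source IP restriction, and a token that could only have been revoked by rotating the account key.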

Enumeration

# Get storage accounts
Get-AzStorageAccount | fl
# Get network rules that restrict access to the storage account
Get-AzStorageAccount | select -ExpandProperty NetworkRuleSet
# Get the allowed IPs from those rules
(Get-AzStorageAccount | select -ExpandProperty NetworkRuleSet).IPRules
# Get containers of a storage account (the .Context carries the account key)
Get-AzStorageContainer -Context (Get-AzStorageAccount -Name <NAME> -ResourceGroupName <NAME>).Context
# Get blobs inside a container
Get-AzStorageBlob -Container <CONTAINER> -Context (Get-AzStorageAccount -Name <NAME> -ResourceGroupName <NAME>).Context
# Download a blob from a container
Get-AzStorageBlobContent -Container <CONTAINER> -Context (Get-AzStorageAccount -Name <NAME> -ResourceGroupName <NAME>).Context -Blob <blob_name> -Destination .\Desktop\filename.txt
