Owner

Objective

Request

Help Goose James near the park discover the accidentally leaked SAS token in a public JavaScript file and determine what Azure Storage resource it exposes and what permissions it grants.

James

Screenshot 2026-04-21 132948

Solution

James asked me to audit the HOA's Azure RBAC config for permanently assigned Owner roles.

The terminal session introduced the task and the Azure CLI environment.

Screenshot 2026-04-21 144456

The first task was to list all subscription names with the command:

List subscription names

az account list --query "[].name"

The output showed the subscription names available in the tenant.

Screenshot 2026-04-21 144534

The next task was to list enabled subscriptions by ID and check Owner roles associated with each subscription.

I first used the following command to list enabled subscriptions with IDs:

List enabled subscriptions

az account list --query "[?state=='Enabled'].{Name:name, ID:id}"

I then used this command to list the Owner role assignments for each subscription, substituting the appropriate subscription ID:

List Owner role assignments

az role assignment list --scope "/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64" --query "[?roleDefinition=='Owner']"

The results showed the Owner assignments for the first subscription (ID not shown on screenshot).

There is a group present with the Owner permission.

Screenshot 2026-04-21 144702

The next task was to check the Owner assignments on the second subscription:

Owners for subscription 4d9d...

az role assignment list --scope "/subscriptions/4d9dbf2a-90b4-4d40-a97f-dc51f3c3d46e" --query "[?roleDefinition=='Owner']"

The output listed an Owner assignment for this subscription as well.

Screenshot 2026-04-21 144733

The next task was to check Owner assignments on the third subscription:

Owners for subscription 065c...

az role assignment list --scope "/subscriptions/065cc24a-077e-40b9-b666-2f4dd9f3a617" --query "[?roleDefinition=='Owner']"

The output identified a group named "IT Admins".

Screenshot 2026-04-21 152942

The next task was to list the members of the "IT Admins" group using the command:

List group members (6b98...)

az ad member list --group 6b982f2f-78a0-44a8-b915-79240b2b4796

The results showed the users and service principals in that group, plus the ID of a nested group.

Screenshot 2026-04-21 153116

The next task was to list the members of the nested group using the command:

List group members (631e...)

az ad member list --group 631ebd3f-39f9-4492-a780-aef2aec8c94e | less

The output revealed the identity of the IT admin user.

Screenshot 2026-04-21 153401

The challenge was completed after identifying the permanently assigned Owner role.
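The steps above (filter role assignments to Owner, then walk the group and its nested group down to concrete users) are exactly what an auditor wants automated, because a standing Owner assignment held through a nested group is easy to miss when reading the JSON by hand. The following is an added example, not part of the original writeup or of any Microsoft tooling: it runs the same audit offline over constructed JSON. The field names it reads (principalId, principalName, principalType, roleDefinitionName, scope; and @odata.type, id, userPrincipalName for group members) are those the real az CLI prints for az role assignment list and az ad group member list, which is an assumption about output shape; the subscription and group IDs are taken from the writeup, and every user principal name is invented. The expander also guards against a membership cycle, which the sample data deliberately contains.

```python
"""Flag permanent Owner assignments and resolve group holders to users (added example)."""
import json
from typing import Dict, List, Optional, Set

# Constructed sample of `az role assignment list --scope /subscriptions/<id>` output.
# Field names follow the real CLI (assumption); the subscription and group IDs are the
# ones from the writeup above, everything else is invented.
SUBSCRIPTION = "065cc24a-077e-40b9-b666-2f4dd9f3a617"
IT_ADMINS_GROUP = "6b982f2f-78a0-44a8-b915-79240b2b4796"
NESTED_GROUP = "631ebd3f-39f9-4492-a780-aef2aec8c94e"

ROLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalId": IT_ADMINS_GROUP, "principalName": "IT Admins",
     "principalType": "Group", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUBSCRIPTION}"},
    {"principalId": "11111111-1111-1111-1111-111111111111", "principalName": "reader@example.com",
     "principalType": "User", "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUBSCRIPTION}"},
    {"principalId": "22222222-2222-2222-2222-222222222222", "principalName": "automation-sp",
     "principalType": "ServicePrincipal", "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SUBSCRIPTION}/resourceGroups/rg-web"},
])

# Constructed sample of `az ad group member list --group <id>` output, keyed by group ID.
# The nested group links back to its parent on purpose so the cycle guard is exercised.
GROUP_MEMBERS: Dict[str, List[dict]] = {
    IT_ADMINS_GROUP: [
        {"@odata.type": "#microsoft.graph.user", "id": "u-1",
         "userPrincipalName": "helpdesk@example.com"},
        {"@odata.type": "#microsoft.graph.group", "id": NESTED_GROUP,
         "displayName": "IT Admins - Tier 0"},
    ],
    NESTED_GROUP: [
        {"@odata.type": "#microsoft.graph.user", "id": "u-2",
         "userPrincipalName": "itadmin@example.com"},
        {"@odata.type": "#microsoft.graph.group", "id": IT_ADMINS_GROUP,
         "displayName": "IT Admins"},  # constructed cycle
    ],
}


def owner_assignments(assignments: List[dict], subscription_id: str) -> List[dict]:
    """Return Owner assignments at the subscription scope or anywhere beneath it.

    Python equivalent of the JMESPath filter in the writeup, keyed on roleDefinitionName,
    the field the CLI emits. A resource-group scope under the subscription still counts.
    """
    prefix = f"/subscriptions/{subscription_id}"
    return [a for a in assignments
            if a.get("roleDefinitionName") == "Owner"
            and a.get("scope", "").startswith(prefix)]


def expand_group(group_id: str, members: Dict[str, List[dict]],
                 seen: Optional[Set[str]] = None) -> Set[str]:
    """Recursively resolve a group to the user principal names it ultimately contains.

    Nested groups are followed; `seen` stops infinite recursion on membership cycles.
    """
    seen = set() if seen is None else seen
    if group_id in seen:
        return set()
    seen.add(group_id)
    users: Set[str] = set()
    for m in members.get(group_id, []):
        kind = m.get("@odata.type", "")
        if kind.endswith(".user"):
            users.add(m["userPrincipalName"])
        elif kind.endswith(".group"):
            users |= expand_group(m["id"], members, seen)
        # service principals inside groups are ignored here; direct ones are reported below
    return users


def audit_owners(assignments_json: str, members: Dict[str, List[dict]],
                 subscription_id: str) -> List[dict]:
    """Flatten every Owner assignment to the concrete identities that hold it."""
    findings = []
    for a in owner_assignments(json.loads(assignments_json), subscription_id):
        if a["principalType"] == "Group":
            holders = sorted(expand_group(a["principalId"], members))
        else:
            holders = [a["principalName"]]
        findings.append({"scope": a["scope"], "principal": a["principalName"],
                         "principalType": a["principalType"],
                         "effective_holders": holders})
    return findings


if __name__ == "__main__":
    for f in audit_owners(ROLE_ASSIGNMENTS_JSON, GROUP_MEMBERS, SUBSCRIPTION):
        print(f"{f['scope']}: {f['principalType']} {f['principal']} "
              f"-> {', '.join(f['effective_holders'])}")
```

Each finding is a standing (non-time-bound) Owner holder that should be justified or converted to an eligible, just-in-time assignment; sorting the expanded holders keeps the report stable between runs so it can be diffed.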

Screenshot 2026-04-21 153422

Response

James

You found the permanent assignments! CLUCK! See, I'm not crazy - the security really WAS misconfigured. Now maybe I can finally get some peace and quiet...