Holiday Hack Challenge 2025 Blob Storage (Storage Secrets)#239
Merged
carlospolop merged 1 commit intomasterfrom Jan 13, 2026
Conversation
Collaborator
Author
🔗 Additional ContextOriginal Blog Post: https://0xdf.gitlab.io/holidayhack2025/act1/blob-storage Content Categories: Based on the analysis, this content was categorized under "Azure Pentesting -> Az - Services -> Az - Storage Accounts & Blobs (or Az - Storage Unauth / Az - Blob Storage Post Exploitation): add a subsection on auditing allowBlobPublicAccess + container publicAccess (Blob vs Container vs null) and verification via anonymous blob download". Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0 |
carlospolop
deleted the
update_Holiday_Hack_Challenge_2025__Blob_Storage__Storage_20260106_124314
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
This post demonstrates how to audit Azure Blob Storage for anonymous/public data exposure caused by a storage-account-level misconfiguration:
allowBlobPublicAccess: true. When this flag is enabled on a Storage Account, individual containers can be configured for anonymous access, enabling internet users to read blobs without authenticating (depending on the container’spublicAccesssetting).Azure Blob Storage model / hierarchy (used to reason about where the security con...
🔧 Technical Details
Audit Azure Storage Accounts for anonymous blob exposure by enumerating accounts and checking
properties.allowBlobPublicAccess. If it istrue, containers can be configured for public/anonymous access.Determine effective anonymous access at the container level by enumerating containers and inspecting
properties.publicAccess:Bloballows anonymous reads for known object URLs (no listing),Containerallows anonymous listing + reads, andnullrequires authentication. Then enumerate exposed data withaz storage blob listand confirm impact by exfiltrating files usingaz storage blob download(e.g., print directly with--file /dev/stdout). Usejqto quickly filter large JSON outputs (e.g., count accounts, extract.name, inspect suspicious indices/properties).🤖 Agent Actions
Summary:
allowBlobPublicAccess-enabled accounts, enumerate containerpublicAccessmodes, and verify anonymous listing/download impact withazCLI and raw HTTP.Testing:
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.