update

Author: Randark-JMT

docs/Independent-Environment/RedLabs/AllLabs/KeyVault04/img/image_20260106-200616.png

@@ -0,0 +1,68 @@
+# Key Vault 04 - Subdomain Enumeration for Key Vault
+
+> Subdomain Enumeration for Key Vault
+
+:::info
+
+**Scenario**
+
+A key vault service has its own URL, we could check if a tenant or organization uses a key vault service through subdomain enumeration. Find and extract flag value from key vault through subdomain enumeration.
+
+**Overview**
+
+What is Azure key vault?
+
+A Key Vault is a secure cloud service in Azure that allows us to safeguard and manage cryptographic keys, secrets, and certificates. It provides a centralized location for storing and managing sensitive information used by our applications and services.
+
+What is subdomain enumeration?
+
+Subdomain enumeration, also known as subdomain discovery or subdomain reconnaissance, is the process of identifying and mapping subdomains associated with a domain name.
+
+**Hint**
+
+- Subdomain reconnaissance.
+
+**Impact**
+
+- Due to high privileges to the user, the user was  able to view the key vault secret.
+
+**Reference**
+
+- [Azure Key Vault Docs](https://learn.microsoft.com/en-us/azure/key-vault/general/overview)
+- [Microburst](https://github.com/NetSPI/MicroBurst)
+- [Azure Key Vault Secrets](https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates)
+- [Az PowerShell](https://learn.microsoft.com/en-us/powershell/azure/new-azureps-module-az?view=azps-10.4.1)
+
+:::
+
+题目中已经给出了 KeyVaultName 这一关键信息
+
+其实在界面中也可以看到
+
+![img](img/image_20260106-200616.png)
+
+在其 对象-机密 中可以看到目标
+
+![img](img/image_20260108-200826.png)
+
+查看其详情
+
+![img](img/image_20260108-200847.png)
+
+只存在有一个版本，查看具体内容
+
+![img](img/image_20260109-200925.png)
+
+:::info Flags
+
+<details>
+
+<summary> What is the flag value we obtained from key vault secret using subdomain enumeration technique? </summary>
+
+```plaintext
+asyfrihk735asaxgthd735
+```
+
+</details>
+
+:::

docs/Independent-Environment/RedLabs/AllLabs/KeyVault04/img/image_20260108-200826.png

@@ -0,0 +1,72 @@
+# Logic App 01 - Tamper Trigger Parameter
+
+> Tamper Trigger Parameter
+
+:::info
+
+**Scenario**
+
+Some developers leave some sensitive parameters that reveal sensitive data. Find the parameter in the URL and obtain the flag.
+
+**Overview**
+
+What is a logic app?
+
+Azure Logic Apps is a cloud-based service provided by Microsoft Azure that allows us to create and run automated workflows and integrate various applications, systems, and services.
+
+What is Requests trigger?
+
+Azure Logic Apps, the "Requests" trigger is a commonly used trigger that allows us to initiate a workflow whenever an HTTP request is received.
+
+What is IDOR?
+
+IDOR, or Insecure Direct Object Reference, is a type of security vulnerability that occurs when an application provides direct access to objects based on user-supplied input. In simpler terms, it means that an attacker can manipulate input, such as URLs or form parameters, to gain unauthorized access to data.
+
+**Hint**
+
+- IDORs are common web application vulnerabilities.
+
+**Impact**
+
+- Logic app using request trigger with parameter here acted as an IDOR vulnerability. When triggered with the "admin" parameter the logic app revealed sensitive data.
+
+**Reference**
+
+- [Logic Apps Docs](https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-overview)
+- [Logic Apps Docs](https://learn.microsoft.com/en-us/azure/connectors/connectors-native-reqres?tabs=consumption)
+
+:::
+
+题目给出的是 TriggerURL
+
+直接 GET 请求一下看看
+
+![img](img/image_20260155-205501.png)
+
+注意到 url 中的 `{admin}` 参数
+
+![img](img/image_20260155-205548.png)
+
+修改为 `admin`
+
+![img](img/image_20260156-205609.png)
+
+:::info Flags
+
+<details>
+
+<summary> What was the parameter which revealed the flag value? (admin or debug) </summary>
+
+```plaintext
+admin
+```
+
+<summary> What is the flag value we obtain ? </summary>
+
+```plaintext
+aswrafuk735asaetbjv735
+```
+
+</details>
+
+:::