Scenario/datafactory secrets

cloudgoat/scenarios/azure/datafactory_secret_theft/README.md

@@ -0,0 +1,25 @@
+# Scenario: datafactory_secret_theft
+**Size:** Small  
+**Dificulty:** Easy  
+**Command:** `cloudgoat create datafactory_secret_theft`  
+
+## Scenario Resources
+- 1 Data Factory (ADF)
+- 1 Key Vault
+
+## Scenario Start(s)
+1. Azure user: `cloudgoat-user[ID]@rhinosecuritylabs.onmicrosoft.com`
+2. Data Factory URL
+
+## Scenario Goal(s)
+Obtain the flag from Key Vault.
+
+## Summary
+Starting as the CloudGoat created user, access the Data Factory and figure out how to exfiltrate secrets from the linked service Key Vault.
+
+## Route Walkthrough
+1. Using the provided credentials and Data Factory URL, log into Data Factory.
+2. Identify the linked service Key Vault and its name.
+3. Use a Data Factory Pipeline web request to exfiltrate the secret name and secret value.
+
+A cheat sheet for this route is available [here](./cheat_sheet.md).

cloudgoat/scenarios/azure/datafactory_secret_theft/cheat_sheet.md

@@ -0,0 +1,19 @@
+
+### Enumerate Linke Services
+1. Open the Data Factory URL and log in as the starting CloudGoat user.
+2. Click "Manage" > "Linked services". Then click on the linked Key Vault.
+3. Note the linked Key Vault's Base URL.
+
+### Exfiltrate the secret using Data Factory Pipeline's "Web" feature
+1. Click "Author" > "Pipelines Actions" (three dots) > "New Pipeline".
+2. Drop down "General".
+3. Drag "Web" to the Pipeline designer.
+4. Click "Settings".
+5. Set the URL to https://{vault-baseurl}/secrets?api-version=7.3
+6. Set Method to "GET".
+7. Set "Authentication" to "system-assigned managed identity". (This will use the privileges assigned to the Data Factory).
+8. Set the "Resource" to https://vault.azure.net/.
+9. Click "Debug".
+10. Wait for the request to complete and click output to view the response of the request containing the secret name.
+11. Repeat this but use the URL:  https://{vault-baseurl}/{secret_name_from_step_10}?api-version=7.3
+12. This response will give you the flag contained in Key Vault.

cloudgoat/scenarios/azure/datafactory_secret_theft/manifest.yml

@@ -0,0 +1,14 @@
+---
+# The name of the scenario, alpha-numeric characters only, and underscore-separated
+- name: datafactory_secret_theft
+# The name of the author(s), comma separated
+- author: Dave yesland - Rhino Security Labs
+# The version of the scenario, where major versions are breaking changes and minor are small fixes.
+- version: 1.0
+# Text displayed to the user when they type "{{ scenario_name }} help"
+- help: |
+        With access to Data Factory, enumerate the linked services and connections to discover
+        the Key Vault linked service. Use the Key Vault linked service to access the secret via Data Factory.
+# Records the date upon which this scenario was last updated, in MM-DD-YYYY format
+- last-updated: 03-20-2025
+...

cloudgoat/scenarios/azure/datafactory_secret_theft/terraform/keyvault.tf

@@ -0,0 +1,44 @@
+resource "azurerm_key_vault" "main" {
+  name                = "cgkv${var.cgid}"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = azurerm_resource_group.main.location
+  sku_name            = "standard"
+  tenant_id           = data.azuread_client_config.current.tenant_id
+}
+
+resource "azurerm_key_vault_access_policy" "main" {
+  key_vault_id = azurerm_key_vault.main.id
+  tenant_id    = data.azuread_client_config.current.tenant_id
+  object_id    = data.azuread_client_config.current.object_id
+  secret_permissions = [
+    "Get",
+    "List",
+    "Set",
+    "Delete",
+    "Recover",
+    "Backup",
+    "Restore",
+    "Purge"
+  ]
+}
+
+resource "azurerm_key_vault_secret" "storage_key" {
+  name         = "cg-flag-${var.cgid}"
+  value        = "cg-flag-33bf9df3-ccad-4887-be22-9c36f26bb32d"
+  key_vault_id = azurerm_key_vault.main.id
+
+  depends_on = [azurerm_key_vault_access_policy.main, azurerm_key_vault.main]
+}
+
+resource "azurerm_key_vault_access_policy" "datafactory" {
+  key_vault_id = azurerm_key_vault.main.id
+  tenant_id    = data.azuread_client_config.current.tenant_id
+  object_id    = data.azurerm_data_factory.main.identity[0].principal_id
+
+  secret_permissions = [
+    "Get",
+    "List"
+  ]
+
+  depends_on = [azurerm_data_factory.main]
+}

cloudgoat/scenarios/azure/datafactory_secret_theft/terraform/main.tf

@@ -0,0 +1,30 @@
+resource "azurerm_resource_group" "main" {
+  name     = "cg_rg_${var.cgid}"
+  location = var.location
+}
+
+# Enable Managed Identity for Data Factory
+resource "azurerm_data_factory" "main" {
+  name                = "cg-datafactory-${var.cgid}"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = azurerm_resource_group.main.location
+
+  identity {
+    type = "SystemAssigned"
+  }
+}
+
+# Create Data Factory Linked Service for Key Vault
+resource "azurerm_data_factory_linked_service_key_vault" "main" {
+  name            = "cg-adf-${var.cgid}-keyvault"
+  data_factory_id = azurerm_data_factory.main.id
+  key_vault_id    = azurerm_key_vault.main.id
+}
+
+# ✅ Fetch the correct Managed Identity Object ID (ONLY ONE INSTANCE)
+data "azurerm_data_factory" "main" {
+  name                = azurerm_data_factory.main.name
+  resource_group_name = azurerm_resource_group.main.name
+}
+
+data "azuread_client_config" "current" {}

cloudgoat/scenarios/azure/datafactory_secret_theft/terraform/outputs.tf

@@ -0,0 +1,12 @@
+output "cloudgoat_username" {
+  value = azuread_user.cloudgoat_user.user_principal_name
+}
+
+output "cloudgoat_password" {
+  value     = random_password.cloudgoat_password.result
+  sensitive = true
+}
+
+output "data_factory_url" {
+  value = "https://adf.azure.com/en/home?factory=%2Fsubscriptions%2F${var.subscription_id}%2FresourceGroups%2F${azurerm_resource_group.main.name}%2Fproviders%2FMicrosoft.DataFactory%2Ffactories%2F${azurerm_data_factory.main.name}"
+}

cloudgoat/scenarios/azure/datafactory_secret_theft/terraform/provider.tf

@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 3.0.0"
+    }
+    azuread = {
+      source  = "hashicorp/azuread"
+      version = ">= 2.0.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {
+    key_vault {
+	    purge_soft_delete_on_destroy = false
+	  }
+  }
+  subscription_id = var.subscription_id
+}
+
+provider "azuread" {}

cloudgoat/scenarios/azure/datafactory_secret_theft/terraform/roles.tf

@@ -0,0 +1,6 @@
+resource "azurerm_role_assignment" "cloudgoat_adf_role" {
+  scope                = azurerm_data_factory.main.id
+  role_definition_name = "Data Factory Contributor"
+  principal_id         = azuread_user.cloudgoat_user.object_id
+  depends_on = [azurerm_key_vault.main]
+}

cloudgoat/scenarios/azure/datafactory_secret_theft/terraform/users.tf

@@ -0,0 +1,13 @@
+data "azuread_domains" "tenant" {}
+
+resource "azuread_user" "cloudgoat_user" {
+  user_principal_name = "cloudgoat-user${var.cgid}@${data.azuread_domains.tenant.domains[0].domain_name}"
+  display_name        = "CloudGoat User${var.cgid}"
+  mail_nickname       = "cloudgoatuser${var.cgid}"
+  password           = "${random_password.cloudgoat_password.result}"
+}
+
+resource "random_password" "cloudgoat_password" {
+  length   = 16
+  special  = true
+}

cloudgoat/scenarios/azure/datafactory_secret_theft/terraform/variables.tf

@@ -0,0 +1,17 @@
+variable "cgid" {
+  description = "CGID variable for unique naming between scenarios"
+  type        = string
+  default     = ""
+}
+
+variable "location" {
+  description = "Azure region to deploy resources in"
+  type        = string
+  default     = "East US"
+}
+
+variable "subscription_id" {
+  description = "The Azure subscription ID"
+  type        = string
+  default     = ""
+}