{"id":1154,"date":"2026-01-24T01:03:59","date_gmt":"2026-01-24T00:03:59","guid":{"rendered":"https:\/\/babdcatha.net\/?p=1154"},"modified":"2026-01-31T22:14:11","modified_gmt":"2026-01-31T21:14:11","slug":"entragoat-scenario-1","status":"publish","type":"post","link":"https:\/\/babdcatha.net\/index.php\/2026\/01\/24\/entragoat-scenario-1\/","title":{"rendered":"EntraGoat: Scenario 1"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">After almost two years since my last post, I&#8217;m back \ud83d\ude42<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This time, with a small write up from the <a href=\"https:\/\/github.com\/Semperis\/EntraGoat\">EntraGoat<\/a> CTF\/Training environment.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">After setting up the environment with a free tenant we get the user we are going to be using for this first challenge, David Martinez. The first thing I did with it was enumerating the Entra tenant using AzureHound.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large wp-duotone-unset-1\"><img loading=\"lazy\" decoding=\"async\" width=\"1006\" height=\"1024\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/AzureHound_edited-1006x1024.png\" alt=\"\" class=\"wp-image-1170\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/AzureHound_edited-1006x1024.png 1006w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/AzureHound_edited-295x300.png 295w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/AzureHound_edited-768x781.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/AzureHound_edited.png 1258w\" sizes=\"auto, (max-width: 1006px) 100vw, 1006px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Then, I imported the resulting file in BloodHound, and used the &#8220;Shortest Path from Entra Users to Tier Zero \/ High Value targets&#8221; Cypher to see if BloodHound could find a path.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-2\"><img 
loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"530\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/BH_path_edited-1024x530.png\" alt=\"\" class=\"wp-image-1168\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/BH_path_edited-1024x530.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/BH_path_edited-300x155.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/BH_path_edited-768x397.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/BH_path_edited-1536x795.png 1536w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/BH_path_edited-2048x1060.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Indeed, it finds one. We can observe that David Martinez owns the &#8220;Finance Analytics Dashboard&#8221; Service Principal, which has &#8220;Privileged Authentication Administrator&#8221; privileges over the default directory. This privilege can allow us to modify the password of any user on the directory, including administrators.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We can confirm this by logging into the Entra Portal.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-3\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"523\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/Adding_owner_edited-1-1024x523.png\" alt=\"\" class=\"wp-image-1169\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/Adding_owner_edited-1-1024x523.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/Adding_owner_edited-1-300x153.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/Adding_owner_edited-1-768x393.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/Adding_owner_edited-1-1536x785.png 1536w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/Adding_owner_edited-1-2048x1047.png 2048w\" sizes=\"auto, (max-width: 1024px) 
100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Using the Azure Command-Line Interface (azcli), we can then search for the id of this SP.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full wp-duotone-unset-4\"><img loading=\"lazy\" decoding=\"async\" width=\"798\" height=\"492\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_sp_finance_list_edited-1.png\" alt=\"\" class=\"wp-image-1167\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_sp_finance_list_edited-1.png 798w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_sp_finance_list_edited-1-300x185.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_sp_finance_list_edited-1-768x474.png 768w\" sizes=\"auto, (max-width: 798px) 100vw, 798px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We can check that we got the right id by searching for the SP with the previously recovered id.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-5\"><img loading=\"lazy\" decoding=\"async\" width=\"781\" height=\"1024\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_sp_check_id-781x1024.png\" alt=\"\" class=\"wp-image-1164\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_sp_check_id-781x1024.png 781w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_sp_check_id-229x300.png 229w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_sp_check_id-768x1007.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_sp_check_id.png 932w\" sizes=\"auto, (max-width: 781px) 100vw, 781px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And, since we are the owner of this SP, we can reset its credentials.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-6\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"180\" 
src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_sp_creds_reset_edited-1024x180.png\" alt=\"\" class=\"wp-image-1172\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_sp_creds_reset_edited-1024x180.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_sp_creds_reset_edited-300x53.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_sp_creds_reset_edited-768x135.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_sp_creds_reset_edited.png 1256w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, using them, we can log in to azcli as the SP.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-7\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"323\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_login_as_sp_edited-1024x323.png\" alt=\"\" class=\"wp-image-1173\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_login_as_sp_edited-1024x323.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_login_as_sp_edited-300x95.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_login_as_sp_edited-768x242.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/azcli_login_as_sp_edited.png 1251w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Since the SP has the Privileged Authentication Administrator privilege, we can now obtain the id of the global administrator, and reset its password.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-8\"><img loading=\"lazy\" decoding=\"async\" width=\"840\" height=\"1024\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/az_ad_list_users_edited-840x1024.png\" alt=\"\" class=\"wp-image-1174\" 
srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/az_ad_list_users_edited-840x1024.png 840w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/az_ad_list_users_edited-246x300.png 246w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/az_ad_list_users_edited-768x936.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/az_ad_list_users_edited.png 981w\" sizes=\"auto, (max-width: 840px) 100vw, 840px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-9\"><img loading=\"lazy\" decoding=\"async\" width=\"940\" height=\"140\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/az_as_sp_update_password.png\" alt=\"\" class=\"wp-image-1175\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/az_as_sp_update_password.png 940w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/az_as_sp_update_password-300x45.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/az_as_sp_update_password-768x114.png 768w\" sizes=\"auto, (max-width: 940px) 100vw, 940px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We can then log in as a global admin using the password we just set, and get our flag \ud83d\ude42<\/p>\n\n\n\n<figure class=\"wp-block-image size-large wp-duotone-unset-10\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"241\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/flag_edited-1024x241.png\" alt=\"\" class=\"wp-image-1176\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/flag_edited-1024x241.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/flag_edited-300x71.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/flag_edited-768x181.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/flag_edited-1536x361.png 1536w, https:\/\/babdcatha.net\/wp-content\/uploads\/2026\/01\/flag_edited-2048x482.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>After almost two years since my last post, I&#8217;m back \ud83d\ude42 This time, with a small write up from the EntraGoat CTF\/Training environment. After setting up the environment with a free tenant we get the user we are going to be using for this first challenge, David Martinez. The first thing I did with it [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1154","post","type-post","status-publish","format-standard","hentry","category-writeups"],"featured_image_src":null,"author_info":{"display_name":"BabdCatha","author_link":"https:\/\/babdcatha.net\/index.php\/author\/admin4804\/"},"_links":{"self":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/1154","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/comments?post=1154"}],"version-history":[{"count":8,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/1154\/revisions"}],"predecessor-version":[{"id":1177,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/1154\/revisions\/1177"}],"wp:attachment":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/media?parent=1154"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/categories?post=1154"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-jso
n\/wp\/v2\/tags?post=1154"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}