{"id":1180,"date":"2026-02-14T23:39:08","date_gmt":"2026-02-14T22:39:08","guid":{"rendered":"https:\/\/babdcatha.net\/?p=1180"},"modified":"2026-03-01T11:52:58","modified_gmt":"2026-03-01T10:52:58","slug":"entragoat-scenario-2","status":"publish","type":"post","link":"https:\/\/babdcatha.net\/index.php\/2026\/02\/14\/entragoat-scenario-2\/","title":{"rendered":"EntraGoat: Scenario 2"},"content":{"rendered":"\n

Hello again! This time we’re going to go through the second scenario of the EntraGoat<\/a> environment.<\/p>\n\n\n\n

This time, we get the account of a lady named Jennifer Clark, and are given a pfx certificate that was apparently leaked through a CI\/CD misconfiguration.<\/p>\n\n\n\n

Once again, let’s start by enumerating the Tenant with the basic account we have access to, using AzureHound.<\/p>\n\n\n\n

.\/azurehound list -u \"jennifer.clark@babdcatha.onmicrosoft.com\" -p 'GoatAccess!123' -t \"babdcatha.onmicrosoft.com\" -o \"scenario2.json\"\n<\/code><\/pre>\n\n\n\n
Once imported into BloodHound, we can see this interesting path:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
It would indeed be nice if the leaked certificate allowed us to login as the “Corporate Finance Analytics”<\/mark> application. To verify that, we forst need to convert the leaked certificate from a pfx<\/mark> to a pem<\/mark> certificate, as only the latter can be used to login with azcli<\/mark>.<\/p>\n\n\n\n
openssl pkcs12 -in cert.pfx -out cert.pem -nodes<\/code><\/pre>\n\n\n\n
We can then check the certificate details to see who it belongs to:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
The certificate indeed belongs to the Corporate Finance Analytics application. This means that we can use it to authenticate as the application.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
From the attack path that BloodHound identified, we know that we should be able to do the following:<\/p>\n\n\n\n