Flag 10

Last updated 2 years ago

I am also able to list out the Ascension secret that was previously inaccessible.

The Ascension secret reminds me of what I did previously for Flag9, Invoke-AzKeyVaultKeyOperation, so I attempted the same operation again.

$value = ConvertTo-SecureString -String "aJa+nuiOLWO0yQJk/2zxmYlCDR6y3POHUTuX84FF5Sx/EsHvvMmKMnN8zbLMCtXAodhAnpXHk6bG0zl744vwb9wk7/KwG18NJL/VqaX2/BP3iLkSg7X/uyGBqH+Ptsr0YoF5RBfRUE2QrWdfqGS5Q5n9YAI6mv2m93Zz8sLntRQe07R8NuGB8w5yHuVSREOiw/Lbagk4jk6QmUiH172HzYyC+Udh83JPHX2kiTo/usO/tHSuSRNAhnvqHeViANFONCK4TA9diWAgKmox2pn3P5SuiviIxtoIN+4V8cP1gW72KkG4/OhyqBYZbpxnP9stCensRnhWi3fb1AVOwEluJQ==" -AsPlainText -Force

Invoke-AzKeyVaultKeyOperation -Operation "Decrypt" -Algorithm "RSA1_5" -Name "LICIACube" -VaultName "cubesat" -Value $value

However, I was shown an error saying that the parameter is incorrect, which suggests that the key vault key is unable to decrypt the key vault secrets.

Get-AzKeyVaultKey -VaultName cubesat -Name LICIACUBE -IncludeVersions

I then used the other key to attempt the same decrypting operation.

$value= ConvertTo-SecureString -String "aJa+nuiOLWO0yQJk/2zxmYlCDR6y3POHUTuX84FF5Sx/EsHvvMmKMnN8zbLMCtXAodhAnpXHk6bG0zl744vwb9wk7/KwG18NJL/VqaX2/BP3iLkSg7X/uyGBqH+Ptsr0YoF5RBfRUE2QrWdfqGS5Q5n9YAI6mv2m93Zz8sLntRQe07R8NuGB8w5yHuVSREOiw/Lbagk4jk6QmUiH172HzYyC+Udh83JPHX2kiTo/usO/tHSuSRNAhnvqHeViANFONCK4TA9diWAgKmox2pn3P5SuiviIxtoIN+4V8cP1gW72KkG4/OhyqBYZbpxnP9stCensRnhWi3fb1AVOwEluJQ==" -AsPlainText -Force

$decrypt=Invoke-AzKeyVaultKeyOperation -Operation "Decrypt" -Algorithm "RSA1_5" -Name "LICIACube" -VaultName "cubesat" -Value $value -Version '2482e07e3dda4792af854ce1e7eebc02'

The result is a base64 string.

RxaUCkXRZmOgoI25hjBX7WdOn6wEVUyhF7aEqfsT3idsNY8mIDROZoCr5k3LMNzwk5rhrfnfuvkVACDbTyEgYg==

Running Get-AzResource shows that the user has access to CosmosDB.

Next I will perform enumeration on the CosmosDB. I was able to retrieve the CosmosDB account name and endpoint.

Using the Ascension decrypted secrets from before, I crafted a connection string for cosmosdb.

AccountEndpoint=https://outermainbelt.documents.azure.com:443/;AccountKey=RxaUCkXRZmOgoI25hjBX7WdOn6wEVUyhF7aEqfsT3idsNY8mIDROZoCr5k3LMNzwk5rhrfnfuvkVACDbTyEgYg==

Flag 10: 523af7b1494b22561445ef528647af73

The flag was not in the standard flag format, so I had to confirm with the admin.

Because the flag was not in the standard format, I thought I did something wrong, and performed more research on CosmosDB while waiting for the admin to respond. I decided to use the REST API using Postman to list the dbs, cols and documents, referring to this article.

After confirming that there is only 1 db, didymos, 1 col, didymosb, and only 1 document, aae805ee-7753-489a-b015-b4417453ffff, I messaged the admin to get a sanity check, and he confirmed that the Value is Flag 10.
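The REST calls described above each need a signed authorization header. The following added example (not part of the original writeup) builds the master-key token for the three list calls, using a constructed sample key; the helper names `list_request` and `enumeration_plan` and the chosen `x-ms-version` value are assumptions.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate
from urllib.parse import quote

# Constructed sample key (not a real account key); Cosmos DB keys are base64.
SAMPLE_KEY = base64.b64encode(b"constructed-demo-key-for-example").decode()
ENDPOINT = "https://outermainbelt.documents.azure.com:443"  # endpoint from the writeup
API_VERSION = "2018-12-31"  # assumption: any supported x-ms-version works here


def auth_token(verb, resource_type, resource_link, date, master_key):
    """Build the URL-encoded master-key authorization header value."""
    # Verb, resource type and date are lowercased; the resource link is not.
    payload = f"{verb.lower()}\n{resource_type.lower()}\n{resource_link}\n{date.lower()}\n\n"
    digest = hmac.new(base64.b64decode(master_key), payload.encode("utf-8"),
                      hashlib.sha256).digest()
    sig = base64.b64encode(digest).decode()
    return quote(f"type=master&ver=1.0&sig={sig}", safe="")


def list_request(resource_type, parent_link, master_key, date=None):
    """Return (url, headers) for a GET that lists a resource feed."""
    date = date or formatdate(usegmt=True)  # RFC 1123 date in GMT
    path = f"{parent_link}/{resource_type}" if parent_link else resource_type
    headers = {
        "authorization": auth_token("GET", resource_type, parent_link, date, master_key),
        "x-ms-date": date,
        "x-ms-version": API_VERSION,
    }
    return f"{ENDPOINT}/{path}", headers


def enumeration_plan(db, coll, master_key, date=None):
    """The three list calls from the writeup: databases, collections, documents."""
    return [
        list_request("dbs", "", master_key, date),
        list_request("colls", f"dbs/{db}", master_key, date),
        list_request("docs", f"dbs/{db}/colls/{coll}", master_key, date),
    ]


if __name__ == "__main__":
    for url, headers in enumeration_plan("didymos", "didymosb", SAMPLE_KEY):
        print("GET", url)
        print("   ", headers["authorization"][:48] + "...")
```

The signature depends only on the account key and the request line, so whoever holds the key can sign any data-plane call against the account.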

Recalling that in Flag 2, I needed to view the version history of a file. I researched if key vault secrets are versioned and came across this article. I am then able to list out the versions for the key vault key.

Recalling that in Flag 9, I identified that the user has access to CosmosDB.

Lastly, I used the Azure Cosmos DB Explorer to connect to Cosmos DB and retrieve the final flag.

References

Get-AzKeyVaultKey (Az.KeyVault), Microsoft Learn
Use Azure Cosmos DB Explorer to manage your data, Microsoft Learn
Querying Azure Cosmos DB resources using the REST API
How to use Cosmos DB REST API with Postman in 2021