Flag 10

I am also able to list out the Ascension secret that was previously inaccessible.

The Ascension secret reminds me of what I did previously for Flag9, Invoke-AzKeyVaultKeyOperation so I attempted the same operation again.

$value = ConvertTo-SecureString -String "aJa+nuiOLWO0yQJk/2zxmYlCDR6y3POHUTuX84FF5Sx/EsHvvMmKMnN8zbLMCtXAodhAnpXHk6bG0zl744vwb9wk7/KwG18NJL/VqaX2/BP3iLkSg7X/uyGBqH+Ptsr0YoF5RBfRUE2QrWdfqGS5Q5n9YAI6mv2m93Zz8sLntRQe07R8NuGB8w5yHuVSREOiw/Lbagk4jk6QmUiH172HzYyC+Udh83JPHX2kiTo/usO/tHSuSRNAhnvqHeViANFONCK4TA9diWAgKmox2pn3P5SuiviIxtoIN+4V8cP1gW72KkG4/OhyqBYZbpxnP9stCensRnhWi3fb1AVOwEluJQ==" -AsPlainText -Force

Invoke-AzKeyVaultKeyOperation -Operation "Decrypt" -Algorithm "RSA1_5" -Name "LICIACube" -VaultName "cubesat" -Value $value

However I was shown an error saying that the parameter is incorrect. Which suggest that the key vault key is unable to decrypt the key vault secrets.

Recalling that in Flag 2, I needed to view version history of a file. I researched if key vault secret is versioned and come across this article. I am then able to list out the versions for the key vault key.

Get-AzKeyVaultKey -VaultName cubesat -Name LICIACUBE -IncludeVersions

I then used the other key to attempt the same decrypting operation.

$value= ConvertTo-SecureString -String "aJa+nuiOLWO0yQJk/2zxmYlCDR6y3POHUTuX84FF5Sx/EsHvvMmKMnN8zbLMCtXAodhAnpXHk6bG0zl744vwb9wk7/KwG18NJL/VqaX2/BP3iLkSg7X/uyGBqH+Ptsr0YoF5RBfRUE2QrWdfqGS5Q5n9YAI6mv2m93Zz8sLntRQe07R8NuGB8w5yHuVSREOiw/Lbagk4jk6QmUiH172HzYyC+Udh83JPHX2kiTo/usO/tHSuSRNAhnvqHeViANFONCK4TA9diWAgKmox2pn3P5SuiviIxtoIN+4V8cP1gW72KkG4/OhyqBYZbpxnP9stCensRnhWi3fb1AVOwEluJQ==" -AsPlainText -Force

$decrypt=Invoke-AzKeyVaultKeyOperation -Operation "Decrypt" -Algorithm "RSA1_5" -Name "LICIACube" -VaultName "cubesat" -Value $value -Version '2482e07e3dda4792af854ce1e7eebc02'

The result is a base64 string.

RxaUCkXRZmOgoI25hjBX7WdOn6wEVUyhF7aEqfsT3idsNY8mIDROZoCr5k3LMNzwk5rhrfnfuvkVACDbTyEgYg==

Recalling that in Flag 9, I identified that the user has access to cosmosdb.

Running Get-AzResources shows that the user have access to CosmosDb

Next I will perform enumeration on the CosmosDB. I was able to retrieve the CosmosDB account name and endpoint.

Using the Ascension decrypted secrets from before, I crafted a connection string for cosmosdb.

AccountEndpoint=https://outermainbelt.documents.azure.com:443/;AccountKey=RxaUCkXRZmOgoI25hjBX7WdOn6wEVUyhF7aEqfsT3idsNY8mIDROZoCr5k3LMNzwk5rhrfnfuvkVACDbTyEgYg==

Lastly, I used the Azure Cosmos DB Explorer to connect to Cosmos DB and retrieve the final flag.

Flag 10: 523af7b1494b22561445ef528647af73

The flag was not in the standard flag format, so I had to confirmed with the admin.

Because the flag was not in the standard format, I thought I did something wrong, and performed more research on CosmosDB while waiting for the admin to response. I decided to use RESTAPI using Postman to list the dbs, cols and documents. Refering to this article

Querying Azure Cosmos DB resources using the REST API

How to use Cosmos DB REST API with Postman in 2021

After confirming that there is only 1 dbs didymos , and 1 cols didymosb , and only 1 document aae805ee-7753-489a-b015-b4417453ffff, I messaged the admin to get a sanity check, and he confirmed that the Value is Flag 10.