Kabinet's GitBook
  • 🚩Kabinet CTF's Writeups
  • Page
  • 2025
    • Thuderdome
      • Emerge through the breach
      • Pulled from the sky
      • An absent defense
      • A new wave (web of deceit)
      • Crossing the great divide
      • Joining forces as one
      • Infiltrate (open the gate)
      • Jaeger
      • Victory
  • 2024
    • GreyCTF 2024
      • Markdown Parser
      • Fearless Concurrency
      • GreyCTF Survey
      • Baby Web
      • Beautiful Styles
      • All About Timing
      • Poly Playground
    • TetCTF 2024
      • Hello from API GW
      • Microservices
  • 2023
    • BSidesSF Cloud Village CTF
      • Tony Tony Tony
      • Plain Sight
      • A Suit of Armor Around The World
      • Sharing is Caring + Sequel
      • Photo Drive
    • DART CTF
      • Flag 1
      • Flag 2
      • Flag 3
      • Flag 4
      • Flag 5
      • Flag 6
      • Flag 7
      • Flag 8
      • Flag 9
      • Flag 10
    • EKS Cluster Games
    • Big IAM Challenge
  • 2022
    • Stack The Flag
      • Secret of Meow Olympurr
  • Authored
    • Cyber League 2025 Major 1
      • Perfect Storage
      • catalog commits
      • pawtainer hub
    • Lag and Crash 2023
      • Managed Secrets
      • Pickle Rick
      • Cloudy with a chance of meatball
    • NYP InfoSec December CTF 2022
      • Super Secure Technology Infrastructure
      • Self Introduction
      • Aww Cuter Cat
      • Obligatory Calc
      • BreadSecurity
  • NYP InfoSec Introduction to Pentesting Workshop
Powered by GitBook
On this page

Was this helpful?

  1. 2023
  2. DART CTF

Flag 10

PreviousFlag 9NextEKS Cluster Games

Last updated 1 year ago

Was this helpful?

I am also able to list out the Ascension secret that was previously inaccessible.

The Ascension secret reminds me of what I did previously for Flag9, Invoke-AzKeyVaultKeyOperation so I attempted the same operation again.

$value = ConvertTo-SecureString -String "aJa+nuiOLWO0yQJk/2zxmYlCDR6y3POHUTuX84FF5Sx/EsHvvMmKMnN8zbLMCtXAodhAnpXHk6bG0zl744vwb9wk7/KwG18NJL/VqaX2/BP3iLkSg7X/uyGBqH+Ptsr0YoF5RBfRUE2QrWdfqGS5Q5n9YAI6mv2m93Zz8sLntRQe07R8NuGB8w5yHuVSREOiw/Lbagk4jk6QmUiH172HzYyC+Udh83JPHX2kiTo/usO/tHSuSRNAhnvqHeViANFONCK4TA9diWAgKmox2pn3P5SuiviIxtoIN+4V8cP1gW72KkG4/OhyqBYZbpxnP9stCensRnhWi3fb1AVOwEluJQ==" -AsPlainText -Force

Invoke-AzKeyVaultKeyOperation -Operation "Decrypt" -Algorithm "RSA1_5" -Name "LICIACube" -VaultName "cubesat" -Value $value

However I was shown an error saying that the parameter is incorrect. Which suggest that the key vault key is unable to decrypt the key vault secrets.

Recalling that in Flag 2, I needed to view version history of a file. I researched if key vault secret is versioned and come across this article. I am then able to list out the versions for the key vault key.

Get-AzKeyVaultKey -VaultName cubesat -Name LICIACUBE -IncludeVersions

I then used the other key to attempt the same decrypting operation.

$value= ConvertTo-SecureString -String "aJa+nuiOLWO0yQJk/2zxmYlCDR6y3POHUTuX84FF5Sx/EsHvvMmKMnN8zbLMCtXAodhAnpXHk6bG0zl744vwb9wk7/KwG18NJL/VqaX2/BP3iLkSg7X/uyGBqH+Ptsr0YoF5RBfRUE2QrWdfqGS5Q5n9YAI6mv2m93Zz8sLntRQe07R8NuGB8w5yHuVSREOiw/Lbagk4jk6QmUiH172HzYyC+Udh83JPHX2kiTo/usO/tHSuSRNAhnvqHeViANFONCK4TA9diWAgKmox2pn3P5SuiviIxtoIN+4V8cP1gW72KkG4/OhyqBYZbpxnP9stCensRnhWi3fb1AVOwEluJQ==" -AsPlainText -Force

$decrypt=Invoke-AzKeyVaultKeyOperation -Operation "Decrypt" -Algorithm "RSA1_5" -Name "LICIACube" -VaultName "cubesat" -Value $value -Version '2482e07e3dda4792af854ce1e7eebc02'

The result is a base64 string.

RxaUCkXRZmOgoI25hjBX7WdOn6wEVUyhF7aEqfsT3idsNY8mIDROZoCr5k3LMNzwk5rhrfnfuvkVACDbTyEgYg==

Recalling that in Flag 9, I identified that the user has access to cosmosdb.

Running Get-AzResources shows that the user have access to CosmosDb

Next I will perform enumeration on the CosmosDB. I was able to retrieve the CosmosDB account name and endpoint.

Using the Ascension decrypted secrets from before, I crafted a connection string for cosmosdb.

AccountEndpoint=https://outermainbelt.documents.azure.com:443/;AccountKey=RxaUCkXRZmOgoI25hjBX7WdOn6wEVUyhF7aEqfsT3idsNY8mIDROZoCr5k3LMNzwk5rhrfnfuvkVACDbTyEgYg==

Lastly, I used the Azure Cosmos DB Explorer to connect to Cosmos DB and retrieve the final flag.

Flag 10: 523af7b1494b22561445ef528647af73

The flag was not in the standard flag format, so I had to confirmed with the admin.

Because the flag was not in the standard format, I thought I did something wrong, and performed more research on CosmosDB while waiting for the admin to response. I decided to use RESTAPI using Postman to list the dbs, cols and documents. Refering to this article

Querying Azure Cosmos DB resources using the REST API

How to use Cosmos DB REST API with Postman in 2021

After confirming that there is only 1 dbs didymos , and 1 cols didymosb , and only 1 document aae805ee-7753-489a-b015-b4417453ffff, I messaged the admin to get a sanity check, and he confirmed that the Value is Flag 10.

LogoGet-AzKeyVaultKey (Az.KeyVault)MicrosoftLearn
LogoUse Azure Cosmos DB Explorer to manage your dataMicrosoftLearn