Flag 10
I am also able to list out the Ascension secret that was previously inaccessible.
The Ascension secret reminds me of what I did previously for , Invoke-AzKeyVaultKeyOperation, so I attempted the same operation again.
However, I was shown an error saying that the parameter is incorrect, which suggests that the key vault key is unable to decrypt the key vault secret.
I then used the other key to attempt the same decrypting operation.
The result is a base64 string.
Running Get-AzResource shows that the user has access to CosmosDB.
Next, I will perform enumeration on the CosmosDB. I was able to retrieve the CosmosDB account name and endpoint.
Using the Ascension decrypted secrets from before, I crafted a connection string for CosmosDB.
Flag 10: 523af7b1494b22561445ef528647af73
The flag was not in the standard flag format, so I had to confirm with the admin.
Because the flag was not in the standard format, I thought I did something wrong, and performed more research on CosmosDB while waiting for the admin to respond. I decided to use the REST API via Postman to list the dbs, cols and documents, referring to this article.
After confirming that there is only 1 dbs, didymos, only 1 cols, didymosb, and only 1 document, aae805ee-7753-489a-b015-b4417453ffff, I messaged the admin to get a sanity check, and he confirmed that the Value is Flag 10.
Recalling that in , I needed to view the version history of a file, I researched whether key vault secrets are versioned and came across this . I was then able to list out the versions for the key vault key.
Recalling that in , I identified that the user has access to cosmosdb.
Lastly, I used the to connect to Cosmos DB and retrieve the final flag.
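The two conditions this flag depended on, older Key Vault secret and key versions that are still enabled, and a Cosmos DB account reachable with a connection string kept in that vault, can be audited from the defender's side. The script below is an added example, not part of the original writeup; it assumes an existing Az session (Connect-AzAccount) with list/get rights on the vault, and $VaultName is a parameter supplied by the operator.

```powershell
# Added example, not from the original writeup. Reports enabled, non-current
# secret/key versions in a Key Vault and lists Cosmos DB accounts in the subscription.
# Assumes an authenticated Az session; $VaultName is supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $VaultName
)

$findings = New-Object System.Collections.Generic.List[object]

# Secrets: every enabled version other than the newest is a stale copy of credential material
# that remains listable and readable by anyone holding secrets/list and secrets/get.
foreach ($secret in Get-AzKeyVaultSecret -VaultName $VaultName) {
    $versions = Get-AzKeyVaultSecret -VaultName $VaultName -Name $secret.Name -IncludeVersions |
        Sort-Object Created -Descending
    $newest = $versions | Select-Object -First 1
    foreach ($v in $versions | Where-Object { $_.Enabled -and $_.Version -ne $newest.Version }) {
        $findings.Add([pscustomobject]@{
            Kind = 'secret'; Name = $secret.Name; Version = $v.Version; Created = $v.Created
            Issue = 'older version still enabled'
        })
    }
}

# Keys: an enabled older key version can still perform decrypt/unwrap for data encrypted with it.
foreach ($key in Get-AzKeyVaultKey -VaultName $VaultName) {
    $versions = Get-AzKeyVaultKey -VaultName $VaultName -Name $key.Name -IncludeVersions |
        Sort-Object Created -Descending
    $newest = $versions | Select-Object -First 1
    foreach ($v in $versions | Where-Object { $_.Enabled -and $_.Version -ne $newest.Version }) {
        $findings.Add([pscustomobject]@{
            Kind = 'key'; Name = $key.Name; Version = $v.Version; Created = $v.Created
            Issue = 'older version still enabled'
        })
    }
}

# Cosmos DB accounts in the current subscription: a connection string stored in the vault
# grants full data-plane access, so each account should be cross-checked against the vault's secrets.
Get-AzResource -ResourceType 'Microsoft.DocumentDB/databaseAccounts' |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Kind = 'cosmosdb'; Name = $_.Name; Version = ''; Created = ''
            Issue = "account in resource group $($_.ResourceGroupName)"
        })
    }

$findings | Format-Table Kind, Name, Version, Created, Issue -AutoSize
```

Reported stale versions can be retired with Update-AzKeyVaultSecret or Update-AzKeyVaultKey using -Version and -Enable $false, which leaves the current version in service.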