For this CTF, your starting CTF user has the following policies:

SecurityAudit (AWS Managed)
CloudFox (Customer Managed)
its-a-secret (Customer Managed)

The first two policies allow you to run CloudFox. The third policy allows this starting user to get the flag for this challenge. If you followed the setup steps in the First Flag challenge (if you are doing this in a workshop, the setup in First Flag has been done for you), you’ll have a profile called cloudfoxable which is tied to the user/ctf-starting-user.

To confirm this, run aws --profile cloudfoxable sts get-caller-identity.

Now run cloudfox using the cloudfoxable profile and see if you can access the secret named its-a-secret.

Information Gathering

As always, I need to check that I have a valid identity before proceeding any further.

adicpnn@laboratory:~$ aws sts get-caller-identity --profile cloudfoxable
{
    "UserId": "AIDAR4HCPRIDY7U3NLPYA",
    "Account": "129323993607",
    "Arn": "arn:aws:iam::129323993607:user/ctf-starting-user"
}

Then, as a practice I'd like to get into the habit of, I trust but verify the information I've been given. Next, I'll look into the policies attached to my user.

adicpnn@laboratory:~$ aws iam list-attached-user-policies --user-name ctf-starting-user --profile cloudfoxable
{
    "AttachedPolicies": [
        {
            "PolicyName": "CloudFox-policy-perms",
            "PolicyArn": "arn:aws:iam::129323993607:policy/CloudFox-policy-perms"
        },
        {
            "PolicyName": "its-a-secret-policy",
            "PolicyArn": "arn:aws:iam::129323993607:policy/its-a-secret-policy"
        },
        {
            "PolicyName": "SecurityAudit",
            "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"
        }
    ]
}

Looks like everything is in order, so I'm going to proceed to look at the its-a-secret-policy that's been attached to my user.

adicpnn@laboratory:~$ aws iam get-policy-version --policy-arn arn:aws:iam::129323993607:policy/its-a-secret-policy --version-id v1 --profile cloudfoxable
{
    "PolicyVersion": {
        "Document": {
            "Statement": [
                {
                    "Action": [
                        "ssm:GetParameter"
                    ],
                    "Effect": "Allow",
                    "Resource": [
                        "arn:aws:ssm:eu-central-1:129323993607:parameter/cloudfoxable/flag/its-a-secret"
                    ]
                }
            ],
            "Version": "2012-10-17"
        },
        "VersionId": "v1",
        "IsDefaultVersion": true,
        "CreateDate": "2026-03-10T13:33:46+00:00"
    }
}

Execution

Aha! So we're dealing with an SSM parameter. With that information gathered, I know exactly what I need to find, and I have confirmation that I can access it.

adicpnn@laboratory:~$ aws ssm get-parameter --name /cloudfoxable/flag/its-a-secret --with-decryption --profile cloudfoxable
{
    "Parameter": {
        "Name": "/cloudfoxable/flag/its-a-secret",
        "Type": "SecureString",
        "Value": "FLAG{ItsASecret::IsASecretASecretIfTooManyPeopleHaveAccessToIt?}",
        "Version": 1,
        "LastModifiedDate": "2026-03-10T14:33:39.373000+01:00",
        "ARN": "arn:aws:ssm:eu-central-1:129323993607:parameter/cloudfoxable/flag/its-a-secret",
        "DataType": "text"
    }
}
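As an added example (not from the original write-up), here is a small Python script that automates the trust-but-verify step above: it takes the policy document returned by aws iam get-policy-version, keeps the Allow statements that grant ssm:GetParameter, and turns each parameter ARN into the --name that aws ssm get-parameter expects (the ARN carries parameter/cloudfoxable/flag/its-a-secret, the CLI wants /cloudfoxable/flag/its-a-secret). The embedded policy is a constructed copy of its-a-secret-policy; the function names are my own.

```python
import fnmatch

# Constructed sample: the its-a-secret-policy document as returned by
# `aws iam get-policy-version` earlier in the write-up.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:GetParameter"],
        "Resource": ["arn:aws:ssm:eu-central-1:129323993607:parameter/cloudfoxable/flag/its-a-secret"],
    }],
}

def _as_list(value):
    """IAM accepts a single item or a list for Statement/Action/Resource."""
    return list(value) if isinstance(value, list) else [] if value is None else [value]

def _grants_get_parameter(actions):
    """Action matching is case-insensitive and '*' is a wildcard, so 'ssm:*'
    or 'ssm:Get*' also cover ssm:GetParameter."""
    return any(fnmatch.fnmatchcase("ssm:getparameter", a.lower()) for a in actions)

def arn_to_parameter_name(arn):
    """'arn:aws:ssm:REGION:ACCT:parameter/a/b' -> '/a/b', which is the form
    `aws ssm get-parameter --name` expects for hierarchical parameters.
    A flat 'parameter/foo' maps to 'foo'; non-parameter ARNs give None."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "ssm" or not parts[5].startswith("parameter/"):
        return None
    path = parts[5][len("parameter/"):]
    return "/" + path if "/" in path else path

def readable_parameters(policy):
    """Parameter names the Allow statements grant ssm:GetParameter on.
    Only Action (not NotAction) is evaluated, and an explicit Deny in another
    policy would still override these grants."""
    names = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _grants_get_parameter(_as_list(stmt.get("Action"))):
            continue
        for res in _as_list(stmt.get("Resource")):
            name = "*" if res == "*" else arn_to_parameter_name(res)
            if name and name not in names:
                names.append(name)
    return names

def get_parameter_commands(policy):
    """The CLI calls to read each parameter, mirroring the final step above."""
    return [f"aws ssm get-parameter --name {n} --with-decryption" for n in readable_parameters(policy)]
```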