You’ve just gained access to the role ramos. This role has a bunch of read only access? Can you comb through the access you have and the resources that exist and see if you can find the flag?

Information Gathering

The challenge details are short and concise. I will start by preparing a profile for ramos and checking which policies are attached to the role.

adicpnn@laboratory cloud % cat ~/.aws/config | tail 

[profile ramos]
region = eu-central-1
role_arn = arn:aws:iam::129323993607:role/ramos
source_profile = cloudfoxable

adicpnn@laboratory cloud % aws iam list-attached-role-policies --role-name ramos --profile cloudfoxable
{
    "AttachedPolicies": [
        {
            "PolicyName": "AWSCloudFormationReadOnlyAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess"
        },
        {
            "PolicyName": "AWSWAFReadOnlyAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AWSWAFReadOnlyAccess"
        },
        {
            "PolicyName": "AWSBudgetsReadOnlyAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AWSBudgetsReadOnlyAccess"
        }
    ]
}

I’ll go ahead and focus on enumerating CloudFormation first.

adicpnn@laboratory cloud % aws cloudformation list-stacks --profile ramos
{
    "StackSummaries": [
        {
            "StackId": "arn:aws:cloudformation:eu-central-1:129323993607:stack/cloudformationStack/1d193320-1d61-11f1-9695-0abb4b4e45b3",
            "StackName": "cloudformationStack",
            "CreationTime": "2026-03-11T15:43:56.269000+00:00",
            "StackStatus": "CREATE_COMPLETE",
            "DriftInformation": {
                "StackDriftStatus": "NOT_CHECKED"
            },
            "LastOperations": [
                {
                    "OperationType": "CREATE_STACK",
                    "OperationId": "d25db271-60c0-4784-a514-e91de30fb5b4"
                }
            ]
        },
    ]
}

Execution

There’s a CloudFormation stack already created; I wonder what I might find in its template.

adicpnn@laboratory cloud % aws cloudformation get-template-summary --stack-name cloudformationStack --profile ramos 
...
        {
            "ResourceType": "AWS::SecretsManager::Secret",
            "LogicalResourceIds": [
                "NotImportant"
            ],
            "ResourceIdentifiers": [
                "Id"
            ]
        },
...

That didn’t take long; it looks like there might be a hardcoded secret in here.

adicpnn@laboratory cloud % aws cloudformation get-template --stack-name cloudformationStack --profile ramos
....
    "NotImportant": {
                "Properties": {
                    "Description": "Secure secret for sensitive data",
                    "Name": "my-app-secret",
                    "SecretString": "FLAG{needles::hardcoded_secret_in_cloudformation}"
                },
                "Type": "AWS::SecretsManager::Secret"
            }
        }
...
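The same two steps the writeup performs by hand (`get-template` and reading the resource properties) are what an audit script checks for across an account: a secret-bearing property that holds a literal string instead of a `GenerateSecretString` block or a `{{resolve:...}}` dynamic reference. The following is an added example written for this post, not part of the challenge or CloudFoxable; the `SENSITIVE_PROPS` table, the sample template and its placeholder values are constructed for illustration, and the `fetch_template` helper (which needs boto3, credentials and network access) simply wraps the `get-template` call shown above.

```python
"""Audit CloudFormation templates for literal (hardcoded) secret values."""
import json
import re
from typing import Any, Dict, List, Optional

# Resource properties that should never carry a literal value in a template.
# Constructed for this example; extend for your own environment.
SENSITIVE_PROPS = {
    "AWS::SecretsManager::Secret": ["SecretString"],
    "AWS::RDS::DBInstance": ["MasterUserPassword"],
    "AWS::IAM::User": ["LoginProfile"],
}

# Dynamic references are resolved at deploy time and are not literals.
DYNAMIC_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):")


def is_literal(value: Any) -> bool:
    """True when a property value is a plain string, not an intrinsic
    function ({"Ref": ...}, {"Fn::...": ...}) or a {{resolve:...}} reference."""
    if isinstance(value, str):
        return not DYNAMIC_REF.match(value)
    if isinstance(value, dict):
        if any(k == "Ref" or k.startswith("Fn::") for k in value):
            return False
        # Nested property objects (e.g. LoginProfile) are literal if any leaf is.
        return any(is_literal(v) for v in value.values())
    return False


def find_hardcoded_secrets(template: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per sensitive property that holds a literal value."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties", {})
        for prop in SENSITIVE_PROPS.get(rtype, []):
            if prop in props and is_literal(props[prop]):
                findings.append(
                    {"LogicalId": logical_id, "Type": rtype, "Property": prop}
                )
    return findings


def fetch_template(stack_name: str, profile: Optional[str] = None) -> Dict[str, Any]:
    """Pull a deployed stack's template (the `aws cloudformation get-template`
    call from the writeup). JSON templates only: a YAML body would need a
    CloudFormation-aware YAML loader. Requires boto3, credentials and network."""
    import boto3  # imported lazily so the offline audit functions need no boto3

    cfn = boto3.Session(profile_name=profile).client("cloudformation")
    body = cfn.get_template(StackName=stack_name)["TemplateBody"]
    if isinstance(body, dict):
        return body
    return json.loads(body)


# Constructed sample template: one literal secret (placeholder value), one
# generated secret, and one dynamic reference. Only the first should be flagged.
SAMPLE_TEMPLATE = {
    "Resources": {
        "NotImportant": {
            "Type": "AWS::SecretsManager::Secret",
            "Properties": {
                "Name": "my-app-secret",
                "SecretString": "PLACEHOLDER-literal-secret-value",
            },
        },
        "GoodSecret": {
            "Type": "AWS::SecretsManager::Secret",
            "Properties": {"GenerateSecretString": {"PasswordLength": 32}},
        },
        "Db": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {
                "MasterUserPassword": "{{resolve:secretsmanager:prod/db:SecretString:password}}"
            },
        },
    }
}

if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_TEMPLATE):
        print(f"{f['LogicalId']} ({f['Type']}): literal value in {f['Property']}")
```

To run it against a live account, call `find_hardcoded_secrets(fetch_template("cloudformationStack", profile="ramos"))` for each name returned by `list-stacks`; the point of the `is_literal` check is that a `GenerateSecretString` block or a dynamic reference is the correct pattern, while a plain `SecretString` ends up readable by anyone holding `cloudformation:GetTemplate`, which the read-only managed policy grants.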