Blogs on security ?!

Cloudfoxable - Middle

Wed, 18 Mar 2026 00:00:00 +0000

Here we have another case of blurred lines. A vulnerability that anyone in the world can exploit, except not really. To successfully exploit it, you need to know some key information, which makes it fall in the “Assumed breach: Malicious/Compromised user” category as well.

So really the refined statement is: “Anyone in the world can exploit this provided they at some point had/have internal knowledge of the environment”. This means someone who used to work at Cloudfoxable Corp could exploit this, or even someone who currently works there but wants to keep their actions anonymous.

Cloudfoxable - Trust me

Tue, 17 Mar 2026 00:00:00 +0000

There’s a role that trusts the repo you just created. Find the role and exploit the trust to access the flag.

Information Gathering

I’ll start off by enumerating AWS roles in my sandbox account, hoping to see a trust policy for the repo i’ve created adicpnn/cfx_trust_me.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30


adicpnn@laboratory aws % aws iam list-roles --profile cloudfoxable
...
{
 "Path": "/",
 "RoleName": "t_rodman",
 "RoleId": "AROAR4HCPRIDWZYYOATJQ",
 "Arn": "arn:aws:iam::129323993607:role/t_rodman",
 "CreateDate": "2026-03-17T15:21:22+00:00",
 "AssumeRolePolicyDocument": {
 "Version": "2012-10-17",
 "Statement": [
 {
 "Sid": "",
 "Effect": "Allow",
 "Principal": {
 "Federated": "arn:aws:iam::129323993607:oidc-provider/token.actions.githubusercontent.com"
 },
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
 "StringLike": {
 "token.actions.githubusercontent.com:sub": "repo:adicpnn/cfx_trust_me:*",
 "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
 }
 }
 }
 ]
 },
 "MaxSessionDuration": 3600
 }
...

What this trust policy statement allows, is for GitHub Actions to assume the role t_rodman using OpenID Connect. I’ll keep this information and mind, and keep unraveling the exploit chain.

Cloudfoxable - Backwards

Thu, 12 Mar 2026 00:00:00 +0000

In some challenges, you might not see an IAM role or an IP address as the starting point, but rather, an interesting ARN or something like that.

Sometimes during cloud penetration tests, we first find something interesting and then work backwards to see who has access to it. Is it just the Administrators? Well, that’s not really a big deal. Is it all developers, or all users, or anyone in the world? That might be a really big deal!

Cloudfoxable - Furls1

Thu, 12 Mar 2026 00:00:00 +0000

A Lambda function URL can be used to expose a Lambda function to the internet without an API gateway or another load balancer. This is really handy for builders, but can also be really handy for offensive security folk, as it’s ripe for misconfiguration.

Use cloudfox to find the furls1 FunctionURL and find the flag.

Information Gathering

I’ll start off by enumerating the lambda functions in this account.

Cloudfoxable - Furls2

Thu, 12 Mar 2026 00:00:00 +0000

This Lambda Function URL doesn’t just give you the key like furls1. You have to work a little harder for this one. CloudFox can definitely help you here.

Information Gathering

This time around, I don’t know which lambda function to target, since there’s no “furls2” function. Instead, I will list all the function URLs in the AWS account. (minus the one I’ve already exploited)

Cloudfoxable - Needles

Thu, 12 Mar 2026 00:00:00 +0000

You’ve just gained access to the role ramos. This role has a bunch of read only access? Can you comb through the access you have and the resources that exist and see if you can find the flag?

Information Gathering

Short and concise challenge details, I will start by preparing a profile for ramos, and checking which policies are attached to it.

Cloudfoxable - Pain

Thu, 12 Mar 2026 00:00:00 +0000

In the 2022 FIFA World Cup, Christian Pulisic put his body on the line to net a crucial goal for the USA, ensuring their progression beyond the group stage: https://www.youtube.com/watch?v=Y7VA30UYlQo. He did what he had to do, even though he knew it was going to hurt.

Similarly, during a penetration test, whether in a cloud environment or otherwise, you might identify a exploit path that won’t be pleasant to exploit, but you know the end result will be worth it.

Cloudfoxable - Root

Thu, 12 Mar 2026 00:00:00 +0000

You’ve just gained access to the role Kent. Can you get to the root flag in the SSM parameter store?

Information Gathering

Short and concise challenge details, I will start by preparing a profile for ramos, and checking which policies are attached to it.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16


adicpnn@laboratory cloud % cat ~/.aws/config| tail

[profile kent]
region = eu-central-1
role_arn = arn:aws:iam::129323993607:role/Kent
source_profile = cloudfoxable

adicpnn@laboratory cloud % aws iam list-attached-role-policies --role-name Kent --profile cloudfoxable
{
 "AttachedPolicies": [
 {
 "PolicyName": "root-policy1",
 "PolicyArn": "arn:aws:iam::129323993607:policy/root-policy1"
 }
 ]
}

A single policy attached, let’s see what type of access it grants.

Cloudfoxable - Segue

Thu, 12 Mar 2026 00:00:00 +0000

You’ve just gained access to the reinier role. Utilize cloudfox and see where it takes you!

Information Gathering

First things first, set up the profile, and test access.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13


adicpnn@laboratory cloud % cat ~/.aws/config | tail

[profile reinier]
region = eu-central-1
role_arn = arn:aws:iam::129323993607:role/reinier
source_profile = cloudfoxable

adicpnn@laboratory cloud % aws sts get-caller-identity --profile reinier
{
 "UserId": "AROAR4HCPRIDTDEJTABUR:botocore-session-1773311810",
 "Account": "129323993607",
 "Arn": "arn:aws:sts::129323993607:assumed-role/reinier/botocore-session-1773311810"
}

Then, enumerating attached policies.

Cloudfoxable - The topic is execution

Thu, 12 Mar 2026 00:00:00 +0000

You’ve just gained access to the role viniciusjr. At first glance, this role appears to only have some SNS read-only access? But I don’t think that’s accurate. See if you can get to the flag /cloudfoxable/flag/executioner in the SSM parameter store.

Information Gathering

First things first, set up the profile, and test access.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13


adicpnn@laboratory cloud % cat ~/.aws/config | tail

[profile vini]
region = eu-central-1
role_arn = arn:aws:iam::129323993607:role/viniciusjr
source_profile = cloudfoxable

adicpnn@laboratory cloud % aws sts get-caller-identity --profile vini
{
 "UserId": "AROAR4HCPRIDXMLFGL22G:botocore-session-1773327029",
 "Account": "129323993607",
 "Arn": "arn:aws:sts::129323993607:assumed-role/viniciusjr/botocore-session-1773327029"
}

Then, enumerating attached policies.

Cloudfoxable - The topic is exposure

Thu, 12 Mar 2026 00:00:00 +0000

What does it mean when we say something is “public” in the cloud? Do you need an IP address to be public? What if a resource is accessible to anyone in the world, provided they have an AWS account (any AWS account). That seems close enough to public to scare me!

Note: FWIW, there is a policy on the resource in question that will only allow you to exploit it from your IP address to prevent misuse)

Cloudfoxable - It's another secret

Wed, 11 Mar 2026 00:00:00 +0000

TL;DR: You’ve just gained access to the role Ertz. Can you find and access the its-another-secret flag?

A lot of the challenges in the category Assumed Breach: Principal will have you assume into a role to simulate a new starting point. You’ll technically start as ctf-starting-user, but your first action will be to assume the role Ertz listed above. This is to simulate a scenario where you’ve just gained access to the role Ertz.

Cloudfoxable - It's a secret

Tue, 10 Mar 2026 00:00:00 +0000

For this CTF, your starting CTF user has the following policies:

SecurityAudit (AWS Managed)
CloudFox (Customer Managed)
its-a-secret (Customer Managed)

The first two policies allow you to run CloudFox. The third policy allows this starting user to get the flag for this challenge. If you followed the setup steps in the First Flag challenge (if you are doing this in a workshop, the setup in First Flag has been done for you), you’ll have a profile called cloudfoxable which is tied to the user/ctf-starting-user.