Cloudfoxable - Middle

Here we have another case of blurred lines. A vulnerability that anyone in the world can exploit, except not really. To successfully exploit it, you need to know some key information, which makes it fall in the “Assumed breach: Malicious/Compromised user” category as well. So really the refined statement is: “Anyone in the world can exploit this provided they at some point had/have internal knowledge of the environment”. This means someone who used to work at Cloudfoxable Corp could exploit this, or even someone who currently works there but wants to keep their actions anonymous. ...

March 18, 2026 · 8 min · 1595 words

Cloudfoxable - Trust me

There’s a role that trusts the repo you just created. Find the role and exploit the trust to access the flag.

Information Gathering

I’ll start off by enumerating AWS roles in my sandbox account, hoping to see a trust policy for the repo I’ve created, adicpnn/cfx_trust_me.

    adicpnn@laboratory aws % aws iam list-roles --profile cloudfoxable
    ...
    {
        "Path": "/",
        "RoleName": "t_rodman",
        "RoleId": "AROAR4HCPRIDWZYYOATJQ",
        "Arn": "arn:aws:iam::129323993607:role/t_rodman",
        "CreateDate": "2026-03-17T15:21:22+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "",
                    "Effect": "Allow",
                    "Principal": {
                        "Federated": "arn:aws:iam::129323993607:oidc-provider/token.actions.githubusercontent.com"
                    },
                    "Action": "sts:AssumeRoleWithWebIdentity",
                    "Condition": {
                        "StringLike": {
                            "token.actions.githubusercontent.com:sub": "repo:adicpnn/cfx_trust_me:*",
                            "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                        }
                    }
                }
            ]
        },
        "MaxSessionDuration": 3600
    }
    ...

What this trust policy statement allows is for GitHub Actions to assume the role t_rodman using OpenID Connect. I’ll keep this information in mind and keep unraveling the exploit chain. ...

March 17, 2026 · 5 min · 967 words

Cloudfoxable - Backwards

In some challenges, you might not see an IAM role or an IP address as the starting point, but rather, an interesting ARN or something like that. Sometimes during cloud penetration tests, we first find something interesting and then work backwards to see who has access to it. Is it just the Administrators? Well, that’s not really a big deal. Is it all developers, or all users, or anyone in the world? That might be a really big deal! ...

March 12, 2026 · 6 min · 1137 words

Cloudfoxable - Furls1

A Lambda function URL can be used to expose a Lambda function to the internet without an API gateway or another load balancer. This is really handy for builders, but can also be really handy for offensive security folk, as it’s ripe for misconfiguration. Use cloudfox to find the furls1 FunctionURL and find the flag.

Information Gathering

I’ll start off by enumerating the lambda functions in this account. ...

March 12, 2026 · 2 min · 231 words

Cloudfoxable - Furls2

This Lambda Function URL doesn’t just give you the key like furls1. You have to work a little harder for this one. CloudFox can definitely help you here.

Information Gathering

This time around, I don’t know which lambda function to target, since there’s no “furls2” function. Instead, I will list all the function URLs in the AWS account (minus the one I’ve already exploited). ...

March 12, 2026 · 5 min · 1000 words

Cloudfoxable - Needles

You’ve just gained access to the role ramos. This role has a bunch of read only access? Can you comb through the access you have and the resources that exist and see if you can find the flag?

Information Gathering

Short and concise challenge details, I will start by preparing a profile for ramos, and checking which policies are attached to it. ...

March 12, 2026 · 2 min · 310 words

Cloudfoxable - Pain

In the 2022 FIFA World Cup, Christian Pulisic put his body on the line to net a crucial goal for the USA, ensuring their progression beyond the group stage: https://www.youtube.com/watch?v=Y7VA30UYlQo. He did what he had to do, even though he knew it was going to hurt. Similarly, during a penetration test, whether in a cloud environment or otherwise, you might identify an exploit path that won’t be pleasant to exploit, but you know the end result will be worth it. ...

March 12, 2026 · 10 min · 2000 words

Cloudfoxable - Root

You’ve just gained access to the role Kent. Can you get to the root flag in the SSM parameter store?

Information Gathering

Short and concise challenge details, I will start by preparing a profile for ramos, and checking which policies are attached to it.

    adicpnn@laboratory cloud % cat ~/.aws/config| tail
    [profile kent]
    region = eu-central-1
    role_arn = arn:aws:iam::129323993607:role/Kent
    source_profile = cloudfoxable

    adicpnn@laboratory cloud % aws iam list-attached-role-policies --role-name Kent --profile cloudfoxable
    {
        "AttachedPolicies": [
            {
                "PolicyName": "root-policy1",
                "PolicyArn": "arn:aws:iam::129323993607:policy/root-policy1"
            }
        ]
    }

A single policy attached, let’s see what type of access it grants. ...

March 12, 2026 · 6 min · 1231 words

Cloudfoxable - Segue

You’ve just gained access to the reinier role. Utilize cloudfox and see where it takes you!

Information Gathering

First things first, set up the profile, and test access.

    adicpnn@laboratory cloud % cat ~/.aws/config | tail
    [profile reinier]
    region = eu-central-1
    role_arn = arn:aws:iam::129323993607:role/reinier
    source_profile = cloudfoxable

    adicpnn@laboratory cloud % aws sts get-caller-identity --profile reinier
    {
        "UserId": "AROAR4HCPRIDTDEJTABUR:botocore-session-1773311810",
        "Account": "129323993607",
        "Arn": "arn:aws:sts::129323993607:assumed-role/reinier/botocore-session-1773311810"
    }

Then, enumerating attached policies. ...

March 12, 2026 · 6 min · 1202 words

Cloudfoxable - The topic is execution

You’ve just gained access to the role viniciusjr. At first glance, this role appears to only have some SNS read-only access? But I don’t think that’s accurate. See if you can get to the flag /cloudfoxable/flag/executioner in the SSM parameter store.

Information Gathering

First things first, set up the profile, and test access.

    adicpnn@laboratory cloud % cat ~/.aws/config | tail
    [profile vini]
    region = eu-central-1
    role_arn = arn:aws:iam::129323993607:role/viniciusjr
    source_profile = cloudfoxable

    adicpnn@laboratory cloud % aws sts get-caller-identity --profile vini
    {
        "UserId": "AROAR4HCPRIDXMLFGL22G:botocore-session-1773327029",
        "Account": "129323993607",
        "Arn": "arn:aws:sts::129323993607:assumed-role/viniciusjr/botocore-session-1773327029"
    }

Then, enumerating attached policies. ...

March 12, 2026 · 5 min · 910 words