Cloudfoxable - Backwards

In some challenges, you might not see an IAM role or an IP address as the starting point, but rather, an interesting ARN or something like that. Sometimes during cloud penetration tests, we first find something interesting and then work backwards to see who has access to it. Is it just the Administrators? Well, that’s not really a big deal. Is it all developers, or all users, or anyone in the world? That might be a really big deal! ...

March 12, 2026 · 6 min · 1137 words

Cloudfoxable - Pain

In the 2022 FIFA World Cup, Christian Pulisic put his body on the line to net a crucial goal for the USA, ensuring their progression beyond the group stage: https://www.youtube.com/watch?v=Y7VA30UYlQo. He did what he had to do, even though he knew it was going to hurt. Similarly, during a penetration test, whether in a cloud environment or otherwise, you might identify an exploit path that won’t be pleasant to exploit, but you know the end result will be worth it. ...

March 12, 2026 · 10 min · 2000 words

Cloudfoxable - Root

You’ve just gained access to the role Kent. Can you get to the root flag in the SSM parameter store?

Information Gathering

Short and concise challenge details, I will start by preparing a profile for ramos, and checking which policies are attached to it.

    adicpnn@laboratory cloud % cat ~/.aws/config| tail
    [profile kent]
    region = eu-central-1
    role_arn = arn:aws:iam::129323993607:role/Kent
    source_profile = cloudfoxable

    adicpnn@laboratory cloud % aws iam list-attached-role-policies --role-name Kent --profile cloudfoxable
    {
        "AttachedPolicies": [
            {
                "PolicyName": "root-policy1",
                "PolicyArn": "arn:aws:iam::129323993607:policy/root-policy1"
            }
        ]
    }

A single policy attached, let’s see what type of access it grants. ...

March 12, 2026 · 6 min · 1231 words

Cloudfoxable - Segue

You’ve just gained access to the reinier role. Utilize cloudfox and see where it takes you!

Information Gathering

First things first, set up the profile, and test access.

    adicpnn@laboratory cloud % cat ~/.aws/config | tail
    [profile reinier]
    region = eu-central-1
    role_arn = arn:aws:iam::129323993607:role/reinier
    source_profile = cloudfoxable

    adicpnn@laboratory cloud % aws sts get-caller-identity --profile reinier
    {
        "UserId": "AROAR4HCPRIDTDEJTABUR:botocore-session-1773311810",
        "Account": "129323993607",
        "Arn": "arn:aws:sts::129323993607:assumed-role/reinier/botocore-session-1773311810"
    }

Then, enumerating attached policies. ...

March 12, 2026 · 6 min · 1202 words