Latest

Recent Posts

  • Published on
    The challenge provides JSON credentials that can be used to authenticate and enumerate IAM policies. The service account has policies that allow it to enumerate Storage Managers and Cloud Functions. After retrieving partial source code for one of the Cloud Functions, it was discovered that a limited-access internal function could be invoked by using an external function as a proxy, which made it possible to exfiltrate the flag.
  • Published on
    The challenge provides access keys that allow IAM enumeration, which leads to a Lambda permission that lets the user access the source code of the Lambda function. Another crucial permission allows the user to view a sensitive SSM parameter, which ultimately makes it possible to invoke the Lambda function that reveals the flag.
  • Published on
    The target runs a version of NextGen Healthcare Mirth Connect that is vulnerable to CVE-2023-43208, which provides the initial foothold. Database enumeration reveals a user credential hashed with PBKDF2-HMAC-SHA256, which requires some decoding and cracking to gain user access. Root was then acquired by identifying an SSTI vulnerability caused by unsafe user input validation in a custom script for Mirth Connect.