Cloud

The challenge provides Access Keys that allows for IAM enumeration that leads to a policy that has limited permissions for S3 and IAM, eventually allowing the user to assume a role with the necessary KMS:Decrypt permission to download the flag from the S3 bucket

The challenge provides Access Keys that allows for IAM enumeration that leads to a policy that has limited permissions for S3 . Enumerating Secrets reveal a private key that can be used to generate temporary credentials via IAM Roles Anywhere. By combining the discovered certificate from S3 with the private key from Secrets Manager, we were able to enumerate the Roles Anywhere trust anchors and profiles, ultimately assuming the crypto-buck-reader role which granted broader S3 access to retrieve the flag.

The challenge provides Access Keys that allows for IAM enumeration that leads to a policy that has permissions for S3, Lambda functions and Amazon SQS. Early enumeration restricts S3 object exfiltration but allows downloading the source code of a Lambda function which reveals sensitive arguments that can be published to the SQS service that invokes a Lambda function that reveals the flag in the Lambda Function logs

The challenge provides Access Keys that allows for IAM enumeration that leads to a policy that has permissions for Amazon SQS. An interesting permission allows us to read messages from the queue URL which reveals the flag

The challenge provides Client Credentials that can be used to authenticate and enumerate roles which have permissions to read available workflows from Logic Apps. One of the workflows reveal another set of credentials that we can use to authenticate and enumerate API permissions of another certain app.