S3

The challenge provides Access Keys that allows for IAM enumeration that leads to a policy that has limited permissions for S3 . Enumerating Secrets reveal a private key that can be used to generate temporary credentials via IAM Roles Anywhere. By combining the discovered certificate from S3 with the private key from Secrets Manager, we were able to enumerate the Roles Anywhere trust anchors and profiles, ultimately assuming the crypto-buck-reader role which granted broader S3 access to retrieve the flag.

The challenge provides Access Keys that allows for IAM enumeration that leads to a policy that has permissions for S3, Lambda functions and Amazon SQS. Early enumeration restricts S3 object exfiltration but allows downloading the source code of a Lambda function which reveals sensitive arguments that can be published to the SQS service that invokes a Lambda function that reveals the flag in the Lambda Function logs

The challenge provides Access Keys that allows for IAM enumeration that leads to an additional user policy from the Permission Boundary. The policy allows for a specific S3 bucket enumeration. From there, a KMS decryption key was found and is used to decrypt and download unauthorized sensitive files such as the flag

The challenge provides Access Keys that is used to authenticate as a user that has the sts:AssumeRole permission. It is then used to escalate privileges by impersonating a role that was created leading to an S3 bucket compromise revealing the flag