Secrets-manager

  • Published on
    The challenge provides access keys that allow IAM enumeration, which leads to a policy with limited permissions for S3. Enumerating secrets reveals a private key that can be used to generate temporary credentials via IAM Roles Anywhere. By combining the certificate discovered in S3 with the private key from Secrets Manager, we were able to enumerate the Roles Anywhere trust anchors and profiles, ultimately assuming the crypto-buck-reader role, which granted broader S3 access to retrieve the flag.