
Smoke in the cloud [CTF Challenge]

Zeyad Abulaban, in System Weakness

This challenge involved exploiting a misconfigured S3 object ACL to gain access to the credentials.txt object. That object contained the AWS keys of another user who had permission to list and retrieve Lambda functions. One of the Lambda functions included AWS keys as environment variables, together with the ARN (Amazon Resource Name) of a role that could be assumed from a GitHub Actions workflow.

Challenge Link

First of all, let's attempt to retrieve the credentials.txt object from the bucket.

We don't have sufficient permissions. Let's check whether we can list the ACLs of the bucket and of the object.

Only the user watch4hack has full control over the bucket. Let's check whether any ACLs are set on the objects in the bucket.

The object's ACL grants WRITE_ACP (write access control policy) to all users globally. According to the AWS documentation, any principal holding this permission can set the ACL on the object.

To make the bucket publicly accessible, we use the put-bucket-acl command. Once the bucket is accessible, we can download the credentials.txt object.

The credentials.txt file contains credentials for a user named Binaryshadow, who is authorized to list and retrieve Lambda functions. The account had approximately 15 extra_lambda functions; in the following output I have included only the relevant ones.

This function is responsible for resetting the ACLs on the bucket object (just a cleanup function).

This function is responsible for removing users from the CodeBuildAdmins group. This piece of information will be useful later on.

Going back to the extra_lambda_10 function: it had a base64-encoded hint in its environment variables, along with a base64-encoded AWS access key and AWS secret key.

So we need to exploit this trust relationship to access Secrets Manager and retrieve the flag. Easy, right?

Essentially, any GitHub Actions workflow in the "rhalyc/ctf" GitHub repository can assume the role arn:aws:iam::520091917895:role/magichk_role and, with it, retrieve the flag from AWS Secrets Manager.

To achieve that, we need to somehow obtain the credentials or a token belonging to the user "rhalyc".

After loading the credentials obtained from the extra_lambda_10 function, we are introduced to a new user named "Arget".

Returning to the remove_users Lambda function: its purpose is to remove users from the CodeBuildAdmins group. Luckily, the user "Arget" has the permissions needed to list groups and add users to groups.

Now that we have full access to AWS CodeBuild, some enumeration shows that a GitHub personal access token is loaded into CodeBuild. Unfortunately, it is not possible to retrieve the token directly.

After some research, I came across an awesome technique, AWS Codebuild — Token Leakage — HackTricks Cloud, which uses a Docker container to proxy and redirect all connections to the attacker's machine.

Finally, after obtaining the token, we can create a GitHub workflow that assumes the role arn:aws:iam::520091917895:role/magichk_role and retrieves the flag.

Now push the changes and wait for the reverse shell.
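The two misconfigurations this walkthrough chains, a public WRITE_ACP grant on an S3 object and AWS keys parked in Lambda environment variables, are both easy to catch in an audit. The Python check below is an added example, not part of the original post or the challenge: it inspects a `get-object-acl` / `get-bucket-acl` style response and a Lambda function's environment map (both constructed samples here, with AWS's documented placeholder key id `AKIAIOSFODNN7EXAMPLE`), and also decodes base64 values, since the challenge's keys were stored that way.

```python
import base64
import re

# Predefined S3 groups; a grant to either is reachable by anyone (AllUsers) or any AWS account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Permissions that let such a principal rewrite the ACL or the data itself.
RISKY_PERMS = {"WRITE_ACP", "FULL_CONTROL", "WRITE"}
# Access key id shapes: long-lived (AKIA) and temporary (ASIA).
AKID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

def public_acl_grants(acl):
    """[(group_uri, permission)] for grants in a get-object-acl /
    get-bucket-acl response that give a public group a risky permission."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in RISKY_PERMS):
            findings.append((grantee["URI"], grant["Permission"]))
    return findings

def _b64_text(value):
    """Decode value as base64-encoded UTF-8 text, or None if it is not."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def env_vars_with_keys(env):
    """Names of Lambda environment variables whose value, raw or base64-decoded,
    contains something shaped like an AWS access key id."""
    hits = []
    for name, value in env.items():
        decoded = _b64_text(value)
        if AKID_RE.search(value) or (decoded and AKID_RE.search(decoded)):
            hits.append(name)
    return sorted(hits)

# Constructed sample inputs (not the challenge's real ACL or function config).
SAMPLE_OBJECT_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE_ACP"}]}
SAMPLE_LAMBDA_ENV = {  # AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key id
    "HINT": base64.b64encode(b"use these keys from the pipeline").decode(),
    "AWS_ACCESS_KEY_ID": base64.b64encode(b"AKIAIOSFODNN7EXAMPLE").decode(),
    "LOG_LEVEL": "info"}
```

A WRITE_ACP grant to AllUsers is exactly the state this challenge started from; the fix is an owner-only ACL (`aws s3api put-object-acl --acl private`) plus S3 Block Public Access on the bucket, and static keys in a Lambda environment belong in Secrets Manager or, better, in the function's execution role instead.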



This post first appeared on VedVyas Articles, please read the original post: here
