AWS Security - S3cret Santa | Advent of Cyber 2025 - Day 23
This guide contains the answers, and the steps needed to reach them, for the AWS Security - S3cret Santa room.
Table of contents
- Introduction
- IAM: Users, Roles, Groups and Policies
- Practical: Enumerating a User's Permissions
- Assuming Roles
- Grabbing a file from S3
Introduction
Run aws sts get-caller-identity. What is the number shown for the "Account" parameter?
We will run the following command to get information about the configured user:
aws sts get-caller-identity
Answer: 123456789012
IAM: Users, Roles, Groups and Policies
What IAM component is used to describe the permissions to be assigned to a user or a group?
The answer to this question can be found in the text.
Answer: policy
Practical: Enumerating a User's Permissions
What is the name of the policy assigned to sir.carrotbane?
We can list the inline policies for his account using:
aws iam list-user-policies --user-name sir.carrotbane
Answer: SirCarrotbanePolicy
Assuming Roles
Apart from GetObject and ListBucket, what other action can be taken by assuming the bucketmaster role?
We need to see which actions the 'bucketmaster' role can perform. We can read its inline policy with the following command:
aws iam get-role-policy --policy-name BucketMasterPolicy --role-name bucketmaster
Answer: ListAllMyBuckets
Grabbing a file from S3
What are the contents of the cloud_password.txt file?
First, we need to assume the 'bucketmaster' role. The assume-role call returns a Credentials block; export its AccessKeyId, SecretAccessKey and SessionToken (your values will differ) so that the CLI acts as the role instead of the user:
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/bucketmaster --role-session-name TBFC
export AWS_ACCESS_KEY_ID="ASIARZPUZDIKGOANAAGV"
export AWS_SECRET_ACCESS_KEY="agHlyxjLjO73hsoieB4Txt0bM3aT7IpBsI/TjcdH"
export AWS_SESSION_TOKEN="FQoGZXIvYXdzEBYaDie4xs35h+TC1csNaJQa1r0xD45kuAInHsDMyTGWu4pEOYgF0mUERVcyRAKwP9WjiPe5nxDyxOUwC9hFw83hJyO72quNSb3knuBNAAcyUkYP9DKyu2Z7SOWygKm8p+YEsNpKlprK4oo0gncd3nGCoALJ7YLJylUbIN5x8oHKAAZwhUhwqkSJpUghJMVxN6Ur611+b4r1fALMl0VcyNcgwVt0aDNa7J8HSXMykuIksT5+1Bl1xn5nz7aa7jWW+jnRFzJ4703dIpiIieQlhAWxJdSe04v59tUjWItUgHLV/JaFta1yQz3hyZ7UcxfSHC5kZKUkTbJmwcapgdZqyt0="
Then check which role we are using now:
aws sts get-caller-identity
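As an added example that is not from the room or from TryHackMe, here is a small POSIX shell helper that performs the same assume-role step, but checks that the returned credentials are complete before loading them into the shell; the function names and the constructed sample credential line are assumptions, and the AWS CLI is assumed to be configured for a principal allowed sts:AssumeRole on the target role.

```shell
#!/bin/sh
# Added example (not part of the room): load the temporary credentials that
# `aws sts assume-role` returns into the current shell, then confirm the
# identity. The sample line below is constructed, not a real credential.

# Convert one line of `--output text` from the query
# 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]'
# (four tab-separated fields) into export statements. Emits nothing if a
# field is missing, so a failed call never leaves a half-set of
# credentials in the environment.
creds_to_exports() {
    _old_ifs=$IFS
    IFS="$(printf '\t')"
    set -- $1
    IFS=$_old_ifs
    [ "$#" -ge 3 ] || return 1
    printf "export AWS_ACCESS_KEY_ID='%s'\n" "$1"
    printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$2"
    printf "export AWS_SESSION_TOKEN='%s'\n" "$3"
    printf "# session credentials expire at: %s\n" "${4:-unknown}"
}

# Assume the role, export its credentials, and show who we are now.
# The Arn in the output should read assumed-role/<role>/<session-name>.
assume_role_into_shell() {
    _role_arn=$1
    _session=${2:-TBFC}
    _creds=$(aws sts assume-role --role-arn "$_role_arn" \
        --role-session-name "$_session" --output text \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]') || return 1
    _exports=$(creds_to_exports "$_creds") || return 1
    eval "$_exports"
    aws sts get-caller-identity
}

# Constructed sample of what the text-format query returns (placeholder values).
SAMPLE_CREDS=$(printf 'ASIAEXAMPLEKEYID\tEXAMPLESECRETKEY\tEXAMPLESESSIONTOKEN\t2025-12-23T10:00:00+00:00')

# Usage in the room: assume_role_into_shell arn:aws:iam::123456789012:role/bucketmaster
```

Source the file (`. ./assume.sh`) rather than executing it, so the exports land in your interactive shell.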
Now we can list all the S3 buckets visible to this role using:
aws s3api list-buckets
One of these buckets might contain some interesting information. Let's list the objects in the secrets bucket:
aws s3api list-objects --bucket easter-secrets-123145
Then download the password file and read its contents:
aws s3api get-object --bucket easter-secrets-123145 --key cloud_password.txt cloud_password.txt
cat cloud_password.txt
Answer: THM{more_like_sir_cloudbane}