Scurried
Challenge
- CTF: HTB Business CTF 2024: The Vault of Hope
- Name: Scurried
- Category: Cloud
- Difficulty: Very Easy
- Points: 325
- Description: We have obtained leaked data pertaining to Vault 101, with suspicion that it may be linked to one of the leaders group. Your task is to analyze and extract pertinent information from the provided data. The flag is the ARN wrapped in HTB{}.
Writeup
Provided AWS ID: AROAXYAFLIG2BLQFIIP34
Researching what an Amazon Resource Name (ARN) is, we came across two reference guides. Using the IAM ID prefix guides below, we can tell that the provided value is an IAM unique ID and that its AROA prefix denotes a role.
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html
- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-basic-information#iam-id-prefixes
When IAM creates a user, user group, role, policy, instance profile, or server certificate, it assigns to each resource a unique ID that looks like this: AIDAJQABLZS4A3QDU576Q
From hackingthe.cloud: for IAM users (AIDA) and roles (AROA), you can reverse the unique ID to its corresponding ARN by referencing it in a resource-based policy.
First, we will create a role with the following trust policy:
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "AROAXYAFLIG2BLQFIIP34"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Refreshing the AWS configuration page, we can see that the unique ID in the Principal element has been resolved to its ARN:
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::532587168180:role/vault101"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Flag: HTB{arn:aws:iam::532587168180:role/vault101}
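The difference between the two policies above can also be checked programmatically. This is an added example, not part of the original writeup: it reads a trust policy and reports whether each `Principal.AWS` entry is still a raw unique ID or a resolved ARN, and splits the ARN into account, type and name. The function names and the unique-ID length pattern are assumptions made for illustration.

```python
import json
import re

# Prefixes taken from this page; the AWS guide linked above lists the others.
ID_PREFIXES = {"AIDA": "user", "AROA": "role"}
# Assumption: unique IDs are 16+ uppercase alphanumerics, like the samples on this page.
UNIQUE_ID_RE = re.compile(r"[A-Z0-9]{16,}")
ARN_RE = re.compile(
    r"arn:[^:]+:iam::(?P<account>\d{12}):(?P<type>[^/:]+)(?:/(?P<name>.+))?"
)

def aws_principals(policy):
    """Return every Principal.AWS value; handles string and list forms."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    found = []
    for stmt in statements:
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):    # "Principal": "*"
            found.append(principal)
            continue
        aws = principal.get("AWS", [])
        found.extend([aws] if isinstance(aws, str) else aws)
    return found

def classify(value):
    """Tell a resolved ARN apart from a raw unique ID."""
    arn = ARN_RE.fullmatch(value)
    if arn:
        return {"kind": "arn", **arn.groupdict()}
    if UNIQUE_ID_RE.fullmatch(value) and value[:4] in ID_PREFIXES:
        return {"kind": "unique_id", "type": ID_PREFIXES[value[:4]]}
    return {"kind": "other"}

def audit(policy_json):
    """Classify every AWS principal in a trust policy given as a JSON string."""
    return [(p, classify(p)) for p in aws_principals(json.loads(policy_json))]

# The two trust policies from this writeup, reduced to the fields that matter.
SAVED = '{"Statement": [{"Effect": "Allow", "Principal": {"AWS": "AROAXYAFLIG2BLQFIIP34"}, "Action": "sts:AssumeRole"}]}'
READ_BACK = '{"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::532587168180:role/vault101"}, "Action": "sts:AssumeRole"}]}'

if __name__ == "__main__":
    for label, doc in (("saved", SAVED), ("read back", READ_BACK)):
        for value, info in audit(doc):
            print(f"{label:9} {value} -> {info}")
```

When reviewing an existing trust policy, a principal that still reads as a raw unique ID usually means the user or role it referred to has been deleted.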