2024 Business CTF - Vault of Hope: Scurried

Challenge Information

Attribute    Details
Event        2024 Business CTF - Vault of Hope
Category     Cloud
Challenge    Scurried
Author       Iridesc3nt
Difficulty   Medium

Summary

The Scurried challenge requires turning a piece of leaked AWS data into the ARN (Amazon Resource Name) of an AWS role. Participants are given only a leaked role ID, “AROAXYAFLIG2BLQFIIP34”, and must use IAM's own principal handling to recover the complete ARN. The challenge demonstrates how an AWS role ID can be resolved to its ARN by placing it in a trust policy.


Analysis

The challenge involves understanding AWS IAM role structure and how role IDs relate to ARNs. Key concepts:

  1. AWS Role ID Format: AROAXYAFLIG2BLQFIIP34 is the unique ID IAM assigns to a role (role unique IDs begin with AROA)
  2. ARN Format: arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>
  3. Trust Policy Modification: A role's trust policy can be edited to list arbitrary principals, including one given by unique ID
  4. AWS CLI Tool: The aws iam list-roles command returns each role's ARN together with its trust policy (AssumeRolePolicyDocument)

The exploitation chain involves:

  1. Creating an AWS account and accessing IAM dashboard
  2. Creating a new IAM role with custom trust policy
  3. Modifying the trust policy to include the given role ID as a principal
  4. Using AWS CLI to observe the transformed principal information
  5. Extracting the full ARN from the CLI output

Solution

Step-by-step walkthrough:

  1. Create AWS Account and Access IAM:

    • Navigate to AWS IAM dashboard
    • Create a new IAM role
  2. Configure Custom Trust Policy:

    • Select “Custom Trust Policy” as the trusted entity
    • Include the leaked role ID in the trust policy:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": "AROAXYAFLIG2BLQFIIP34"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
  3. Install and Configure AWS CLI:

    aws configure

    Enter AWS credentials.

  4. List IAM Roles:

    aws iam list-roles
  5. Observe Trust Policy Transformation: The AWS IAM service automatically converts role IDs to complete ARNs. The principal field in the trust policy becomes:

    arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>
  6. Extract the Full ARN: The CLI output displays the complete ARN in the format:

    arn:aws:iam::532587168180:role/<ROLE_NAME>
  7. Construct the Flag: Wrap the extracted ARN in the HTB flag format:

    HTB{arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>}
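
Added here as an example, not code from the original writeup: a small Python audit of `aws iam list-roles --output json` output that does the step 5 and 6 extraction programmatically. It splits every trust-policy principal into account ID and role name, reports principals that are still bare AROA unique IDs (what IAM leaves behind when it cannot resolve one), and goes one step further by flagging principals from a different account than the role's own. The sample JSON, role names and AROAEXAMPLE... IDs are constructed; only the account ID comes from the writeup.

```python
import json
import re

# arn:aws:iam::<12-digit account>:role/<name>; the name may carry a path.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")
# Role unique IDs start with AROA. IAM keeps the bare ID in a trust policy
# when it cannot resolve it to an ARN (for example, a deleted principal).
ROLE_ID_RE = re.compile(r"^AROA[A-Z0-9]{16,}$")

# Constructed sample shaped like `aws iam list-roles --output json`.
# Role names and AROAEXAMPLE... IDs are made up; 532587168180 is the
# account ID recovered in the writeup, 111111111111 is a stand-in.
SAMPLE_LIST_ROLES = json.dumps({"Roles": [
    {"RoleName": "ctf-lookup", "RoleId": "AROAEXAMPLE000000001",
     "Arn": "arn:aws:iam::111111111111:role/ctf-lookup",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {
             "AWS": ["arn:aws:iam::532587168180:role/example-role",
                     "AROAEXAMPLE000000002"]}}]}},
    {"RoleName": "local-admin", "RoleId": "AROAEXAMPLE000000003",
     "Arn": "arn:aws:iam::111111111111:role/local-admin",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {
             "AWS": "arn:aws:iam::111111111111:role/local-admin"}}]}}]})


def parse_role_arn(arn):
    """Split a role ARN into account ID and role name; None if not a role ARN."""
    m = ROLE_ARN_RE.match(arn)
    return {"account_id": m.group(1), "role_name": m.group(2)} if m else None


def audit_trust_policies(list_roles_json):
    """One finding per AWS principal in each role's AssumeRolePolicyDocument."""
    findings = []
    for role in json.loads(list_roles_json)["Roles"]:
        own_account = parse_role_arn(role["Arn"])["account_id"]
        for stmt in role["AssumeRolePolicyDocument"].get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            principal = stmt.get("Principal", {})
            # "Principal" may be "*" or a map; the AWS key holds a string or a list.
            aws = principal if isinstance(principal, str) else principal.get("AWS", [])
            for p in [aws] if isinstance(aws, str) else aws:
                parsed = parse_role_arn(p)
                if parsed:
                    kind, cross = "resolved_arn", parsed["account_id"] != own_account
                elif ROLE_ID_RE.match(p):
                    kind, cross = "unresolved_role_id", None
                else:
                    kind, cross = "other", None
                findings.append({"role": role["RoleName"], "principal": p,
                                 "kind": kind, "parsed": parsed, "cross_account": cross})
    return findings
```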

Key Takeaways

  • AWS role IDs are converted to ARNs when used in trust policies
  • The AWS CLI reveals complete ARN information for all roles
  • Trust policies define which principals can assume a role
  • Understanding ARN structure is critical for AWS security
  • Role IDs alone are insufficient; the full ARN includes account ID and role name
  • AWS automatically resolves role principals to their complete ARN representation