Challenge 11 ☆☆☆☆

Welcome to Challenge 11. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

AWS SSM Parameter Store

We’ve now used Parameter Store directly from within the app, but there’s an IAM problem…

Assume the role cant-read-secrets and try some IAM privilege escalation. Don’t cheat using your own roles :)

This is where tools like ScoutSuite can really help in detecting issues with your IAM setup. IAM might provide paths towards privilege escalation: these paths can often be used to create and/or assume other, more powerful roles, which might actually allow you to (among other things) read the secret.

If you’re stuck, try spotting the error in Terraform.

Answer to solution:

You can solve this challenge by the following steps:

  1. Find the privilege escalation path using just Terraform:

    • There should be something juicy in aws/irsa.tf.

  2. Find the privilege escalation path using ScoutSuite.

    • Regardless of which method you use, check out the cant-read-secrets role. You’ll see it allows sts:AssumeRole on *. This means it enables assuming any role in the account.

    • Roles also have a trust relationship, and the one for our pod (wrongsecrets-secret-manager) is misconfigured. It allows arn:aws:iam::<account id>:root, which is equivalent to 'anyone within this AWS account as long as they have IAM permissions'. This means we are able to assume that role from cant-read-secrets!

After jumping to wrongsecrets-secret-manager from cant-read-secrets, we can simply run aws ssm get-parameter --name wrongsecretvalue --with-decryption.
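The two weaknesses above (a permission policy granting sts:AssumeRole on every resource, and a trust policy that names the account root as principal) can be caught by a static check over the policy documents before they ever reach an account. The following is an added example, not code from the WrongSecrets project: the policy documents are constructed to mirror the shape of the problem, and the account id, the OIDC provider URL, the `ci-deployer` role and the `wrongsecrets-sa` service account are placeholders. The hardened trust policy shows the IRSA-style form (federated OIDC principal restricted to one service account) that the real pod role should use instead of the account root.

```python
"""Static check for the two IAM weaknesses this challenge turns on.

Added example, not code from the WrongSecrets project. The policy documents
are constructed to mirror the shape of the problem; the account id, OIDC
provider URL, role and service-account names are placeholders.
"""
import fnmatch
import json

ACCOUNT = "123456789012"  # placeholder account id

# Constructed: permission policy in the spirit of cant-read-secrets.
# sts:AssumeRole on "*" lets the holder attempt to assume every role whose
# trust policy admits them.
WEAK_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}],
}

# Hardened form: the Resource names the one role this principal may assume.
HARDENED_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Resource": f"arn:aws:iam::{ACCOUNT}:role/ci-deployer"}],
}

# Constructed: trust policy with the account root as principal, which admits
# any principal in the account that holds sts:AssumeRole on this role.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}}],
}

# Hardened IRSA-style trust: only the cluster's OIDC provider may enter the
# role, and only for one Kubernetes service account (placeholder values).
OIDC = "oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLEPROVIDERID"
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/{OIDC}"},
        "Condition": {"StringEquals": {
            f"{OIDC}:sub": "system:serviceaccount:default:wrongsecrets-sa",
            f"{OIDC}:aud": "sts.amazonaws.com",
        }},
    }],
}


def _as_list(value):
    """IAM allows either a single string or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def find_wildcard_assume_role(policy):
    """Return one finding per Allow statement granting sts:AssumeRole on '*'.

    Action patterns are matched the way IAM matches them ("*", "sts:*" and
    "sts:Assume*" all cover sts:AssumeRole), compared case-insensitively.
    """
    findings = []
    for stmt in _allow_statements(policy):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions) and "*" in resources:
            findings.append("sts:AssumeRole allowed on Resource '*'")
    return findings


def _principal_is_account_wide(principal):
    """True for Principal '*' or an AWS principal that is an account root."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return any(p == "*" or p.endswith(":root") for p in _as_list(principal.get("AWS")))


def find_root_trust(policy):
    """Return one finding per Allow statement whose trust principal is account-wide."""
    findings = []
    for stmt in _allow_statements(policy):
        if _principal_is_account_wide(stmt.get("Principal")):
            findings.append(f"trust principal {json.dumps(stmt['Principal'])} admits any "
                            "principal in the account that can call sts:AssumeRole")
    return findings


def audit(permission_policy, trust_policy):
    """Combine both checks for a (permission policy, trust policy) pair."""
    return find_wildcard_assume_role(permission_policy) + find_root_trust(trust_policy)


if __name__ == "__main__":
    for label, perm, trust in [("weak", WEAK_PERMISSION_POLICY, WEAK_TRUST_POLICY),
                               ("hardened", HARDENED_PERMISSION_POLICY, HARDENED_TRUST_POLICY)]:
        print(label, audit(perm, trust) or ["no findings"])
```

The check deliberately flags a root principal even when the statement carries a Condition: the root principal still delegates the decision to every permission policy in the account, which is exactly what lets cant-read-secrets in. Running the same functions over the policy JSON that `terraform show -json` or `aws iam get-role` returns makes this a cheap pre-merge gate.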

Secrets management is more than secure storage:

As you can tell by now, there are many ways to get to a secret: it may be hardcoded, stored in a misconfigured third-party solution, or stored correctly but with the wrong IAM access rights in the accounts next to it. You will by now see why we say that "your security maturity reflects in your secrets management".

In this specific case, this kind of role assumption should be impossible with a proper configuration, but it’s a good idea to monitor for these events and flag them as suspicious.
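Monitoring for the assumption itself is straightforward because every STS call lands in CloudTrail. The following is an added example, not code from the WrongSecrets project: it declares how each role is expected to be entered (the pod role only via AssumeRoleWithWebIdentity from the cluster's OIDC provider, never via a plain AssumeRole) and flags any AssumeRole event that deviates, including a hop from cant-read-secrets into wrongsecrets-secret-manager. The CloudTrail records are constructed and trimmed to the fields the check reads; the account id, the `ci-deployer` and `admin-deploy` roles, the `alice` user and the timestamps are placeholders.

```python
"""Flag role assumptions that do not match how each role is meant to be entered.

Added example, not code from the WrongSecrets project. The CloudTrail records
are constructed (account id, role and user names, session names and
timestamps are placeholders) and trimmed to the fields the check reads.
"""
import json

# Expected entry path per role: which STS call may create a session for it
# and, for plain AssumeRole, which IAM roles may be the caller. Roles missing
# from this map are flagged, so new roles have to be registered deliberately.
ENTRY_POLICY = {
    "wrongsecrets-secret-manager": {"via": "AssumeRoleWithWebIdentity", "callers": set()},
    "ci-deployer": {"via": "AssumeRole", "callers": {"admin-deploy"}},
}

# Constructed CloudTrail records, one JSON object per line:
#  1. the pod entering its role through IRSA (expected)
#  2. a cant-read-secrets session hopping into the pod role (the challenge)
#  3. an SSM call, not an STS event (ignored)
#  4. a registered, allowed AssumeRole (expected)
#  5. an IAM user assuming a role nobody registered (flagged)
SAMPLE_TRAIL = r"""
{"eventTime": "2024-01-01T10:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithWebIdentity", "userIdentity": {"type": "WebIdentityUser", "identityProvider": "oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLEPROVIDERID", "userName": "system:serviceaccount:default:wrongsecrets-sa"}, "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/wrongsecrets-secret-manager", "roleSessionName": "pod"}}
{"eventTime": "2024-01-01T10:05:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/cant-read-secrets/player", "sessionContext": {"sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::123456789012:role/cant-read-secrets", "userName": "cant-read-secrets"}}}, "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/wrongsecrets-secret-manager", "roleSessionName": "hop"}}
{"eventTime": "2024-01-01T10:06:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "GetParameter", "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "wrongsecrets-secret-manager"}}}, "requestParameters": {"name": "wrongsecretvalue", "withDecryption": true}}
{"eventTime": "2024-01-01T11:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "admin-deploy"}}}, "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ci-deployer", "roleSessionName": "deploy"}}
{"eventTime": "2024-01-01T12:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/unregistered-role", "roleSessionName": "x"}}
"""


def parse_trail(text):
    """Parse JSON-lines CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def caller_of(event):
    """Name of the principal making the call: the issuing role for role
    sessions, otherwise the user name, otherwise the identity type."""
    ui = event.get("userIdentity", {})
    issuer = ui.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") or ui.get("userName") or ui.get("type", "unknown")


def target_role(event):
    """Role name from requestParameters.roleArn, or None if absent."""
    arn = event.get("requestParameters", {}).get("roleArn", "")
    return arn.rsplit("/", 1)[-1] if arn else None


def suspicious_assumptions(events, policy=ENTRY_POLICY):
    """Return one finding per STS AssumeRole* event that violates the entry policy."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com":
            continue
        if not ev.get("eventName", "").startswith("AssumeRole"):
            continue
        role, caller = target_role(ev), caller_of(ev)
        rule = policy.get(role)
        if rule is None:
            reason = "no entry policy registered for this role"
        elif ev["eventName"] != rule["via"]:
            reason = f"entered via {ev['eventName']}, expected {rule['via']}"
        elif rule["callers"] and caller not in rule["callers"]:
            reason = f"caller {caller} is not an allowed assumer"
        else:
            continue
        findings.append({"time": ev.get("eventTime"), "caller": caller,
                         "role": role, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in suspicious_assumptions(parse_trail(SAMPLE_TRAIL)):
        print(f"{f['time']} {f['caller']} -> {f['role']}: {f['reason']}")
```

The first finding is the hop described in the solution: a session issued by cant-read-secrets creating a session for wrongsecrets-secret-manager through plain AssumeRole, which the entry policy says should only ever be reached through the OIDC provider. The same logic maps directly onto a CloudWatch Logs metric filter or an EventBridge rule on `eventName` and `requestParameters.roleArn`.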
