Beginner Friendly
RedTeamBadge
aws

Abuse OpenID Connect and GitLab for AWS Access

An overly permissive OpenID Connect role assumption policy could let threat actors gain access to an AWS account via GitLab

30 Minute Playing time
Overview

We created this lab to highlight how an overly permissive (and realistic) OpenID Connect role assumption policy can lead to threat actors gaining access to an AWS account via GitLab.

Scenario

It's time for an internal pentest, and the Huge Logistics internal security team have provided us with starting credentials to use for the assessment. Can you capitalize on a critical finding and show the client how overly permissive settings can lead to a breach? The defenders have planted a flag for us in case we can escalate our access.

Lab prerequisites
  • Familiarity with the Linux command line
  • Familiarity with AWS
  • Familiarity with web-based Git repositories
Learning outcomes
  • Use Cloudfox to gain situational awareness
  • Leverage OpenID Connect to exfiltrate credentials and files from AWS
  • Enumerate IAM policies
  • Assume IAM role to escalate privileges
  • Retrieve sensitive user data from the EC2 instance metadata service
  • Enumerate and retrieve secrets from AWS Secrets Manager
Real-world context

When enabling OpenID Connect (OIDC) for ID federation between GitLab and AWS, the official GitLab documentation recommends that role assumption be restricted to a specific group, project, branch, or tag.

However, GitLab forum threads and Stack Overflow answers show multiple instances of people creating overly permissive role assumption policies, whether for convenience or to work around a pipeline that would not authenticate.

Because AWS does not treat account IDs as sensitive, and because it is possible to brute-force principal (role name) discovery within a given AWS account, threat actors can capitalize on such a misconfiguration from a pipeline they control and assume the role.
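To make the misconfiguration concrete, the following is an added example, not code from the Pwned Labs page or from GitLab or AWS. It builds two trust policies for a GitLab OIDC provider in the shape AWS uses for sts:AssumeRoleWithWebIdentity (the permissive one matches any project with `project_path:*`; the restricted one pins group, project and branch as the GitLab documentation recommends) and evaluates their Condition blocks against constructed ID-token claims, using GitLab's documented `sub` format `project_path:{group}/{project}:ref_type:{type}:ref:{name}`. The provider host gitlab.com, the account ID 123456789012, and the project paths huge-logistics/deploy and attacker-group/evil-pipeline are placeholders chosen for the example.

```python
"""Check whether a GitLab OIDC token would satisfy an AWS role trust policy.

Added example, not code from the Pwned Labs page or from GitLab/AWS. The
policy shape is the one AWS uses for sts:AssumeRoleWithWebIdentity trust
policies and the `sub` claim follows GitLab's documented format
(project_path:{group}/{project}:ref_type:{type}:ref:{name}); the account ID,
group, project and branch names below are made-up placeholders.
"""
import re

OIDC_HOST = "gitlab.com"        # host of the IAM OIDC provider (assumed)
ACCOUNT_ID = "123456789012"     # placeholder AWS account ID


def trust_policy(condition: dict) -> dict:
    """Build a trust policy for the GitLab OIDC provider with the given Condition block."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# Overly permissive: the subject pattern matches a pipeline in ANY gitlab.com project.
PERMISSIVE_POLICY = trust_policy({"StringLike": {f"{OIDC_HOST}:sub": "project_path:*"}})

# Restricted, as the GitLab documentation recommends: pinned to one project and branch,
# with the audience checked as well.
RESTRICTED_POLICY = trust_policy({
    "StringEquals": {f"{OIDC_HOST}:aud": f"https://{OIDC_HOST}"},
    "StringLike": {f"{OIDC_HOST}:sub": "project_path:huge-logistics/deploy:ref_type:branch:ref:main"},
})


def _string_like(pattern: str, value: str) -> bool:
    """AWS StringLike: case-sensitive, '*' matches any sequence, '?' matches one character."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,
    "StringLike": _string_like,
}


def condition_allows(policy: dict, claims: dict) -> bool:
    """Return True if an Allow statement's Condition block is satisfied by the token claims.

    Mirrors AWS semantics for the two operators above: several values for one key are
    ORed, separate keys and operators are ANDed, and a missing claim fails the check.
    A statement with no Condition at all is satisfied by any token from the provider.
    Signature, issuer, audience registration and expiry are validated by STS against
    the OIDC provider itself and are out of scope here.
    """
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow" or statement.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        satisfied = True
        for operator, keys in statement.get("Condition", {}).items():
            matcher = OPERATORS[operator]          # unsupported operators raise KeyError deliberately
            for key, patterns in keys.items():
                claim_name = key.split(":", 1)[1]  # "gitlab.com:sub" -> "sub"
                wanted = patterns if isinstance(patterns, list) else [patterns]
                claim = claims.get(claim_name)
                if claim is None or not any(matcher(p, claim) for p in wanted):
                    satisfied = False
        if satisfied:
            return True
    return False


def _claims(project_path: str, ref: str) -> dict:
    """Constructed sample ID-token claims for a branch pipeline in the given project."""
    return {
        "iss": f"https://{OIDC_HOST}",
        "aud": f"https://{OIDC_HOST}",
        "sub": f"project_path:{project_path}:ref_type:branch:ref:{ref}",
        "project_path": project_path,
        "ref": ref,
        "ref_type": "branch",
    }


ATTACKER_CLAIMS = _claims("attacker-group/evil-pipeline", "main")      # attacker-owned project
LEGIT_MAIN_CLAIMS = _claims("huge-logistics/deploy", "main")           # the intended pipeline
LEGIT_FEATURE_CLAIMS = _claims("huge-logistics/deploy", "feature/x")  # right project, unpinned branch

if __name__ == "__main__":
    cases = [("attacker", ATTACKER_CLAIMS), ("legit main", LEGIT_MAIN_CLAIMS),
             ("legit feature", LEGIT_FEATURE_CLAIMS)]
    for name, policy in [("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)]:
        for who, claims in cases:
            verdict = "ALLOW" if condition_allows(policy, claims) else "deny"
            print(f"{name:<10} {who:<13} -> {verdict}")
```

Run stand-alone, the permissive policy reports ALLOW for the attacker's pipeline, while the restricted policy allows only the pinned project on main and denies both the attacker and the same project's feature branch. The evaluator covers the Condition block only; in a real assumption STS also verifies the token signature against the provider's keys, that the issuer matches the provider ARN, that the audience is registered on the provider, and that the token has not expired, so the trust policy condition is the last line of defence once an attacker can mint tokens from any project on the same GitLab instance.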
