DownUnderCTF 2025 — Mary had a little lambda (154 pts)
Overview
This challenge involved exploiting exposed AWS credentials to access Lambda functions and retrieve sensitive database passwords stored in AWS Systems Manager Parameter Store.
Challenge Progression
Initial Access: Contestants received AWS credentials for a devopsadmin user; configuring those credentials locally established initial access to the account.
Reconnaissance: The solver enumerated Lambda functions and discovered the yakbase function, which referenced database credentials stored in SSM Parameter Store at /production/database/password.
Permission Analysis: Direct SSM access was denied due to restrictive IAM policies. The devopsadmin user could only list Lambda functions and read the lambda_role details.
Privilege Escalation: The critical insight was to assume the lambda_role IAM role via STS (Security Token Service). Because this is the role the Lambda function itself runs under, it held broader permissions than the initial user account, and nothing prevented devopsadmin from assuming it.
Flag Recovery: With the assumed role's temporary credentials exported as environment variables, the solver retrieved the encrypted database password parameter and with it the flag.
Flag
DUCTF{.*#--BosMutusOfTheTibetanPlateau--#*.}
Key Takeaway
The challenge demonstrated several common cloud security misconfigurations: exposed credentials that had few direct permissions but could assume a more privileged role, insufficient compartmentalization of IAM policies (the execution role's trust policy and permissions were not scoped to the Lambda service alone), and sensitive data exposure through a parameter store reachable from that role.
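The escalation step and the takeaway above both come down to the execution role's trust policy: a Lambda role should be assumable only by the Lambda service, never by IAM users in the account. The following is an added example, not part of the original writeup or the challenge infrastructure, that audits a trust-policy document for non-service principals; the account id and both policy documents are constructed, with the weak policy beside its corrected form.

```python
import json

# Constructed trust policies (hypothetical, not taken from the challenge).
# Weak: besides the Lambda service, the account root principal may assume the
# role, so any IAM user with sts:AssumeRole (e.g. a low-privilege devopsadmin)
# inherits the role's permissions.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "sts:AssumeRole"},
    ],
})

# Corrected: only the Lambda service can assume the role.
FIXED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
})

# Action spellings that grant role assumption (compared case-insensitively).
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def non_service_assumers(policy_json):
    """Return AWS (user/role/account) principals allowed to call sts:AssumeRole.

    Service principals such as lambda.amazonaws.com are expected for an
    execution role; anything under the "AWS" key, or a wildcard principal,
    means an IAM identity could assume the role directly.
    """
    policy = json.loads(policy_json)
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anyone, subject only to the role's conditions
            found.append("*")
            continue
        found.extend(_as_list(principal.get("AWS", [])))
    return found


def trust_policy_is_lambda_only(policy_json):
    """True when no IAM user, role or account can assume the role directly."""
    return not non_service_assumers(policy_json)
```

In a real audit the document passed in would be the AssumeRolePolicyDocument returned by iam:GetRole for each execution role.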