Deputy
Overview
Deputy is a medium Linux box built around a cloud-flavored web application.
A .git directory left exposed on the web server leaks Terraform infrastructure
files that include AWS IAM ARNs. The application’s event-role endpoint silently
accepts a lowercase field name (eventrolearn) that bypasses frontend validation,
allowing those ARNs — with a substituted account ID — to be used across account
boundaries. That grants access to a DynamoDB table holding credentials for a
mark account, which in turn leads to a second set of credentials that serve
as the root password.
Path: exposed .git → Terraform ARN leak → cross-account IAM role via
parameter case bypass → DynamoDB credential dump → root.
Enumeration
The initial scan reveals a web server on port 80. The nmap output confirms a Linux host serving a web application.

Directory brute-forcing surfaces a .git directory at the root of the
web server — a classic misconfiguration that exposes the entire repository
history to unauthenticated access.
Foothold — Git Dump and ARN Discovery
With a .git directory exposed, GitTools/Dumper
can reconstruct the repository:
$ git clone https://github.com/internetwache/GitTools
$ cd GitTools/Dumper
$ ./gitdumper.sh http://deputy.htb/.git/ /tmp/deputy-git

Reconstructing the working tree reveals Terraform configuration files:

The Terraform configs contain AWS IAM ARNs used to provision the application’s backend infrastructure — notably a role ARN tied to a DynamoDB event helper.
Enumeration — Web Application
Browsing to the web application shows a registration and login flow:

Registering an account (myles:myles123) and logging in reveals that
authentication is handled via a JWT:

The application also exposes a guest account (guest-user:guest-password) that
can be used to explore:


The application ties accounts together via a redirect mechanism:


Exploitation — Cross-Account IAM Role Bypass
The application exposes a role creation endpoint that accepts a JSON body with
eventName, eventRoleArn, and eventTable. The frontend hardcodes an ARN,
but intercepting the request in Burp allows modification:

Substituting the target account ID into the ARN recovered from the git dump gives the first attempt:



The field name eventRoleArn (camelCase) is validated and restricted on the
frontend. However, sending eventrolearn (all lowercase) bypasses the
validation entirely — the backend accepts it without complaint:
{"eventName":"AllowEventHelperDynamoDBAccess","eventrolearn":"arn:aws:iam::789411671902:role/eventhelper","eventTable":"servers"}
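To make the root cause concrete from the defender's side, here is an added illustration (not code from the box or the original write-up) of the two request-handling styles: a permissive handler that lowercases incoming keys, so the uncontrolled spelling is honoured, beside a strict one that accepts only exact field names and checks the ARN's account ID. The allowed key set mirrors the fields named above; the trusted account ID is a placeholder.

```python
import re
from typing import Optional, Tuple

# Field names exactly as the frontend sends them (from the write-up).
ALLOWED_KEYS = {"eventName", "eventRoleArn", "eventTable"}
# Placeholder: the application's own AWS account (assumption, not from the box).
TRUSTED_ACCOUNT_ID = "000000000000"
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def permissive_role_arn(body: dict) -> Optional[str]:
    """The weak pattern: keys are normalised to lowercase before lookup,
    so 'eventrolearn' is treated the same as 'eventRoleArn' even though
    only the latter is validated by the frontend."""
    lowered = {k.lower(): v for k, v in body.items()}
    return lowered.get("eventrolearn")


def strict_role_arn(body: dict) -> Tuple[bool, str]:
    """Hardened handling: exact key names only, no extra fields, and the
    role must belong to the account the application itself runs in.
    Returns (accepted, arn_or_reason) so the outcome can be logged."""
    extra = set(body) - ALLOWED_KEYS
    if extra:
        return False, f"unexpected field(s): {sorted(extra)}"
    missing = ALLOWED_KEYS - set(body)
    if missing:
        return False, f"missing field(s): {sorted(missing)}"
    arn = body["eventRoleArn"]
    match = ARN_RE.match(str(arn))
    if not match:
        return False, "malformed role ARN"
    if match.group(1) != TRUSTED_ACCOUNT_ID:
        return False, "role ARN belongs to a foreign account"
    return True, arn


# Constructed sample bodies: the camelCase request the frontend sends,
# and the lowercase variant that slips past frontend-only validation.
FRONTEND_BODY = {"eventName": "AllowEventHelperDynamoDBAccess",
                 "eventRoleArn": f"arn:aws:iam::{TRUSTED_ACCOUNT_ID}:role/eventhelper",
                 "eventTable": "servers"}
LOWERCASE_BODY = {"eventName": "AllowEventHelperDynamoDBAccess",
                  "eventrolearn": "arn:aws:iam::789411671902:role/eventhelper",
                  "eventTable": "servers"}
```

Rejections from `strict_role_arn` are worth logging with the offending key names, since a burst of "unexpected field" errors on this endpoint is a cheap detection signal for parameter-tampering attempts.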

User — DynamoDB Credential Leak
With the cross-account role assumed, the application queries a DynamoDB table
named servers. The response includes plaintext credentials:

mark@deputy.htb : bVhrE29cSbLP
[{"Password":"bVhrE29cSbLP","Server":"hws","Username":"mark","data":"servers","name":"hws-info"}]
Logging into the application as mark works:


Root
Exploring the application further as mark reveals an additional password:

The password D3puty0GfhCe is the root password on the underlying host,
granting direct privilege escalation.
Takeaways
- Exposed .git directories are a full source-code leak. Infrastructure code in the repository — Terraform files, ARNs, account IDs — hands an attacker the map to your cloud backend before they’ve touched a single endpoint.
- API field-name case sensitivity is not a security boundary. Trusting the frontend to enforce which fields are sent, while the backend silently accepts alternate casings of the same parameter, is a trivially bypassable control.