IAM Access Compass
Challenge Description: Welcome, Agent. Your mission, should you choose to accept it, is to infiltrate Secure Corp’s GCP environment and uncover hidden IAM misconfigurations. You’ll be operating as part of Secure Corp’s Red Team, tasked with identifying security gaps in the cloud infrastructure. Recent security audits have raised concerns, and it’s up to you to simulate an adversary’s actions and expose any weaknesses before real attackers do.
This is a high-priority operation, and failure is not an option. Get ready to enumerate IAM roles, identify privilege escalations, and secure the flag before time runs out.
Initial Access: The participant is provided with the credentials of one of the employee users/ service accounts.
GCP Resources: Organizations have Service Accounts, Role Bindings, Custom Roles to manage the workflow.
Flag Format: The flag is in the format of Flag1+Flag2
Flag1: Determine the rolename of the role which is assigned to the testing-service-account
Flag2: Determine the email of the service account which has admin permissions on the DevOps service account. The final flag will look like CWL{base64}.

Flag 1
I started the lab and downloaded the credentials.
I added the credentials to gcloud to authenticate.
From the credential file, I found the project name:
woven-acolyte-428406-v9

After authenticating, I saved the IAM policy to a file so I could search and analyze it easily:

From the challenge description, I found that I needed to search for “testing-service-account” to get the value needed for the first part of the flag.
I grepped for testing-service-account in the extracted IAM policy file.
This showed me the line numbers where the account appeared. I opened the file and found the line for the match.

Flag 1: customViewerRole1

Flag 2
For the second flag I needed to find the service account that has admin rights over the DevOps service account.
I grepped for “admin” and “devops” in the IAM file and found some matches.
From the grep output for “devops” I located the DevOps service account:


I confirmed the service account and searched for “roleAdmin” close to it.
I opened the file and searched for roleAdmin.

I found the candidate with the service account; this was the only account with an IAM admin role that could manage other service accounts.
Build Flag
Flag1+Flag2 is converted to base64 and wrapped in CWL{}.

Final Flag = CWL{Y3VzdG9tVmlld2VyUm9sZTErcHJvZC1zZXJ2aWNlLWFjY291bnRAd292ZW4tYWNvbHl0ZS00Mjg0MDYtdjkuaWFtLmdzZXJ2aWNlYWNjb3VudC5jb20=}
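The grep-and-eyeball steps above can be done structurally once the policy is exported as JSON. The script below is an added example for this writeup, not the lab's data or the author's code: it assumes the project policy was saved with `gcloud projects get-iam-policy PROJECT --format=json`, walks the bindings for the role attached to testing-service-account, collects every member holding a service-account-admin role, and assembles the CWL{base64} flag. The policy documents inside it are constructed; only customViewerRole1, prod-service-account and the project id come from the writeup, and the DevOps account email, the other members and the SA_ADMIN_ROLES set are assumptions of the example. It also covers two things a grep on the project export misses: a grant made on the service account's own IAM policy (`gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`) never appears in the project export, and roles/iam.roleAdmin matches a search for "roleAdmin" but only manages custom role definitions, not service accounts.

```python
"""Structured walk of a GCP IAM policy export for the two flags.

Added example for this writeup, not the lab's data.  Both policies below are
constructed in the shape gcloud emits with --format=json.  Only
customViewerRole1, prod-service-account and the project id come from the
writeup; every other member, role and email is made up.
"""
import base64
import json

PROJECT = "woven-acolyte-428406-v9"
SA_DOMAIN = f"{PROJECT}.iam.gserviceaccount.com"

# Roles treated here as administrative control over service accounts.
# This set is the example's assumption, not an exhaustive GCP list.
SA_ADMIN_ROLES = {
    "roles/owner",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountKeyAdmin",
}

# Constructed project-level policy (gcloud projects get-iam-policy).
PROJECT_POLICY = json.dumps({
    "version": 1,
    "etag": "BwYExample==",
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:analyst@example.com"]},
        {"role": f"projects/{PROJECT}/roles/customViewerRole1",
         "members": [f"serviceAccount:testing-service-account@{SA_DOMAIN}"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": [f"serviceAccount:devops-service-account@{SA_DOMAIN}"]},
        {"role": "roles/iam.serviceAccountAdmin",
         "members": [f"serviceAccount:prod-service-account@{SA_DOMAIN}"]},
        # Matches a grep for "roleAdmin" but only manages custom role definitions.
        {"role": "roles/iam.roleAdmin",
         "members": ["user:role-editor@example.com"]},
    ],
})

# Constructed resource-level policy on the DevOps service account itself
# (gcloud iam service-accounts get-iam-policy).  Grants made here never
# show up in the project export, so they must be checked separately.
DEVOPS_SA_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:ci-runner@example.com"]},
    ],
})


def member_email(member):
    """Strip the member-type prefix: 'serviceAccount:a@b' -> 'a@b'."""
    return member.split(":", 1)[1] if ":" in member else member


def roles_for_member(policy, needle):
    """Roles bound to any member whose identifier contains `needle`."""
    return sorted(
        b["role"]
        for b in policy.get("bindings", [])
        if any(needle in m for m in b.get("members", []))
    )


def role_short_name(role):
    """'projects/p/roles/customViewerRole1' -> 'customViewerRole1'."""
    return role.rsplit("/", 1)[-1]


def sa_admins(*policies):
    """Members holding an SA-admin role in any of the given policies."""
    return sorted({
        member_email(m)
        for policy in policies
        for b in policy.get("bindings", [])
        if b["role"] in SA_ADMIN_ROLES
        for m in b.get("members", [])
    })


def build_flag(flag1, flag2):
    """CWL{base64(Flag1+Flag2)} as the challenge specifies."""
    return "CWL{" + base64.b64encode(f"{flag1}+{flag2}".encode()).decode() + "}"


def solve(project_policy_text, sa_policy_text):
    """Return (flag1, flag2, final_flag) from the two exported policies."""
    project_policy = json.loads(project_policy_text)
    sa_policy = json.loads(sa_policy_text)
    roles = roles_for_member(project_policy, "testing-service-account")
    if len(roles) != 1:
        raise ValueError(f"expected one role on testing-service-account, got {roles}")
    flag1 = role_short_name(roles[0])
    admins = sa_admins(project_policy, sa_policy)
    if len(admins) != 1:
        raise ValueError(f"expected one SA admin, got {admins}")
    flag2 = admins[0]
    return flag1, flag2, build_flag(flag1, flag2)


if __name__ == "__main__":
    f1, f2, flag = solve(PROJECT_POLICY, DEVOPS_SA_POLICY)
    print("Flag1 =", f1)
    print("Flag2 =", f2)
    print("Final =", flag)
```

Run it against a real export by replacing the two constructed JSON strings with the file contents. The admin check deliberately uses the exact role id rather than a substring, so roles/iam.roleAdmin and roles/iam.serviceAccountUser are not mistaken for admin rights over the account.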