
No flags are included in this writeup.
## Overview
Happy Birthday was an AWS challenge around S3’s 20th birthday. The challenge felt playful, but the path was not trivial. It combined account discovery, SNS policy behavior, API Gateway differences, and a file path bug in the birthday-card generation flow.
| Field | Value |
|---|---|
| Month | March 2026 |
| Points | 20 |
| Main area | AWS S3, SNS, API Gateway, path traversal |
## Account Discovery
The important first step was identifying the correct AWS account behind the target bucket. Early error messages can be misleading, and this challenge punished chasing the wrong account ID.
The useful approach was using S3 account-owner discovery through IAM condition behavior around `s3:ResourceAccount`. Instead of brute forcing an entire 12-digit account ID, the technique narrows the account one digit at a time with wildcard matching.
That gave the correct target account for the rest of the AWS work.
## SNS Subscription Bypass
The next stage involved an SNS topic used for birthday invitations. The topic policy restricted subscription endpoints with a string condition, but the condition checked the endpoint string too loosely.
A controlled webhook endpoint could be shaped so the string matched the allowed pattern while still routing to an attacker-controlled URL. After subscribing and confirming the SNS subscription, triggering the application flow caused the invitation token to arrive at the webhook.
This was a very “cloud policy parsing” moment. The policy did not understand intent; it only evaluated the string it was given.
## API And Template Path
The invitation token led into an API flow. The important observation was that not all API Gateway/Lambda routes enforced the same validation. One path was stricter, another accepted input that could influence template selection.
The final bug was path traversal through the template/file selection logic. If the application joined paths unsafely, a template parameter could escape the expected directory and read a sensitive object.
The chain was:
- discover correct bucket owner account
- subscribe to SNS with endpoint string bypass
- receive invitation token
- choose the API route with weaker validation
- abuse path traversal in template handling
- render sensitive content into the birthday card response
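The template path bug described above, shown as an added example (not the challenge's own code): the unsafe `os.path.join` pattern beside a hardened version that normalizes the candidate and checks it stays under the template directory. The directory `/srv/app/templates`, the `.html` allow-list and the sample inputs are assumptions constructed for the demonstration.

```python
"""Template selection: unsafe join versus a containment check.

Constructed example. TEMPLATE_DIR and the .html rule are assumptions,
not details taken from the challenge.
"""
import os

TEMPLATE_DIR = "/srv/app/templates"  # hypothetical template directory


def unsafe_template_path(name: str) -> str:
    """The bug pattern: join() trusts the user-controlled component.

    An absolute name discards TEMPLATE_DIR entirely and '..' segments
    walk out of it, so join() alone is not a security boundary.
    """
    return os.path.normpath(os.path.join(TEMPLATE_DIR, name))


def safe_template_path(name: str) -> str:
    """Resolve name under TEMPLATE_DIR and refuse anything that escapes it.

    Raises ValueError for empty or absolute names, traversal, and
    non-.html targets. On a live filesystem also apply os.path.realpath so
    symlinks cannot point outside the directory.
    """
    if not name or os.path.isabs(name):
        raise ValueError("template name must be a non-empty relative path")
    candidate = os.path.normpath(os.path.join(TEMPLATE_DIR, name))
    # commonpath is segment-aware, so "/srv/app/templates-other" does not
    # pass the way a plain string-prefix (startswith) check would.
    if os.path.commonpath([TEMPLATE_DIR, candidate]) != TEMPLATE_DIR:
        raise ValueError("template escapes the template directory")
    if not candidate.endswith(".html"):
        raise ValueError("only .html templates may be rendered")
    return candidate


def check(name: str) -> str:
    """Return 'ok:<path>' or 'rejected:<reason>' for logging and tests."""
    try:
        return "ok:" + safe_template_path(name)
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    # Constructed values a template parameter might carry.
    for n in ["card.html", "cards/gold.html", "../secrets.txt", "/etc/passwd"]:
        print(f"{n!r}: unsafe -> {unsafe_template_path(n)} | {check(n)}")
```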
## Root Cause
The challenge combined several cloud-native mistakes:
- account identification was exposed through S3 policy behavior
- SNS endpoint validation relied on string suffix matching
- API routes had inconsistent validation
- path construction trusted user-controlled template input
- sensitive data was reachable through application rendering
## Takeaways
Happy Birthday was a good AWS reminder:
- account IDs are often discoverable through side channels
- string-based resource policy checks can be bypassed with URL structure tricks
- every API route needs equivalent validation
- `os.path.join`-style logic is not a security boundary
- cloud service policies and application code bugs often compose into the final path
By solve count, this was one of the harder stamps before Split Horizon. It rewarded cloud-specific patience more than generic web exploitation.