IAM Privilege Escalation Labs

Lesson 33 of 35

Challenge #1 – Secrets Unleashed

Christophe December 4, 2023
🧪Hands-On Lab

Scenario 🧪

Difficulty: Beginner

Objective: ⛳️ You’ve successfully completed this challenge once you’ve accessed and decoded a secret API key stored in Secrets Manager.

Description: You work for a cloud pentesting consulting firm, and you’ve been hired by Serious Corp to find vulnerabilities in their IAM configurations.

This is a grey box operation, and you’ve been given credentials to a lower-privileged IAM user named Adam, but you do not have any architectural diagrams of how the environment is configured or laid out.

In reviewing internal documentation that you were granted access to, you notice that there is an employee named Emma who is in charge of running the infrastructure within this particular AWS environment used to host internal apps and resources. You also notice that Emma uses a role named AppManagement to perform most of her job functions in that AWS environment. She does that by assuming this role and using that role’s permissions to access resources in AWS. Finally, you learn that the organization uses Amazon Secrets Manager to store secret values, including secret keys for access to internal and sensitive APIs.

Given the provided credentials, look for IAM Privilege Escalation paths that will give you permissions to access secrets within this environment’s Secrets Manager storage.


Hint #1: Unlike the labs throughout this course that focused on a single exploit at a time, this challenge will require chaining two or more exploits together. All of the exploits and techniques that you need have been covered in this course — there isn’t anything new. For convenience, here’s a checklist of exploits we learned about that could potentially be useful for this challenge (you only technically need two and some in this list will not work):

  • AddUserToGroup
  • AttachUserPolicy
  • AttachGroupPolicy
  • AttachRolePolicy
  • PutRolePolicy

Hint #2: Remember to start with enumeration. You need to get a lay of the land to understand what’s going on in that specific AWS environment and what you have access to.

As you enumerate, ask questions like:

  • Am I part of a group? If so, what permissions does that group give me? (Remember that groups can have both inline and attached policies which are retrieved with different commands)
  • Do I have any inline policies that give me additional permissions?
  • Is there a boundary policy applied to the user? Even if you can’t see that policy, it could explain why you don’t have access that you think you should have
  • Are there other groups in this AWS account? Do those groups have different permissions?
  • Can I change my permissions with something like SetDefaultPolicyVersion, AddUserToGroup, PutUserPolicy, etc…?
  • Knowing the role’s name from the scenario, and knowing that Emma uses that role to do her job, how can I use that to my advantage?
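
From the defender's side, the Hint #1 checklist doubles as a policy review list. The following is an added example, not part of the course material: it scans an IAM policy document for Allow statements that grant any of those actions, including through wildcards. The sample policy, its Sids and the account ID are constructed, and the function names are hypothetical.

```python
import re

# Actions from the Hint #1 checklist, written as full IAM action names.
ESCALATION_ACTIONS = ["iam:AddUserToGroup", "iam:AttachUserPolicy",
                      "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
                      "iam:PutRolePolicy"]

def _as_list(value):
    """Action and Resource may each be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _matches(pattern, action):
    """IAM-style action match: '*' and '?' wildcards, case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def find_escalation_grants(policy_document):
    """Return (sid, action, resources) for every Allow statement granting a
    checklist action. Deny statements, NotAction and permissions boundaries
    are not evaluated, so each finding is a lead to review, not a verdict."""
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may omit the list
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action"))
        sid = stmt.get("Sid", f"statement[{index}]")
        for action in ESCALATION_ACTIONS:
            if any(_matches(p, action) for p in patterns):
                findings.append((sid, action, _as_list(stmt.get("Resource"))))
    return findings

# Constructed sample policy (hypothetical Sids, placeholder account ID).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow",
     "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
    {"Sid": "GroupAdmin", "Effect": "Allow", "Action": "iam:attachgrouppolicy",
     "Resource": "arn:aws:iam::111122223333:group/*"},
    {"Sid": "RoleWildcard", "Effect": "Allow", "Action": ["iam:*RolePolicy"],
     "Resource": "arn:aws:iam::111122223333:role/*"},
    {"Sid": "DenyUser", "Effect": "Deny", "Action": "iam:AttachUserPolicy",
     "Resource": "*"},
]}

if __name__ == "__main__":
    for sid, action, resources in find_escalation_grants(SAMPLE_POLICY):
        print(f"{sid}: allows {action} on {resources}")
```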

Hint #3: The secret value is encoded and needs to be decoded, but this will be easily done with online tools 🙂

