Back to Course

IAM Privilege Escalation Labs

0% Complete
0/0 Steps
  1. Introduction

    About this course
  2. Real-world case studies
  3. Useful IAM tips and security tools
  4. Introduction to AWS Enumeration
    [LAB] Getting Started with the AWS CLI
  5. [LAB] Introduction to AWS IAM Enumeration
  6. [Cheat Sheet] IAM Enumeration CLI Commands
  7. [LAB] Introduction to Secrets Manager Enumeration
  8. [Cheat Sheet] Secrets Manager Enumeration CLI Commands
  9. [LAB] Introduction to Amazon S3 Enumeration
  10. iam:CreateAccessKey
    [LAB] [CTF] iam:CreateAccessKey PrivEsc
  11. iam:CreateAccessKey Solution
  12. iam:CreateLoginProfile
    [LAB] [CTF] iam:CreateLoginProfile PrivEsc
  13. iam:CreateLoginProfile Solution
  14. iam:UpdateLoginProfile
    [LAB] [CTF] iam:UpdateLoginProfile PrivEsc
  15. iam:UpdateLoginProfile Solution
  16. iam:SetDefaultPolicyVersion
    [LAB] [CTF] iam:SetDefaultPolicyVersion PrivEsc
  17. iam:SetDefaultPolicyVersion Solution
  18. iam:AddUserToGroup
    [LAB] [CTF] iam:AddUserToGroup PrivEsc
  19. iam:AddUserToGroup Solution
  20. iam:AttachUserPolicy
    [LAB] [CTF] iam:AttachUserPolicy PrivEsc
  21. iam:AttachUserPolicy Solution
  22. iam:AttachGroupPolicy
    [LAB] [CTF] iam:AttachGroupPolicy PrivEsc
  23. iam:AttachGroupPolicy Solution
  24. iam:PutUserPolicy
    [LAB] [CTF] iam:PutUserPolicy PrivEsc
  25. iam:PutUserPolicy Solution
  26. iam:PutGroupPolicy
    [LAB] [CTF] iam:PutGroupPolicy PrivEsc
  27. iam:PutGroupPolicy Solution
  28. iam:AttachRolePolicy
    [LAB] [CTF] iam:AttachRolePolicy PrivEsc
  29. iam:AttachRolePolicy Solution
  30. iam:PutRolePolicy
    [LAB] [CTF] iam:PutRolePolicy PrivEsc
  31. iam:PutRolePolicy Solution
  32. Challenges
    About challenges
  33. Challenge #1 - Secrets Unleashed
  34. Challenge #2 - IAM Escape Room
  35. Conclusion
    What's next?
Lesson 28 of 35
In Progress

[LAB] [CTF] iam:AttachRolePolicy PrivEsc

Christophe December 18, 2023
🧪Hands-On Lab
Help/Info

Scenario 🧪

AWS IAM roles are incredibly useful and powerful, and you can assume them to receive permissions either within your account, or even for cross-account access

You can do that using AssumeRole which returns a set of temporary security credentials that can then be used in a similar way to regular access keys, except they are short-term credentials instead of long-term credentials.

If your IAM user has AssumeRole permissions for a particular role (which is dictated by a role’s trust policy), you can assume that role and whatever permissions it has. If you have that permission plus the iam:AttachRolePolicy permission, then you can update the permissions for that role.

Your lab user is one that has access to perform support functions by assuming roles with AssumeRole, including a role that has access to a non-sensitive S3 bucket containing generic files for an application that you support.

However, this lab has been misconfigured to grant you iam:AttachRolePolicy. Leverage this misconfiguration to give that role additional S3 permissions that allow you to access a bucket containing PII that you were not intended to have access to.

You’ve captured the flag when you’ve successfully downloaded the files contained in that bucket.

Tips

Tip #1: Since there can be a lot of roles in AWS accounts, you can use list-roles --query to filter out unwanted results. To speed things up in this lab, I recommend typing this in (whenever you’re ready to enumerate roles) to surface the role you will be interested in:

aws iam list-roles --query "Roles[?RoleName=='SupportRole']"
Code language: CSS (css)

Steps

  • Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile
  • Using the AWS CLI, identify what permissions your current user has access to and perform general reconnaissance to familiarize yourself with the AWS environment
  • Leverage your iam:AttachRolePolicy permissions to gain access to an Amazon S3 bucket containing sensitive information
  • Download the file in that S3 bucket

Responses

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.