[LAB] [CTF] iam:AttachRolePolicy PrivEsc
AWS IAM roles are incredibly useful and powerful, and you can assume them to receive permissions either within your account or for cross-account access.
You can do that using AssumeRole, which returns a set of temporary security credentials that can then be used in a similar way to regular access keys, except they are short-term credentials instead of long-term credentials.
If your IAM user has AssumeRole permissions for a particular role (which is dictated by a role’s trust policy), you can assume that role and whatever permissions it has. If you have that permission plus the iam:AttachRolePolicy permission, then you can update the permissions for that role.
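An added example, not part of the original lab material: a defensive audit check that flags the combination described above, that is, a user who can both assume a role and call iam:AttachRolePolicy on it. The account ID, user name, OtherRole and policy documents are constructed sample data. The evaluator is a simplification that ignores Condition, NotAction/NotResource, wildcard principals, permission boundaries and SCPs.

```python
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(patterns, value, fold=False):
    # IAM "*"/"?" wildcards approximated by glob matching; action names are case-insensitive.
    norm = str.lower if fold else str
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in _as_list(patterns))

def allows(policies, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants the action."""
    hits = [st["Effect"] for doc in policies for st in _as_list(doc["Statement"])
            if _glob(st.get("Action", []), action, True) and _glob(st.get("Resource", []), resource)]
    return "Allow" in hits and "Deny" not in hits

def trusted_principals(trust_policy):
    """AWS principals that a role trust policy allows to call sts:AssumeRole."""
    out = set()
    for st in _as_list(trust_policy["Statement"]):
        principal = st.get("Principal")
        if (st["Effect"] == "Allow" and isinstance(principal, dict)
                and _glob(st.get("Action", []), "sts:AssumeRole", True)):
            out.update(_as_list(principal.get("AWS", [])))
    return out

def find_attach_privesc(user_arn, identity_policies, roles):
    """Roles the user can both assume and attach managed policies to."""
    root = f"arn:aws:iam::{user_arn.split(':')[4]}:root"
    findings = []
    for role_arn, trust in roles.items():
        trusted = trusted_principals(trust)
        # Trusting the account root delegates the decision to the user's own policies.
        can_assume = user_arn in trusted or (
            root in trusted and allows(identity_policies, "sts:AssumeRole", role_arn))
        if can_assume and allows(identity_policies, "iam:AttachRolePolicy", role_arn):
            findings.append(role_arn)
    return findings

# Constructed sample data: account ID, user name and OtherRole are made up.
ACCT = "arn:aws:iam::111122223333"
USER, SUPPORT = f"{ACCT}:user/lab-user", f"{ACCT}:role/SupportRole"
TRUST = lambda p: {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": p}]}
ROLES = {SUPPORT: TRUST({"AWS": f"{ACCT}:root"}),
         f"{ACCT}:role/OtherRole": TRUST({"Service": "ec2.amazonaws.com"})}
ASSUME = {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": SUPPORT}
MISCONFIGURED = [{"Statement": [ASSUME, {"Effect": "Allow", "Action": "iam:Attach*", "Resource": "*"}]}]
INTENDED = [{"Statement": [ASSUME]}]
```

Running find_attach_privesc(USER, MISCONFIGURED, ROLES) reports SupportRole, while the INTENDED policy set reports nothing. OtherRole is never reported because the user cannot assume it.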
Your lab user is one that has access to perform support functions by assuming roles with AssumeRole, including a role that has access to a non-sensitive S3 bucket containing generic files for an application that you support.
However, this lab has been misconfigured to grant you iam:AttachRolePolicy. Leverage this misconfiguration to give that role additional S3 permissions that allow you to access a bucket containing PII that you were not intended to have access to.
You’ve captured the flag when you’ve successfully downloaded the files contained in that bucket.
Tip #1: Since there can be a lot of roles in AWS accounts, you can use list-roles --query to filter out unwanted results. To speed things up in this lab, I recommend typing this in (whenever you’re ready to enumerate roles) to surface the role you will be interested in:
aws iam list-roles --query "Roles[?RoleName=='SupportRole']"
- Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile
- Using the AWS CLI, identify what permissions your current user has access to and perform general reconnaissance to familiarize yourself with the AWS environment
- Leverage your iam:AttachRolePolicy permissions to gain access to an Amazon S3 bucket containing sensitive information
- Download the file in that S3 bucket