[LAB] [CTF] iam:PutGroupPolicy PrivEsc
The prior lab showed how we can exploit custom and inline IAM policies to grant users elevated privileges (potentially even admin privileges), by uploading a JSON document. This lab is similar except it leverages
iam:PutGroupPolicy to upload custom policy documents to entire groups.
This lab has been misconfigured, so exploit it with
iam:PutGroupPolicy to grant your group Secrets Manager permissions.
You’ve successfully completed this lab once you’ve accessed the value of that secret in plaintext!
Tip #1: There’s more than 1 group in this lab environment, so make sure you enumerate sufficiently to know which group you’re part of.
- Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile
- Using the AWS CLI, identify what permissions your current user has access to and perform general reconnaissance to familiarize yourself with the AWS environment
- Leverage your
iam:PutGroupPolicypermissions to gain access to Secrets Manager
- Access Secrets Manager and retrieve the secret value