
IAM Privilege Escalation Labs

Lesson 30 of 35

[LAB] [CTF] iam:PutRolePolicy PrivEsc

Christophe December 18, 2023

Scenario 🧪

AWS IAM roles are incredibly useful and powerful, and you can assume them to receive permissions either within your account, or even for cross-account access.

You can do that using AssumeRole, which returns a set of temporary security credentials that can then be used in much the same way as regular access keys, except that they are short-term credentials instead of long-term credentials.

If your IAM user has AssumeRole permissions for a particular role (which is dictated by the role’s trust policy), you can assume that role and gain whatever permissions it has. If you have that permission plus the iam:PutRolePolicy permission, then you can update the permissions of that role using whatever custom inline IAM policy you want (instead of having to use a managed policy, as we saw in the prior lab).

Your lab user has access to perform support functions by assuming roles with AssumeRole, including a role that has access to a non-sensitive S3 bucket containing generic files for an application that you support.

However, this lab has been misconfigured to grant you iam:PutRolePolicy. Leverage this misconfiguration to give that role additional permissions to access secrets in Secrets Manager.

You’ve captured the flag when you’ve successfully decoded the secret string stored in Secrets Manager and you’re able to read it in plaintext.

Tips

Tip #1: Since there can be a lot of roles in AWS accounts, you can use list-roles --query to filter out unwanted results. To speed things up in this lab, I recommend typing this in (whenever you’re ready to enumerate roles) to surface the role you will be interested in:

aws iam list-roles --query "Roles[?RoleName=='SupportRole']"


Tip #2: When creating the custom IAM policy, I recommend uploading a full permissions policy like this:

vim policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}


(I’m using vim but you can use whatever text editor you’re comfortable with)

Tip #3: The encoding applied to the secret string is nothing fancy. You can use a simple online decoding tool to decode it.

Steps

  • Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile
  • Using the AWS CLI, identify what permissions your current user has access to and perform general reconnaissance to familiarize yourself with the AWS environment
  • Leverage your iam:PutRolePolicy permissions to gain access to a secret encoded string value stored in Secrets Manager
  • Decode the string and read it in plaintext
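From the defender's side, the same misconfiguration is visible in CloudTrail: every iam:PutRolePolicy call is logged with the role name and the inline policy document that was attached. The following is an added example (not part of the lab or its course material) that scans constructed CloudTrail records in that format and flags any PutRolePolicy call whose document grants wildcard actions on all resources, which is exactly the shape of the policy in Tip #2; the account ID, user names and policy names in the sample events are made up.

```python
import json

# Constructed CloudTrail records (not real account data): one PutRolePolicy call
# attaching the wildcard policy from Tip #2, and one narrowly scoped call for contrast.
WILDCARD = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                         "Resource": "arn:aws:s3:::app-generic-files/*"}]}
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/lab-support-user"},
     "requestParameters": {"roleName": "SupportRole", "policyName": "extra-perms",
                           "policyDocument": json.dumps(WILDCARD)}},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/platform-admin"},
     "requestParameters": {"roleName": "SupportRole", "policyName": "app-bucket-read",
                           "policyDocument": json.dumps(SCOPED)}},
]

def _as_list(value):
    """IAM policy fields may be a string, a list, or (for Statement) a single object."""
    return [] if value is None else value if isinstance(value, list) else [value]

def policy_is_overly_permissive(policy):
    """True if an Allow statement grants '*' or 'service:*' actions on Resource '*'."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        broad = any(a == "*" or a.endswith(":*") for a in actions)
        if broad and "*" in _as_list(stmt.get("Resource")):
            return True
    return False

def flag_put_role_policy_events(events):
    """One finding per PutRolePolicy call whose inline document is overly permissive."""
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("iam.amazonaws.com", "PutRolePolicy"):
            continue
        params = ev.get("requestParameters") or {}
        try:  # CloudTrail stores policyDocument as a JSON-encoded string
            doc = json.loads(params.get("policyDocument") or "{}")
        except json.JSONDecodeError:
            continue  # malformed document: nothing to evaluate
        if policy_is_overly_permissive(doc):
            findings.append({"actor": ev.get("userIdentity", {}).get("arn"),
                             "role": params.get("roleName"), "policy": params.get("policyName")})
    return findings
```

Running flag_put_role_policy_events(SAMPLE_EVENTS) reports only the lab-support-user call on SupportRole; the scoped s3:GetObject grant passes. In a real account the same check would be fed from a CloudTrail Lake query or an EventBridge rule on iam.amazonaws.com PutRolePolicy events.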
