[LAB] [CTF] iam:PutUserPolicy PrivEsc
While the prior two labs showed how to exploit managed policies (either AWS-managed or customer-managed) to grant users or groups elevated privileges, we can also exploit misconfigured iam:PutUserPolicy permissions to add or update inline policy documents for IAM users.
This lab has been misconfigured, so exploit it with iam:PutUserPolicy to grant yourself Secrets Manager permissions.
You’ve successfully completed this lab once you’ve accessed the value of that secret in plaintext!
Tip #1: Familiarize yourself with the CLI command put-user-policy. It takes a --policy-document argument, which is a JSON IAM policy that you create locally.
- Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile
- Using the AWS CLI, identify what permissions your current user has access to and perform general reconnaissance to familiarize yourself with the AWS environment
- Leverage your iam:PutUserPolicy permissions to gain access to Secrets Manager
- Access Secrets Manager and retrieve the secret value
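
From the defender's side, the self-grant this lab relies on shows up in CloudTrail as a PutUserPolicy call whose caller and target user are the same. The Python below is an added example, not part of the original lab: the records are constructed, the user, policy and secret names are placeholders, and it assumes CloudTrail's usual field layout with policyDocument logged as a JSON string.

```python
import json

def ev(source, name, caller, params, error=None):
    """Build a constructed record using CloudTrail's field names."""
    rec = {"eventSource": source, "eventName": name,
           "userIdentity": {"type": "IAMUser", "userName": caller},
           "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec

def inline(actions):
    """Constructed inline policy document allowing the given actions."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": actions, "Resource": "*"}]})

# Constructed sample records; user, policy and secret names are placeholders.
SAMPLE_EVENTS = [
    ev("iam.amazonaws.com", "PutUserPolicy", "lab-user",
       {"userName": "lab-user", "policyName": "p1", "policyDocument": inline("secretsmanager:*")}),
    ev("iam.amazonaws.com", "PutUserPolicy", "admin-alice",
       {"userName": "svc-build", "policyName": "p2", "policyDocument": inline(["s3:GetObject"])}),
    ev("iam.amazonaws.com", "PutUserPolicy", "lab-user",
       {"userName": "lab-user", "policyName": "p3", "policyDocument": inline("iam:*")},
       error="AccessDenied"),
    ev("secretsmanager.amazonaws.com", "GetSecretValue", "lab-user", {"secretId": "example-secret"}),
]

def granted_actions(policy_document):
    """List actions in Allow statements; Statement and Action may be scalar or list."""
    stmts = json.loads(policy_document).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    out = []
    for s in stmts:
        if s.get("Effect") == "Allow":
            a = s.get("Action", [])
            out += [a] if isinstance(a, str) else list(a)
    return out

def find_self_grants(events):
    """Flag PutUserPolicy calls where the caller edits their own inline policy."""
    findings = []
    for e in events:
        if (e.get("eventSource"), e.get("eventName")) != ("iam.amazonaws.com", "PutUserPolicy"):
            continue
        caller = e.get("userIdentity", {}).get("userName")
        params = e.get("requestParameters") or {}
        if caller and caller == params.get("userName"):
            findings.append({"user": caller, "policy": params.get("policyName"),
                             "actions": granted_actions(params.get("policyDocument", "{}")),
                             "denied": "errorCode" in e})  # failed attempts are still worth alerting on
    return findings
```

Denied attempts are kept in the findings because a user probing iam:PutUserPolicy against their own identity is a signal even when the call fails.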