AWS IAM Privilege Escalation Labs

Lesson 34 of 36

Challenge #2 – IAM Escape Room

Christophe December 5, 2023
🧪Hands-On Lab

Scenario 🧪

Difficulty: Intermediate

Objective: ⛳️ You’ve successfully completed this challenge once you’ve downloaded a PDF document containing F-15 Eagle development information.

Description: You work for a defense contractor organization named GuardianSys Defense that helps develop parts for fighter jets. The organization’s IT runs both on-prem and in the AWS cloud as part of an effort to modernize and increase innovation. Due to the nature of the projects your organization works on, individuals are supposed to have access to documents only on an as-needed basis.

You (Kevin) are an application developer with access to basic S3 documents needed by the application you help support. However, due to upper management pressure, the IT team was not able to follow best AWS security practices and is hosting all of its documents in the same account using Amazon S3.

Facing mounting personal financial pressure, and after having been passed up for a promotion that you were clearly the better fit for, you’ve decided to steal proprietary and secret documents in order to sell them to the highest bidder on the black market.

To do that, you have to find a way to access those secret documents that your IAM user doesn’t currently have access to.

Given the provided credentials, look for IAM Privilege Escalation paths that will give you permissions to a bucket on Amazon S3 hosting sensitive documents.

Disclaimer: Obviously, we do not condone this behavior in real life. This scenario is meant to showcase how insider threats can be even more dangerous to an organization than outsider threats, and why it’s so important to have proper access control to defend against all plausible threats.

Hints

Hint #1: Unlike the labs throughout this course that focused on a single exploit at a time, this challenge will require chaining two or more exploits together. All of the exploits and techniques that you need have been covered in this course — there isn’t anything new. For convenience, here’s a checklist of exploits we learned about that might be useful for this challenge (you only technically need 3 and some of these will not work):

  • CreateAccessKey
  • CreateLoginProfile
  • SetDefaultPolicyVersion
  • AttachUserPolicy
  • AttachGroupPolicy
  • PutUserPolicy
  • PutGroupPolicy

Hint #2: Remember to start with enumeration. You need to get a lay of the land to understand what’s going on in that specific AWS environment and what you have access to.

As you enumerate, ask questions like:

  • Am I part of a group? If so, what permissions does that group give me? (Remember that groups can have both inline and attached policies which are retrieved with different commands)
  • Do I have any inline policies that give me additional permissions?
  • Is there a permissions boundary applied to the user? Even if you can’t read that policy, its presence could explain why you don’t have access that you think you should have.
  • Are there other groups in this AWS account? Do those groups have different permissions?
  • Can I change my permissions with something like SetDefaultPolicyVersion, AddUserToGroup, PutUserPolicy, etc…?
  • And/or, does my user have access to create access keys or create login profiles for other users of interest?
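As an added example (not part of the course or its labs), here is a small Python helper using boto3-shaped IAM calls that walks the Hint #2 checklist for one user: group membership, attached versus inline policies for the user and for each group, and whether a permissions boundary is set. The FakeIAM client, its group and policy names, and the account ID are constructed for this example; swap in boto3.client("iam") to run it against real credentials.

```python
def enumerate_user(iam, user_name):
    """Answer Hint #2 for one user: groups, attached vs. inline policies,
    and any permissions boundary. `iam` is a boto3 IAM client (or a stub)."""
    user = iam.get_user(UserName=user_name)["User"]
    boundary = user.get("PermissionsBoundary", {})
    report = {
        "user": user_name,
        # A boundary can silently cap what the listed policies appear to grant.
        "boundary": boundary.get("PermissionsBoundaryArn"),
        # Managed (attached) and inline policies come from different calls.
        "user_attached": [p["PolicyArn"] for p in
                          iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]],
        "user_inline": iam.list_user_policies(UserName=user_name)["PolicyNames"],
        "groups": {},
    }
    for group in iam.list_groups_for_user(UserName=user_name)["Groups"]:
        name = group["GroupName"]
        report["groups"][name] = {
            "attached": [p["PolicyArn"] for p in
                         iam.list_attached_group_policies(GroupName=name)["AttachedPolicies"]],
            "inline": iam.list_group_policies(GroupName=name)["PolicyNames"],
        }
    return report


class FakeIAM:
    """Constructed stand-in for boto3.client("iam"); all names and the
    account ID 123456789012 are made up for this example, not lab values."""
    ACCT = "arn:aws:iam::123456789012:policy/"
    def get_user(self, UserName):
        return {"User": {"UserName": UserName, "PermissionsBoundary": {
            "PermissionsBoundaryType": "Policy",
            "PermissionsBoundaryArn": self.ACCT + "DevBoundary"}}}
    def list_groups_for_user(self, UserName):
        return {"Groups": [{"GroupName": "AppDevelopers"}]}
    def list_attached_group_policies(self, GroupName):
        return {"AttachedPolicies": [{"PolicyName": "AppS3Read",
                                      "PolicyArn": self.ACCT + "AppS3Read"}]}
    def list_group_policies(self, GroupName):
        return {"PolicyNames": ["self-enumeration"]}
    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": []}
    def list_user_policies(self, UserName):
        return {"PolicyNames": []}


if __name__ == "__main__":
    # Replace FakeIAM() with boto3.client("iam") to enumerate a real user.
    print(enumerate_user(FakeIAM(), "kevin"))
```

Run the output through the same questions as the hint: a non-empty "boundary" means the effective permissions may be narrower than the listed policies suggest, and each group's "inline" names still need a separate get-group-policy call to read their statements.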

Hint #3: Escaping a locked room typically requires finding or creating a key 🙂

Responses


  1. This course not only taught me how to think like an attacker, but also how easy it is to escalate privileges if excessive IAM permissions are present in the cloud. I honestly loved it and recommend it 100%!

  2. Hey @Christophe Limpalair 👋,

    I just wanted to say that Challenge 2 was absolutely fantastic! 🎉 It’s evident that a lot of thought and effort went into crafting it. I really appreciated how it encompassed various learning strategies and commands. One of the standout features for me was how comprehensively it tackled IAM enumeration recon. 👏

    A quick tip for fellow students: It’s super beneficial to create your own notes on AWS CLI commands. Not only will it assist you in cracking Challenge 1, but it’s especially handy for navigating through Challenge 2. 📝

    Keep up the great work! Looking forward to more challenges ahead! 🚀

  3. I thoroughly enjoyed every aspect of this course. The content was engaging and well-structured, and I particularly appreciated the approach it took. Both challenges provided were not only interesting but also highly stimulating. I would strongly recommend this course to anyone interested in AWS Pentesting.

  4. Great course Christophe, I really loved the challenges and lab. I was initially planning to study for AWS Certified Security Specialty exam, but it occurred to me that I should first learn attacking AWS which led me to this platform.

    I must say that after doing these courses and labs, my knowledge has not only increased in the offensive side, but on also how can we secure our accounts by adding multiple layers of access controls like Permission Boundaries, Resource Based Policies, SCPs etc.

    I would love you to make a course in the future which covers how various AWS security related services identify and block these attacking methodologies and how we can try to bypass those protections.

    Thanks!

    1. I really appreciate the comment and I’m thrilled you both enjoyed the course and took away a lot from it! I would recommend these two courses next based on your interests: Introduction to AWS Security — especially the last few sections which talk about IAM Access Analyzer, detection services, and monitoring/alerting services — and Incident Response with CloudTrail Lake and Athena. The second course will show you how blue teams would be able to view activities and respond to incidents, which can be valuable information from a red teaming perspective as well.