Scenario 🧪
Difficulty: Intermediate
Objective: ⛳️ You’ve successfully completed this challenge once you’ve downloaded a PDF document containing F-15 Eagle development information.
Description: You work for a defense contractor organization named GuardianSys Defense that helps develop parts for fighter jets. The organization’s IT runs both on-prem and in the AWS cloud as part of an effort to modernize and increase innovation. Due to the nature of the projects your organization works on, individuals are supposed to have access to documents only on an as-needed basis.
You (Kevin) are an application developer with access to basic S3 documents needed by the application you help support. However, due to upper management pressure, the IT team was not able to follow best AWS security practices and is hosting all of its documents in the same account using Amazon S3.
Facing mounting personal financial pressure, and after having been passed up for a promotion that you were clearly the better fit for, you’ve decided to steal proprietary and secret documents in order to sell them to the highest bidder on the black market.
To do that, you have to find a way to access those secret documents that your IAM user doesn’t currently have access to.
Given the provided credentials, look for IAM Privilege Escalation paths that will give you permissions to a bucket on Amazon S3 hosting sensitive documents.
Disclaimer: Obviously, we do not condone this behavior in real life. This scenario is meant to showcase how insider threats can be even more dangerous to an organization than outsider threats, and why it’s so important to have proper access control to defend against all plausible threats.
Hints
Hint #1: Unlike the labs throughout this course that focused on a single exploit at a time, this challenge will require chaining two or more exploits together. All of the exploits and techniques that you need have been covered in this course — there isn’t anything new. For convenience, here’s a checklist of exploits we learned about that might be useful for this challenge (you only technically need 3 and some of these will not work):
- CreateAccessKey
- CreateLoginProfile
- SetDefaultPolicyVersion
- AttachUserPolicy
- AttachGroupPolicy
- PutUserPolicy
- PutGroupPolicy
Hint #2: Remember to start with enumeration. You need to get a lay of the land to understand what’s going on in that specific AWS environment and what you have access to.
As you enumerate, ask questions like:
- Am I part of a group? If so, what permissions does that group give me? (Remember that groups can have both inline and attached policies which are retrieved with different commands)
- Do I have any inline policies that give me additional permissions?
- Is there a boundary policy applied to the user? Even if you can’t see that policy, it could explain why you don’t have access that you think you should have
- Are there other groups in this AWS account? Do those groups have different permissions?
- Can I change my permissions with something like SetDefaultPolicyVersion, AddUserToGroup, PutUserPolicy, etc…?
- And/or, does my user have access to create access keys or create login profiles for other users of interest?
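As an added example (not part of the course or the challenge files), the following Python walks the Hint #2 checklist for one IAM user and flags any inline policy, on the user or on one of its groups, that grants an action from the Hint #1 list; the `iam` argument is assumed to be a `boto3.client("iam")`, and managed (attached) policies are listed but not read, since that needs `get_policy_version`.

```python
import fnmatch
from typing import Any, Dict, List

# Hint #1's actions (plus AddUserToGroup from Hint #2): each can change what a principal is allowed to do.
ESCALATION_ACTIONS = [
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:PutUserPolicy",
    "iam:PutGroupPolicy", "iam:AddUserToGroup",
]

def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]  # IAM allows a bare string or a list

def risky_actions(policy_doc: Dict[str, Any]) -> List[str]:
    """Hint #1 actions this document grants: Allow statements minus explicit Denys in the
    same document, with wildcard patterns such as iam:* or * honoured (case-insensitive)."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy_doc.get("Statement", [])):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action", [])):
            bucket.update(a for a in ESCALATION_ACTIONS
                          if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(allowed - denied)

def enumerate_user(iam: Any, user: str) -> Dict[str, Any]:
    """Walk Hint #2's checklist for one user: boundary, inline and attached policies on the
    user, the user's groups with their inline and attached policies, and every inline policy
    that grants a Hint #1 action. `iam` is a boto3 IAM client (assumed, not created here)."""
    report: Dict[str, Any] = {"groups": {}, "risky": {}}
    report["boundary"] = iam.get_user(UserName=user)["User"].get("PermissionsBoundary")
    report["inline"] = iam.list_user_policies(UserName=user)["PolicyNames"]
    report["attached"] = [p["PolicyArn"] for p in
                          iam.list_attached_user_policies(UserName=user)["AttachedPolicies"]]
    for name in report["inline"]:  # boto3 returns PolicyDocument already parsed into a dict
        doc = iam.get_user_policy(UserName=user, PolicyName=name)["PolicyDocument"]
        if risky := risky_actions(doc):
            report["risky"]["user:" + name] = risky
    for group in iam.list_groups_for_user(UserName=user)["Groups"]:
        gname = group["GroupName"]
        inline = iam.list_group_policies(GroupName=gname)["PolicyNames"]
        attached = [p["PolicyArn"] for p in
                    iam.list_attached_group_policies(GroupName=gname)["AttachedPolicies"]]
        report["groups"][gname] = {"inline": inline, "attached": attached}
        for name in inline:
            doc = iam.get_group_policy(GroupName=gname, PolicyName=name)["PolicyDocument"]
            if risky := risky_actions(doc):
                report["risky"][f"group:{gname}/{name}"] = risky
    return report
```

A non-empty `risky` map is exactly the kind of finding a reviewer of this account's IAM should treat as a privilege-escalation path to remove; a set boundary explains permissions that look granted but do not work.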
Hint #3: Escaping a locked room typically requires finding or creating a key 🙂
I’d love your feedback on this challenge lab. Are you finding it too difficult? Is it a fun challenge? Let me know in the comments!
This course not only taught me how to think like an attacker, but also how easy it is to escalate privileges if excessive IAM permissions are present in the cloud. I honestly loved it and recommend it 100%!
Yay!!! That just made my day! Thank you for sharing, Mariana, and nice work getting through the entire course :)!
Hey @Christophe Limpalair 👋,
I just wanted to say that Challenge 2 was absolutely fantastic! 🎉 It’s evident that a lot of thought and effort went into crafting it. I really appreciated how it encompassed various learning strategies and commands. One of the standout features for me was how comprehensively it tackled IAM enumeration recon. 👏
A quick tip for fellow students: It’s super beneficial to create your own notes on AWS CLI commands. Not only will it assist you in cracking Challenge 1, but it’s especially handy for navigating through Challenge 2. 📝
Keep up the great work! Looking forward to more challenges ahead! 🚀
Great tip, Ritesh, and thank you for the fantastic feedback :)! Glad you enjoyed it!
I thoroughly enjoyed every aspect of this course. The content was engaging and well-structured, and I particularly appreciated the approach it took. Both challenges provided were not only interesting but also highly stimulating. I would strongly recommend this course to anyone interested in AWS Pentesting.
So glad you enjoyed it! Thank you for taking the time to write this comment and for enrolling in our course 🙂
Great course Christophe, I really loved the challenges and lab. I was initially planning to study for AWS Certified Security Specialty exam, but it occurred to me that I should first learn attacking AWS which led me to this platform.
I must say that after doing these courses and labs, my knowledge has not only increased in the offensive side, but on also how can we secure our accounts by adding multiple layers of access controls like Permission Boundaries, Resource Based Policies, SCPs etc.
I would love you to make a course in the future which covers how various AWS security related services identify and block these attacking methodologies and how we can try to bypass those protections.
Thanks!
I really appreciate the comment and I’m thrilled you both enjoyed the course and took away a lot from it! I would recommend these two courses next based on your interests: Introduction to AWS Security — especially the last few sections which talk about IAM Access Analyzer, detection services, and monitoring/alerting services — and Incident Response with CloudTrail Lake and Athena. The second course will show you how blue teams would be able to view activities and respond to incidents, which can be valuable information from a red teaming perspective as well.