Back to Course
AWS IAM Privilege Escalation Labs
0% Complete
0/0 Steps
-
Introduction
About this course -
Real-world case studies
-
Useful IAM tips and security tools
-
Introduction to AWS Enumeration[LAB] Getting Started with the AWS CLI
-
[LAB] Introduction to AWS IAM Enumeration
-
[Cheat Sheet] IAM Enumeration CLI Commands
-
[LAB] Introduction to Secrets Manager Enumeration
-
[Cheat Sheet] Secrets Manager Enumeration CLI Commands
-
[LAB] Introduction to Amazon S3 Enumeration
-
iam:CreateAccessKey[LAB] [CTF] iam:CreateAccessKey PrivEsc
-
iam:CreateAccessKey Solution
-
iam:CreateLoginProfile[LAB] [CTF] iam:CreateLoginProfile PrivEsc
-
iam:CreateLoginProfile Solution
-
iam:UpdateLoginProfile[LAB] [CTF] iam:UpdateLoginProfile PrivEsc
-
iam:UpdateLoginProfile Solution
-
iam:SetDefaultPolicyVersion[LAB] [CTF] iam:SetDefaultPolicyVersion PrivEsc
-
iam:SetDefaultPolicyVersion Solution
-
iam:AddUserToGroup[LAB] [CTF] iam:AddUserToGroup PrivEsc
-
iam:AddUserToGroup Solution
-
iam:AttachUserPolicy[LAB] [CTF] iam:AttachUserPolicy PrivEsc
-
iam:AttachUserPolicy Solution
-
iam:AttachGroupPolicy[LAB] [CTF] iam:AttachGroupPolicy PrivEsc
-
iam:AttachGroupPolicy Solution
-
iam:PutUserPolicy[LAB] [CTF] iam:PutUserPolicy PrivEsc
-
iam:PutUserPolicy Solution
-
iam:PutGroupPolicy[LAB] [CTF] iam:PutGroupPolicy PrivEsc
-
iam:PutGroupPolicy Solution
-
iam:AttachRolePolicy[LAB] [CTF] iam:AttachRolePolicy PrivEsc
-
iam:AttachRolePolicy Solution
-
iam:PutRolePolicy[LAB] [CTF] iam:PutRolePolicy PrivEsc
-
iam:PutRolePolicy Solution
-
ChallengesAbout challenges
-
Challenge #1 - Secrets Unleashed
-
Challenge #2 - IAM Escape Room
-
ConclusionWhat did you think of the course?
-
What's next?
Scenario 🧪
Best practices say that we should try to apply IAM policies to groups, and then add users to those groups so that they can inherit permissions. This is a best practice because it helps keep things organized and you can quickly and easily give or remove a user’s permissions by adding them or removing them from a group.
This lab is a great way to showcase why this is a best practice. Even just adding one inline policy to a user can wreak havoc, as you’re about to find out.
This lab has been misconfigured, so exploit it with iam:AddUserToGroup to grant yourself access to the Secrets Manager service so you can retrieve secrets from that AWS account.
You’ve successfully completed this lab once you’ve submitted the secret value!
Steps
- Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile
- Using the AWS CLI, identify what permissions your current user has access to and perform general reconnaissance to familiarize yourself with the AWS environment
- Leverage your
iam:AddUserToGrouppermissions to gain access to Secrets Manager - Access Secrets Manager and retrieve the secret value
- Copy/paste it to submit it as the flag
Responses