Scenario 🧪
AWS IAM roles are incredibly useful and powerful: you can assume them to receive permissions within your own account or for cross-account access. You do that with the AssumeRole API, which returns a set of temporary security credentials (an access key ID, a secret access key and a session token) that are used much like regular access keys, except that they are short-term rather than long-term credentials.
If your IAM user is allowed to call AssumeRole on a particular role (the role's trust policy dictates which principals may assume it; when the trust policy only names the account rather than your user, your own identity policy must also allow sts:AssumeRole on that role), you can assume that role and obtain whatever permissions it has. If you additionally hold the iam:AttachRolePolicy permission for that role, you can change the role's permissions by attaching managed policies to it, and then assume the newly expanded role.
Your lab user has access to perform support functions by assuming roles with AssumeRole, including a role that can read a non-sensitive S3 bucket containing generic files for an application you support.
However, this lab has been misconfigured to also grant you iam:AttachRolePolicy. Leverage that misconfiguration to give the role additional S3 permissions that let you read a bucket containing PII you were never intended to access.
You’ve captured the flag when you’ve successfully downloaded the files contained in that bucket, and submitted the credit card number for ‘Richard Gibson.’
Tips
Tip #1: Since there can be a lot of roles in an AWS account, use the --query option of list-roles (a JMESPath expression) to filter out unwanted results. To speed things up in this lab, run the following whenever you are ready to enumerate roles; it surfaces the role you will be interested in:
aws iam list-roles --query "Roles[?RoleName=='SupportRole']"
Steps
- Using the provided Access Key ID and Secret Access Key, configure an AWS CLI profile
- Using the AWS CLI, identify what permissions your current user has and perform general reconnaissance to familiarize yourself with the AWS environment
- Leverage your iam:AttachRolePolicy permission to gain access to an Amazon S3 bucket containing sensitive information
- Download the files in that S3 bucket
- Submit the credit card number for 'Richard Gibson'
Real-World Scenario
I can't help but share this attack case study published by Palo Alto Networks' Unit 42, which describes a real intrusion that used the exact technique and privilege-escalation path demonstrated by this lab.