Back to Course
AWS IAM Privilege Escalation Labs
0% Complete
0/0 Steps
-
Introduction
About this course -
Real-world case studies
-
Useful IAM tips and security tools
-
Introduction to AWS Enumeration[LAB] Getting Started with the AWS CLI
-
[LAB] Introduction to AWS IAM Enumeration
-
[Cheat Sheet] IAM Enumeration CLI Commands
-
[LAB] Introduction to Secrets Manager Enumeration
-
[Cheat Sheet] Secrets Manager Enumeration CLI Commands
-
[LAB] Introduction to Amazon S3 Enumeration
-
iam:CreateAccessKey[LAB] [CTF] iam:CreateAccessKey PrivEsc
-
iam:CreateAccessKey Solution
-
iam:CreateLoginProfile[LAB] [CTF] iam:CreateLoginProfile PrivEsc
-
iam:CreateLoginProfile Solution
-
iam:UpdateLoginProfile[LAB] [CTF] iam:UpdateLoginProfile PrivEsc
-
iam:UpdateLoginProfile Solution
-
iam:SetDefaultPolicyVersion[LAB] [CTF] iam:SetDefaultPolicyVersion PrivEsc
-
iam:SetDefaultPolicyVersion Solution
-
iam:AddUserToGroup[LAB] [CTF] iam:AddUserToGroup PrivEsc
-
iam:AddUserToGroup Solution
-
iam:AttachUserPolicy[LAB] [CTF] iam:AttachUserPolicy PrivEsc
-
iam:AttachUserPolicy Solution
-
iam:AttachGroupPolicy[LAB] [CTF] iam:AttachGroupPolicy PrivEsc
-
iam:AttachGroupPolicy Solution
-
iam:PutUserPolicy[LAB] [CTF] iam:PutUserPolicy PrivEsc
-
iam:PutUserPolicy Solution
-
iam:PutGroupPolicy[LAB] [CTF] iam:PutGroupPolicy PrivEsc
-
iam:PutGroupPolicy Solution
-
iam:AttachRolePolicy[LAB] [CTF] iam:AttachRolePolicy PrivEsc
-
iam:AttachRolePolicy Solution
-
iam:PutRolePolicy[LAB] [CTF] iam:PutRolePolicy PrivEsc
-
iam:PutRolePolicy Solution
-
ChallengesAbout challenges
-
Challenge #1 - Secrets Unleashed
-
Challenge #2 - IAM Escape Room
-
ConclusionWhat did you think of the course?
-
What's next?
Scenario 🧪
The prior lab showed how we can exploit custom and inline IAM policies to grant users elevated privileges (potentially even admin privileges), by uploading a JSON document. This lab is similar except it leverages iam:PutGroupPolicy to upload custom policy documents to entire groups.
This lab has been misconfigured, so exploit it with iam:PutGroupPolicy to grant your group Secrets Manager permissions.
You’ve successfully completed this lab once you’ve submitted the secret value as the flag!
Tips
Tip #1: There’s more than 1 group in this lab environment, so make sure you enumerate sufficiently to know which group you’re part of.
Steps
- Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile
- Using the AWS CLI, identify what permissions your current user has access to and perform general reconnaissance to familiarize yourself with the AWS environment
- Leverage your
iam:PutGroupPolicypermissions to gain access to Secrets Manager - Access Secrets Manager and retrieve the secret value
- Submit the secret as the flag
Responses