Scenario 🧪
The prior lab showed how we can exploit custom and inline IAM policies to grant users elevated privileges (potentially even admin privileges), by uploading a JSON document. This lab is similar except it leverages iam:PutGroupPolicy
to upload custom policy documents to entire groups.
This lab has been misconfigured, so exploit it with iam:PutGroupPolicy
to grant your group Secrets Manager permissions.
You’ve successfully completed this lab once you’ve submitted the secret value as the flag!
Tips
Tip #1: There’s more than 1 group in this lab environment, so make sure you enumerate sufficiently to know which group you’re part of.
Steps
- Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile
- Using the AWS CLI, identify what permissions your current user has access to and perform general reconnaissance to familiarize yourself with the AWS environment
- Leverage your
iam:PutGroupPolicy
permissions to gain access to Secrets Manager - Access Secrets Manager and retrieve the secret value
- Submit the secret as the flag
Responses