Back to Course
AWS IAM Privilege Escalation Labs
0% Complete
0/0 Steps
-
Introduction
About this course -
Real-world case studies
-
Useful IAM tips and security tools
-
Introduction to AWS Enumeration[LAB] Getting Started with the AWS CLI
-
[LAB] Introduction to AWS IAM Enumeration
-
[Cheat Sheet] IAM Enumeration CLI Commands
-
[LAB] Introduction to Secrets Manager Enumeration
-
[Cheat Sheet] Secrets Manager Enumeration CLI Commands
-
[LAB] Introduction to Amazon S3 Enumeration
-
iam:CreateAccessKey[LAB] [CTF] iam:CreateAccessKey PrivEsc
-
iam:CreateAccessKey Solution
-
iam:CreateLoginProfile[LAB] [CTF] iam:CreateLoginProfile PrivEsc
-
iam:CreateLoginProfile Solution
-
iam:UpdateLoginProfile[LAB] [CTF] iam:UpdateLoginProfile PrivEsc
-
iam:UpdateLoginProfile Solution
-
iam:SetDefaultPolicyVersion[LAB] [CTF] iam:SetDefaultPolicyVersion PrivEsc
-
iam:SetDefaultPolicyVersion Solution
-
iam:AddUserToGroup[LAB] [CTF] iam:AddUserToGroup PrivEsc
-
iam:AddUserToGroup Solution
-
iam:AttachUserPolicy[LAB] [CTF] iam:AttachUserPolicy PrivEsc
-
iam:AttachUserPolicy Solution
-
iam:AttachGroupPolicy[LAB] [CTF] iam:AttachGroupPolicy PrivEsc
-
iam:AttachGroupPolicy Solution
-
iam:PutUserPolicy[LAB] [CTF] iam:PutUserPolicy PrivEsc
-
iam:PutUserPolicy Solution
-
iam:PutGroupPolicy[LAB] [CTF] iam:PutGroupPolicy PrivEsc
-
iam:PutGroupPolicy Solution
-
iam:AttachRolePolicy[LAB] [CTF] iam:AttachRolePolicy PrivEsc
-
iam:AttachRolePolicy Solution
-
iam:PutRolePolicy[LAB] [CTF] iam:PutRolePolicy PrivEsc
-
iam:PutRolePolicy Solution
-
ChallengesAbout challenges
-
Challenge #1 - Secrets Unleashed
-
Challenge #2 - IAM Escape Room
-
ConclusionWhat did you think of the course?
-
What's next?
Scenario 🧪
While the prior two labs showed how to exploit managed policies (either AWS-managed or customer-managed) to grant users or groups elevated privileges, we can also exploit misconfigured iam:PutUserPolicy permissions to add or update inline policy documents for IAM users.
This lab has been misconfigured, so exploit it with iam:PutUserPolicy to grant yourself Secrets Manager permissions.
You’ve successfully completed this lab once you’ve submitted the secret value!
Tips
Tip #1: Familiarize yourself with the CLI command put-user-policy. It takes in a --policy-document which is a JSON IAM policy that you would create locally.
Steps
- Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile
- Using the AWS CLI, identify what permissions your current user has access to and perform general reconnaissance to familiarize yourself with the AWS environment
- Leverage your
iam:PutUserPolicypermissions to gain access to Secrets Manager - Access Secrets Manager and retrieve the secret value
- Submit the secret value as the flag
@Chris, I am getting below error during this operation – aws iam put-user-policy –user-name iam-putuserpolicy-privesc-1766415613921-SeniorDev –policy-name test –policy-document custom-policy-put-permission.json –profile iampriv
An error occurred (MalformedPolicyDocument) when calling the PutUserPolicy operation: Syntax errors in policy.
Let me know if this is still an issue but I believe I saw on Discord you said you resolved it
you need to stipule file:// and not just