Back to Course

AWS IAM Privilege Escalation Labs

0% Complete
0/0 Steps
  1. Introduction

    About this course
  2. Real-world case studies
  3. Useful IAM tips and security tools
  4. Introduction to AWS Enumeration
    [LAB] Getting Started with the AWS CLI
  5. [LAB] Introduction to AWS IAM Enumeration
  6. [Cheat Sheet] IAM Enumeration CLI Commands
  7. [LAB] Introduction to Secrets Manager Enumeration
  8. [Cheat Sheet] Secrets Manager Enumeration CLI Commands
  9. [LAB] Introduction to Amazon S3 Enumeration
  10. iam:CreateAccessKey
    [LAB] [CTF] iam:CreateAccessKey PrivEsc
  11. iam:CreateAccessKey Solution
  12. iam:CreateLoginProfile
    [LAB] [CTF] iam:CreateLoginProfile PrivEsc
  13. iam:CreateLoginProfile Solution
  14. iam:UpdateLoginProfile
    [LAB] [CTF] iam:UpdateLoginProfile PrivEsc
  15. iam:UpdateLoginProfile Solution
  16. iam:SetDefaultPolicyVersion
    [LAB] [CTF] iam:SetDefaultPolicyVersion PrivEsc
  17. iam:SetDefaultPolicyVersion Solution
  18. iam:AddUserToGroup
    [LAB] [CTF] iam:AddUserToGroup PrivEsc
  19. iam:AddUserToGroup Solution
  20. iam:AttachUserPolicy
    [LAB] [CTF] iam:AttachUserPolicy PrivEsc
  21. iam:AttachUserPolicy Solution
  22. iam:AttachGroupPolicy
    [LAB] [CTF] iam:AttachGroupPolicy PrivEsc
  23. iam:AttachGroupPolicy Solution
  24. iam:PutUserPolicy
    [LAB] [CTF] iam:PutUserPolicy PrivEsc
  25. iam:PutUserPolicy Solution
  26. iam:PutGroupPolicy
    [LAB] [CTF] iam:PutGroupPolicy PrivEsc
  27. iam:PutGroupPolicy Solution
  28. iam:AttachRolePolicy
    [LAB] [CTF] iam:AttachRolePolicy PrivEsc
  29. iam:AttachRolePolicy Solution
  30. iam:PutRolePolicy
    [LAB] [CTF] iam:PutRolePolicy PrivEsc
  31. iam:PutRolePolicy Solution
  32. Challenges
    About challenges
  33. Challenge #1 - Secrets Unleashed
  34. Challenge #2 - IAM Escape Room
  35. Conclusion
    What did you think of the course?
  36. What's next?
Lesson 16 of 36
In Progress

[LAB] [CTF] iam:SetDefaultPolicyVersion PrivEsc

Christophe November 19, 2023
🧪Hands-On Lab
Help/Info

Scenario 🧪

IAM policies can have versioning enabled with up to 5 policy versions at a time (more info). Instead of overwriting an existing IAM policy, versioning will create a new version, set it as the default, and keep the prior policy as another version.

This is a useful feature for tracking changes over time and rolling back if you’ve made a mistake, but it can also lead to vulnerabilities. For that reason, you should limit which users have access to iam:SetDefaultPolicyVersion as otherwise they can use this to grant themselves higher privilege permissions.

This lab has been misconfigured, so exploit it with iam:SetDefaultPolicyVersion to grant yourself S3 permissions.

You’ve successfully completed this lab once you’ve: accessed and downloaded sensitive files containing customer PII in Amazon S3, then submitted the IP address of the first row entry (for ‘Cooper Luffman’). (The next lab will switch it up from S3 to keep it interesting, don’t worry!)

Steps

  • Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile
  • Using the AWS CLI, identify what permissions your current user has access to and perform general reconnaissance to familiarize yourself with the AWS environment
  • Revert back to a prior policy version that gives permissions to S3
  • Using your new permissions, access the S3 bucket containing sensitive data
  • Download those files and make sure they contain PII.
  • Submit the first row IP address (for ‘Cooper Luffman’) as the flag

Responses

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.