Back to Course
AWS IAM Privilege Escalation Labs
0% Complete
0/0 Steps
-
Introduction
About this course -
Real-world case studies
-
Useful IAM tips and security tools
-
Introduction to AWS Enumeration[LAB] Getting Started with the AWS CLI
-
[LAB] Introduction to AWS IAM Enumeration
-
[Cheat Sheet] IAM Enumeration CLI Commands
-
[LAB] Introduction to Secrets Manager Enumeration
-
[Cheat Sheet] Secrets Manager Enumeration CLI Commands
-
[LAB] Introduction to Amazon S3 Enumeration
-
iam:CreateAccessKey[LAB] [CTF] iam:CreateAccessKey PrivEsc
-
iam:CreateAccessKey Solution
-
iam:CreateLoginProfile[LAB] [CTF] iam:CreateLoginProfile PrivEsc
-
iam:CreateLoginProfile Solution
-
iam:UpdateLoginProfile[LAB] [CTF] iam:UpdateLoginProfile PrivEsc
-
iam:UpdateLoginProfile Solution
-
iam:SetDefaultPolicyVersion[LAB] [CTF] iam:SetDefaultPolicyVersion PrivEsc
-
iam:SetDefaultPolicyVersion Solution
-
iam:AddUserToGroup[LAB] [CTF] iam:AddUserToGroup PrivEsc
-
iam:AddUserToGroup Solution
-
iam:AttachUserPolicy[LAB] [CTF] iam:AttachUserPolicy PrivEsc
-
iam:AttachUserPolicy Solution
-
iam:AttachGroupPolicy[LAB] [CTF] iam:AttachGroupPolicy PrivEsc
-
iam:AttachGroupPolicy Solution
-
iam:PutUserPolicy[LAB] [CTF] iam:PutUserPolicy PrivEsc
-
iam:PutUserPolicy Solution
-
iam:PutGroupPolicy[LAB] [CTF] iam:PutGroupPolicy PrivEsc
-
iam:PutGroupPolicy Solution
-
iam:AttachRolePolicy[LAB] [CTF] iam:AttachRolePolicy PrivEsc
-
iam:AttachRolePolicy Solution
-
iam:PutRolePolicy[LAB] [CTF] iam:PutRolePolicy PrivEsc
-
iam:PutRolePolicy Solution
-
ChallengesAbout challenges
-
Challenge #1 - Secrets Unleashed
-
Challenge #2 - IAM Escape Room
-
ConclusionWhat did you think of the course?
-
What's next?
Scenario 🧪
This lab is very similar to iam:CreateLoginProfile except instead of creating a login profile, if a user already has a login profile created, we can use UpdateLoginProfile to the same effect.
To make it less repetitive, we increased the difficulty just a little bit by adding a couple more steps that you will need to complete this lab! You’ve captured the flag when you’ve downloaded sensitive S3 data and submitted Joshua Lee’s credit card number from the customers.txt file.
Steps
- Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile
- Using the AWS CLI, identify what permissions your current user has access to and perform general reconnaissance to familiarize yourself with the AWS environment
- Identify which user has the permissions you need to access S3
- Gain access to and authenticate as the correct IAM user
- Using your new permissions, access the S3 bucket containing sensitive data
- Download those files and make sure they contain PII.
- Submit the flag by copy/pasting Joshua Lee’s credit card number from the customers.txt file
Not sure what I am doing wrong but I am only showing the allowed policies with no explicit denies, and get iam-updateloginprofile-privesc-1702564203600-Attacker is not authorized to perform when attempting to run the UpdateLoginProfile command.
That’s my bad, I pushed an update to this lab that broke it. I’ve fixed it and you should be good to go now!
Thanks Chris!