Back to Course

AWS IAM Privilege Escalation Labs

0% Complete
0/0 Steps
  1. Introduction

    About this course
  2. Real-world case studies
  3. Useful IAM tips and security tools
  4. Introduction to AWS Enumeration
    [LAB] Getting Started with the AWS CLI
  5. [LAB] Introduction to AWS IAM Enumeration
  6. [Cheat Sheet] IAM Enumeration CLI Commands
  7. [LAB] Introduction to Secrets Manager Enumeration
  8. [Cheat Sheet] Secrets Manager Enumeration CLI Commands
  9. [LAB] Introduction to Amazon S3 Enumeration
  10. iam:CreateAccessKey
    [LAB] [CTF] iam:CreateAccessKey PrivEsc
  11. iam:CreateAccessKey Solution
  12. iam:CreateLoginProfile
    [LAB] [CTF] iam:CreateLoginProfile PrivEsc
  13. iam:CreateLoginProfile Solution
  14. iam:UpdateLoginProfile
    [LAB] [CTF] iam:UpdateLoginProfile PrivEsc
  15. iam:UpdateLoginProfile Solution
  16. iam:SetDefaultPolicyVersion
    [LAB] [CTF] iam:SetDefaultPolicyVersion PrivEsc
  17. iam:SetDefaultPolicyVersion Solution
  18. iam:AddUserToGroup
    [LAB] [CTF] iam:AddUserToGroup PrivEsc
  19. iam:AddUserToGroup Solution
  20. iam:AttachUserPolicy
    [LAB] [CTF] iam:AttachUserPolicy PrivEsc
  21. iam:AttachUserPolicy Solution
  22. iam:AttachGroupPolicy
    [LAB] [CTF] iam:AttachGroupPolicy PrivEsc
  23. iam:AttachGroupPolicy Solution
  24. iam:PutUserPolicy
    [LAB] [CTF] iam:PutUserPolicy PrivEsc
  25. iam:PutUserPolicy Solution
  26. iam:PutGroupPolicy
    [LAB] [CTF] iam:PutGroupPolicy PrivEsc
  27. iam:PutGroupPolicy Solution
  28. iam:AttachRolePolicy
    [LAB] [CTF] iam:AttachRolePolicy PrivEsc
  29. iam:AttachRolePolicy Solution
  30. iam:PutRolePolicy
    [LAB] [CTF] iam:PutRolePolicy PrivEsc
  31. iam:PutRolePolicy Solution
  32. Challenges
    About challenges
  33. Challenge #1 - Secrets Unleashed
  34. Challenge #2 - IAM Escape Room
  35. Conclusion
    What did you think of the course?
  36. What's next?
Lesson 3 of 36
In Progress

Useful IAM tips and security tools

Christophe November 19, 2023

Practical AWS CLI tips

This course requires heavy use of the AWS CLI, and especially aws iam commands. You’ll need to regularly refer to documentation but another tip is to use grep in order to search through the help menu, like this:

aws iam help | grep -e "list-group" -e "get-group"
       o get-group
       o get-group-policy
       o list-group-policies
       o list-groups
       o list-groups-for-userCode language: PHP (php)

That way you can save a lot of time instead of constantly going back and forth with docs.

About using tools/automation for this course

You do not need any of the tools in this lesson in order to successfully complete the labs in this course! Every single one of them can be 100% accomplished using the AWS CLI, and that’s how I recommend that you do it the first time around to get experience with using the AWS CLI.

With that said, if you’re already experienced or if you’ve already gone through a first run, trying out these automation tools is also a great idea as they can help speed things up and/or find issues you may not have manually found.

Also, please note that while I have personally used and continue to use some of these tools, I’ve also included some that I have heard about but haven’t personally (or thoroughly) tested, so they may not work as intended. Especially since some of them are a few years old and haven’t been recently updated. If that’s the case, please drop me a comment below and I’ll remove the tool. (I ultimately want to test them all, just haven’t had the time yet)

IAMActionHunter

https://github.com/RhinoSecurityLabs/IAMActionHunter

Quickly and easily evaluate one or more IAM policies to find issues.

This is a tool you can use to more quickly understand what the vulnerability might be across one policy or across multiple policies.

IAMFinder

https://github.com/prisma-cloud/IAMFinder

IAMFinder enumerates and finds users and IAM roles in a target AWS account.

EnumerateIAM

https://github.com/andresriancho/enumerate-iam

Enumerate the permissions associated with an AWS credential set. This tool tries to brute force all API calls allowed by the IAM policy. The calls performed by this tool are all non-destructive (only get* and list* calls are performed). Great for finding weaknesses you may not have manually found.

aws_escalate.py

https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py

A script that can help you find privesc paths.

Pacu

https://github.com/RhinoSecurityLabs/pacu

Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments. Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. This is the same tool we demonstrate in our Pentesting AWS Environments with Pacu, CloudGoat, and ChatGPT course

ScoutSuite, Prowler, etc…

There are also larger tools like ScoutSuite and Prowler that can scan environment to audit them, and that includes finding IAM misconfigurations, so it can be helpful in this sort of situation. A quick note: I don’t think ScoutSuite is being maintained anymore so your mileage may vary.

Any other tools we should add?

There are many other AWS security tools out there, but I tried only adding lightweight and open-source tools. If you have other tools you’d recommend adding to this list that fit that criteria and that’s specific to IAM, let me know in the comments below!

Responses

Your email address will not be published. Required fields are marked *

  1. New update on Fig.io:

    “Fig is sunsetting, migrate to Amazon CodeWhisperer
    Dear Fig users,

    Effective September 1, 2024 we will be ending access to Fig.

    We encourage users to migrate to Amazon CodeWhisperer for command line. It’s free on the Individual tier and is designed to be faster and more reliable than Fig. To make this transition as easy as possible, users can upgrade to CodeWhisperer for command line directly from the Fig dashboard.

    To learn more about the changes to Fig and how to export your data, read our blog post. …”

    1. πŸ™ such a shame. I’m still currently able to use it from a prior/older download, but it means no more updates. They’re forcing everyone to move to Amazon Q which isn’t as good. Really sucks.

  2. Hi, i feel like PMapper does not work anymore.
    From my research it’s not compatible with Python 3.12 ? but i might be wrong

  3. Hi @christophe, First of all a big thanks for creating this platform to support new techminds in Cyber field trying to learn about Cloud Security. I’d like to request you to consider Scoutsuite in the list of tools above as it can help get quite a lot of details regarding the security posture of a cloud Environment.

    1. Hey, thanks! I’m usually hesitant to add it because I don’t think it’s being maintained anymore with hundreds of open issues and lots of pull requests. I’ll add it as a mention to the lesson if anyone wants to check it out though! Thanks for the suggestion