[LAB] [CTF] iam:DeactivateMFADevice and Change Password
Individual users can be granted the ability to list, create, deactivate, and delete MFA devices for their own profiles. However, when misconfigured, they can be granted the ability to do that for other users as well. Given that best practices say you should typically apply policies to Groups instead of individual users, it could be easy for an admin who doesn’t know better or who’s moving too quickly to apply those MFA permissions at the group level, creating an IAM PrivEsc path.
The senior developer in this lab account has been given access to a secret value stored in Secrets Manager. Since you are a junior developer in this scenario, you’re not supposed to be able to access that secret value for security purposes. However, since you’re clever, you will be able to discover an IAM misconfiguration that, through a few steps, gives you access to the flag stored in Secrets Manager.
You’ve successfully completed this lab once you’ve accessed the value of that secret in plaintext!
Steps
- Using the provided Access Key ID and Secret Access Key, configure your AWS CLI profile
- Using the AWS CLI, identify what permissions your current user has access to and perform general reconnaissance to familiarize yourself with the AWS environment
- Leverage your iam:DeactivateMFADevice permissions to gain access to other developer IAM users
- One of those IAM users is the senior developer who has access to a specific secret in Secrets Manager
- Access Secrets Manager and retrieve the secret value
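As an added example (not part of the lab), the misconfiguration this lab relies on can be caught in the policy document before it is ever attached to a group: the two constructed policies below show the overly broad grant beside the one scoped to the caller's own user via `${aws:username}`, and a small audit function flags self-service MFA and password actions allowed on anything else. The policy names, the action set and the check itself are assumptions of this example, not part of the lab.

```python
import fnmatch

# Constructed example of the lab's misconfiguration: a *group* policy that lets
# every member deactivate MFA and change passwords for any user (Resource "*").
WEAK_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:ListMFADevices", "iam:DeactivateMFADevice",
                   "iam:DeleteVirtualMFADevice", "iam:ChangePassword"],
        "Resource": "*",
    }],
}

# Corrected form (constructed): same actions, pinned to the caller's own user
# and the MFA device named after them via the aws:username policy variable.
SAFE_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:ListMFADevices", "iam:DeactivateMFADevice",
                   "iam:DeleteVirtualMFADevice", "iam:ChangePassword"],
        "Resource": ["arn:aws:iam::*:user/${aws:username}",
                     "arn:aws:iam::*:mfa/${aws:username}"],
    }],
}

# Self-service actions that are fine on ${aws:username} but a takeover path elsewhere.
SELF_SERVICE_ACTIONS = {"iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice",
                        "iam:ChangePassword", "iam:UpdateLoginProfile",
                        "iam:CreateLoginProfile"}

def find_overbroad_mfa_grants(policy):
    """Return (action, resource) pairs where a self-service IAM action is allowed
    on a resource not pinned to ${aws:username}. Condition blocks are ignored."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        resources = st.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        for act in actions:
            # Actions may be wildcards such as "iam:*"; match case-sensitively.
            hits = sorted(s for s in SELF_SERVICE_ACTIONS if fnmatch.fnmatchcase(s, act))
            for res in resources:
                if "${aws:username}" not in res:
                    findings.extend((h, res) for h in hits)
    return findings
```

Because Condition blocks are not evaluated, a flagged statement is a lead to review, not proof of a privilege-escalation path.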