This walkthrough assumes you have CloudGoat set up on your Kali Linux. You can use our post, Working with CloudGoat: The “vulnerable by design” AWS environment as a guide in deploying it.
Scenario summary
This scenario starts with an IAM user “Raynor” with limited privileges. The attacker is able to review previous IAM policy versions and restore one which allows full admin privileges, resulting in a privilege escalation exploit. The goal of the scenario is to acquire full administrative privileges in the AWS account.
Walkthrough
To deploy the resources for each scenario on AWS: ./cloudgoat.py create iam_privesc_by_rollback
Without Pacu
Enumerate the policies and permissions attached to the user “Raynor” and see what privileges the user has.
Running the below revealed nothing.
aws iam list-user-policies –-user-name
aws iam list-attached-user-policies –-user-name
Get more information on the managed policy attached to the IAM user:
aws iam get-policy -–policy-arn
get-policy: Retrieves information about the specified managed policy, including the policy’s default version and the total number of IAM users, groups and roles to which the policy is attached. We can see that this policy version is v1. When you make changes to an IAM customer-managed policy and when AWS makes changes to an AWS-managed policy, the changed policy doesn’t overwrite the existing policy. Instead, IAM creates a new version of the managed policy. IAM stores up to five versions of your customer-managed policies.
Review details of the policy attached to this IAM user:
aws iam get-policy-version -–policy-arn
We noticed that this policy has iam:SetDefaultPolicyVersion allowed. When modifying a policy, AWS automatically creates a new policy version with the changes. Those changes can then be undone by reverting the policy to a previous version. Users with the iam:SetDefaultPolicyVersion are allowed to set which version of the policy is the default (active) version. An attacker with the iam:SetDefaultPolicyVersion permission may be able to escalate privileges through existing policy versions not currently in use. If a policy that they have access to has versions that are not the default, they would be able to change the default version to any other existing version.
Check to see if there are other versions of this policy:
aws iam list-policy-versions -–policy-arn
We can see that there are five (5) versions of this policy. We check other versions of the IAM policy just in case.
Review other versions of the policy
aws iam get-policy-version -–policy-arn
This policy allows all actions to all resources. This basically grants the user administrative access to the AWS account. Version 3
This policy allows the only the following actions: “s3:ListBucket”, “s3:GetObject” and “s3:ListAllMyBuckets”. Version 4
This policy whitelists those two (2) IP subnets. Version 5
This policy allows this action “iam:Get*” to all AWS resources but only allows for a specified time period which has expired.
Restore the previous version of the policy (v2):
aws iam get-policy-version -–policy-arn
Confirm the version attached to the IAM user:
Confirm new privileges by creating a new s3 bucket:
aws s3api create-bucket –bucket
With Pacu
Set AWS keys for the users:
Enumerate information about all users, roles, customer-managed policies and groups in the account.
run iam__enum_users_roles_policies_groups
Check the information extracted and stored in the database during the enumeration.
data
Run the IAM privilege scan module:
run iam__privesc_scan
Switch to version v5, which grants the IAM user administrative access to the AWS environment.
Confirm which version of the policy is attached to the IAM user:
Test the new privileges and create a new bucket:
aws s3api create-bucket –bucket
Sources
Versioning IAM Policies, AWS AWS CLI Command Reference – IAM, AWS Well, that escalated quickly, Bishop Fox AWS IAM Privilege Escalation Methods, Rhino Security Labs
