CloudGoat AWS CTF solution: Scenario 5 (iam_privesc_by_attachment)

Scenario: iam_privesc_by_attachment

Deployment:

Scenario Resources

  • 1 VPC with: EC2 x 1
  • 1 IAM User

Scenario Start(s)

  1. IAM User “Kerrigan”

Scenario Goal(s)

Delete the EC2 instance “cg-super-critical-security-server”

Summary

Starting with a very limited set of permissions, the attacker is able to leverage the instance-profile-attachment permissions to create a new EC2 instance with significantly greater privileges than their own. With access to this new EC2 instance, the attacker gains full administrative powers within the target account and is able to accomplish the scenario’s goal — deleting the cg-super-critical-security-server and paving the way for further nefarious actions.

Exploitation Route(s)

Walkthrough — IAM User “kerrigan”

  1. Starting as the IAM user “Kerrigan,” the attacker uses their limited privileges to explore the environment.

a. Using Pacu’s “iam__bruteforce_permissions” module to enumerate permissions.

b. Using enumerate-iam to brute-force permissions.

After downloading aws-sdk-js into the “enumerate_iam” folder, run the generate_bruteforce_tests.py script.

c. Running “enumerate-iam”.

2. Checking running EC2 instances using ec2:DescribeInstances.

3. Checking available instance profiles.

We found an interesting instance profile, “arn:aws:iam::864154101007:instance-profile/cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidztq4yffc22”, with the role “cg-ec2-meek-role-iam_privesc_by_attachment_cgidztq4yffc22”.

4. Let’s list roles, as we have the list-roles permission.

We found two interesting roles:

cg-ec2-meek-role-iam_privesc_by_attachment_cgidztq4yffc22 and cg-ec2-mighty-role-iam_privesc_by_attachment_cgidztq4yffc22; judging by the name, the “mighty” one seems more interesting.

5. Let’s try to add “mighty” role to the instance profile.

Note: our enumeration tools (Pacu and enumerate-iam) were unable to detect these four permissions:

“iam:AddRoleToInstanceProfile”, “iam:RemoveRoleFromInstanceProfile”, “ec2:AssociateIamInstanceProfile”, “ec2:RunInstances”

but upon checking manually I found our user has these additional permissions.

We got an error: “Cannot exceed quota for InstanceSessionsPerInstanceProfile: 1”. Let’s remove the existing attached role and then add the “mighty” role.

6. Now we can use the “AssociateIamInstanceProfile” permission to associate this profile (“cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidztq4yffc22”) with a running EC2 instance.

7. Now we are ready to spin up an EC2 instance with full permissions.

a) Creating an EC2 SSH key pair.

b) Running the EC2 instance.

8. Logging in and fetching credentials from this instance.

OR

Alternatively, we can install the AWS CLI within the EC2 instance and run the commands from there.

9. Using these credentials to delete “cg-super-critical-security-server”.

i-0064345de3f005c7a
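From the defender’s side, the chain above leaves a distinctive CloudTrail footprint: the same principal removes one role from an instance profile, adds a different role to it, and then launches (or associates) an instance with that profile. The following Python snippet is an added example, not from the original post or from CloudGoat, that flags that sequence; the sample events, the account ID and the shortened meek/mighty names are constructed, and the RunInstances parameter layout is an assumption.

```python
# Constructed sample CloudTrail records (not real log data); the account ID
# and the shortened meek/mighty role and profile names are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2023-01-01T10:00:00Z", "eventName": "RemoveRoleFromInstanceProfile",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/kerrigan"},
     "requestParameters": {"instanceProfileName": "cg-ec2-meek-instance-profile",
                           "roleName": "cg-ec2-meek-role"}},
    {"eventTime": "2023-01-01T10:01:00Z", "eventName": "AddRoleToInstanceProfile",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/kerrigan"},
     "requestParameters": {"instanceProfileName": "cg-ec2-meek-instance-profile",
                           "roleName": "cg-ec2-mighty-role"}},
    {"eventTime": "2023-01-01T10:05:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/kerrigan"},
     "requestParameters": {"iamInstanceProfile": {"name": "cg-ec2-meek-instance-profile"}}},
]

# Events that put a (possibly re-armed) instance profile onto an EC2 instance.
USE_EVENTS = {"RunInstances", "AssociateIamInstanceProfile"}

def profile_name(event):
    """Return the instance profile name an event refers to, or None.
    IAM events carry instanceProfileName; EC2 events are assumed to carry
    iamInstanceProfile with a name or an ARN (matched on the last segment)."""
    params = event.get("requestParameters") or {}
    if "instanceProfileName" in params:
        return params["instanceProfileName"]
    profile = params.get("iamInstanceProfile") or {}
    ref = profile.get("name") or profile.get("arn") or ""
    return ref.rsplit("/", 1)[-1] or None

def find_role_swaps(events):
    """Alert when one principal removes role A from an instance profile, adds
    role B to the same profile, and then uses that profile on an instance.
    Returns alert dicts in event-time order."""
    swapped = {}  # (principal, profile) -> [removed_role, added_role]
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        who = ev["userIdentity"]["arn"]
        key = (who, profile_name(ev))
        if ev["eventName"] == "RemoveRoleFromInstanceProfile":
            swapped[key] = [ev["requestParameters"]["roleName"], None]
        elif ev["eventName"] == "AddRoleToInstanceProfile" and key in swapped:
            swapped[key][1] = ev["requestParameters"]["roleName"]
        elif ev["eventName"] in USE_EVENTS and swapped.get(key, [None, None])[1]:
            alerts.append({"principal": who, "profile": key[1],
                           "from": swapped[key][0], "to": swapped[key][1],
                           "via": ev["eventName"]})
    return alerts
```

The root cause is the permission set itself: a user who holds both iam:AddRoleToInstanceProfile/RemoveRoleFromInstanceProfile and iam:PassRole-equivalent launch rights can escalate, so the lasting fix is to strip those from low-privilege identities rather than rely on detection alone.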

References:

https://github.com/RhinoSecurityLabs/cloudgoat/blob/master/scenarios/iam_privesc_by_attachment/README.md
