CloudGoat AWS CTF solution - Scenario 5 (iam_privesc_by_attachment)
Scenario: iam_privesc_by_attachment
Deployment:
git clone https://github.com/RhinoSecurityLabs/cloudgoat.git
cd cloudgoat
chmod +x cloudgoat.py
./cloudgoat.py create iam_privesc_by_attachment
~/.aws/credentials
Scenario Resources
- 1 VPC with: EC2 x 1
- 1 IAM User
Scenario Start(s)
- IAM User “Kerrigan”
Scenario Goal(s)
Delete the EC2 instance “cg-super-critical-security-server”
Summary
Starting with a very limited set of permissions, the attacker is able to leverage the instance-profile-attachment permissions to create a new EC2 instance with significantly greater privileges than their own. With access to this new EC2 instance, the attacker gains full administrative powers within the target account and is able to accomplish the scenario’s goal — deleting the cg-super-critical-security-server and paving the way for further nefarious actions.
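An added example, not part of the original write-up or of the CloudGoat project: a Python audit check that flags IAM policies granting the permission combination the Summary describes, namely passing a role to an EC2 instance the principal can launch or re-profile. The function names are hypothetical and the sample policies are constructed; they are not the scenario's real policy documents.

```python
from fnmatch import fnmatchcase

# Putting a role on an EC2 instance needs iam:PassRole plus one of these.
COMPUTE = {"ec2:RunInstances", "ec2:AssociateIamInstanceProfile",
           "ec2:ReplaceIamInstanceProfileAssociation"}
# Editing which role a profile carries widens what can be handed over.
PROFILE_EDIT = {"iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile"}
WATCHED = COMPUTE | PROFILE_EDIT | {"iam:PassRole"}


def _as_list(value):
    """IAM accepts a single item where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def granted_actions(policy):
    """Watched actions granted by Allow statements (Deny, NotAction,
    Condition and Resource scoping are ignored, so this over-reports)."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            # IAM action names are case-insensitive; * and ? are wildcards.
            granted |= {a for a in WATCHED
                        if fnmatchcase(a.lower(), pattern.lower())}
    return granted


def instance_profile_escalation(policy):
    """Sorted risky actions if the policy can pass a role to EC2, else []."""
    granted = granted_actions(policy)
    if "iam:PassRole" in granted and granted & COMPUTE:
        return sorted(granted)
    return []


# Constructed sample policies, not the scenario's real policy documents.
LIMITED_USER = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "ec2:RunInstances", "iam:List*",
               "iam:passrole", "iam:AddRoleToInstanceProfile"]}]}
READ_ONLY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": "*", "Action": "ec2:Describe*"}}
```

A non-empty result means the policy deserves a manual review of which roles its iam:PassRole resource scope actually covers.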