The first challenge that wraps up the incredible IAM Privilege Escalation course on https://cybr.com
I’d first like to thank Cybr/Christophe very much for incredible customer service and providing/hosting this awesome platform. I’ve been in cyber/infosec almost 7 years, and between the wide variety of certs/courses/platforms, especially for Cloud, I put Cybr high on top of my list and can’t recommend enough!
Note: This is slightly condensed/edited for brevity/screenshots sake.
After receiving our keys/creds, let’s configure our account/profile and get our user name:
Great, we can see 2 users, let’s enumerate a bit further and see if we can start finding policies:
Turns out we can't run list-attached-user-policies, but that's all right: we can see we have 3 groups, which we'll check next for policies:
So now with the groups of Developers/Infrastructures, let's dig a bit deeper and see what we can do with this. It turns out we can list-attached-group-policies, and inside the policy named developer we're returned an ARN to look up:
Great, this policy says we can AddUserToGroup; now let's take a look at our other group:
This policy states we can AssumeRole as AppManagement; after assuming the AppManagement role, we can then AttachRolePolicy, which, misconfigured like this, is a huge no-no, but a yes-yes for us.
So let’s begin our chained-attack:
1. We need to add our current user, that's in the Developers group, to the Infrastructure Group, and then verify we're included in Infrastructure.
2. Once inside the Infrastructures Group, we now have the ability to AttachRolePolicy; I did skip ahead here, only because in the description we know we need the SecretsManager ARN policy:
However, to look for specific roles:
And to finish it up:
Essentially, we started with our user Adam, who couldn't do too much; all we did was enumerate, look around the environment and find policies/misconfigurations.
Crazy to think there are a lot of misconfigurations out there similar to this, so how do we protect against this?
Implementing/auditing/monitoring policies! It's important to have security in mind during all phases; something like this could have been easily prevented, super easily prevented. But this is the environment/space we are in: whether it's prod pressure or not having enough time, needing to rush will cause further major headaches down the road.
Reminds me of an old saying I enjoy repeating but, I'll admit, at times don't practice: "Do what you don't like first, then everything else is easy".
I think I ranted a good bit; there are a lot of different theories/processes I'll spare you here, and leave you with 2 incredible resources:
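As an added example of the "auditing policies" point (this is not code from the write-up or from Cybr), here is a small Python checker that reads IAM policy documents and reports whether the AddUserToGroup, AssumeRole and AttachRolePolicy links from this challenge are granted somewhere, so the chain can be caught before anyone walks it. The policy documents, group/role names and account id are constructed placeholders; Resource and Condition scoping are deliberately not evaluated.

```python
import fnmatch

# Actions that, chained together, form the escalation in the write-up.
CHAIN = ["iam:AddUserToGroup", "sts:AssumeRole", "iam:AttachRolePolicy"]

def allowed_actions(policy, wanted):
    """Return the members of `wanted` granted by an Allow statement,
    honouring wildcards such as iam:* or iam:Attach*. Resource and
    Condition scoping are deliberately not evaluated (simplification)."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            for action in wanted:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    found.add(action)
    return found

def escalation_chain(policies):
    """policies: {name: policy_dict}. Returns (action, policy name) pairs
    for each link of CHAIN that some policy grants."""
    links = []
    for action in CHAIN:
        for name, policy in policies.items():
            if action in allowed_actions(policy, {action}):
                links.append((action, name))
                break
    return links

def chain_complete(policies):
    """True when every link of the chain is granted somewhere."""
    return len(escalation_chain(policies)) == len(CHAIN)

# Constructed sample policies mirroring the write-up's groups and role;
# names, account id and ARN are placeholders, not from the course.
SAMPLE = {
    "developer": {"Statement": [
        {"Effect": "Allow", "Action": "iam:AddUserToGroup", "Resource": "*"}]},
    "infrastructure": {"Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Resource": "arn:aws:iam::123456789012:role/AppManagement"}]},
    "AppManagement-inline": {"Statement": [
        {"Effect": "Allow", "Action": "iam:Attach*", "Resource": "*"}]},
}
```

Running `escalation_chain(SAMPLE)` lists which policy grants each link; removing the AttachRolePolicy grant from the role (or scoping it to specific policy ARNs) breaks the chain, which is the fix the write-up is pointing at.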
https://rhinosecuritylabs.com/blog/?category=aws
Next write-up is the 2nd challenge from this course and that was a lot of fun as well!