We are tasked with conducting a security assessment of Serious Corp's environment. We have been granted access to an AWS IAM user, Adam, but lack detailed knowledge of the environment. We only know that Emma, an infrastructure engineer, uses the AppManagement IAM Role to carry out her responsibilities.
Adam, a member of the Developers IAM Group, can escalate privileges by adding himself to the Infrastructure Group. Membership in the Infrastructure Group lets him assume the AppManagement IAM Role, and a separate permission in the Developers policy lets him attach any managed policy to that role, so the role can be given whatever permissions he chooses. The chain ends with Adam reading an encoded secret (the flag) from AWS Secrets Manager.
Walkthrough
Enumeration
After setting up Adam's credentials with the AWS CLI, we'll want to try enumerating access.
aws --profile adam iam list-attached-user-policies --user-name iam-secrets-unleashed-privesc-1728355140609-Adam

An error occurred (AccessDenied) when calling the ListAttachedUserPolicies operation: User: arn:aws:iam::014498641659:user/iam-secrets-unleashed-privesc-1728355140609-Adam is not authorized to perform: iam:ListAttachedUserPolicies on resource: user iam-secrets-unleashed-privesc-1728355140609-Adam because no permissions boundary allows the iam:ListAttachedUserPolicies action
It appears that Adam has a permissions boundary attached. A permissions boundary is a managed policy that sets the maximum permissions an IAM user or role can have: an action is allowed only if both the boundary and an identity-based policy allow it, and an explicit Deny in either wins. Boundaries are typically used to delegate IAM administration (for example, letting developers create roles) without letting them grant more access than the boundary permits. The error message is useful to us as attackers because it says exactly which side of that intersection failed: here it is the boundary, not the identity-based policy, that lacks iam:ListAttachedUserPolicies.
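To make that intersection concrete, here is an added example (not part of the original walkthrough) that evaluates actions against a constructed identity-based policy and a constructed permissions boundary shaped like the lab. The policy documents, the account ID 123456789012, the group path and the AppManagement role ARN are assumptions; the evaluator deliberately ignores Condition elements, SCPs, resource-based policies and session policies.

```python
import fnmatch

# Constructed identity-based policy attached to the Developers group.
# Account ID, group path and role name are assumptions, not the lab's real documents.
DEVELOPERS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:List*", "iam:Get*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:AddUserToGroup",
         "Resource": "arn:aws:iam::123456789012:group/division_it/internal_apps/*"},
        {"Effect": "Allow", "Action": ["iam:AttachRolePolicy", "sts:AssumeRole"],
         "Resource": "arn:aws:iam::123456789012:role/AppManagement"},
    ],
}

# Constructed permissions boundary applied to the Adam user. Note that it never
# mentions iam:ListAttachedUserPolicies or sts:AssumeRole at all.
ADAM_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "iam:ListGroupsForUser", "iam:ListGroups", "iam:ListGroupPolicies",
            "iam:ListAttachedGroupPolicies", "iam:ListPolicyVersions",
            "iam:GetPolicyVersion", "iam:AddUserToGroup", "iam:AttachRolePolicy"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action, resource):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    resources = _as_list(statement.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def _policy_verdict(policy, action, resource):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    verdict = None
    for statement in policy["Statement"]:
        if _statement_matches(statement, action, resource):
            if statement["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def evaluate(action, resource, identity_policy, boundary=None):
    """Simplified IAM evaluation for one action/resource pair.

    Order mirrors the documented logic for a principal acting in its own
    account: an explicit Deny anywhere wins; a boundary, if present, must
    allow the action; then an identity-based policy must allow it.
    """
    identity = _policy_verdict(identity_policy, action, resource)
    if identity == "Deny":
        return "ExplicitDeny: identity-based policy"
    if boundary is not None:
        bound = _policy_verdict(boundary, action, resource)
        if bound == "Deny":
            return "ExplicitDeny: permissions boundary"
        if bound is None:
            return f"ImplicitDeny: no permissions boundary allows {action}"
    if identity == "Allow":
        return "Allowed"
    return f"ImplicitDeny: no identity-based policy allows {action}"


def adam_can(action, resource):
    """Evaluate an action for the constructed Adam user (Developers policy + boundary)."""
    return evaluate(action, resource, DEVELOPERS_POLICY, ADAM_BOUNDARY)


if __name__ == "__main__":
    acct = "arn:aws:iam::123456789012"
    for act, res in [
        ("iam:ListAttachedUserPolicies", f"{acct}:user/Adam"),
        ("iam:ListGroupsForUser", f"{acct}:user/Adam"),
        ("sts:AssumeRole", f"{acct}:role/AppManagement"),
        ("iam:AddUserToGroup", f"{acct}:group/division_it/internal_apps/Infrastructure"),
        ("iam:AddUserToGroup", f"{acct}:group/division_it/finance/Admins"),
        ("iam:AttachRolePolicy", f"{acct}:role/AppManagement"),
    ]:
        print(f"{act:30} {res.split(':')[-1]:55} {adam_can(act, res)}")
```

Running it shows why the CLI error above blames the boundary: the Developers policy's iam:List* wildcard does allow iam:ListAttachedUserPolicies, but the boundary does not, so the result is an implicit deny from the boundary side. The same logic explains why a direct sts:AssumeRole on AppManagement fails while iam:AddUserToGroup on the internal_apps path succeeds.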
Let's see if Adam is a member of any IAM groups (iam:ListGroupsForUser). Groups are a way to assign permissions to many users at once, and a user's effective permissions include every policy attached to every group they belong to.
Like users and roles, groups can have both inline and managed policies attached. Listing the Developers group's inline policies returned none, but listing its attached managed policies returned the ARN of a customer managed policy.
Now that we have the policy ARN, we can check whether the policy has multiple versions. A managed policy keeps up to five versions, and a principal with iam:SetDefaultPolicyVersion can switch the default to any of them. If a non-default version is more permissive, this is a well-known privilege escalation path, so it is worth checking before looking at the policy document itself.
aws --profile adam iam list-policy-versions --policy-arn arn:aws:iam::014498641659:policy/iam-secrets-unleashed-privesc-1728355140609-developers
{
    "Versions": [
        {
            "VersionId": "v1",
            "IsDefaultVersion": true,
            "CreateDate": "2024-10-08T02:39:41+00:00"
        }
    ]
}
Alright, so there is only one version. Can we read the policy document (iam:GetPolicyVersion)?
Initially, I tried to assume the AppManagement role directly but was blocked by the permissions boundary. The iam:AddUserToGroup permission in the Developers policy is more interesting. Let's see what other groups exist in the account.
Based on the Developers policy, we can add ourselves to any group whose ARN falls under the path group/division_it/internal_apps/*. Let's add Adam to the Infrastructure group. Once he is a member, the Infrastructure group's own policies apply to him as well, which is what makes assuming AppManagement possible.
We're unable to enumerate the policies attached to the AppManagement role, but we know from the Developers group's policy that Adam has iam:AttachRolePolicy on that role. This lets us attach any managed policy to it, for example the AWS managed AdministratorAccess policy, and then assume the role to use those permissions.
In a well-monitored environment, attaching AdministratorAccess to a role is exactly the kind of change that triggers alerts. To be more discreet and still reach the flag in Secrets Manager, let's attach the AWS managed SecretsManagerReadWrite policy instead. Both attachments are recorded in CloudTrail as AttachRolePolicy events, so this only lowers the chance of tripping detections that key on the policy name; it does not hide the action.
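To show what the defender actually sees from this chain, here is an added example (not from the original walkthrough) that runs simple detection logic over a handful of constructed CloudTrail records. The records, the account ID 123456789012, the principal names and the timestamps are made up; the rules flag a principal adding itself to a group, attachment of well-known high-privilege managed policies, any other managed-policy attachment, and default-version changes.

```python
# Constructed CloudTrail records for the steps in this walkthrough.
# Account ID, ARNs, principal names and times are assumptions, not real data.
SAMPLE_EVENTS = [
    {"eventTime": "2024-10-08T03:01:12Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListGroups",
     "userIdentity": {"type": "IAMUser", "userName": "Adam",
                      "arn": "arn:aws:iam::123456789012:user/Adam"},
     "requestParameters": {"pathPrefix": "/division_it/"}},
    {"eventTime": "2024-10-08T03:02:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup",
     "userIdentity": {"type": "IAMUser", "userName": "Adam",
                      "arn": "arn:aws:iam::123456789012:user/Adam"},
     "requestParameters": {"groupName": "Infrastructure", "userName": "Adam"}},
    {"eventTime": "2024-10-08T03:05:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "IAMUser", "userName": "Adam",
                      "arn": "arn:aws:iam::123456789012:user/Adam"},
     "requestParameters": {"roleName": "AppManagement",
                           "policyArn": "arn:aws:iam::aws:policy/SecretsManagerReadWrite"}},
    {"eventTime": "2024-10-08T03:05:20Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "IAMUser", "userName": "Adam",
                      "arn": "arn:aws:iam::123456789012:user/Adam"},
     "requestParameters": {"roleName": "AppManagement",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    # An administrator adding a different user: routine, should not fire.
    {"eventTime": "2024-10-08T09:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup",
     "userIdentity": {"type": "IAMUser", "userName": "Emma",
                      "arn": "arn:aws:iam::123456789012:user/Emma"},
     "requestParameters": {"groupName": "Developers", "userName": "Bob"}},
]

HIGH_PRIVILEGE_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
}
POLICY_ATTACH_EVENTS = {"AttachRolePolicy", "AttachUserPolicy", "AttachGroupPolicy"}


def analyze_event(event):
    """Return a list of (severity, eventName, description) findings for one record."""
    name = event.get("eventName", "")
    actor = (event.get("userIdentity") or {}).get("userName", "<unknown>")
    params = event.get("requestParameters") or {}
    findings = []

    # A principal adding *itself* to a group is the classic IAM self-escalation.
    if name == "AddUserToGroup" and params.get("userName") == actor:
        findings.append(("high", name,
                         f"{actor} added themselves to group {params.get('groupName')}"))

    # Every managed-policy attachment is worth a look; known admin policies are critical.
    if name in POLICY_ATTACH_EVENTS:
        arn = params.get("policyArn", "")
        target = params.get("roleName") or params.get("userName") or params.get("groupName")
        policy_name = arn.rsplit("/", 1)[-1]
        severity = "high" if arn in HIGH_PRIVILEGE_POLICIES else "medium"
        findings.append((severity, name, f"{actor} attached {policy_name} to {target}"))

    # Flipping a policy's default version can silently change its permissions.
    if name == "SetDefaultPolicyVersion":
        findings.append(("high", name,
                         f"{actor} set {params.get('policyArn')} default to {params.get('versionId')}"))

    return findings


def scan(events):
    """Run analyze_event over a batch, e.g. the Records array of a CloudTrail log file."""
    return [finding for event in events for finding in analyze_event(event)]


if __name__ == "__main__":
    for severity, name, description in scan(SAMPLE_EVENTS):
        print(f"[{severity.upper():6}] {name:20} {description}")
```

Against the constructed batch, the self-add to Infrastructure and the AdministratorAccess attachment both come out as high, while the SecretsManagerReadWrite attachment is still flagged at medium: the "discreet" choice changes the severity a rule assigns, not whether the event exists.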