AWS IAM enumeration using AWS CLI (with CloudGoat)
24 Oct 2024
Explanation
To prepare for a full AWS environment pentest, this post summarizes how to use the AWS CLI for IAM enumeration.
Set up the target environment
Using CloudGoat, we can set up the target environment.
kali@kali:~/cloudgoat$ ./cloudgoat.py create iam_privesc_by_rollback
Using default profile "default" from config.yml...
Loading whitelist.txt...
A whitelist.txt file was found that contains at least one valid IP address or range.
Initializing the backend...
Initializing provider plugins...
- Finding latest version of hashicorp/local...
- Finding latest version of hashicorp/aws...
- Finding latest version of hashicorp/null...
- Installing hashicorp/local v2.5.2...
- Installed hashicorp/local v2.5.2 (signed by HashiCorp)
- Installing hashicorp/aws v5.72.1...
- Installed hashicorp/aws v5.72.1 (signed by HashiCorp)
- Installing hashicorp/null v3.2.3...
- Installed hashicorp/null v3.2.3 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
Terraform has been successfully initialized!
---snip---
[cloudgoat] terraform output completed with no error code.
cloudgoat_output_aws_account_id = 096165652555
cloudgoat_output_policy_arn = arn:aws:iam::096165652555:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidi6arp6df8r
cloudgoat_output_raynor_access_key_id = AKI{MASKED}
cloudgoat_output_raynor_secret_key = twe{MASKED}
cloudgoat_output_username = raynor-iam_privesc_by_rollback_cgidi6arp6df8r
[cloudgoat] Output file written to:
/home/kali/cloudgoat/iam_privesc_by_rollback_cgidi6arp6df8r/start.txt
kali@kali:~/cloudgoat$
Set up the AWS CLI
kali@kali:~/cloudgoat$ aws configure --profile raynor
AWS Access Key ID [****************NZOB]: AKI{MASKED}
AWS Secret Access Key [****************scS6]: twe{MASKED}
Default region name [None]:
Default output format [None]:
kali@kali:~/cloudgoat$
Listing the profiles configured for the AWS CLI:
kali@kali:~/cloudgoat$ cat /home/kali/.aws/config
[default]
region = ap-northeast-1
[profile raynor]
kali@kali:~/cloudgoat$ cat /home/kali/.aws/credentials
[default]
aws_access_key_id = {MASKED}
aws_secret_access_key = {MASKED}
[raynor]
aws_access_key_id = {MASKED}
aws_secret_access_key = {MASKED}
kali@kali:~/cloudgoat$
Showing the configuration of each profile:
kali@kali:~/cloudgoat$ aws configure list
Name Value Type Location
---- ----- ---- --------
profile <not set> None None
access_key ****************EDF2 shared-credentials-file
secret_key ****************Su+Y shared-credentials-file
region ap-northeast-1 config-file ~/.aws/config
kali@kali:~/cloudgoat$ aws configure list --profile raynor
Name Value Type Location
---- ----- ---- --------
profile raynor manual --profile
access_key ****************O6UC shared-credentials-file
secret_key ****************/6AM shared-credentials-file
region <not set> None None
kali@kali:~/cloudgoat$
Information about the current user:
kali@kali:~/cloudgoat$ aws sts get-caller-identity --profile raynor
{
"UserId": "AIDARMY7LNBF63A2U57CR",
"Account": "096165652555",
"Arn": "arn:aws:iam::096165652555:user/raynor-iam_privesc_by_rollback_cgidi6arp6df8r"
}
kali@kali:~/cloudgoat$ aws iam get-user --profile raynor
{
"User": {
"Path": "/",
"UserName": "raynor-iam_privesc_by_rollback_cgidi6arp6df8r",
"UserId": "AIDARMY7LNBF63A2U57CR",
"Arn": "arn:aws:iam::096165652555:user/raynor-iam_privesc_by_rollback_cgidi6arp6df8r",
"CreateDate": "2024-10-22T06:19:44+00:00",
"Tags": [
{
"Key": "Scenario",
"Value": "iam-privesc-by-rollback"
},
{
"Key": "Name",
"Value": "cg-raynor-iam_privesc_by_rollback_cgidi6arp6df8r"
},
{
"Key": "Stack",
"Value": "CloudGoat"
}
]
}
}
kali@kali:~/cloudgoat$
User enumeration
Listing IAM users:
kali@kali:~/cloudgoat$ aws iam list-users --profile raynor
{
"Users": [
{
"Path": "/",
"UserName": "CloudGoat",
"UserId": "AIDARMY7LNBF2BDO326TP",
"Arn": "arn:aws:iam::096165652555:user/CloudGoat",
"CreateDate": "2024-10-17T00:46:41+00:00"
},
{
"Path": "/",
"UserName": "pacu-test",
"UserId": "AIDARMY7LNBFU5F7IRXOU",
"Arn": "arn:aws:iam::096165652555:user/pacu-test",
"CreateDate": "2024-10-16T06:11:35+00:00"
},
{
"Path": "/",
"UserName": "raynor-iam_privesc_by_rollback_cgidi6arp6df8r",
"UserId": "AIDARMY7LNBF63A2U57CR",
"Arn": "arn:aws:iam::096165652555:user/raynor-iam_privesc_by_rollback_cgidi6arp6df8r",
"CreateDate": "2024-10-22T06:19:44+00:00"
}
]
}
kali@kali:~/cloudgoat$
Listing IAM roles (note that this command, and several of the later ones, was run without --profile raynor, so it used the default profile; add --profile raynor to enumerate with the target user's permissions):
kali@kali:~/cloudgoat$ aws iam list-roles
{
"Roles": [
{
"Path": "/aws-service-role/ops.apigateway.amazonaws.com/",
"RoleName": "AWSServiceRoleForAPIGateway",
"RoleId": "AROARMY7LNBFSXQV75EUN",
"Arn": "arn:aws:iam::096165652555:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway",
"CreateDate": "2024-04-26T08:37:38+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ops.apigateway.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "The Service Linked Role is used by Amazon API Gateway.",
"MaxSessionDuration": 3600
},
---snip---
Listing IAM groups:
kali@kali:~/cloudgoat$ aws iam list-groups --profile raynor
{
"Groups": [
{
"Path": "/",
"GroupName": "administrators",
"GroupId": "AGPARMY7LNBF7TF724LYP",
"Arn": "arn:aws:iam::096165652555:group/administrators",
"CreateDate": "2024-04-11T05:04:18+00:00"
}
]
}
kali@kali:~/cloudgoat$
Information about the specific role/group
Getting information about a specific role:
kali@kali:~/cloudgoat$ aws iam get-role --role-name AWSServiceRoleForOrganizations --profile raynor
{
"Role": {
"Path": "/aws-service-role/organizations.amazonaws.com/",
"RoleName": "AWSServiceRoleForOrganizations",
"RoleId": "AROARMY7LNBF7F4M55MCE",
"Arn": "arn:aws:iam::096165652555:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations",
"CreateDate": "2024-04-11T05:00:51+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "organizations.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "Service-linked role used by AWS Organizations to enable integration of other AWS services with Organizations.",
"MaxSessionDuration": 3600,
"RoleLastUsed": {}
}
}
kali@kali:~/cloudgoat$
Getting information about a specific group:
kali@kali:~/cloudgoat$ aws iam get-group --group-name administrators --profile raynor
{
"Users": [],
"Group": {
"Path": "/",
"GroupName": "administrators",
"GroupId": "AGPARMY7LNBF7TF724LYP",
"Arn": "arn:aws:iam::096165652555:group/administrators",
"CreateDate": "2024-04-11T05:04:18+00:00"
}
}
kali@kali:~/cloudgoat$
Managed Policy Enumeration
Listing the managed policies attached to a specific user:
kali@kali:~/cloudgoat$ aws iam list-attached-user-policies --profile raynor --user-name raynor-iam_privesc_by_rollback_cgidi6arp6df8r
{
"AttachedPolicies": [
{
"PolicyName": "cg-raynor-policy-iam_privesc_by_rollback_cgidi6arp6df8r",
"PolicyArn": "arn:aws:iam::096165652555:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidi6arp6df8r"
}
]
}
kali@kali:~/cloudgoat$
Listing the managed policies attached to a specific role:
kali@kali:~/cloudgoat$ aws iam list-attached-role-policies --profile raynor --role-name AWSServiceRoleForOrganizations
{
"AttachedPolicies": [
{
"PolicyName": "AWSOrganizationsServiceTrustPolicy",
"PolicyArn": "arn:aws:iam::aws:policy/aws-service-role/AWSOrganizationsServiceTrustPolicy"
}
]
}
kali@kali:~/cloudgoat$
Listing the managed policies attached to a specific group:
kali@kali:~/cloudgoat$ aws iam list-attached-group-policies --profile raynor --group-name administrators
{
"AttachedPolicies": [
{
"PolicyName": "AdministratorAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
}
]
}
kali@kali:~/cloudgoat$
Listing customer-managed policies (--scope Local excludes AWS-managed policies; use --scope AWS or --scope All to include them):
kali@kali:~/cloudgoat$ aws iam list-policies --scope Local
{
"Policies": [
{
"PolicyName": "cg-raynor-policy-iam_privesc_by_rollback_cgidi6arp6df8r",
"PolicyId": "ANPARMY7LNBF5KTFGEFVW",
"Arn": "arn:aws:iam::096165652555:policy/cg-raynor-policy-iam_privesc_by_rollback_cgidi6arp6df8r",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2024-10-22T06:19:44+00:00",
"UpdateDate": "2024-10-22T06:19:47+00:00"
},
{
"PolicyName": "pacu_privesc_test",
"PolicyId": "ANPARMY7LNBFYER5B7WXH",
"Arn": "arn:aws:iam::096165652555:policy/pacu_privesc_test",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2024-10-15T05:19:51+00:00",
"UpdateDate": "2024-10-15T05:19:51+00:00"
}
]
}
kali@kali:~/cloudgoat$
Getting the details of a specific policy:
kali@kali:~/cloudgoat$ aws iam get-policy --profile raynor --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
{
"Policy": {
"PolicyName": "AdministratorAccess",
"PolicyId": "ANPAIWMBCKSKIEE64ZLYK",
"Arn": "arn:aws:iam::aws:policy/AdministratorAccess",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 2,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"Description": "Provides full access to AWS services and resources.",
"CreateDate": "2015-02-06T18:39:46+00:00",
"UpdateDate": "2015-02-06T18:39:46+00:00",
"Tags": []
}
}
kali@kali:~/cloudgoat$
Listing the versions of the policy (a non-default version can be more permissive than the default one, so inspect every version, not only the default):
kali@kali:~/cloudgoat$ aws iam list-policy-versions --profile raynor --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
{
"Versions": [
{
"VersionId": "v1",
"IsDefaultVersion": true,
"CreateDate": "2015-02-06T18:39:46+00:00"
}
]
}
kali@kali:~/cloudgoat$
Showing the policy document of a specific version of the policy:
kali@kali:~/cloudgoat$ aws iam get-policy-version --profile raynor --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --version-id v1
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
},
"VersionId": "v1",
"IsDefaultVersion": true,
"CreateDate": "2015-02-06T18:39:46+00:00"
}
}
kali@kali:~/cloudgoat$
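Once list-policy-versions and get-policy-version have been run for a policy, the useful next step is to compare every version's document against the default one and to flag actions that let a principal grant itself more access. The following is an added example, not code from the original post: it works offline over constructed JSON shaped like the two CLI outputs (feed it real output with json.load instead). The sample documents and the short PRIVESC_ACTIONS list are assumptions for illustration, not CloudGoat's actual policy.

```python
import fnmatch

# Constructed sample input (assumption, not CloudGoat's real policy): the
# shape of `aws iam list-policy-versions` output, plus one
# `aws iam get-policy-version` Document per version.
SAMPLE_VERSIONS = {
    "Versions": [
        {"VersionId": "v1", "IsDefaultVersion": True},
        {"VersionId": "v2", "IsDefaultVersion": False},
    ]
}
SAMPLE_DOCUMENTS = {
    "v1": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["iam:Get*", "iam:List*", "iam:SetDefaultPolicyVersion"],
             "Resource": "*"},
            {"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"},
        ],
    },
    "v2": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
}

# Illustrative subset (assumption) of IAM actions that let a principal give
# itself more permissions; extend it for real engagements.
PRIVESC_ACTIONS = {
    "iam:setdefaultpolicyversion",
    "iam:createpolicyversion",
    "iam:attachuserpolicy",
    "iam:putuserpolicy",
    "iam:createaccesskey",
    "iam:createloginprofile",
    "iam:updateassumerolepolicy",
    "iam:passrole",
}


def _as_list(value):
    """IAM allows Statement and Action to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(document):
    """Lowercased Action patterns from Allow statements.

    Deny statements are skipped and NotAction is ignored, so this is a
    triage view, not a full policy evaluation.
    """
    actions = set()
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions.update(a.lower() for a in _as_list(stmt.get("Action")))
    return actions


def default_version_id(versions):
    return next(v["VersionId"] for v in versions["Versions"] if v["IsDefaultVersion"])


def extra_actions_per_version(versions, documents):
    """Map each non-default version to the Action patterns it allows that the
    default version does not: the candidates a rollback would unlock."""
    base = allowed_actions(documents[default_version_id(versions)])
    return {
        v["VersionId"]: allowed_actions(documents[v["VersionId"]]) - base
        for v in versions["Versions"]
        if not v["IsDefaultVersion"]
    }


def privesc_hits(actions):
    """Privesc-relevant actions matched by any allowed pattern
    ('*', 'iam:*' and 'iam:Set*' all count as matches)."""
    return {
        p for p in PRIVESC_ACTIONS
        if any(fnmatch.fnmatchcase(p, pattern) for pattern in actions)
    }


if __name__ == "__main__":
    print("default version:", default_version_id(SAMPLE_VERSIONS))
    for vid, extra in extra_actions_per_version(SAMPLE_VERSIONS, SAMPLE_DOCUMENTS).items():
        print(f"{vid}: allows beyond default -> {sorted(extra)}")
    for vid, doc in SAMPLE_DOCUMENTS.items():
        print(f"{vid}: privesc-capable actions -> {sorted(privesc_hits(allowed_actions(doc)))}")
```

With the constructed input, the default v1 only reads IAM but already carries iam:SetDefaultPolicyVersion, and v2 allows "*"; the comparison is what makes that pairing visible, which a look at the default version alone would miss.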
Inline Policy Enumeration
Listing the inline policies of a specific user:
kali@kali:~/cloudgoat$ aws iam list-user-policies --user-name raynor-iam_privesc_by_rollback_cgidi6arp6df8r
{
"PolicyNames": []
}
kali@kali:~/cloudgoat$
Listing the inline policies of a specific group:
kali@kali:~/cloudgoat$ aws iam list-group-policies --group-name administrators
{
"PolicyNames": []
}
kali@kali:~/cloudgoat$
Showing the policy document of a specific inline policy of a specific user (replace {POLICY_NAME} with a name returned by list-user-policies):
kali@kali:~/cloudgoat$ aws iam get-user-policy --user-name raynor-iam_privesc_by_rollback_cgidi6arp6df8r --policy-name {POLICY_NAME}
Showing the policy document of a specific inline policy of a specific group (replace {POLICY_NAME} with a name returned by list-group-policies):
kali@kali:~/cloudgoat$ aws iam get-group-policy --group-name administrators --policy-name {POLICY_NAME}
Listing the access keys of a specific user:
kali@kali:~/cloudgoat$ aws iam list-access-keys --user-name raynor-iam_privesc_by_rollback_cgidi6arp6df8r
{
"AccessKeyMetadata": [
{
"UserName": "raynor-iam_privesc_by_rollback_cgidi6arp6df8r",
"AccessKeyId": "AKI{MASKED}",
"Status": "Active",
"CreateDate": "2024-10-22T06:19:45+00:00"
}
]
}
kali@kali:~/cloudgoat$
Showing the account password policy:
kali@kali:~/cloudgoat$ aws iam get-account-password-policy --profile raynor
{
"PasswordPolicy": {
"MinimumPasswordLength": 8,
"RequireSymbols": false,
"RequireNumbers": false,
"RequireUppercaseCharacters": false,
"RequireLowercaseCharacters": false,
"AllowUsersToChangePassword": false,
"ExpirePasswords": true,
"MaxPasswordAge": 90,
"HardExpiry": false
}
}
kali@kali:~/cloudgoat$
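The commands above are typed one at a time. As an added example that is not part of the original post, here is a Python driver that chains them through the same AWS CLI: it resolves the caller's user name from sts get-caller-identity, lists the managed and inline policies on the user, uses aws iam list-groups-for-user (a real CLI command not shown above, and the call that ties a user to the groups enumerated earlier) to do the same for each group, and then fetches every version of every managed policy it found. The run parameter is injectable; canned_runner and the CANNED responses are constructed data for offline use, and the account number, user, group and policy names in them are assumptions.

```python
import json
import subprocess


def aws_cli(profile, *args):
    """Run one AWS CLI command under the given profile and parse its JSON output."""
    cmd = ["aws", "--profile", profile, "--output", "json", *args]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def principal_user_name(arn):
    """User name from an IAM user ARN, or None for roles and assumed-role
    sessions, which need list-attached-role-policies / list-role-policies."""
    return arn.rsplit("/", 1)[1] if ":user/" in arn else None


def enumerate_identity(profile, run=aws_cli):
    """Walk caller -> groups -> managed/inline policies -> every managed policy version.

    `run` is injectable so the walk can be exercised against canned output.
    """
    ident = run(profile, "sts", "get-caller-identity")
    user = principal_user_name(ident["Arn"])
    if user is None:
        raise ValueError(f"not an IAM user principal: {ident['Arn']}")
    report = {"user": user, "account": ident["Account"], "groups": [],
              "inline_policies": {}, "managed_policies": {}}

    attached = run(profile, "iam", "list-attached-user-policies", "--user-name", user)
    managed = {p["PolicyArn"] for p in attached["AttachedPolicies"]}
    inline = run(profile, "iam", "list-user-policies", "--user-name", user)
    report["inline_policies"][f"user:{user}"] = inline["PolicyNames"]

    # Group membership is the link the per-group commands leave implicit.
    for group in run(profile, "iam", "list-groups-for-user", "--user-name", user)["Groups"]:
        name = group["GroupName"]
        report["groups"].append(name)
        attached = run(profile, "iam", "list-attached-group-policies", "--group-name", name)
        managed |= {p["PolicyArn"] for p in attached["AttachedPolicies"]}
        inline = run(profile, "iam", "list-group-policies", "--group-name", name)
        report["inline_policies"][f"group:{name}"] = inline["PolicyNames"]

    # Fetch every version of each managed policy, not only the default one.
    for arn in sorted(managed):
        versions = run(profile, "iam", "list-policy-versions", "--policy-arn", arn)["Versions"]
        report["managed_policies"][arn] = {
            v["VersionId"]: {
                "default": v["IsDefaultVersion"],
                "document": run(profile, "iam", "get-policy-version", "--policy-arn", arn,
                                "--version-id", v["VersionId"])["PolicyVersion"]["Document"],
            }
            for v in versions
        }
    return report


# Constructed canned responses (an assumption, for offline use) shaped like the
# CLI output shown above; account, user, group and policy names are made up.
CANNED_ACCOUNT = "123456789012"
USER_POLICY_ARN = f"arn:aws:iam::{CANNED_ACCOUNT}:policy/alice-policy"
GROUP_POLICY_ARN = f"arn:aws:iam::{CANNED_ACCOUNT}:policy/devs-policy"
CANNED = {
    ("sts", "get-caller-identity"): {"UserId": "AIDAEXAMPLE", "Account": CANNED_ACCOUNT,
                                     "Arn": f"arn:aws:iam::{CANNED_ACCOUNT}:user/alice"},
    ("iam", "list-attached-user-policies"): {"AttachedPolicies": [
        {"PolicyName": "alice-policy", "PolicyArn": USER_POLICY_ARN}]},
    ("iam", "list-user-policies"): {"PolicyNames": ["alice-inline"]},
    ("iam", "list-groups-for-user"): {"Groups": [{"GroupName": "devs"}]},
    ("iam", "list-attached-group-policies"): {"AttachedPolicies": [
        {"PolicyName": "devs-policy", "PolicyArn": GROUP_POLICY_ARN}]},
    ("iam", "list-group-policies"): {"PolicyNames": []},
    ("iam", "list-policy-versions"): {"Versions": [{"VersionId": "v1", "IsDefaultVersion": True}]},
    ("iam", "get-policy-version"): {"PolicyVersion": {"VersionId": "v1", "IsDefaultVersion": True,
        "Document": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "iam:Get*", "Resource": "*"}]}}},
}


def canned_runner(profile, *args):
    """Stand-in for aws_cli, keyed on (service, operation)."""
    return CANNED[(args[0], args[1])]


if __name__ == "__main__":
    import sys
    # With a profile name argument this runs the real CLI; without one it
    # walks the canned data so the output shape can be inspected offline.
    if len(sys.argv) > 1:
        print(json.dumps(enumerate_identity(sys.argv[1]), indent=2))
    else:
        print(json.dumps(enumerate_identity("canned", run=canned_runner), indent=2))
```

Running it as python enum_iam.py raynor (the file name is assumed) against the CloudGoat profile produces one JSON report with every attached policy document, which is the input the version-comparison step wants; for a role or assumed-role session the user lookup deliberately fails instead of silently returning an empty report.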