Kali Linux

IAM Vulnerable : Use Terraform To Create Your Own Vulnerable By Design AWS IAM Privilege Escalation Playground

IAM Vulnerable is to use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground.. IAM Vulnerable uses the Terraform binary and your AWS credentials to deploy over 250 IAM resources into your selected AWS account. Within minutes, you can start learning how to identify and exploit vulnerable IAM configurations that allow for privilege escalation.

Recommended Approach

  1. Select or create an AWS account – Do NOT use an account that has any production resources or sensitive data.
  2. Create your vulnerable playground – Use this repo to create the IAM principals and policies that support 31 unique AWS IAM privesc paths.
  3. Do your homework – Learn about the 21 original privesc paths pioneered by Spencer Gietzen.
  4. Hacky, hack – Practice exploitation in your new playground using Gerben Kleijn’s guide.
  5. Level up – Run your tools against your new IAM privesc playground account (i.e., Cloudsplaining, AWSPX, Principal Mapper, Pacu).

Quick Start

This quick start outlines an opinionated approach to getting IAM Vulnerable up and running in your AWS account as quickly as possible. You might have many of these steps already completed, or you might want to tweak things to work with your current configuration. Check out the Other Use Cases section in this repository for some additional configuration options.

  1. Select or create an AWS account. (Do NOT use an account that has any production resources or sensitive data!)
  2. Create a non-root user with administrative access that you will use when running Terraform.
  3. Create an access key for that user.
  4. Install the AWS CLI.
  5. Configure your AWS CLI with your newly created admin user as the default profile.
  6. Confirm your CLI is working as expected by executing aws sts get-caller-identity.
  7. Install the Terraform binary and add the binary location to your path.
  8. git clone https://github.com/BishopFox/iam-vulnerable
  9. cd iam-vulnerable/
  10. terraform init
  11. (Optional) export TF_VAR_aws_local_profile=PROFILE_IN_AWS_CREDENTIALS_FILE_IF_OTHER_THAN_DEFAULT
  12. (Optional) export TF_VAR_aws_local_creds_file=FILE_LOCATION_IF_NON_DEFAULT
  13. (Optional) terraform plan
  14. terraform apply
  15. (Optional) Add the IAM vulnerable profiles to your AWS credentials file, and change the account number.
    • The following commands make a backup of your current AWS credentials file, then takes the example credentials file from the repo and replaces the placeholder account with your target account number, and finally adds all of the IAM Vulnerable privesc profiles to your credentials file so you can use them:
    • cp ~/.aws/credentials ~/.aws/credentials.backup
    • tail -n +7 aws_credentials_file_example | sed s/111111111111/$(aws sts get-caller-identity | grep Account | awk -F\" '{print $4}')/g >> ~/.aws/credentials

Cleanup

Whenever you want to remove all of the IAM Vulnerable-created resources, you can run these commands:

  1. cd iam-vulnerable/
  2. terraform destroy

What resources were just created?

The Terraform binary just used your default AWS account profile credentials to create:

  • 31 users, roles, and policies each with a unique exploit path to administrative access of the playground account
  • Some additional users, groups, roles, and policies that are required to fully realize certain exploit paths
  • Some additional users, roles, and policies that test the detection capabilities of other tools

By default, every role created by this Terraform module is assumable by the user or role you used to run Terraform.

  • If you’d like Terraform to use a profile other than the default profile, or you’d like to hard-code the assume_role_policy ARN, see Other Use Cases.

How much is this going to cost?

Deploying IAM vulnerable in its default configuration will cost nothing. See the next section to learn how to enable non-default modules that do incur cost, and how much each module will cost per month if you deploy it.

A Modular Approach

IAM Vulnerable groups certain resources together in modules. Some of the modules are enabled by default (the ones that don’t have any cost implications), and others are disabled by default (the ones that incur cost if deployed). This way, you can enable specific modules as needed.

For example, when you are ready to play with the exploit paths like ssm:StartSession that involve resources outside of IAM, you can deploy and tear down these resources on demand by uncommenting the module in the iam-vulnerable/main.tf file, and re-running terraform apply:

Uncomment the next four lines to create an ec2 instance and related resources
module “ec2” {
source = “./modules/non-free-resources/ec2”
aws_assume_role_arn = (var.aws_assume_role_arn != “” ? var.aws_assume_role_arn : data.aws_caller_identity.current.arn)
}

After you uncomment the ec2 module, run:

terraform init
terraform apply

You have now deployed the required components to try the SSM privesc paths.

Free Resource Modules

There is no cost to anything deployed within free-resources:

NameDefault StatusEstimated CostDescription
privesc-pathsEnabledNoneContains all of the IAM privesc paths
tool-testingEnabledNoneContains test cases that evaluate the capabilities of the different IAM privesc tools

Non-free Resource Modules

Deploying these additional modules can result in cost:

NameDefault StatusEstimated CostDescriptionRequired for
EC2Disabled💲
$4.50/month
Creates an EC2 instance and a security group that allows SSH from anywheressm-SendCommand
ssm-StartSession
ec2InstanceConnect-SendSSHPublicKey
LambdaDisabled🙂
Monthly cost depends on usage (cost should be zero)
Creates a Lambda functionLambda-EditExistingLambdaFunctionWithRole
GlueDisabled💲💲💲💲
$4/hour
Creates a Glue dev endpointGlue-UpdateExistingGlueDevEndpoint
SageMakerDisabledNot sure yetCreates a SageMaker notebooksageMakerCreatePresignedNotebookURL
CloudFormationDisabled🙂
$0.40/month for the secret created via CloudFormation. Nothing or barely nothing for the stack itself
Creates a CloudFormation stack that creates a secret in secret managerprivesc-cloudFormationUpdateStack

Supported Privilege Escalation Paths

Path NameIAM Vulnerable Profile NameNon-Default Modules RequiredExploitation References
Category: IAM Permissions on Other Users
IAM-CreateAccessKeyprivesc4None🦊 Well, That Escalated Quickly – Privesc 04
🔒 s3cur3.it IAMVulnerable – Part 3
IAM-CreateLoginProfileprivesc5None🦊 Well, That Escalated Quickly – Privesc 05
🔒 s3cur3.it IAMVulnerable – Part 3
IAM-UpdateLoginProfileprivesc6None🦊 Well, That Escalated Quickly – Privesc 06
🔒 s3cur3.it IAMVulnerable – Part 3
Category: PassRole to Service
CloudFormation-PassExistingRoleToCloudFormationprivesc20None🦊 Well, That Escalated Quickly – Privesc 20
CodeBuild-CreateProjectPassRoleprivesc-codeBuildProjectNone
DataPipeline-PassExistingRoleToNewDataPipelineprivesc21None🦊 Well, That Escalated Quickly – Privesc 21
EC2-CreateInstanceWithExistingProfileprivesc3None🦊 Well, That Escalated Quickly – Privesc 03
🔒 s3cur3.it IAMVulnerable – Part 2
Glue-PassExistingRoleToNewGlueDevEndpointprivesc18None🦊 Well, That Escalated Quickly – Privesc 18
Lambda-PassExistingRoleToNewLambdaThenInvokeprivesc15None🦊 Well, That Escalated Quickly – Privesc 15
Lambda-PassRoleToNewLambdaThenTriggerprivesc16None🦊 Well, That Escalated Quickly – Privesc 16
SageMaker-CreateNotebookPassRoleprivesc-sageNotebookNone🦏 AWS IAM Privilege Escalation – Method 2
SageMaker-CreateTrainingJobPassRoleprivesc-sageTrainingNone
SageMaker-CreateProcessingJobPassRoleprivesc-sageProcessingNone
Category: Permissions on Policies
IAM-AddUserToGroupprivesc13None🦊 Well, That Escalated Quickly – Privesc 13
IAM-AttachGroupPolicyprivesc8None🦊 Well, That Escalated Quickly – Privesc 08
IAM-AttachRolePolicyprivesc9None🦊 Well, That Escalated Quickly – Privesc 09
IAM-AttachUserPolicyprivesc7None🦊 Well, That Escalated Quickly – Privesc 07
IAM-CreateNewPolicyVersionprivesc1None🦊 Well, That Escalated Quickly – Privesc 01
🔒 s3cur3.it IAMVulnerable – Part 1
IAM-PutGroupPolicyprivesc11None🦊 Well, That Escalated Quickly – Privesc 11
IAM-PutRolePolicyprivesc12None🦊 Well, That Escalated Quickly – Privesc 12
IAM-PutUserPolicyprivesc10None🦊 Well, That Escalated Quickly – Privesc 10
IAM-SetExistingDefaultPolicyVersionprivesc2None🦊 Well, That Escalated Quickly – Privesc 02
🔒 s3cur3.it IAMVulnerable – Part 2
Category: Privilege Escalation using AWS Services
EC2InstanceConnect-SendSSHPublicKeyprivesc-instanceConnectEC2
CloudFormation-UpdateStackprivesc-cfUpdateStackCloudFormation
Glue-UpdateExistingGlueDevEndpointprivesc19Glue🦊 Well, That Escalated Quickly – Privesc 19
Lambda-EditExistingLambdaFunctionWithRoleprivesc17Lambda🦊 Well, That Escalated Quickly – Privesc 17
🔒 s3cur3.it IAMVulnerable – Part 4
SageMakerCreatePresignedNotebookURLprivesc-sageUpdateURLSagemaker🦏 AWS IAM Privilege Escalation – Method 3
SSM-SendCommandprivesc-ssm-commandEC2
SSM-StartSessionprivesc-ssm-sessionEC2
STS-AssumeRoleprivesc-assumeroleNone
Category: Updating an AssumeRole Policy
IAM-UpdatingAssumeRolePolicyprivesc14None🦊 Well, That Escalated Quickly – Privesc 14

Other Use Cases

Default – No terraform.tfvars configured

  • Deploy using your default AWS profile (Default)
  • All created roles are assumable by the principal used to run Terraform (specified in your default profile)

Use a profile other than the default to run Terraform

  • Copy terraform.tfvars.example to terraform.tvvars
  • Uncomment the line #aws_local_profile = "profile_name" and enter the profile name you’d like to use
  • If you are using a non-default profile, and still want to use the aws_credentails_file_example file, you can use this command to generate an AWS credentials file that works with your non-default profile name (Thanks @scriptingislife)
    • Remember to replace nondefaultuser with the profile name you are using):
    • tail -n +7 aws_credentials_file_example | sed -e "s/111111111111/$(aws sts get-caller-identity | grep Account | awk -F\" '{print $4}')/g;s/default/nondefaultuser/g" >> ~/.aws/credentials

Use an ARN other than the caller as the principal that can assume the newly created roles

  • Copy terraform.tfvars.example to terraform.tvvars
  • Uncomment the line #aws_assume_role_arn = "arn:aws:iam::112233445566:user/you" and enter the ARN you’d like to use

Once created, each of the privesc roles will be assumable by the principal (ARN) you specified.

Create the resource in account X, but use an ARN from account Y as the principal that can assume the newly created roles

If you have configured AWS CLI profiles that assume roles into other accounts, you will want to specify the profile name AND manually specify the ARN you’d like to use to assume into the different roles.

In the example below, the resources will be created in the account that is tied to "prod-cross-org-access-role", but each role that Terraform creates can be accessed by "arn:aws:iam::112233445566:user/you", which belongs to another account.

aws_local_profile = “prod-cross-org-access-role”
aws_assume_role_arn = “arn:aws:iam::112233445566:user/you”

R K

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

3 days ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

3 days ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

5 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

1 week ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago