
Exploitation via AWS CLI

Difficulty:
Direct link: AWS 201 terminal

Objective

Request

Flex some more advanced AWS CLI skills to escalate privileges! Help Gerty Snowburrow in the Cloud Ring to get hints for this challenge.

Sulfrod

Hey! You - come here!
You look like someone who knows how to do this nerd stuff.
I need my terminal to be stronger, like me!
flexes
You're gonna do that for me so I can bust into this cloud machine thing.

Hints

IAM Privilege Escalation

You can try s3api or lambda service commands, but Chris Elgee's talk on AWS and IAM might be a good start!

(Attached) User Policies

AWS inline policies pertain to one identity while managed policies can be attached to many identities.

Solution

Question 1

Question

Use Trufflehog to find credentials in the Gitlab instance at https://haugfactory.com/asnowball/aws_scripts.git.
Configure these credentials for us-east-1 and then run aws sts get-caller-identity.

We can use the AWS credentials found in the previous challenge to configure the AWS CLI environment. Run aws configure and enter AKIAAIDAYRANYAHGQOHD, e95qToloszIgO9dNBsQMQsc5/foiPdKunPJwc1rL, and us-east-1 as the access key, secret key, and region values. Next, use aws sts get-caller-identity to confirm the credentials are working as expected.

Answer 1

Answer

Use the AWS credentials obtained via TruffleHog to configure the AWS CLI environment.

Question 2

Question

Managed (think: shared) policies can be attached to multiple users. Use the AWS CLI to find any policies attached to your user.
The aws iam command to list attached user policies can be found here.
Hint: it is NOT list-user-policies.

Use the list-attached-user-policies command, with the haug user name found in the ARN from question 1, to list the policies.

Answer 2

Answer

aws iam list-attached-user-policies --user-name haug

Question 3

Question

Now, view or get the policy that is attached to your user.
The aws iam command to get a policy can be found here.

The output from question 2 contains a policy ARN. Use this value with the get-policy command to view the policy.

Answer 3

Answer

aws iam get-policy --policy-arn "arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY"

Question 4

Question

Attached policies can have multiple versions. View the default version of this policy.
The aws iam command to get a policy version can be found here.

Use the v1 default version ID from question 3 with the get-policy-version command to show the default version details.

Answer 4

Answer

aws iam get-policy-version --policy-arn "arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY" --version-id "v1"

Question 5

Question

Inline policies are policies that are unique to a particular identity or resource. Use the AWS CLI to list the inline policies associated with your user.
The aws iam command to list user policies can be found here.
Hint: it is NOT list-attached-user-policies.

To list inline policies we need to use the list-user-policies command with haug as the user name.

Answer 5

Answer

aws iam list-user-policies --user-name haug

Question 6

Question

Now, use the AWS CLI to get the only inline policy for your user.
The aws iam command to get a user policy can be found here.

The get-user-policy command will print the details of the S3Perms inline policy, found in the output of question 5.

Answer 6

Answer

aws iam get-user-policy --user-name haug --policy-name "S3Perms"
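
The two policy lookups above (questions 2-4 for the managed policy, 5-6 for the inline one) return JSON that a reviewer can summarise to see what a leaked key actually reaches. This is an added example, not part of the original walkthrough; the policy bodies are constructed, since the page does not show them, and the function names are hypothetical.

```python
import json

# Constructed sample output; the page does not show the real policy bodies.
# Shapes follow `aws iam get-policy-version` and `aws iam get-user-policy`.
MANAGED = json.loads("""{"PolicyVersion": {"VersionId": "v1", "IsDefaultVersion": true,
  "Document": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:ListFunctions", "lambda:GetFunctionUrlConfig"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:Get*", "Resource": "*"}]}}}""")
INLINE = json.loads("""{"UserName": "haug", "PolicyName": "S3Perms",
  "PolicyDocument": {"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": ["arn:aws:s3:::smogmachines3", "arn:aws:s3:::smogmachines3/*"]}}}""")

def as_list(value):
    """IAM accepts a single string/object wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def policy_document(cli_output):
    """Pull the policy body out of either CLI response shape."""
    if "PolicyVersion" in cli_output:
        return cli_output["PolicyVersion"]["Document"]
    return cli_output["PolicyDocument"]

def allowed(cli_output):
    """Return sorted (action, resource) pairs from Allow statements."""
    pairs = set()
    for stmt in as_list(policy_document(cli_output).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action")):
            for resource in as_list(stmt.get("Resource")):
                pairs.add((action, resource))
    return sorted(pairs)

def review(*cli_outputs):
    """Summarise grants: services touched, unscoped grants, named S3 buckets."""
    pairs = [p for out in cli_outputs for p in allowed(out)]
    return {
        "services": sorted({a.split(":", 1)[0] for a, _ in pairs}),
        "unscoped": sorted({a for a, r in pairs if "*" in a or r == "*"}),
        "buckets": sorted({r.split(":::", 1)[1].split("/", 1)[0]
                           for _, r in pairs if r.startswith("arn:aws:s3:::")}),
    }

if __name__ == "__main__":
    print(json.dumps(review(MANAGED, INLINE), indent=2))
```

Statements that use NotAction or Deny are skipped here, so the summary is an upper bound on Allow grants rather than a full policy evaluation.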

Question 7

Question

The inline user policy named S3Perms disclosed the name of an S3 bucket that you have permissions to list objects. List those objects!
The aws s3api command to list objects in an s3 bucket can be found here.

To list the objects in the smogmachines3 bucket, shown in the output of question 6, we can use the list-objects command.

Answer 7

Answer

aws s3api list-objects --bucket "smogmachines3"

Question 8

Question

The attached user policy provided you several Lambda privileges. Use the AWS CLI to list Lambda functions.
The aws lambda command to list functions can be found here.

The lambda command set contains a list-functions command that will list the Lambda functions.

Answer 8

Answer

aws lambda list-functions

Question 9

Question

Lambda functions can have public URLs from which they are directly accessible.
Use the AWS CLI to get the configuration containing the public URL of the Lambda function.
The aws lambda command to get the function URL config can be found here.

To show the public URL details of a specific Lambda function, we can use the get-function-url-config command.

Answer 9

Answer

aws lambda get-function-url-config --function-name "smogmachine_lambda"

Response

Sulfrod

Ha! Now I have the ring!
This computer stuff sure is easy if you just make someone do it for you.
Wait.. the computer gave you the ring? Gah, whatever.
This never happened, got it? Now beat it, nerd!