Size: Medium
Difficulty: Moderate
Command: $ ./cloudgoat.py create iam_privesc_by_attachment
- 1 VPC with:
  - EC2 x 1
- 1 IAM User
- IAM User "Kerrigan"
Delete the EC2 instance "cg-super-critical-security-server."
Starting with a very limited set of permissions, the attacker is able to leverage the instance-profile-attachment permissions to create a new EC2 instance with significantly greater privileges than their own. With access to this new EC2 instance, the attacker gains full administrative powers within the target account and is able to accomplish the scenario's goal - deleting the cg-super-critical-security-server and paving the way for further nefarious actions.
Note: This scenario may require you to create some AWS resources, and because CloudGoat can only manage resources it creates, you should remove them manually before running ./cloudgoat destroy.
- Starting as the IAM user "Kerrigan," the attacker uses their limited privileges to explore the environment.
- The attacker first lists EC2 instances, identifying their target - the "cg-super-critical-security-server" - but being unable to directly affect the target, the attacker looks for another way...
- The attacker decides to enumerate existing instance profiles and roles within the account, identifying an instance profile they can use and a promising-looking role.
- With a plan in mind, the attacker prepares for their exploit. First, they swap the full-admin role onto the instance profile.
- Next, the attacker creates a new EC2 key pair.
- Then, the attacker creates a new EC2 instance with that key pair, meaning they now have shell access to it.
- As the final step in the exploit, the attacker then attaches the full-admin-empowered instance profile to the EC2 instance.
- By accessing and using the new EC2 instance as a staging platform, the attacker is able to execute AWS CLI commands with full admin privileges granted by the attached profile's role.
- The attacker is finally able to terminate the "cg-super-critical-security-server" EC2 instance, completing the scenario.
A cheat sheet for this route is available here.
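A detection-side view of the route above, as an added example that is not part of CloudGoat: it correlates CloudTrail events in which one principal changes the role on an instance profile and then places that profile on an EC2 instance. The sample records are constructed and trimmed, and the profile, role, key and `example-ops` names, the account ID and the one-hour window are assumptions.

```python
from datetime import datetime, timedelta

SWAP = "AddRoleToInstanceProfile"                         # IAM: role placed on a profile
ATTACH = {"RunInstances", "AssociateIamInstanceProfile"}  # EC2: profile reaches an instance
WINDOW = timedelta(hours=1)                               # assumed correlation window

def find_profile(params):
    """Return the instance profile name referenced anywhere in requestParameters, or None."""
    for key, val in (params or {}).items():
        if key.lower() == "instanceprofilename":
            return val
        if key.lower() == "iaminstanceprofile" and isinstance(val, dict):
            ref = {k.lower(): v for k, v in val.items()}
            return (ref.get("name") or ref.get("arn") or "").rsplit("/", 1)[-1] or None
        if isinstance(val, dict) and (found := find_profile(val)):
            return found
    return None

def detect(events):
    """Flag a principal that changes a profile's role, then puts that profile on an instance."""
    swaps, findings = {}, []
    for e in sorted(events, key=lambda e: e["eventTime"]):
        who = e["userIdentity"]["arn"]
        when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        profile = find_profile(e.get("requestParameters"))
        if e["eventName"] == SWAP:
            swaps[(who, profile)] = (when, e["requestParameters"]["roleName"])
        elif e["eventName"] in ATTACH and (who, profile) in swaps:
            since, role = swaps[(who, profile)]
            if when - since <= WINDOW:
                findings.append({"principal": who, "profile": profile,
                                 "role": role, "via": e["eventName"]})
    return findings

def ev(time, user, name, params):  # builds a constructed, trimmed CloudTrail-style record
    return {"eventTime": time, "eventName": name, "requestParameters": params,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}

SAMPLE = [  # constructed events; profile, role, key and example-ops are placeholders
    ev("2024-01-01T10:00:00Z", "Kerrigan", SWAP,
       {"instanceProfileName": "example-profile", "roleName": "example-admin-role"}),
    ev("2024-01-01T10:03:00Z", "Kerrigan", "RunInstances", {"keyName": "example-key"}),
    ev("2024-01-01T10:05:00Z", "Kerrigan", "AssociateIamInstanceProfile",
       {"AssociateIamInstanceProfileRequest": {"IamInstanceProfile": {"Name": "example-profile"}}}),
    ev("2024-01-01T10:06:00Z", "example-ops", "RunInstances",
       {"iamInstanceProfile": {"name": "example-profile"}}),
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

The rule keys on the same principal performing both halves, so a launch by another user with the same profile is not flagged; widen the key to the profile alone if that case matters in your account.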