AWS IAM Privilege Escalation Methods

Presented at null Dubai Meet 26 July 2019 Monthly Meet


Pralhad Chaskar

July 26, 2019


  1. AWS IAM Privilege Escalation Methods Pralhad Chaskar (@c0d3xpl0it)

  3. Recap of AWS
    • ACCESS_KEYS → Identifier of the user in account
    • SECRET_ACCESS_KEY → Password needed to authenticate
    • SESSION_TOKEN → Security Token
    • AWS CLI → Console client written in Python that allows a user to interact with the different services offered by AWS
  4. Permission Policies

  5. Privilege Escalation in the cloud
    • Misconfiguration of identity and access management (IAM) policies
    • Manipulation of APIs
    • Cloud provider vulnerabilities
    https://searchcloudsecurity.techtarget.com/tip/3-reasons-privilege-escalation-in-the-cloud-works
  6. For Auditors/Pentesters/Blue Teamers: take one user per role to check for privilege escalation possibilities, and feed the ACCESS_KEYS, SECRET_ACCESS_KEY and SESSION_TOKEN to the tools demoed below.
  7. AWS_ESCALATE.py https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/aws_escalate

  8. PACU
    • Pacu is an open source AWS exploitation framework, designed for offensive security testing against cloud environments. Below are some capabilities/modules:
    • RECON_UNAUTH
    • ENUM
    • ESCALATE (run iam__privesc_scan)
    • LATERAL_MOVE
    • EXPLOIT
    • PERSIST
    • EXFIL
    • EVADE
    https://github.com/RhinoSecurityLabs/pacu
  10. Demo

  11. References
    • https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/aws_escalate
    • https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details
    • https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation

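An offline form of the per-user check from slide 6, as an added example (not code from the deck or from the Rhino Security Labs tools): it reads the policy documents attached to one user and reports which permission sets that allow self-escalation they grant. The action sets, function names and sample policies are assumptions made for this example; Resource scoping on Allow statements, conditions, NotAction and permission boundaries are not evaluated.

```python
import fnmatch

# Action sets that each let a principal widen its own access. Assumption: an
# illustrative subset chosen for this example, not a list taken from the slides.
RISKY_SETS = {
    "new default policy version": {"iam:CreatePolicyVersion"},
    "attach managed policy to a user": {"iam:AttachUserPolicy"},
    "write inline policy on a user": {"iam:PutUserPolicy"},
    "create access keys for another user": {"iam:CreateAccessKey"},
    "pass a role to a new EC2 instance": {"iam:PassRole", "ec2:RunInstances"},
    "pass a role to a new Lambda function":
        {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _patterns(policy_docs, effect):
    """Collect lower-cased Action patterns from statements with this Effect."""
    found = []
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != effect or "Action" not in stmt:
                continue
            # Honour an explicit Deny only if unconditional and on Resource "*".
            scoped = "Condition" in stmt or "*" not in _as_list(stmt.get("Resource", []))
            if effect == "Deny" and scoped:
                continue
            found += [a.lower() for a in _as_list(stmt["Action"])]
    return found

def find_escalation_paths(policy_docs):
    """Return the names of RISKY_SETS entries fully granted by the policies."""
    allow, deny = _patterns(policy_docs, "Allow"), _patterns(policy_docs, "Deny")
    def granted(action):
        a = action.lower()
        return (any(fnmatch.fnmatchcase(a, p) for p in allow)
                and not any(fnmatch.fnmatchcase(a, p) for p in deny))
    return sorted(n for n, need in RISKY_SETS.items() if all(map(granted, need)))

# Constructed sample: policies attached to a hypothetical "ci-deployer" user.
SAMPLE = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:Run*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:Create*", "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement":
        {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"}},
]

print(find_escalation_paths(SAMPLE))
```

Any name it reports is a finding to review against least privilege for that role; an empty list only means none of the listed sets is granted by Action alone.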