• Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Menu
  • Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Search
Close
  • Home
  • 2021
  • December
  • 5
  • IAM Vulnerable – Use Terraform To Create Your Own Vulnerable By Design AWS IAM Privilege Escalation Playground

IAM Vulnerable – Use Terraform To Create Your Own Vulnerable By Design AWS IAM Privilege Escalation Playground

December 5, 2021 Comments Off on IAM Vulnerable – Use Terraform To Create Your Own Vulnerable By Design AWS IAM Privilege Escalation Playground
IAM Vulnerable - Use Terraform To Create Your Own Vulnerable By Design AWS IAM Privilege Escalation Playground cybersecurity ethical hacking hack android hack app hack wordpress hacker news hacking hacking tools for windows keylogger kit kitploit password brute force penetration testing pentest pentest android pentest linux pentest toolkit pentest tools spy tool kit spyware tools

Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground.

IAM Vulnerable uses the Terraform binary and your AWS credentials to deploy over 250 IAM resources into your selected AWS account. Within minutes, you can start learning how to identify and exploit vulnerable IAM configurations that allow for privilege escalation.

Recommended Approach

  1. Select or create an AWS account – Do NOT use an account that has any production resources or sensitive data.
  2. Create your vulnerable playground – Use this repo to create the IAM principals and policies that support 31 unique AWS IAM privesc paths.
  3. Do your homework – Learn about the 21 original privesc paths pioneered by Spencer Gietzen.
  4. Hacky, hack – Practice exploitation in your new playground using Gerben Kleijn’s guide.
  5. Level up – Run your tools against your new IAM privesc playground account (i.e., Cloudsplaining, AWSPX, Principal Mapper, Pacu).

Detailed Usage Instructions

Blog Post: IAM Vulnerable – An AWS IAM Privilege Escalation Playground

Quick Start

This quick start outlines an opinionated approach to getting IAM Vulnerable up and running in your AWS account as quickly as possible. You might have many of these steps already completed, or you might want to tweak things to work with your current configuration. Check out the Other Use Cases section in this repository for some additional configuration options.

  1. Select or create an AWS account. (Do NOT use an account that has any production resources or sensitive data!)
  2. Create a non-root user with administrative access that you will use when running Terraform.
  3. Create an access key for that user.
  4. Install the AWS CLI.
  5. Configure your AWS CLI with your newly created admin user as the default profile.
  6. Confirm your CLI is working as expected by executing aws sts get-caller-identity.
  7. Install the Terraform binary and add the binary location to your path.
  8. git clone https://github.com/BishopFox/iam-vulnerable
  9. cd iam-vulnerable/
  10. terraform init
  11. (Optional) export TF_VAR_aws_local_profile=PROFILE_IN_AWS_CREDENTIALS_FILE_IF_OTHER_THAN_DEFAULT
  12. (Optional) export TF_VAR_aws_local_creds_file=FILE_LOCATION_IF_NON_DEFAULT
  13. (Optional) terraform plan
  14. terraform apply
  15. (Optional) Add the IAM vulnerable profiles to your AWS credentials file, and change the account number.
    • The following commands make a backup of your current AWS credentials file, then takes the example credentials file from the repo and replaces the placeholder account with your target account number, and finally adds all of the IAM Vulnerable privesc profiles to your credentials file so you can use them:
    • cp ~/.aws/credentials ~/.aws/credentials.backup
    • tail -n +7 aws_credentials_file_example | sed s/111111111111/$(aws sts get-caller-identity | grep Account | awk -F" '{print $4}')/g >> ~/.aws/credentials

Cleanup

Whenever you want to remove all of the IAM Vulnerable-created resources, you can run these commands:

  1. cd iam-vulnerable/
  2. terraform destroy

What resources were just created?

The Terraform binary just used your default AWS account profile credentials to create:

  • 31 users, roles, and policies each with a unique exploit path to administrative access of the playground account
  • Some additional users, groups, roles, and policies that are required to fully realize certain exploit paths
  • Some additional users, roles, and policies that test the detection capabilities of other tools

By default, every role created by this Terraform module is assumable by the user or role you used to run Terraform.

  • If you’d like Terraform to use a profile other than the default profile, or you’d like to hard-code the assume_role_policy ARN, see Other Use Cases.

How much is this going to cost?

Deploying IAM vulnerable in its default configuration will cost nothing. See the next section to learn how to enable non-default modules that do incur cost, and how much each module will cost per month if you deploy it.

A Modular Approach

IAM Vulnerable groups certain resources together in modules. Some of the modules are enabled by default (the ones that don’t have any cost implications), and others are disabled by default (the ones that incur cost if deployed). This way, you can enable specific modules as needed.

For example, when you are ready to play with the exploit paths like ssm:StartSession that involve resources outside of IAM, you can deploy and tear down these resources on demand by uncommenting the module in the iam-vulnerable/main.tf file, and re-running terraform apply:

# Uncomment the next four lines to create an ec2 instance and related resources
#module "ec2" {
# source = "./modules/non-free-resources/ec2"
# aws_assume_role_arn = (var.aws_assume_role_arn != "" ? var.aws_assume_role_arn : data.aws_caller_identity.current.arn)
#}

After you uncomment the ec2 module, run:

terraform init
terraform apply

You have now deployed the required components to try the SSM privesc paths.

Free Resource Modules

There is no cost to anything deployed within free-resources:

Name Default Status Estimated Cost Description
privesc-paths Enabled None Contains all of the IAM privesc paths
tool-testing Enabled None Contains test cases that evaluate the capabilities of the different IAM privesc tools

Non-free Resource Modules

Deploying these additional modules can result in cost:

Name Default Status Estimated Cost Description Required for
EC2 Disabled


$4.50/month

Creates an EC2 instance and a security group that allows SSH from anywhere ssm-SendCommand
ssm-StartSession
ec2InstanceConnect-SendSSHPublicKey
Lambda Disabled


Monthly cost depends on usage (cost should be zero)

Creates a Lambda function Lambda-EditExistingLambdaFunctionWithRole
Glue Disabled





$4/hour

Creates a Glue dev endpoint Glue-UpdateExistingGlueDevEndpoint
SageMaker Disabled Not sure yet Creates a SageMaker notebook sageMakerCreatePresignedNotebookURL
CloudFormation Disabled


$0.40/month for the secret created via CloudFormation. Nothing or barely nothing for the stack itself

Creates a CloudFormation stack that creates a secret in secret manager privesc-cloudFormationUpdateStack

Supported Privilege Escalation Paths

Path Name IAM Vulnerable Profile Name Non-Default Modules Required Exploitation References
Category: IAM Permissions on Other Users
IAM-CreateAccessKey privesc4 None
力

Well, That Escalated Quickly – Privesc 04



s3cur3.it IAMVulnerable – Part 3

IAM-CreateLoginProfile privesc5 None
力

Well, That Escalated Quickly – Privesc 05



s3cur3.it IAMVulnerable – Part 3

IAM-UpdateLoginProfile privesc6 None
力

Well, That Escalated Quickly – Privesc 06



s3cur3.it IAMVulnerable – Part 3

Category: PassRole to Service
CloudFormation-PassExistingRoleToCloudFormation privesc20 None
力

Well, That Escalated Quickly – Privesc 20

CodeBuild-CreateProjectPassRole privesc-codeBuildProject None
DataPipeline-PassExistingRoleToNewDataPipeline privesc21 None
力

Well, That Escalated Quickly – Privesc 21

EC2-CreateInstanceWithExistingProfile privesc3 None
力

Well, That Escalated Quickly – Privesc 03



s3cur3.it IAMVulnerable – Part 2

Glue-PassExistingRoleToNewGlueDevEndpoint privesc18 None
力

Well, That Escalated Quickly – Privesc 18

Lambda-PassExistingRoleToNewLambdaThenInvoke privesc15 None
力

Well, That Escalated Quickly – Privesc 15

Lambda-PassRoleToNewLambdaThenTrigger privesc16 None
力

Well, That Escalated Quickly – Privesc 16

SageMaker-CreateNotebookPassRole privesc-sageNotebook None
憐

AWS IAM Privilege Escalation – Method 2

SageMaker-CreateTrainingJobPassRole privesc-sageTraining None
SageMaker-CreateProcessingJobPassRole privesc-sageProcessing None
Category: Permissions on Policies
IAM-AddUserToGroup privesc13 None
力

Well, That Escalated Quickly – Privesc 13

IAM-AttachGroupPolicy privesc8 None
力

Well, That Escalated Quickly – Privesc 08

IAM-AttachRolePolicy privesc9 None
力

Well, That Escalated Quickly – Privesc 09

IAM-AttachUserPolicy privesc7 None
力

Well, That Escalated Quickly – Privesc 07

IAM-CreateNewPolicyVersion privesc1 None
力

Well, That Escalated Quickly – Privesc 01



s3cur3.it IAMVulnerable – Part 1

IAM-PutGroupPolicy privesc11 None
力

Well, That Escalated Quickly – Privesc 11

IAM-PutRolePolicy privesc12 None
力

Well, That Escalated Quickly – Privesc 12

IAM-PutUserPolicy privesc10 None
力

Well, That Escalated Quickly – Privesc 10

IAM-SetExistingDefaultPolicyVersion privesc2 None
力

Well, That Escalated Quickly – Privesc 02



s3cur3.it IAMVulnerable – Part 2

Category: Privilege Escalation using AWS Services
EC2InstanceConnect-SendSSHPublicKey privesc-instanceConnect EC2
CloudFormation-UpdateStack privesc-cfUpdateStack CloudFormation
Glue-UpdateExistingGlueDevEndpoint privesc19 Glue
力

Well, That Escalated Quickly – Privesc 19

Lambda-EditExistingLambdaFunctionWithRole privesc17 Lambda
力

Well, That Escalated Quickly – Privesc 17



s3cur3.it IAMVulnerable – Part 4

SageMakerCreatePresignedNotebookURL privesc-sageUpdateURL Sagemaker
憐

AWS IAM Privilege Escalation – Method 3

SSM-SendCommand privesc-ssm-command EC2
SSM-StartSession privesc-ssm-session EC2
STS-AssumeRole privesc-assumerole None
Category: Updating an AssumeRole Policy
IAM-UpdatingAssumeRolePolicy privesc14 None
力

Well, That Escalated Quickly – Privesc 14

Other Use Cases

Default – No terraform.tfvars configured

  • Deploy using your default AWS profile (Default)
  • All created roles are assumable by the principal used to run Terraform (specified in your default profile)

Use a profile other than the default to run Terraform

  • Copy terraform.tfvars.example to terraform.tvvars
  • Uncomment the line #aws_local_profile = "profile_name" and enter the profile name you’d like to use
  • If you are using a non-default profile, and still want to use the aws_credentails_file_example file, you can use this command to generate an AWS credentials file that works with your non-default profile name (Thanks @scriptingislife)
    • Remember to replace nondefaultuser with the profile name you are using):
    • tail -n +7 aws_credentials_file_example | sed -e "s/111111111111/$(aws sts get-caller-identity | grep Account | awk -F" '{print $4}')/g;s/default/nondefaultuser/g" >> ~/.aws/credentials

Use an ARN other than the caller as the principal that can assume the newly created roles

  • Copy terraform.tfvars.example to terraform.tvvars
  • Uncomment the line #aws_assume_role_arn = "arn:aws:iam::112233445566:user/you" and enter the ARN you’d like to use

Once created, each of the privesc roles will be assumable by the principal (ARN) you specified.

Create the resource in account X, but use an ARN from account Y as the principal that can assume the newly created roles

If you have configured AWS CLI profiles that assume roles into other accounts, you will want to specify the profile name AND manually specify the ARN you’d like to use to assume into the different roles.

In the example below, the resources will be created in the account that is tied to "prod-cross-org-access-role", but each role that Terraform creates can be accessed by "arn:aws:iam::112233445566:user/you", which belongs to another account.

aws_local_profile = "prod-cross-org-access-role"
aws_assume_role_arn = "arn:aws:iam::112233445566:user/you"

FAQ

How does IAM Vulnerable compare to CloudGoat, Terragoat, and SadCloud?

All of these tools use Terraform to deploy intentionally vulnerable infrastructure to AWS. However, IAM Vulnerable’s focus is IAM privilege escalation, whereas the other tools either don’t cover IAM privesc or only cover some scenarios.

  • CloudGoat deploys eight unique scenarios, some of which cover IAM privesc paths, while others focus on other areas like secrets in EC2 metadata.
  • Terragoat and SadCloud both focus on the many ways you can misconfigure your cloud accounts, but do not cover IAM privesc paths. In fact, you can almost think of IAM vulnerable as a missing puzzle piece when applied along side Terragoat or SadCloud. The intentionally vulnerable configurations complement each other.

How does IAM Vulnerable compare to Cloudsplaining, AWSPX, Principal Mapper, Pacu, Cloudmapper, or ScouteSuite?

All of these tools help identify existing misconfigurations in your AWS environment. Some, like Pacu, also help you exploit misconfigurations. In contrast, IAM Vulnerable creates intentionally vulnerable infrastructure. If you really want to learn how to use tools like Principal Mapper (PMapper), AWSPX, Pacu, and Cloudsplaining, IAM Vulnerable is for you.

I’ve never used Terraform and I’m afraid of it. Help!?

I was also afraid of Terraform and projects that would create resources in my account before I knew how Terraform worked. Here are some things that might ease your anxiety:

  • By using an AWS account for this single purpose, you can rest assured that this repository won’t negatively impact anything else you care about. Even if you deploy IAM Vulnerable to a separate account in an AWS organization, you can rest assured that the other accounts in the org will be outside the blast radius of this playground account.
  • The terraform plan command is a dry run. It shows you exactly what will be deployed if you run terraform apply before you actually run it.
  • Rest assured knowing that you can terraform destroy anything you terraform apply for a clean slate.
  • If your concern is cost, check out Infracost. You download this binary, register for a free API key, and execute it within a Terraform directory like iam-vulnerable. This tool runs terraform plan and calculates the monthly cost associated with the plan as it is currently configured. This is the tool I used to populate the module cost estimates table above.

Can I run this tool and another tool like CloudGoat, Terragoat, or SadCloud in the same AWS account?

Yes. Each tool will keep its Terraform state separately, but all resources will be created, updated, and deleted in the same account, and they can coexist.

Prior work and good references

  • https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
  • https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
  • https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/
  • https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws
  • https://ermetic.com/whats-new/blog/aws/auditing-passrole-a-problematic-privilege-escalation-permission/
Download Iam-Vulnerable

Post navigation

SQLRecon: C# MS-SQL toolkit designed for offensive reconnaissance and post-exploitation
Metasploit 6.1.17 releases: penetration testing platform

Related Articles

Shelltropy: hiding malicious shellcode via Shannon encoding

Shelltropy: hiding malicious shellcode via Shannon encoding

- Hack Tools
June 29, 2022
Jwtear - Modular Command-Line Tool To Parse, Create And Manipulate JWT Tokens For Hackers

Jwtear – Modular Command-Line Tool To Parse, Create And Manipulate JWT Tokens For Hackers

- Hack Tools
June 29, 2022
Nimc2 - A C2 Fully Written In Nim

Nimc2 – A C2 Fully Written In Nim

- Hack Tools
June 29, 2022
hacker gadgets
hacker phone covers

Recent Posts

Shelltropy: hiding malicious shellcode via Shannon encoding

Shelltropy: hiding malicious shellcode via Shannon encoding

June 29, 2022
Third and Final “EastSideHigh” Defendant Pleads Guilty

Third and Final “EastSideHigh” Defendant Pleads Guilty

June 29, 2022
Jwtear - Modular Command-Line Tool To Parse, Create And Manipulate JWT Tokens For Hackers

Jwtear – Modular Command-Line Tool To Parse, Create And Manipulate JWT Tokens For Hackers

June 29, 2022
Nimc2 - A C2 Fully Written In Nim

Nimc2 – A C2 Fully Written In Nim

June 29, 2022
CURL 7.84 released: tool to transfer data from or to a server

CURL 7.84 released: tool to transfer data from or to a server

June 29, 2022
HintInject: embedding shellcode to Hint/Name Table

HintInject: embedding shellcode to Hint/Name Table

June 28, 2022

Social Media Hacking

SocialPath – Track users across Social Media Platforms

SocialPath – Track users across Social Media Platforms

- Social Media Hacking
October 16, 2019October 16, 2019

SocialPath is a django application for gathering social media intelligence on specific username. It checks for Twitter, Instagram, Facebook, Reddit...

SocialScan – Check Email Address and Username Availability on Online Platforms

SocialScan – Check Email Address and Username Availability on Online Platforms

June 17, 2019
Shellphish – Phishing Tool For 18 Social Media Apps

Shellphish – Phishing Tool For 18 Social Media Apps

June 10, 2019July 27, 2019
WhatsApp Hacking using QRLJacking

WhatsApp Hacking using QRLJacking

May 2, 2019May 19, 2019
How to Hack any Facebook Account with Z-Shadow

How to Hack any Facebook Account with Z-Shadow

April 26, 2019June 29, 2020
hacker buffs
ABOUT US

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Our primary focus revolves around the latest tools released in the Infosec community and provide a platform for developers to showcase their skillset and current projects.

COMPANY
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Menu
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Live Chat
RESOURCES
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Menu
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Get Started
TOOLBOX
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Menu
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Tools Directory

2014 – 2020 | Haxf4rall.com               Stay Connected:

Facebook Twitter Google-plus Wordpress
Please wait...

Join Our Community

Subscribe now and get your free HACKERS HANDBOOK

Don't Worry ! You will not be spammed
SIGN UP FOR NEWSLETTER NOW