Merge pull request nccgroup#88 from Hacking-the-Cloud/add_iam_priv_esc_page

Added the first pass of the IAM privilege escalation page
Frichetten committed Nov 4, 2021
2 parents 8440c67 + 36b714b commit e665b3b
Showing 5 changed files with 126 additions and 9 deletions.
9 changes: 0 additions & 9 deletions content/aws/exploitation/escalate-iam-privs.md

This file was deleted.

126 changes: 126 additions & 0 deletions content/aws/exploitation/iam_privilege_escalation.md
@@ -0,0 +1,126 @@
---
author: Nick Frichette
title: AWS IAM Privilege Escalation Techniques
description: Common techniques that can be leveraged to escalate privileges in an AWS account.
enableEditBtn: true
editBaseURL: https://github.com/Hacking-the-Cloud/hackingthe.cloud/blob/main/content
---
Original Research: [Spencer Gietzen](https://twitter.com/SpenGietz) - [AWS IAM Privilege Escalation](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
Further Reading: [AWS-IAM-Privilege-Escalation](https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation)
Further Reading: [Investigating PrivEsc Methods in AWS](https://bishopfox.com/blog/privilege-escalation-in-aws)

## Quick List
[codestar:CreateProject, codestar:AssociateTeamMember](/aws/exploitation/iam_privilege_escalation#codestarcreateproject-codestarassociateteammember)
[glue:UpdateDevEndpoint](/aws/exploitation/iam_privilege_escalation#glueupdatedevendpoint)
[iam:AddUserToGroup](/aws/exploitation/iam_privilege_escalation#iamaddusertogroup)
[iam:AttachGroupPolicy](/aws/exploitation/iam_privilege_escalation#iamattachgrouppolicy)
[iam:AttachRolePolicy](/aws/exploitation/iam_privilege_escalation#iamattachrolepolicy)
[iam:AttachUserPolicy](/aws/exploitation/iam_privilege_escalation#iamattachuserpolicy)
[iam:CreateAccessKey](/aws/exploitation/iam_privilege_escalation#iamcreateaccesskey)
[iam:CreateLoginProfile](/aws/exploitation/iam_privilege_escalation#iamcreateloginprofile)
[iam:CreatePolicyVersion](/aws/exploitation/iam_privilege_escalation#iamcreatepolicyversion)
[iam:PassRole, cloudformation:CreateStack](/aws/exploitation/iam_privilege_escalation#iampassrole-cloudformationcreatestack)
[iam:PassRole, codestar:CreateProject](/aws/exploitation/iam_privilege_escalation#iampassrole-codestarcreateproject)
[iam:PassRole, datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition, datapipeline:ActivatePipeline](/aws/exploitation/iam_privilege_escalation#iampassrole-datapipelineactivatepipeline-datapipelinecreatepipeline-datapipelineputpipelinedefinition)
[iam:PassRole, ec2:RunInstances](/aws/exploitation/iam_privilege_escalation#iampassrole-ec2runinstances)
[iam:PassRole, glue:CreateDevEndpoint](/aws/exploitation/iam_privilege_escalation#iampassrole-gluecreatedevendpoint)
[iam:PassRole, lambda:AddPermission, lambda:CreateFunction](/aws/exploitation/iam_privilege_escalation#iampassrole-lambdaaddpermission-lambdacreatefunction)
[iam:PassRole, lambda:CreateEventSourceMapping, lambda:CreateFunction](/aws/exploitation/iam_privilege_escalation#iampassrole-lambdacreateeventsourcemapping-lambdacreatefunction)
[iam:PassRole, lambda:CreateFunction, lambda:InvokeFunction](/aws/exploitation/iam_privilege_escalation#iampassrole-lambdacreatefunction-lambdainvokefunction)
[iam:PutGroupPolicy](/aws/exploitation/iam_privilege_escalation#iamputgrouppolicy)
[iam:PutRolePolicy](/aws/exploitation/iam_privilege_escalation#iamputrolepolicy)
[iam:PutUserPolicy](/aws/exploitation/iam_privilege_escalation#iamputuserpolicy)
[iam:SetDefaultPolicyVersion](/aws/exploitation/iam_privilege_escalation#iamsetdefaultpolicyversion)
[iam:UpdateAssumeRolePolicy](/aws/exploitation/iam_privilege_escalation#iamupdateassumerolepolicy)
[iam:UpdateLoginProfile](/aws/exploitation/iam_privilege_escalation#iamupdateloginprofile)
[lambda:UpdateFunctionCode](/aws/exploitation/iam_privilege_escalation#lambdaupdatefunctioncode)
[lambda:UpdateFunctionConfiguration](/aws/exploitation/iam_privilege_escalation#lambdaupdatefunctionconfiguration)

{{< notice success "Note" >}}
If you'd like to get hands on experience exploiting these misconfigurations, check out [iam-vulnerable](https://github.com/BishopFox/iam-vulnerable) by [Seth Art](https://twitter.com/sethsec).
{{< /notice >}}

## codestar:CreateProject, codestar:AssociateTeamMember
With access to the [codestar:CreateProject](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/codestar/create-project.html) and [codestar:AssociateTeamMember](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/codestar/associate-team-member.html) permissions, an adversary can create a new [CodeStar](https://aws.amazon.com/codestar/) project and associate themselves as an Owner of the project.

This will attach a new policy to the user that provides access to a number of permissions for AWS services. This is most useful for further enumeration as it gives access to lambda:List*, iam:ListRoles, iam:ListUsers, and more.

![Using codestar:AssociateTeamMember](/images/aws/exploitation/iam_privilege_escalation/codestar_associate.png)

![Showing the CodeStar policy](/images/aws/exploitation/iam_privilege_escalation/codestar_policy.png)

## glue:UpdateDevEndpoint
With access to the [glue:UpdateDevEndpoint](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/glue/update-dev-endpoint.html) permission, an adversary can update the existing SSH key associated with the glue endpoint. This will allow the adversary to SSH into the host and gain access to IAM credentials associated with the role attached to the glue endpoint. Though not required, it may be helpful to have the [glue:GetDevEndpoint](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/glue/get-dev-endpoint.html) permission as well, if the existing endpoint cannot be identified via other means.

## iam:AddUserToGroup
With access to the [iam:AddUserToGroup](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/add-user-to-group.html) permission, an adversary can add an IAM user they control to an existing group with more privileges. Although this is not required, it may be helpful to have other permissions in the IAM family to identify other groups and their privileges.

## iam:AttachGroupPolicy
With access to the [iam:AttachGroupPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/attach-group-policy.html) permission, an adversary can attach an IAM policy to a group they are a member of. This potentially includes policies such as AdministratorAccess, which would provide them (surprise) administrator access to the AWS account.

## iam:AttachRolePolicy
With access to the [iam:AttachRolePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/attach-role-policy.html) permission, an adversary can attach an IAM policy to a role they have access to. This potentially includes policies such as AdministratorAccess, which would provide them administrator access to the AWS account.

## iam:AttachUserPolicy
With access to the [iam:AttachUserPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/attach-user-policy.html) permission, an adversary can attach an IAM policy to an IAM user they have access to. This potentially includes policies such as AdministratorAccess, which would provide them administrator access to the AWS account.

## iam:CreateAccessKey
With access to the [iam:CreateAccessKey](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-access-key.html) permission, an adversary can create an IAM Access Key and Secret Access Key for other users. This would allow them to create credentials for more privileged users and have access to their privileges.

![Showing iam:CreateAccessKey](/images/aws/exploitation/iam_privilege_escalation/create_access_key.png)

## iam:CreateLoginProfile
With access to the [iam:CreateLoginProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-login-profile.html) permission, an adversary can create a password for a more privileged IAM user to login to the console as. Note: if a password is already set, you must use [iam:UpdateLoginProfile](/aws/exploitation/iam_privilege_escalation#iamupdateloginprofile) instead.

## iam:CreatePolicyVersion
With access to the [iam:CreatePolicyVersion](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-policy-version.html) permission, an adversary can create a new version of a existing policy with more privilege. If the adversary has access to the principal that policy is attached to, they can elevate their privileges.

## iam:PassRole, cloudformation:CreateStack
With access to the [iam:PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html) and [cloudformation:CreateStack](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudformation/create-stack.html) permissions, an adversary can create a new CloudFormation stack and pass a more privileged role to it. This would allow an adversary to escalate privileges to that more privileged role.

## iam:PassRole, codestar:CreateProject
With access to the [iam:PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html) and [codestar:CreateProject](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/codestar/create-project.html) permissions, an adversary can create a new CodeStar project and pass a more privileged role to it. This would allow an adversary to escalate privileges to that more privileged role including that of an administrator.

## iam:PassRole, datapipeline:ActivatePipeline, datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition
With access to the [iam:PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html), [datapipeline:ActivatePipeline](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/datapipeline/activate-pipeline.html), [datapipeline:CreatePipeline](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/datapipeline/create-pipeline.html), and [datapipeline:PutPipelineDefinition](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/datapipeline/put-pipeline-definition.html) permissions, an adversary can create a new pipeline and pass in a more privileged role. It is worth noting that to do this the AWS account must already contain a role that can be assumed by DataPipeline and that role must have greater privileges (or at least different ones) than the principal the adversary controls.

## iam:PassRole, ec2:RunInstances
With access to the [iam:PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html) and [ec2:RunInstances](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/run-instances.html) permissions, an adversary can create a new EC2 instance and pass a more privileged role to it. It is worth noting that there must already exist a role in the AWS account that can be assumed by the EC2 service.

## iam:PassRole, glue:CreateDevEndpoint
With access to the [iam:PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html) and [glue:CreateDevEndpoint](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/glue/create-dev-endpoint.html) permissions, an adversary can create a new Glue development endpoint and pass in a more privileged role. It is worth noting that to do this the AWS account must already contain a role that can be assumed by Glue and that role must have greater privileges (or at least different ones) than the principal the adversary controls.

## iam:PassRole, lambda:AddPermission, lambda:CreateFunction
With access to the [iam:PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html), [lambda:AddPermission](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html), and [lambda:CreateFunction](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/create-function.html) permissions, an adversary can create a Lambda function with an existing role. This function could then by updated with lambda:AddPermission to allow another principal in another AWS account the permission to invoke it. It is worth noting that the AWS account must already contain a role that can be assumed by Lambda.

## iam:PassRole, lambda:CreateEventSourceMapping, lambda:CreateFunction
With access to the [iam:PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html), [lambda:CreateEventSourceMapping](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/create-event-source-mapping.html), and [lambda:CreateFunction](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/create-function.html) permissions, an adversary can create a Lambda function with an existing privileged role and associating it with a DynamoDB table. Then, when a new record is inserted into the table, the Lambda function will trigger with the privilege of the passed in role.

It is worth noting that the AWS account must already contain a role that can be assumed by Lambda. Additionally, while not required, it may be beneficial to have the [dynamodb:CreateTable](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/dynamodb/create-table.html) and [dynamodb:PutItem](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/dynamodb/put-item.html) permissions to trigger this yourself.

## iam:PassRole, lambda:CreateFunction, lambda:InvokeFunction
With access to the [iam:PassRole](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html), [lambda:CreateFunction](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/create-function.html), and [lambda:InvokeFunction](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/invoke.html) permissions, an adversary can create a new Lambda function and pass an existing role to it. They can then invoke the function allowing them access to the privileges of the role associated with the function. It is worth noting that unless the adversary can create a role, they must use an already existing role that can be assumed by Lambda.

## iam:PutGroupPolicy
With access to the [iam:PutGroupPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/put-group-policy.html) permission, an adversary can create an inline policy for a group they are in and give themselves administrator access to the AWS account.

## iam:PutRolePolicy
With access to the [iam:PutRolePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/put-role-policy.html) permission, an adversary can create an inline policy for a role they have access to and give themselves administrator access to the AWS account.

## iam:PutUserPolicy
With access to the [iam:PutUserPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/put-user-policy.html) permission, an adversary can create an inline policy for a user they have access to and give themselves administrator access to the AWS account.

## iam:SetDefaultPolicyVersion
With access to the [iam:SetDefaultPolicyVersion](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/set-default-policy-version.html) permission, an adversary can revert a policy associated with their principal to a previous version. This is useful for scenarios in which a previous version of a policy had more access than the current version.

## iam:UpdateAssumeRolePolicy
With access to the [iam:UpdateAssumeRolePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-assume-role-policy.html) permission, an adversary can modify the assume-role policy of a role, allowing them to assume it. This is useful to gain access to administrator roles, or other more privileged roles.

## iam:UpdateLoginProfile
With access to the [iam:UpdateLoginProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-login-profile.html) permission, an adversary can change the password of an IAM user. This would allow them to log into the console as that user.

## lambda:UpdateFunctionCode
With access to the [lambda:UpdateFunctionCode](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-code.html) permission, an adversary can modify an existing Lambda function's code. This would allow them to gain access to the privileges of the associated IAM role the next time the function is executed.

## lambda:UpdateFunctionConfiguration
With access to the [lambda:UpdateFunctionConfiguration](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html) permission, an adversary can modify an existing Lambda function's configuration to add a new Lambda Layer. This Layer would then override an existing library and allow an adversary to execute malicious code under the privilege of the role associated with the Lambda function.
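Review bot: the Quick List entry for the Data Pipeline technique reads `iam:PassRole, datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition, datapipeline:ActivatePipeline` while the section heading reads `iam:PassRole, datapipeline:ActivatePipeline, datapipeline:CreatePipeline, datapipeline:PutPipelineDefinition`; the anchor resolves, but the list text should match the heading (every other entry is in alphabetical order) so a reader scanning the list finds the section. A few wording slips in the body: "a new version of a existing policy" (iam:CreatePolicyVersion) should read "an existing policy", "could then by updated with lambda:AddPermission" should read "be updated", and "create a Lambda function with an existing privileged role and associating it with a DynamoDB table" should read "and associate it". The prerequisite caveat is applied inconsistently across the iam:PassRole sections: ec2:RunInstances, glue:CreateDevEndpoint, the Data Pipeline section and the three Lambda sections state that a role the target service can assume must already exist in the account, but cloudformation:CreateStack and codestar:CreateProject do not; repeating the same sentence there keeps the requirement clear. Finally, the front matter describes the page as a catalogue of escalation techniques and the Original Research link is titled with "mitigation", yet no section gives the reader anything to act on defensively; a short closing note that each of these API calls is recorded in CloudTrail, and a pointer to the mitigation guidance in the linked Rhino Security Labs post, would serve the defenders who will also read this page.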

0 comments on commit e665b3b
