Level 6: IAM Misconfigurations
Task
For this final challenge, you're getting a user access key that has the SecurityAudit policy attached to it. See what else it can do and what else you might find in this AWS account.
Access key ID: AKIAJFQ6E7BY57Q3OBGA Secret: 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
Resolution
The first thing we need to do is set up another AWS CLI profile with the provided key by editing the credentials file:
sudo vim ~/.aws/credentials
Once the profile is configured, we check our identity and some of our details.
Now that we know our name, let's see which policies we can access.
SecurityAudit is an AWS managed policy, while list_apigateways is a customer-managed (custom) policy. Let's focus on the latter for now. Having its ARN, we can get the version ID:
With the version ID and ARN, we can see the current policy:
As we can see, this policy allows us to call "apigateway:GET" on "arn:aws:apigateway:us-west-3::/restapis/*".
Now we can list all the Lambda functions.
This shows that there is a function called Level6, and SecurityAudit allows us to execute it:
We can see that "s33ppypa75" is a rest-api-id, which can be used with another attached policy:
Finally, it indicates that the stageName is "Prod", so if we navigate to:
https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6
We will see the following:
And if we access that link...
Lesson Learned
It is common to give people and entities read-only permissions such as the SecurityAudit policy. The ability to read your own and others' IAM policies can really help an attacker figure out what exists in your environment and look for weaknesses and mistakes.
Avoiding the mistake
Don't hand out any permissions liberally, even permissions that only let you read metadata or discover what your own permissions are.
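The read-only chain walked through above (identity lookup, IAM policy reads, Lambda listing and policy read, API Gateway stage read) leaves a recognisable trail in CloudTrail. The following is an added detection example written for this write-up, not code from the challenge or its author: it groups CloudTrail events by access key and raises an alert when a single key touches several distinct services with enumeration-style read calls inside a short window. The event records, access key IDs and timestamps are constructed for illustration; the service/event-name table is an assumption about which calls to treat as reconnaissance and should be tuned to your environment.

```python
"""
Added example (not part of the original write-up): flag the read-only
reconnaissance pattern described above in CloudTrail events.
All event records below are constructed; access key IDs are placeholders.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Read-only calls that, chained together, reveal how an account is wired.
# Keys are CloudTrail eventSource values; values are normalised eventNames.
# This table is an assumption for the example, not an AWS-provided list.
RECON_FAMILIES = {
    "sts.amazonaws.com": {"GetCallerIdentity"},
    "iam.amazonaws.com": {"GetUser", "ListAttachedUserPolicies",
                          "GetPolicy", "GetPolicyVersion", "ListPolicies"},
    "lambda.amazonaws.com": {"ListFunctions", "GetPolicy", "GetFunction"},
    "apigateway.amazonaws.com": {"GetRestApis", "GetStages", "GetResources"},
}

# Some services log an API-version suffix, e.g. "ListFunctions20150331".
_VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")


def normalize_event_name(name: str) -> str:
    """Strip a trailing API-version suffix so names compare cleanly."""
    return _VERSION_SUFFIX.sub("", name)


def classify(event: dict) -> Optional[str]:
    """Return the service an event belongs to if it is a recon-style read."""
    source = event.get("eventSource", "")
    name = normalize_event_name(event.get("eventName", ""))
    if name in RECON_FAMILIES.get(source, set()):
        return source
    return None


def detect_recon(events, window_minutes=15, min_families=3):
    """
    Group recon-classified events by access key and alert when one key hits
    at least `min_families` distinct services within `window_minutes`.
    Returns one alert dict per offending key, describing the triggering window.
    """
    by_key = defaultdict(list)
    for ev in events:
        family = classify(ev)
        if family is None:
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_key[key].append((ts, family, normalize_event_name(ev["eventName"])))

    alerts = []
    window = timedelta(minutes=window_minutes)
    for key, hits in by_key.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits within the limit.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            in_window = hits[start:end + 1]
            families = {h[1] for h in in_window}
            if len(families) >= min_families:
                alerts.append({
                    "accessKeyId": key,
                    "first_seen": in_window[0][0].isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                    "services": sorted(families),
                    "calls": [h[2] for h in in_window],
                })
                break  # one alert per key is enough for triage
    return alerts


def _event(time, source, name, key):
    """Build a minimal constructed CloudTrail record."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key}}


# Constructed sample log: one key walks the chain from the write-up,
# another only performs routine single-service reads.
SAMPLE_EVENTS = [
    _event("2024-01-01T10:00:05Z", "sts.amazonaws.com", "GetCallerIdentity", "AKIAEXAMPLERECON"),
    _event("2024-01-01T10:00:40Z", "iam.amazonaws.com", "ListAttachedUserPolicies", "AKIAEXAMPLERECON"),
    _event("2024-01-01T10:01:10Z", "iam.amazonaws.com", "GetPolicyVersion", "AKIAEXAMPLERECON"),
    _event("2024-01-01T10:02:30Z", "lambda.amazonaws.com", "ListFunctions20150331", "AKIAEXAMPLERECON"),
    _event("2024-01-01T10:03:00Z", "lambda.amazonaws.com", "GetPolicy20150331v2", "AKIAEXAMPLERECON"),
    _event("2024-01-01T10:04:15Z", "apigateway.amazonaws.com", "GetStages", "AKIAEXAMPLERECON"),
    _event("2024-01-01T10:00:00Z", "lambda.amazonaws.com", "ListFunctions20150331", "AKIAEXAMPLEDEPLOY"),
    _event("2024-01-01T10:00:30Z", "lambda.amazonaws.com", "GetFunction20150331v2", "AKIAEXAMPLEDEPLOY"),
    _event("2024-01-01T12:00:00Z", "iam.amazonaws.com", "GetUser", "AKIAEXAMPLEDEPLOY"),
]

if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

The threshold of three services inside fifteen minutes is a starting point; a deployment role that legitimately lists Lambda functions and reads one policy stays under it, while the identity, IAM, Lambda and API Gateway sweep above trips it on the fourth call. Pairing this with an alert on GetPolicyVersion by principals that never normally read IAM gives a cheaper first signal.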