Pass Role: CloudFormation

Overly Permissive Permission can be abused by a user to perform privileged operations.

Objective: Leverage the policy attached to the student user and attain administrative privileges on the AWS account.


                                                                                                     
┌──(kali㉿kali)-[~]
└─$ aws iam list-attached-user-policies --user-name student
{
    "AttachedPolicies": [
        {
            "PolicyName": "IAMReadOnlyAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
        }
    ]
}
                                                                                                      
┌──(kali㉿kali)-[~]
└─$ aws iam list-user-policies --user-name student
{
    "PolicyNames": [
        "terraform-20230512181254610400000001"
    ]
}
                                                                                                      
┌──(kali㉿kali)-[~]
└─$ aws iam get-user-policy --user-name student --policy-name terraform-20230512181254610400000001
{
    "UserName": "student",
    "PolicyName": "terraform-20230512181254610400000001",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "iam:PassRole",
                    "cloudformation:Describe*",
                    "cloudformation:List*",
                    "cloudformation:Get*",
                    "cloudformation:CreateStack",
                    "cloudformation:UpdateStack",
                    "cloudformation:ValidateTemplate",
                    "cloudformation:CreateUploadBucket"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
}
                                                                                                      
┌──(kali㉿kali)-[~]
└─$ aws iam list-roles                                                                            
{
    "Roles": [
        {
            "Path": "/aws-service-role/ops.apigateway.amazonaws.com/",
            "RoleName": "AWSServiceRoleForAPIGateway",
            "RoleId": "AROA23X2D5M7U63AZG7PK",
            "Arn": "arn:aws:iam::746775112511:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway",
            "CreateDate": "2022-08-16T16:44:28+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "ops.apigateway.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "Description": "The Service Linked Role is used by Amazon API Gateway.",
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/aws-service-role/autoscaling.amazonaws.com/",
            "RoleName": "AWSServiceRoleForAutoScaling",
            "RoleId": "AROA23X2D5M74UFNWJJFQ",
            "Arn": "arn:aws:iam::746775112511:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
            "CreateDate": "2022-08-07T20:59:16+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "autoscaling.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "Description": "Default Service-Linked Role enables access to AWS Services and Resources used or managed by Auto Scaling",
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/aws-service-role/cloudtrail.amazonaws.com/",
            "RoleName": "AWSServiceRoleForCloudTrail",
            "RoleId": "AROA23X2D5M7RNDZNTHL7",
            "Arn": "arn:aws:iam::746775112511:role/aws-service-role/cloudtrail.amazonaws.com/AWSServiceRoleForCloudTrail",
            "CreateDate": "2022-08-04T14:13:48+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "cloudtrail.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/aws-service-role/organizations.amazonaws.com/",
            "RoleName": "AWSServiceRoleForOrganizations",
            "RoleId": "AROA23X2D5M7YFUJWGYUS",
            "Arn": "arn:aws:iam::746775112511:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations",
            "CreateDate": "2022-08-04T14:10:46+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "organizations.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "Description": "Service-linked role used by AWS Organizations to enable integration of other AWS services with Organizations.",
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/aws-service-role/support.amazonaws.com/",
            "RoleName": "AWSServiceRoleForSupport",
            "RoleId": "AROA23X2D5M7QNSNN74XS",
            "Arn": "arn:aws:iam::746775112511:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport",
            "CreateDate": "2022-08-04T14:10:45+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "support.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "Description": "Enables resource access for AWS to provide billing, administrative and support services",
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/aws-service-role/trustedadvisor.amazonaws.com/",
            "RoleName": "AWSServiceRoleForTrustedAdvisor",
            "RoleId": "AROA23X2D5M7USKW64IQJ",
            "Arn": "arn:aws:iam::746775112511:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor",
            "CreateDate": "2022-08-04T14:10:45+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "trustedadvisor.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "Description": "Access for the AWS Trusted Advisor Service to help reduce cost, increase performance, and improve security of your AWS environment.",
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/",
            "RoleName": "lab12CFDeployRole",
            "RoleId": "AROA23X2D5M7WDBZEFLWP",
            "Arn": "arn:aws:iam::746775112511:role/lab12CFDeployRole",
            "CreateDate": "2023-05-12T18:12:54+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "cloudformation.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/",
            "RoleName": "TheOracle",
            "RoleId": "AROA23X2D5M732KK7F4EK",
            "Arn": "arn:aws:iam::746775112511:role/TheOracle",
            "CreateDate": "2022-08-04T14:10:45+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::002763723555:root",
                                "arn:aws:iam::719592403832:root"
                            ]
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        }
    ]
}
            "CreateDate": "2023-05-12T18:12:54+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "cloudformation.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        },
        {
            "Path": "/",
            "RoleName": "TheOracle",
            "RoleId": "AROA23X2D5M732KK7F4EK",
            "Arn": "arn:aws:iam::746775112511:role/TheOracle",
            "CreateDate": "2022-08-04T14:10:45+00:00",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::002763723555:root",
                                "arn:aws:iam::719592403832:root"
                            ]
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            },
            "MaxSessionDuration": 3600
        }
    ]
}
(END)
                                                                                                      
┌──(kali㉿kali)-[~]

                                                                                                      
┌──(kali㉿kali)-[~]
└─$ aws iam list-role-policies --role-name lab12CFDeployRole
{
    "PolicyNames": [
        "terraform-20230512181255112200000003"
    ]
}
                                                                                                      
┌──(kali㉿kali)-[~]
└─$ aws iam get-role-policy --role-name lab12CFDeployRole --policy-name terraform-20230512181255112200000003
{
    "RoleName": "lab12CFDeployRole",
    "PolicyName": "terraform-20230512181255112200000003",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "iam:PutUserPolicy"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
}