rootđź’€senseicat:~#
Hack. Eat. Sleep. Repeat!!!
Project maintained by SENSEiXENUS Hosted on GitHub Pages — Theme by mattgraham
Enumeratimg IAM
Vulnerable Lab( Cloudgoat)
- Command
cloudgoat create iam_enum_basics
- Configure bob creds as provided-:
-
Enumerate attached managed policies and read their metadata-:
-
User-:
aws iam list-users --profile bob | jq
- Group-:
aws iam list-groups --profile bob | jq
- Roles-:
aws iam list-roles --profile bob | jq
- Enumerating groups that a specific user belongs to-:
aws iam list-groups-for-user --user-name <u> --profile <p>
- Using query -:
aws iam list-roles --profile <u> --query "Roles[*].[RoleName,Path]" --output table
Roles explanation-: Resource Explorer (Resource discovery and indexing) AWS SUPPORT: (Enabling Support Related Diagnostics and Indexing) Trusted Advisor (Allowing automated health and best practice checks)
Enumerating Policies
- Inline user policies-:
aws iam list-user-policies --user-name <u> --profile <p>
- Managed user policiees-:
aws iam list-attached-user-policies --user-name <u> --profile <p>
- Group/Role policies-:
#Inline group policies
aws iam list-group-policies --group-name <u> --profile <p>
#attached group policies
aws iam list-attached-group-policies --group-name <u> --profile <p>
#Inline role policies
aws iam list-role-policies --role-name <u> --profile <p>
#attached role policies
aws iam list-attached-role-policies --role-name <u> --profile <p>
Examining User Policy Rules
- We exposed that there is one inline and two managed policies for our user
cg-bob-*as well as one one role policy for rolecg-flag4-role-* - Let’s look at the metadata for the policy name and the ARN (Amazon Resource Name) but have not looked at the metadata or policy document.
- Inspecitng a custom managed policy-:
#Metadata about a managed Iam policy
aws iam get-policy --policy-arn <arn> --profile <p>
# Get Json policy document
aws iam get-policy-version --policy-arn <arn> --version-id <v> --profile <p>
Investigating user, role, group inline policy
- Inspecting an inline role policy
aws iam get-user-policy --user-name <u> --policy-name <p> --profile <p>
aws iam get-group-policy --group-name <u> --policy-name <p> --profile <p>
aws iam get-role-policy --role-name <u> --policy-name <p> --profile <p>
- Investigating the metadata-:
aws iam get-role --role-name cg-flag4-role-c --profile bob | jq
aws iam get-user --user-name cg-bob-c --profile bob | jq
aws iam get-group --group-name cg-bob- --profile bob | jq