Senior Penetration Tester | Red Teamer | Global Top 0.1% at TryHackMe and HackTheBox
As a low-privileged user, we compromised multiple other users and moved laterally within the environment. We then found a vulnerable EC2 instance which, when exploited, revealed the credentials for the role of the instance profile, which contained permissions to list and download credentials from a confidential S3 bucket.
We start off as a fairly high-privileged user who can perform multiple IAM and EC2 API calls. Using these permissions, it was possible to obtain full control over the AWS account by creating an EC2 instance with a high-privileged instance profile.
In this video we compromise an EC2 instance's metadata service, obtain credentials that result in exfiltrating sensitive data, and we do all of this while being completely undetected!
Compiled notes I read from additional blogs and posts about GCP penetration testing.
Notes I wrote while reading a blog post written about GCP penetration testing techniques and methodologies by Chris Moberly.
These are my notes for the Hands on AWS Penetration Testing book by Benjamin Caudill and Karl Gilbert.
We start off as a low-privileged user who can perform IAM Get and IAM List on all resources. In addition, this user can assume a role which has lambda:* and iam:PassRole on all resources. Using this permission, it was possible to create a function with another role that had AdministratorAccess attached to it. Therefore, we were able to attach AdministratorAccess on the low-privileged user.
This is the second scenario in the CloudGoat series, and it is the simplest one at the time of writing. We start off as a high-privileged user who can change their defualt policy version. One of the versions of this user's managed policy allows for performing any action on any resource. The user can therefore change their default version to this policy version and obtain Administrator access.
