CloudGoat walkthrough series: IAM privilege escalation by attachment

This is the fourth in the walkthrough of the CloudGoat scenarios. CloudGoat is a “vulnerable by design” deployment tool designed by Rhino Labs. It is used to deploy a vulnerable set of AWS resources and is designed to teach and test penetration testing via issues commonly seen in real-life environments.

This walkthrough assumes you have CloudGoat set up on your Kali Linux. You can use our post on Working with CloudGoat: The “Vulnerable by Design” AWS Environment as a guide in deploying it.

Scenario summary

The scenario starts with an IAM user, Kerrigan, with limited set of permissions. The attacker is able to leverage the instance-profile-attachment permissions to create a new EC2 instance with significantly greater privileges than their own. With access to this new EC2 instance, the attacker gains full administrative powers within the target account.

Goal: Delete the “cg-super-critical security-server”.


To deploy the resources for each scenario on AWS:

./ create iam_privesc_by_attachment

1. Deploying the resources gives the access key and secret key for Kerrigan. [CLICK IMAGES TO ENLARGE]

2. Save the credential to a profile — Kerrigan.

aws configure –profile Kerrigan

3. Perform reconnaissance on the user

Read More: