CloudGoat walkthrough series: IAM privilege escalation by rollback

This is the first post in the walkthrough series on the CloudGoat scenarios. CloudGoat is a “vulnerable by design” deployment tool designed by Rhino Labs. It deploys a vulnerable set of AWS resources and is designed to teach and test security through issues commonly seen in real-life environments.

This walkthrough assumes you have CloudGoat set up on your Kali. You can use our post, Working with CloudGoat: The “vulnerable by design” AWS environment, as a guide to deploying it.

Scenario summary

This scenario starts with an IAM user “Raynor” with limited privileges. The attacker is able to review previous IAM versions and restore one which allows full admin privileges, resulting in a privilege escalation.

The goal of the scenario is to acquire full administrative privileges in the AWS account.
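
From the defender's side, the condition this scenario relies on can be audited ahead of time. The following is an added example, not part of the original walkthrough or of CloudGoat: it flags non-default managed-policy versions that grant full admin, assuming input shaped like the Policies list from aws iam get-account-authorization-details. The policy name, account ID and statements in SAMPLE are constructed, and only the literal Action "*" on Resource "*" case is matched.

```python
import json

# Constructed sample shaped like the "Policies" list returned by
# `aws iam get-account-authorization-details --filter LocalManagedPolicy`.
# Policy name, account ID and statements are made up for this example.
SAMPLE = json.loads("""
{"Policies": [{
  "PolicyName": "example-user-policy",
  "Arn": "arn:aws:iam::111122223333:policy/example-user-policy",
  "PolicyVersionList": [
    {"VersionId": "v1", "IsDefaultVersion": true, "Document": {"Version": "2012-10-17",
      "Statement": [{"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}},
    {"VersionId": "v2", "IsDefaultVersion": false, "Document": {"Version": "2012-10-17",
      "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}},
    {"VersionId": "v3", "IsDefaultVersion": false, "Document": {"Version": "2012-10-17",
      "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}}
  ]}]}
""")

def _as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def grants_full_admin(document):
    """True if an unconditional Allow statement covers "*" on "*"."""
    for stmt in _as_list(document.get("Statement")):
        # Deny statements and conditional Allows are not counted as admin.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False

def dormant_admin_versions(policies):
    """Return (policy ARN, version id) for non-default versions granting admin."""
    findings = []
    for policy in policies:
        for version in policy.get("PolicyVersionList", []):
            if version.get("IsDefaultVersion"):
                continue  # the active version is covered by normal policy review
            if grants_full_admin(version.get("Document", {})):
                findings.append((policy["Arn"], version["VersionId"]))
    return findings

if __name__ == "__main__":
    for arn, version_id in dormant_admin_versions(SAMPLE["Policies"]):
        print(f"{arn} {version_id}: non-default version grants Action=* on Resource=*")
```

Any version this reports is a candidate for deletion, since a principal permitted to change the policy's default version could make it active again.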


To deploy the resources for each scenario on AWS:

./ create iam_privesc_by_rollback

Without Pacu

Enumerate the policies and permissions attached to the user “Raynor” and see what privileges the user has.

Running the command below revealed nothing.

aws iam list-user-policies --user-name <user-name> --profile <profile>

list-user-policies: Lists the names of inline policies embedded in
