CloudGoat walkthrough series: IAM privilege escalation by rollback

This is the first in the walkthrough series of the CloudGoat scenarios. CloudGoat is a “vulnerable by design” AWS deployment tool designed by Rhino Security Labs. It is used to deploy a vulnerable set of AWS resources and designed to teach and test cloud security penetration testing via issues commonly seen in real-life environments.

This walkthrough assumes you have CloudGoat set up on your Kali Linux. You can use our post, Working with CloudGoat: The “vulnerable by design” AWS environment as a guide in deploying it.

Scenario summary

This scenario starts with an IAM user “Raynor” with limited privileges. The attacker is able to review previous IAM policy versions and restore one which allows full admin privileges, resulting in a privilege escalation exploit.

The goal of the scenario is to acquire full administrative privileges in the AWS account.


To deploy the resources for each scenario on AWS:

./ create iam_privesc_by_rollback

Without Pacu Enumerate the policies and permissions attached to the user “Raynor” and see what privileges the user has.

Running the below revealed nothing.

aws iam list-user-policies –-user-name <insert username here> –profile <insert profile name here>

list-user-policies: Lists the names of inline policies embedded in

Read More: