CloudGoat walkthrough series: Lambda Privilege Escalation

This is the third post in our walkthrough of CloudGoat scenarios. CloudGoat is a “vulnerable by design” deployment tool from Rhino Labs. It deploys a deliberately vulnerable set of AWS resources and is meant for teaching and testing penetration testing against issues commonly seen in real-life environments.

This walkthrough assumes you have CloudGoat set up on your Kali Linux machine. You can use our Working with CloudGoat: The “vulnerable by design” AWS environment post as a guide to deploying it.

Scenario summary

The scenario starts with the IAM user Chris. The attacker discovers that this user can assume a role that has full Lambda access and pass-role permissions, and can then perform privilege escalation to obtain full admin access.

The goal of the scenario is to download the confidential files from the S3 bucket.
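The role described in the summary (full Lambda access together with pass-role permissions) is a pattern a defender can look for in IAM policy documents. The check below is an added example, not code from the original post or from CloudGoat; the action set in RISKY_COMBO, the role names and the sample policies are assumptions constructed for illustration, and NotAction statements are not handled.

```python
import fnmatch

# Action set treated as the risky combination: an assumption for this example.
RISKY_COMBO = ("iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction")

def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def _matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' act as wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def effective_actions(docs, candidates=RISKY_COMBO):
    """Candidates allowed across all policy documents of one role, minus any
    removed by an unconditional Deny on Resource '*'. Allow-side Resource and
    Condition are ignored, so this over-reports rather than under-reports."""
    allowed, denied = set(), set()
    for doc in docs:
        stmts = doc.get("Statement", [])
        for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
            patterns = _as_list(stmt.get("Action"))
            hits = {a for a in candidates
                    if any(_matches(p, a) for p in patterns)}
            if stmt.get("Effect") == "Allow":
                allowed |= hits
            elif (stmt.get("Effect") == "Deny" and "Condition" not in stmt
                  and "*" in _as_list(stmt.get("Resource"))):
                denied |= hits
    return allowed - denied

def find_risky_roles(role_policies):
    """Names of roles whose policies grant every action in RISKY_COMBO."""
    return sorted(name for name, docs in role_policies.items()
                  if effective_actions(docs) == set(RISKY_COMBO))

# Constructed sample data: role names and policies are hypothetical.
SAMPLE_ROLES = {
    "debug-role-example": [{"Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"}]}],
    "readonly-example": [{"Statement":
        {"Effect": "Allow", "Action": ["lambda:Get*", "lambda:List*"], "Resource": "*"}}],
    "guarded-example": [
        {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"Statement": [{"Effect": "Deny", "Action": "iam:passrole", "Resource": "*"}]}],
}

if __name__ == "__main__":
    print(find_risky_roles(SAMPLE_ROLES))
```

Roles flagged here are candidates for review: scoping iam:PassRole to specific role ARNs, or removing it, breaks the combination.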

Walkthrough

To deploy the resources for each scenario on AWS:

./cloudgoat.py create lambda_privesc

1. Deploying the resources gives the access key and secret key for Chris:

2. Save the credential to a profile – Chris:

aws configure --profile Chris

3. Enumerate the policies and permissions attached to the user “Chris” and see what privileges the user

Read More: https://resources.infosecinstitute.com/topic/cloudgoat-walkthrough-lambda-privilege-escalation/