
Beginner's Guide to hunting for AWS IAM Privilege Escalations with Pacu

Join us as we get started with using Pacu - an AWS exploitation framework created by Rhino Security Labs that is designed for testing the security of Amazon Web Services environments.

Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments. It uses a range of plug-in modules to assist penetration testers and red teamers in enumeration, privilege escalation, data exfiltration, service exploitation, and log manipulation within AWS environments. It's also a valuable tool for blue teamers to better understand their environments!

 

Ride-along scenario 😎

 

As a new Security Engineer at Huge Logistics, you're tasked with reviewing the IAM (Identity and Access Management) policy attached to an IAM user in a specific AWS (Amazon Web Services) account. The IAM user's custom policy was observed to grant excessive permissions, and the manager has asked the security team to analyze the policy to understand how a malicious actor, including an employee, could exploit it. You need to identify misconfigurations and excessive permissions and assess the possibility of privilege escalation.

 

There are two IAM users that we need to create in our AWS account:

  1. IAM user Dave with AdministratorAccess permissions
  2. IAM user Bob with a custom IAM policy attached

 

The terraform code on GitHub creates the two IAM users. AWS keys are created for one of the IAM users (Bob).

 


After cloning the repository we can rename it to e.g. pacu. Checking the terraform file IAM privesc.tf we see that it contains the following custom IAM policy that will be attached to the IAM user named bob.

 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "iam:Get*",
                "iam:List*",
                "iam:Put*",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*"
        }
    ]
}

 

We need to edit the Terraform file in the cloned repository to reference our own AWS profile. First we can run the command below to create a new profile named pwnedlabs that we can use for this lab. Note that the credentials you provide should have administrator access in your AWS account.

$ aws configure --profile pwnedlabs

 

Then edit the provider block in the Terraform file so that it references the pwnedlabs profile, as shown below.

 

 

Next, run the Terraform commands below to provision the lab scenario and create the users.


$ terraform init
$ terraform plan
$ terraform apply -auto-approve 

 

We confirm in the AWS console that the users have been created.

 


Run the commands below in the terminal to output the keys for Bob.

$ terraform output -raw access_key_id
$ terraform output -raw secret_access_key


 

 

💡 We could also have changed the Terraform code so that it outputs the credentials directly to the terminal.

With the output value written as below, the secret is not displayed in the terminal after running terraform apply (an output that references a sensitive value must itself be marked sensitive = true, which is why terraform output -raw is needed to read it), but it is still stored in plaintext in the terraform.tfstate file:

value     = aws_iam_access_key.bob_user_key.secret


Wrapped in nonsensitive(), the secret is displayed in the terminal after running terraform apply (and is still stored in plaintext in terraform.tfstate):

value       = nonsensitive(aws_iam_access_key.bob_user_key.secret)



Installing Pacu 🦈

 

Run the commands below to install Pacu.

$ mkdir pacu && cd pacu
$ pip3 install virtualenv
$ virtualenv venv
$ source venv/bin/activate
$ pip3 install pacu

 

Then start Pacu by running the pacu command.




We can provide a name for the session, e.g. pwnedlabs.

 


Now we can set the AWS access keys that we retrieved for the Bob IAM user with set_keys.

 


It's possible in a security assessment that we will compromise different identities, so at any point we can run the whoami command to show details about our current user, including the access key ID and secret key.




We can run the command ls to return a categorized list of all Pacu commands. Pacu is a comprehensive offensive AWS framework and has a lot of commands!


 

If we don't care too much about being noisy in an environment and just want to scan for potential IAM privilege escalation vectors, we can run the command iam__privesc_scan . Run help iam__privesc_scan to view information about the command. We see that "[t]his module will scan for permission misconfigurations to see where privilege escalation will be possible. Available attack paths will be presented to the user and executed on if chosen."


Examining the code for the iam__privesc_scan module we see a long list of checks covering IAM misconfigurations of various AWS services.

https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/iam__privesc_scan/main.py


Execute the run iam__privesc_scan command to scan for permission misconfigurations in the environment and see what vectors might be available. Select "y" when prompted to run the module iam__enum_permissions.

 

The permissions are checked and it returns a privilege escalation vector! The iam:Put* wildcard matches iam:PutUserPolicy (and also iam:PutGroupPolicy and iam:PutRolePolicy), which adds or updates an inline policy document embedded in the specified IAM user, allowing us to grant ourselves any permissions we like 💥
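To see what a check like iam__privesc_scan actually does with a policy document, here is an added Python example (not Pacu's code and not part of the original post). It expands the Action wildcards in Bob's policy against a short, constructed list of privesc-enabling IAM actions and reports which ones are reachable, and runs the same check against a hypothetical least-privilege rewrite of the policy with iam:Put* removed. The PRIVESC_ACTIONS list and HARDENED_POLICY are assumptions made for this example; Pacu's real module covers far more actions and services.

```python
import fnmatch

# Bob's custom policy, copied from the lab's Terraform file. The iam:Put*
# wildcard is the line that makes this escalatable.
BOB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "iam:Get*",
                "iam:List*",
                "iam:Put*",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy",
            ],
            "Resource": "*",
        }
    ],
}

# Hypothetical least-privilege rewrite for this example (not from the lab):
# the read and simulate actions a policy reviewer needs, and no write actions.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadAndSimulateOnly",
            "Effect": "Allow",
            "Action": [
                "iam:Get*",
                "iam:List*",
                "iam:SimulateCustomPolicy",
                "iam:SimulatePrincipalPolicy",
            ],
            "Resource": "*",
        }
    ],
}

# A small subset of the IAM actions Pacu's iam__privesc_scan looks for, each
# mapped to the escalation it enables. Constructed for this example; the real
# module checks many more actions and other services.
PRIVESC_ACTIONS = {
    "iam:PutUserPolicy": "add an admin inline policy to our own user",
    "iam:PutGroupPolicy": "add an admin inline policy to a group we are in",
    "iam:PutRolePolicy": "add an admin inline policy to a role we can assume",
    "iam:AttachUserPolicy": "attach AdministratorAccess to our own user",
    "iam:CreateAccessKey": "mint keys for a more privileged user",
    "iam:CreatePolicyVersion": "publish a permissive version of an attached policy",
    "iam:SetDefaultPolicyVersion": "switch an attached policy to a permissive version",
    "iam:UpdateAssumeRolePolicy": "make a privileged role assumable by us",
}


def _as_list(value):
    # IAM accepts either a single string or a list in Action/NotAction/Statement.
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, candidates):
    """Return the candidate actions this policy allows.

    Mirrors the parts of IAM evaluation that matter here: action names are
    matched case-insensitively with '*' and '?' wildcards, NotAction inverts
    the match, and an explicit Deny beats any Allow. Resource and Condition
    scoping are deliberately ignored, so this over-approximates what a
    scanner would report.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" in stmt:
            patterns = [p.lower() for p in _as_list(stmt["Action"])]
            hits = {a for a in candidates
                    if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        else:
            patterns = [p.lower() for p in _as_list(stmt.get("NotAction", []))]
            hits = {a for a in candidates
                    if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return allowed - denied


def privesc_vectors(policy):
    """Map each reachable privesc action to the escalation it enables."""
    return {a: PRIVESC_ACTIONS[a]
            for a in sorted(allowed_actions(policy, PRIVESC_ACTIONS))}


if __name__ == "__main__":
    for name, policy in (("bob", BOB_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {privesc_vectors(policy) or 'no privesc vectors found'}")
```

Bob's policy reports the three iam:Put* vectors, and the hardened rewrite reports none. Note what the check does not evaluate: a statement scoped to a specific Resource or guarded by a Condition could make a reported action unusable in practice, which is why Pacu goes on to confirm a vector by attempting it rather than trusting the policy text alone.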

 

 

Press n or enter to skip adding a policy to a group, and Pacu will attempt to add an administrator policy to the current user. Privilege escalation was successful!

 




Running the whoami command again, we observe that the permissions have been escalated for our user Bob: the newly added policy allows all actions on all resources.

 

 

Navigating to the IAM console page and clicking on Bob, we see a new custom inline IAM policy has been created and attached to the user, that gives them administrative access to all resources.

 

 

Based on the custom policy assigned to the Bob IAM user, Pacu was able to escalate the privileges of the IAM user Bob to administrator-level access. This was achieved with the iam:PutUserPolicy action, which directly attaches an inline policy to the user.
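From the defender's side, that same action is what you hunt for in CloudTrail. The following added Python example (not from the post and not Pacu's code) triages constructed PutUserPolicy, PutGroupPolicy and PutRolePolicy records: it rates a call highest when an IAM user writes a full-admin inline policy onto itself, as Pacu just did for Bob, lower when an administrator hands the same thing to someone else, and ignores calls that failed. The event values (user names, the account ID, policy names and documents) are made up for the example; the field layout follows the CloudTrail record format.

```python
import json
from urllib.parse import unquote

# Which request parameter names the target of each inline-policy write.
INLINE_POLICY_WRITES = {
    "PutUserPolicy": "userName",
    "PutGroupPolicy": "groupName",
    "PutRolePolicy": "roleName",
}

# Constructed policy documents, as CloudTrail logs them (a JSON string).
ADMIN_DOC = json.dumps({"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})
S3_READ_DOC = json.dumps({"Version": "2012-10-17",
                          "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                         "Resource": "arn:aws:s3:::reports-bucket/*"}]})


def _iam_user(name):
    # Constructed userIdentity block; 123456789012 is a placeholder account ID.
    return {"type": "IAMUser", "userName": name,
            "arn": f"arn:aws:iam::123456789012:user/{name}"}


def _event(actor, name, target, doc, error=None):
    # Build a minimal constructed CloudTrail record for this example.
    event = {"eventSource": "iam.amazonaws.com", "eventName": name,
             "userIdentity": _iam_user(actor),
             "requestParameters": {INLINE_POLICY_WRITES[name]: target,
                                   "policyName": "inline-policy", "policyDocument": doc}}
    if error:
        event["errorCode"] = error
    return event


# Constructed sample log: values are made up, layout mirrors CloudTrail.
EVENTS = [
    _event("bob", "PutUserPolicy", "bob", ADMIN_DOC),                   # Bob escalating himself
    _event("dave", "PutUserPolicy", "alice", S3_READ_DOC),              # admin granting narrow access
    _event("dave", "PutUserPolicy", "bob", ADMIN_DOC),                  # admin handing out full admin
    _event("bob", "PutUserPolicy", "bob", ADMIN_DOC, "AccessDenied"),   # blocked attempt
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def grants_full_admin(policy_document):
    """True if any Allow statement grants every action on every resource."""
    doc = policy_document
    if isinstance(doc, str):
        try:
            doc = json.loads(doc)
        except json.JSONDecodeError:
            # Some records carry the document URL-encoded; decode and retry.
            doc = json.loads(unquote(doc))
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action", []))}
        resources = set(_as_list(stmt.get("Resource", [])))
        if actions & {"*", "*:*"} and "*" in resources:
            return True
    return False


def triage(event):
    """Rate one CloudTrail record; 'none' means nothing worth a ticket."""
    name = event.get("eventName")
    if event.get("eventSource") != "iam.amazonaws.com" or name not in INLINE_POLICY_WRITES:
        return {"severity": "none", "reason": "not an inline-policy write"}
    if event.get("errorCode"):
        # A denied call never changed anything; still worth counting elsewhere.
        return {"severity": "none", "reason": f"call failed with {event['errorCode']}"}
    actor = event.get("userIdentity") or {}
    params = event.get("requestParameters") or {}
    target = params.get(INLINE_POLICY_WRITES[name])
    admin = grants_full_admin(params.get("policyDocument", "{}"))
    self_target = (name == "PutUserPolicy" and actor.get("type") == "IAMUser"
                   and actor.get("userName") == target)
    if self_target and admin:
        severity, reason = "high", "IAM user granted itself full admin via inline policy"
    elif admin:
        severity, reason = "medium", "full-admin inline policy written"
    elif self_target:
        severity, reason = "low", "IAM user modified its own inline policy"
    else:
        severity, reason = "none", "scoped policy written by another principal"
    return {"severity": severity, "reason": reason, "event": name,
            "actor": actor.get("userName"), "target": target,
            "policyName": params.get("policyName")}


def scan(events):
    """Return findings for every record rated above 'none', in log order."""
    return [f for f in map(triage, events) if f["severity"] != "none"]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

The self-escalation by Bob comes out as high and Dave's full-admin grant to Bob as medium; Dave's scoped S3 grant and Bob's denied attempt produce no finding. In a real pipeline the denied attempt is still worth a separate count, since a burst of AccessDenied on iam:Put* calls is exactly what a scanner like iam__privesc_scan looks like when it runs against a user who lacks the permission.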

It's important for Huge Logistics, or any company, to implement the principle of least privilege and minimize the risk of unauthorized access or actions within its AWS environment. This means regularly reviewing and adjusting permissions to align with current roles and responsibilities, auditing for and removing unused permissions, avoiding broad wildcards such as iam:Put* in favour of the specific actions a role needs, and using IAM tools and features, such as the IAM policy simulator, to test and refine policies.