AWS - STS Persistence

Tip

Aprende y practica AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Aprende y practica GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Aprende y practica Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Apoya a HackTricks

STS

Para más información consulta:

AWS - STS Enum

Assume role token

Los tokens temporales no pueden listarse, por lo que mantener un token temporal activo es una forma de mantener persistencia.

aws sts get-session-token --duration-seconds 129600

# With MFA
aws sts get-session-token \
--serial-number  \
--token-code 

# Hardware device name is usually the number from the back of the device, such as GAHT12345678
# SMS device name is the ARN in AWS, such as arn:aws:iam::123456789012:sms-mfa/username
# Vritual device name is the ARN in AWS, such as arn:aws:iam::123456789012:mfa/username


Role Chain Juggling


Role chaining is an acknowledged AWS feature, a menudo utilizado para mantener persistencia sigilosa. Implica la capacidad de assume a role which then assumes another, potencialmente regresando al role inicial de manera cyclical manner. Cada vez que se asume un role, el campo de expiración de las credentials se renueva. En consecuencia, si dos roles están configurados para asumirse mutuamente, esta configuración permite la renovación perpetua de las credentials.


You can use this tool to keep the role chaining going:


./aws_role_juggler.py -h
usage: aws_role_juggler.py [-h] [-r ROLE_LIST [ROLE_LIST ...]]

optional arguments:
-h, --help            show this help message and exit
-r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]





Caution


Tenga en cuenta que el script find_circular_trust.py de ese repositorio de Github no encuentra todas las formas en que se puede configurar una cadena de roles.





Código para realizar Role Juggling desde PowerShell
```bash
# PowerShell script to check for role juggling possibilities using AWS CLI

Check for AWS CLI installation


if (-not (Get-Command “aws” -ErrorAction SilentlyContinue)) {
Write-Error “AWS CLI is not installed. Please install it and configure it with ‘aws configure’.”
exit
}


Function to list IAM roles


function List-IAMRoles {
aws iam list-roles –query “Roles[*].{RoleName:RoleName, Arn:Arn}” –output json
}


Initialize error count


$errorCount = 0


List all roles


$roles = List-IAMRoles | ConvertFrom-Json


Attempt to assume each role


foreach ($role in $roles) {
$sessionName = “RoleJugglingTest-” + (Get-Date -Format FileDateTime)
try {
$credentials = aws sts assume-role –role-arn $role.Arn –role-session-name $sessionName –query “Credentials” –output json 2>$null | ConvertFrom-Json
if ($credentials) {
Write-Host “Successfully assumed role: $($role.RoleName)”
Write-Host “Access Key: $($credentials.AccessKeyId)”
Write-Host “Secret Access Key: $($credentials.SecretAccessKey)”
Write-Host “Session Token: $($credentials.SessionToken)”
Write-Host “Expiration: $($credentials.Expiration)”


Set temporary credentials to assume the next role


$env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId
$env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey
$env:AWS_SESSION_TOKEN = $credentials.SessionToken


Try to assume another role using the temporary credentials


foreach ($nextRole in $roles) {
if ($nextRole.Arn -ne $role.Arn) {
$nextSessionName = “RoleJugglingTest-” + (Get-Date -Format FileDateTime)
try {
$nextCredentials = aws sts assume-role –role-arn $nextRole.Arn –role-session-name $nextSessionName –query “Credentials” –output json 2>$null | ConvertFrom-Json
if ($nextCredentials) {
Write-Host “Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)”
Write-Host “Access Key: $($nextCredentials.AccessKeyId)”
Write-Host “Secret Access Key: $($nextCredentials.SecretAccessKey)”
Write-Host “Session Token: $($nextCredentials.SessionToken)”
Write-Host “Expiration: $($nextCredentials.Expiration)”
}
} catch {
$errorCount++
}
}
}


Reset environment variables


Remove-Item Env:\AWS_ACCESS_KEY_ID
Remove-Item Env:\AWS_SECRET_ACCESS_KEY
Remove-Item Env:\AWS_SESSION_TOKEN
} else {
$errorCount++
}
} catch {
$errorCount++
}
}


Output the number of errors if any


if ($errorCount -gt 0) {
Write-Host “$errorCount error(s) occurred during role assumption attempts.”
} else {
Write-Host “No errors occurred. All roles checked successfully.”
}


Write-Host “Role juggling check complete.”


</details>

> [!TIP]
> Aprende y practica AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://hacktricks-training.com/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Aprende y practica GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://hacktricks-training.com/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Aprende y practica Az Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://hacktricks-training.com/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Apoya a HackTricks</summary>
>
> - Consulta los [**subscription plans**](https://github.com/sponsors/carlospolop)!
> - **Únete al** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) o al [**telegram group**](https://t.me/peass) o **síguenos** en **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Comparte trucos de hacking enviando PRs a los** [**HackTricks**](https://github.com/carlospolop/hacktricks) y [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
>
> </details>