AWS - STS Persistence

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

STS

Za više informacija pogledajte:

AWS - STS Enum

Assume role token

Privremeni tokeni se ne mogu izlistati, tako da održavanje aktivnog privremenog tokena predstavlja način za persistence.

aws sts get-session-token --duration-seconds 129600

# With MFA
aws sts get-session-token \
--serial-number  \
--token-code 

# Hardware device name is usually the number from the back of the device, such as GAHT12345678
# SMS device name is the ARN in AWS, such as arn:aws:iam::123456789012:sms-mfa/username
# Vritual device name is the ARN in AWS, such as arn:aws:iam::123456789012:mfa/username


Role Chain Juggling


Role chaining is an acknowledged AWS feature, često se koristi za održavanje stealth persistence-a. Podrazumeva mogućnost da assume a role which then assumes another, pri čemu se potencijalno može vratiti na početnu ulogu u cyclical manner. Svaki put kada se uloga preuzme, polje za isteka credentials-a se osvežava. Kao posledica, ako su dve uloge konfigurisane da međusobno assume-ju jedna drugu, ova postavka omogućava stalno obnavljanje credentials-a.


You can use this tool to keep the role chaining going:


./aws_role_juggler.py -h
usage: aws_role_juggler.py [-h] [-r ROLE_LIST [ROLE_LIST ...]]

optional arguments:
-h, --help            show this help message and exit
-r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]





Caution


Imajte na umu da skripta find_circular_trust.py iz tog Github repozitorijuma ne pronalazi sve načine na koje se lanac uloga može konfigurisati.





Kod za izvođenje Role Juggling pomoću PowerShell-a
```bash
# PowerShell script to check for role juggling possibilities using AWS CLI

Check for AWS CLI installation


if (-not (Get-Command “aws” -ErrorAction SilentlyContinue)) {
Write-Error “AWS CLI is not installed. Please install it and configure it with ‘aws configure’.”
exit
}


Function to list IAM roles


function List-IAMRoles {
aws iam list-roles –query “Roles[*].{RoleName:RoleName, Arn:Arn}” –output json
}


Initialize error count


$errorCount = 0


List all roles


$roles = List-IAMRoles | ConvertFrom-Json


Attempt to assume each role


foreach ($role in $roles) {
$sessionName = “RoleJugglingTest-” + (Get-Date -Format FileDateTime)
try {
$credentials = aws sts assume-role –role-arn $role.Arn –role-session-name $sessionName –query “Credentials” –output json 2>$null | ConvertFrom-Json
if ($credentials) {
Write-Host “Successfully assumed role: $($role.RoleName)”
Write-Host “Access Key: $($credentials.AccessKeyId)”
Write-Host “Secret Access Key: $($credentials.SecretAccessKey)”
Write-Host “Session Token: $($credentials.SessionToken)”
Write-Host “Expiration: $($credentials.Expiration)”


Set temporary credentials to assume the next role


$env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId
$env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey
$env:AWS_SESSION_TOKEN = $credentials.SessionToken


Try to assume another role using the temporary credentials


foreach ($nextRole in $roles) {
if ($nextRole.Arn -ne $role.Arn) {
$nextSessionName = “RoleJugglingTest-” + (Get-Date -Format FileDateTime)
try {
$nextCredentials = aws sts assume-role –role-arn $nextRole.Arn –role-session-name $nextSessionName –query “Credentials” –output json 2>$null | ConvertFrom-Json
if ($nextCredentials) {
Write-Host “Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)”
Write-Host “Access Key: $($nextCredentials.AccessKeyId)”
Write-Host “Secret Access Key: $($nextCredentials.SecretAccessKey)”
Write-Host “Session Token: $($nextCredentials.SessionToken)”
Write-Host “Expiration: $($nextCredentials.Expiration)”
}
} catch {
$errorCount++
}
}
}


Reset environment variables


Remove-Item Env:\AWS_ACCESS_KEY_ID
Remove-Item Env:\AWS_SECRET_ACCESS_KEY
Remove-Item Env:\AWS_SESSION_TOKEN
} else {
$errorCount++
}
} catch {
$errorCount++
}
}


Output the number of errors if any


if ($errorCount -gt 0) {
Write-Host “$errorCount error(s) occurred during role assumption attempts.”
} else {
Write-Host “No errors occurred. All roles checked successfully.”
}


Write-Host “Role juggling check complete.”


</details>

> [!TIP]
> Učite i vežbajte AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Učite i vežbajte GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Učite i vežbajte Azure Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Podržite HackTricks</summary>
>
> - Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
> - **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.
>
> </details>