AWS - STS Persistence

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

STS

Kwa taarifa zaidi angalia:

AWS - STS Enum

Assume role token

Temporary tokens haiwezi kuorodheshwa, hivyo kudumisha temporary token inayofanya kazi ni njia ya kudumisha persistence.

aws sts get-session-token --duration-seconds 129600

# With MFA
aws sts get-session-token \
--serial-number  \
--token-code 

# Hardware device name is usually the number from the back of the device, such as GAHT12345678
# SMS device name is the ARN in AWS, such as arn:aws:iam::123456789012:sms-mfa/username
# Vritual device name is the ARN in AWS, such as arn:aws:iam::123456789012:mfa/username


Role Chain Juggling


Role chaining is an acknowledged AWS feature, mara nyingi hutumika katika kudumisha stealth persistence. Inahusisha uwezo wa assume a role which then assumes another, na inaweza kurudi kwa role ya awali kwa cyclical manner. Kila mara role inapochukuliwa (assumed), uwanja wa muda wa kuisha wa credentials unasasishwa. Kwa hivyo, ikiwa roles mbili zimewekwa ili kuchukua kila mmoja, usanidi huu unaruhusu kuvusea credentials kwa mfululizo.


Unaweza kutumia tool ili kuendelea na role chaining:


./aws_role_juggler.py -h
usage: aws_role_juggler.py [-h] [-r ROLE_LIST [ROLE_LIST ...]]

optional arguments:
-h, --help            show this help message and exit
-r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]





Caution


Kumbuka kwamba find_circular_trust.py script kutoka kwenye Github repository hiyo haitambui njia zote ambazo role chain inaweza kusanidiwa.





Msimbo wa kufanya Role Juggling kutoka PowerShell
```bash
# PowerShell script to check for role juggling possibilities using AWS CLI

Check for AWS CLI installation


if (-not (Get-Command “aws” -ErrorAction SilentlyContinue)) {
Write-Error “AWS CLI is not installed. Please install it and configure it with ‘aws configure’.”
exit
}


Function to list IAM roles


function List-IAMRoles {
aws iam list-roles –query “Roles[*].{RoleName:RoleName, Arn:Arn}” –output json
}


Initialize error count


$errorCount = 0


List all roles


$roles = List-IAMRoles | ConvertFrom-Json


Attempt to assume each role


foreach ($role in $roles) {
$sessionName = “RoleJugglingTest-” + (Get-Date -Format FileDateTime)
try {
$credentials = aws sts assume-role –role-arn $role.Arn –role-session-name $sessionName –query “Credentials” –output json 2>$null | ConvertFrom-Json
if ($credentials) {
Write-Host “Successfully assumed role: $($role.RoleName)”
Write-Host “Access Key: $($credentials.AccessKeyId)”
Write-Host “Secret Access Key: $($credentials.SecretAccessKey)”
Write-Host “Session Token: $($credentials.SessionToken)”
Write-Host “Expiration: $($credentials.Expiration)”


Set temporary credentials to assume the next role


$env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId
$env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey
$env:AWS_SESSION_TOKEN = $credentials.SessionToken


Try to assume another role using the temporary credentials


foreach ($nextRole in $roles) {
if ($nextRole.Arn -ne $role.Arn) {
$nextSessionName = “RoleJugglingTest-” + (Get-Date -Format FileDateTime)
try {
$nextCredentials = aws sts assume-role –role-arn $nextRole.Arn –role-session-name $nextSessionName –query “Credentials” –output json 2>$null | ConvertFrom-Json
if ($nextCredentials) {
Write-Host “Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)”
Write-Host “Access Key: $($nextCredentials.AccessKeyId)”
Write-Host “Secret Access Key: $($nextCredentials.SecretAccessKey)”
Write-Host “Session Token: $($nextCredentials.SessionToken)”
Write-Host “Expiration: $($nextCredentials.Expiration)”
}
} catch {
$errorCount++
}
}
}


Reset environment variables


Remove-Item Env:\AWS_ACCESS_KEY_ID
Remove-Item Env:\AWS_SECRET_ACCESS_KEY
Remove-Item Env:\AWS_SESSION_TOKEN
} else {
$errorCount++
}
} catch {
$errorCount++
}
}


Output the number of errors if any


if ($errorCount -gt 0) {
Write-Host “$errorCount error(s) occurred during role assumption attempts.”
} else {
Write-Host “No errors occurred. All roles checked successfully.”
}


Write-Host “Role juggling check complete.”


</details>

> [!TIP]
> Jifunze na fanya mazoezi ya AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Jifunze na fanya mazoezi ya GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Jifunze na fanya mazoezi ya Azure Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Support HackTricks</summary>
>
> - Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
> - **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
>
> </details>