AWS - IAM & STS Unauthenticated Enumeration


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Enumerate Roles & Usernames in an account

Assume Role Brute-Force

caution

This technique no longer works; whether the role exists or not, you will always get this error:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::947247140022:user/testenv is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::429217632764:role/account-balanceasdas

You can test this by running:

aws sts assume-role --role-arn arn:aws:iam::412345678909:role/superadmin --role-session-name s3-access-example

Trying to assume a role without the required permissions results in an AWS error message. For example, if you are not authorized, AWS may return:

```
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::012345678901:user/MyUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS
```

This message confirms that the role exists, but indicates that its assume role policy does not allow you to assume it. Conversely, trying to assume a role that does not exist produces a different error:

```
An error occurred (AccessDenied) when calling the AssumeRole operation: Not authorized to perform sts:AssumeRole
```

Interestingly, this way of distinguishing existing from non-existing roles can be used even across different AWS accounts. With a valid AWS account ID and a targeted wordlist, one can enumerate the roles that exist in the account without running into any fundamental restriction.

You can use this script to enumerate potential principals by exploiting this weakness.

Trust Policies: Brute-Force Cross-Account Roles and Users

Configuring or updating an IAM role's trust policy involves defining which AWS resources or services are allowed to assume that role and obtain temporary credentials. If the resource specified in the policy exists, the trust policy is saved successfully. However, if the resource does not exist, an error is returned indicating that an invalid principal was provided.

warning

Note that as that resource you can specify a cross-account role or user:

  • arn:aws:iam::acc_id:role/role_name
  • arn:aws:iam::acc_id:user/user_name

This is an example policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::216825089941:role/Test"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

GUI

This is the error you get if you use a role that does not exist. If the role exists, the policy is saved without errors. (This error is from an update, but the same happens when creating a role.)

CLI

```bash
### You could also use: aws iam update-assume-role-policy
# When it works
aws iam create-role --role-name Test-Role --assume-role-policy-document file://a.json
{
  "Role": {
    "Path": "/",
    "RoleName": "Test-Role",
    "RoleId": "AROA5ZDCUJS3DVEIYOB73",
    "Arn": "arn:aws:iam::947247140022:role/Test-Role",
    "CreateDate": "2022-05-03T20:50:04Z",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::316584767888:role/account-balance"
          },
          "Action": [
            "sts:AssumeRole"
          ]
        }
      ]
    }
  }
}

# When it doesn't work
aws iam create-role --role-name Test-Role2 --assume-role-policy-document file://a.json
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Invalid principal in policy: "AWS":"arn:aws:iam::316584767888:role/account-balanceefd23f2"
```

You can automate this process using https://github.com/carlospolop/aws_tools

  • bash unauth_iam.sh -t user -i 316584767888 -r TestRole -w ./unauth_wordlist.txt

Or using Pacu:

  • run iam__enum_users --role-name admin --account-id 229736458923 --word-list /tmp/names.txt
  • run iam__enum_roles --role-name admin --account-id 229736458923 --word-list /tmp/names.txt
  • The admin role used in the example is a role in your own account that Pacu will impersonate in order to create the policies needed for the enumeration

Privesc

In case the role was misconfigured and allows anyone to assume it:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

an attacker can simply assume it.

Third-Party OIDC Federation

Imagine that you managed to read a GitHub Actions workflow that accesses a role inside AWS.
This trust may give access to a role with the following trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<acc_id>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
```

This trust policy may look correct, but the lack of further conditions should make you distrust it.
This is because the previous role can be assumed by ANYONE from GitHub Actions! You should also specify in the conditions other things such as the org name, repo name, environment, branch...

Another possible misconfiguration is adding a condition like the following:

```json
"StringLike": {
  "token.actions.githubusercontent.com:sub": "repo:org_name*:*"
}
```

Note that the wildcard (*) comes before the colon (:). This means an org such as org_name1 also matches the condition, so the role can be assumed from a GitHub Action running in that org.
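To audit your own roles for the two misconfigurations above (the Privesc section's `"AWS": "*"` principal and the OIDC section's missing or org-wildcarded `:sub` condition), here is an added trust-policy linter. It is example code written for this page, not part of HackTricks or any AWS tool; the account ID and sample policies are constructed, and the `github_trust` helper only exists to build test inputs.

```python
GITHUB_OIDC = "token.actions.githubusercontent.com"


def _as_list(value):
    """IAM accepts a single value or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def lint_trust_policy(policy: dict) -> list:
    """Return the misconfigurations found in a role trust policy (empty list = none found)."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal", {})
        principal = {"AWS": "*"} if principal == "*" else principal  # "Principal": "*" equals "AWS": "*"
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        actions = _as_list(stmt.get("Action"))
        cond = stmt.get("Condition", {})
        # Finding 1: any AWS principal may assume the role and no Condition narrows it down.
        if "*" in _as_list(principal.get("AWS")) and "sts:AssumeRole" in actions and not cond:
            findings.append("AWS:* principal without Condition: any AWS account can assume the role")
        # Findings 2 and 3: GitHub Actions OIDC trust that does not pin the organisation.
        fed = _as_list(principal.get("Federated"))
        if any(GITHUB_OIDC in f for f in fed) and "sts:AssumeRoleWithWebIdentity" in actions:
            sub_values = []
            for kv in cond.values():  # StringEquals, StringLike, ...
                sub_values += _as_list(kv.get(f"{GITHUB_OIDC}:sub"))
            if not sub_values:
                findings.append("GitHub OIDC trust without a :sub condition: any GitHub workflow can assume the role")
            for sub in sub_values:  # expected shape: repo:<org>/<repo>:<environment or ref>
                parts = sub.split(":")
                owner = parts[1] if len(parts) > 1 and parts[0] == "repo" else "*"
                if "*" in owner.split("/")[0]:
                    findings.append(f"wildcard in the org part of :sub {sub!r}: e.g. org_name1 also matches")
    return findings


# Constructed sample policies (not from a real account); OPEN_TO_WORLD mirrors the page's Privesc example.
OPEN_TO_WORLD = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}


def github_trust(sub_value=None):
    """Constructed GitHub Actions OIDC trust policy; sub_value=None leaves out the :sub condition."""
    cond = {"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}}
    if sub_value:
        cond["StringLike"] = {f"{GITHUB_OIDC}:sub": sub_value}
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
            "Action": "sts:AssumeRoleWithWebIdentity", "Condition": cond}]}
```

In practice you would feed `lint_trust_policy` the `AssumeRolePolicyDocument` returned by `aws iam get-role` for each role in the account.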

