AWS - STS Post Exploitation
STS
For more information:
pageAWS - IAM, Identity Center & SSO EnumFrom IAM Creds to Console
If you have managed to obtain some IAM credentials you might be interested on accessing the web console using the following tools.
Note that the the user/role must have the permission sts:GetFederationToken
.
Custom script
The following script will use the default profile and a default AWS location (not gov and not cn) to give you a signed URL you can use to login inside the web console:
aws_consoler
You can generate a web console link with https://github.com/NetSPI/aws_consoler.
Ensure the IAM user has sts:GetFederationToken
permission, or provide a role to assume.
aws-vault
aws-vault is a tool to securely store and access AWS credentials in a development environment.
You can also use aws-vault to obtain an browser console session
From Console to IAM Creds
Originally discovered in this post, If you manage to compromise some access to a web console (maybe you stole cookies and could't access the .aws folder), you can obtain some IAM token credentials for that user through CloudShell.
CloudShell exposes IAM credentials via an undocumented endpoint on port 1338. After loading session cookies from the victim into your browser, you can navigate to CloudShell and issue the following commands to get IAM credentials.
Last updated