AWS - Directory Services Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Directory Services

For more info about directory services check:

AWS - Directory Services / WorkDocs Enum

`ds:ResetUserPassword`

This permission allows to change the password of any existent user in the Active Directory. By default, the only existent user is Admin.

aws ds reset-user-password --directory-id <id> --user-name Admin --new-password Newpassword123.

AWS Management Console

It's possible to enable an application access URL that users from AD can access to login:

And then grant them an AWS IAM role for when they login, this way an AD user/group will have access over AWS management console:

There isn't apparently any way to enable the application access URL, the AWS Management Console and grant permission

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - Datapipeline Privesc NextAWS - DynamoDB Privesc

Last updated 9 days ago