Links

AWS - Directory Services / WorkDocs Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:

Directory Services

AWS Directory Service for Microsoft Active Directory is a managed service that makes it easy to set up, operate, and scale a directory in the AWS Cloud. It is built on actual Microsoft Active Directory and integrates tightly with other AWS services, making it easy to manage your directory-aware workloads and AWS resources. With AWS Managed Microsoft AD, you can use your existing Active Directory users, groups, and policies to manage access to your AWS resources. This can help simplify your identity management and reduce the need for additional identity solutions. AWS Managed Microsoft AD also provides automatic backups and disaster recovery capabilities, helping to ensure the availability and durability of your directory. Overall, AWS Directory Service for Microsoft Active Directory can help you save time and resources by providing a managed, highly available, and scalable Active Directory service in the AWS Cloud.

Options

Directory Services allows to create 5 types of directories:
  • AWS Managed Microsoft AD: Which will run a new Microsoft AD in AWS. You will be able to set the admin password and access the DCs in a VPC.
  • Simple AD: Which will be a Linux-Samba Active Directory–compatible server. You will be able to set the admin password and access the DCs in a VPC.
  • AD Connector: A proxy for redirecting directory requests to your existing Microsoft Active Directory without caching any information in the cloud. It will be listening in a VPC and you need to give credentials to access the existing AD.
  • Amazon Cognito User Pools: This is the same as Cognito User Pools.
  • Cloud Directory: This is the simpest one. A serverless directory where you indicate the schema to use and are billed according to the usage.
AWS Directory services allows to synchronise with your existing on-premises Microsoft AD, run your own one in AWS or synchronize with other directory types.

Lab

Here you can find a nice tutorial to create you own Microsoft AD in AWS: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_test_lab_base.html

Enumeration

# Get directories and DCs
aws ds describe-directories
aws ds describe-domain-controllers --directory-id <id>
# Get directory settings
aws ds describe-trusts
aws ds describe-ldaps-settings --directory-id <id>
aws ds describe-shared-directories --owner-directory-id <id>
aws ds get-directory-limits
aws ds list-certificates --directory-id <id>
aws ds describe-certificate --directory-id <id> --certificate-id <id>

Login

Note that if the description of the directory contained a domain in the field AccessUrl it's because a user can probably login with its AD credentials in some AWS services:
  • <name>.awsapps.com/connect (Amazon Connect)
  • <name>.awsapps.com/workdocs (Amazon WorkDocs)
  • <name>.awsapps.com/workmail (Amazon WorkMail)
  • <name>.awsapps.com/console (Amazon Management Console)
  • <name>.awsapps.com/start (IAM Identity Center)

Privilege Escalation

Persistence

Using an AD user

An AD user can be given access over the AWS management console via a Role to assume. The default username is Admin and it's possible to change its password from AWS console.
Therefore, it's possible to change the password of Admin, create a new user or change the password of a user and grant that user a Role to maintain access. It's also possible to add a user to a group inside AD and give that AD group access to a Role (to make this persistence more stealth).

Sharing AD (from victim to attacker)

It's possible to share an AD environment from a victim to an attacker. This way the attacker will be able to continue accessing the AD env. However, this implies sharing the managed AD and also creating an VPC peering connection.

Sharing AD (from attacker to victim)

It doesn't look like possible to grant AWS access to users from a different AD env to one AWS account.

WorkDocs

Amazon Web Services (AWS) WorkDocs is a cloud-based file storage and sharing service. It is part of the AWS suite of cloud computing services and is designed to provide a secure and scalable solution for organizations to store, share, and collaborate on files and documents.
AWS WorkDocs provides a web-based interface for users to upload, access, and manage their files and documents. It also offers features such as version control, real-time collaboration, and integration with other AWS services and third-party tools.

Enumeration

# Get AD users (Admin not included)
aws workdocs describe-users --organization-id <directory-id>
# Get AD groups (containing "a")
aws workdocs describe-groups --organization-id d-9067a0285c --search-query a
# Create user (created inside the AD)
aws workdocs create-user --username testingasd --given-name testingasd --surname testingasd --password <password> --email-address [email protected] --organization-id <directory-id>
# Get what each user has created
aws workdocs describe-activities --user-id "S-1-5-21-377..."
# Get what was created in the directory
aws workdocs describe-activities --organization-id <directory-id>
# Get folder content
aws workdocs describe-folder-contents --folder-id <fold-id>
# Get file (a url to access with the content will be retreived)
aws workdocs get-document --document-id <doc-id>
# Get resource permissions if any
aws workdocs describe-resource-permissions --resource-id <value>
# Add permission so anyway can see the file
aws workdocs add-resource-permissions --resource-id <id> --principals Id=anonymous,Type=ANONYMOUS,Role=VIEWER
## This will give an id, the file will be acesible in: https://<name>.awsapps.com/workdocs/index.html#/share/document/<id>

Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: