AWS - STS Persistence

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

STS

Za više informacija pristupite:

AWS - STS Enum

Assume role token

Privremeni tokeni ne mogu biti navedeni, tako da održavanje aktivnog privremenog tokena predstavlja način za održavanje postojanosti.

aws sts get-session-token --duration-seconds 129600

# Sa MFA
aws sts get-session-token \
--serial-number <mfa-device-name> \
--token-code <code-from-token>

# Ime hardverskog uređaja obično je broj sa zadnje strane uređaja, kao što je GAHT12345678
# Ime SMS uređaja je ARN u AWS, kao što je arn:aws:iam::123456789012:sms-mfa/username
# Ime virtuelnog uređaja je ARN u AWS, kao što je arn:aws:iam::123456789012:mfa/username

Role Chain Juggling

Role chaining je priznata AWS funkcija, često korišćena za održavanje stealth postojanosti. Uključuje sposobnost da se preuzme uloga koja zatim preuzima drugu, potencijalno se vraćajući na početnu ulogu na cikličan način. Svaki put kada se preuzme uloga, polje isteka kredencijala se osvežava. Kao rezultat, ako su dve uloge konfigurisane da međusobno preuzimaju jedna drugu, ova postavka omogućava večnu obnovu kredencijala.

Možete koristiti ovaj alat da nastavite sa preuzimanjem uloga:

./aws_role_juggler.py -h
usage: aws_role_juggler.py [-h] [-r ROLE_LIST [ROLE_LIST ...]]

optional arguments:
-h, --help            show this help message and exit
-r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]

Napomena da find_circular_trust.py skripta iz tog Github repozitorijuma ne pronalazi sve načine na koje se lanac uloga može konfigurisati.

Kod za izvođenje Role Juggling iz PowerShell-a

```powershell # PowerShell script to check for role juggling possibilities using AWS CLI

Check for AWS CLI installation

if (-not (Get-Command "aws" -ErrorAction SilentlyContinue)) { Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'." exit }

Function to list IAM roles

function List-IAMRoles { aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json }

Initialize error count

$errorCount = 0

List all roles

$roles = List-IAMRoles | ConvertFrom-Json

Attempt to assume each role

foreach ($role in $roles) { $sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime) try { $credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json if ($credentials) { Write-Host "Successfully assumed role: $($role.RoleName)" Write-Host "Access Key: $($credentials.AccessKeyId)" Write-Host "Secret Access Key: $($credentials.SecretAccessKey)" Write-Host "Session Token: $($credentials.SessionToken)" Write-Host "Expiration: $($credentials.Expiration)"

Set temporary credentials to assume the next role

$env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId $env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey $env:AWS_SESSION_TOKEN = $credentials.SessionToken

Try to assume another role using the temporary credentials

foreach ($nextRole in $roles) { if ($nextRole.Arn -ne $role.Arn) { $nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime) try { $nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json if ($nextCredentials) { Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)" Write-Host "Access Key: $($nextCredentials.AccessKeyId)" Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)" Write-Host "Session Token: $($nextCredentials.SessionToken)" Write-Host "Expiration: $($nextCredentials.Expiration)" } } catch { $errorCount++ } } }

Reset environment variables

Remove-Item Env:\AWS_ACCESS_KEY_ID Remove-Item Env:\AWS_SECRET_ACCESS_KEY Remove-Item Env:\AWS_SESSION_TOKEN } else { $errorCount++ } } catch { $errorCount++ } }

Output the number of errors if any

if ($errorCount -gt 0) { Write-Host "$errorCount error(s) occurred during role assumption attempts." } else { Write-Host "No errors occurred. All roles checked successfully." }

Write-Host "Role juggling check complete."

</details>

<div data-gb-custom-block data-tag="hint" data-style='success'>

Učite i vežbajte AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Učite i vežbajte GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Podržite HackTricks</summary>

* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.

</details>

</div>

PreviousAWS - Step Functions Persistence NextAWS - Post Exploitation

Last updated 3 days ago