AWS - IAM Post Exploitation

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

IAM

Kwa maelezo zaidi kuhusu ufikiaji wa IAM:

AWS - IAM, Identity Center & SSO Enum

Tatizo la Mwakilishi Aliyechanganyikiwa

Ikiwa unaruhusu akaunti ya nje (A) kufikia jukumu katika akaunti yako, huenda ukawa na 0 uelewa kuhusu nani hasa anaweza kufikia akaunti hiyo ya nje. Hii ni tatizo, kwa sababu ikiwa akaunti nyingine ya nje (B) inaweza kufikia akaunti ya nje (A) inawezekana kwamba B pia ataweza kufikia akaunti yako.

Hivyo basi, unaporuhusu akaunti ya nje kufikia jukumu katika akaunti yako inawezekana kubainisha ExternalId. Hii ni "nywila" ya siri ambayo akaunti ya nje (A) inahitaji kubainisha ili kuchukua jukumu katika shirika lako. Kwa kuwa akaunti ya nje B haitajui nywila hii, hata kama ana ufikiaji juu ya A hataweza kufikia jukumu lako.

Hata hivyo, kumbuka kwamba ExternalId hii "siri" sio siri, mtu yeyote anayeweza kusoma sera ya kuchukua jukumu ya IAM ataweza kuiona. Lakini kadri akaunti ya nje A inavyoijua, lakini akaunti ya nje B haijui, in azuia B kutumia A kufikia jukumu lako.

Mfano:

{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {
"AWS": "Example Corp's AWS Account ID"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "12345"
}
}
}
}

Ili mshambuliaji aweze kutumia msaidizi aliyechanganyikiwa, itabidi apate kwa namna fulani ikiwa wakuu wa akaunti ya sasa wanaweza kujifanya kuwa majukumu katika akaunti nyingine.

Imani zisizotarajiwa

Wildcard kama mkuu

{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": { "AWS": "*" },
}

Hii sera inaruhusu wote AWS kuchukua jukumu.

Huduma kama kiongozi

{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Principal": { "Service": "apigateway.amazonaws.com" },
"Resource": "arn:aws:lambda:000000000000:function:foo"
}

Hii sera inaruhusu akaunti yoyote kuunda apigateway yao ili kuita hii Lambda.

S3 kama kiongozi

"Condition": {
"ArnLike": { "aws:SourceArn": "arn:aws:s3:::source-bucket" },
"StringEquals": {
"aws:SourceAccount": "123456789012"
}
}

Ikiwa S3 bucket inatolewa kama principal, kwa sababu S3 buckets haina Account ID, ikiwa ulifuta bucket yako na mshambuliaji akaunda hiyo katika akaunti yao, basi wanaweza kuitumia vibaya hii.

Not supported

{
"Effect": "Allow",
"Principal": {"Service": "cloudtrail.amazonaws.com"},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myBucketName/AWSLogs/MY_ACCOUNT_ID/*"
}

Njia ya kawaida ya kuepuka matatizo ya Confused Deputy ni matumizi ya hali na AWS:SourceArn ili kuangalia ARN ya asili. Hata hivyo, huduma zingine huenda zisipokee hiyo (kama CloudTrail kulingana na vyanzo vingine).

Marejeleo

https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - Elastic Beanstalk Post Exploitation NextAWS - KMS Post Exploitation

Last updated 1 month ago