AWS - STS Enum

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

STS

AWS Security Token Service (STS) imeundwa hasa kutoa akreditivu za muda mfupi, zenye mamlaka finyu. Akreditivu hizi zinaweza kuombwa kwa AWS Identity and Access Management (IAM) watumiaji au kwa watumiaji walioidhinishwa (watumiaji wa shirikisho).

Kwa kuwa lengo la STS ni kutoa akreditivu za kuiga utambulisho, huduma hii ni ya thamani kubwa kwa kuongeza mamlaka na kudumisha uwepo, ingawa inaweza isiwe na chaguzi nyingi.

Assume Role Impersonation

Kitendo AssumeRole kinachotolewa na AWS STS ni muhimu kwani kinamruhusu mhusika kupata akreditivu za mhusika mwingine, kimsingi akimiga wao. Baada ya kuitwa, inajibu na kitambulisho cha ufikiaji, funguo ya siri, na tokeni ya kikao inayolingana na ARN iliyotolewa.

Kwa Wajaribu Upenyo au wanachama wa Timu Nyekundu, mbinu hii ni muhimu kwa kuongeza mamlaka (kama ilivyoelezwa hapa). Hata hivyo, inafaa kutambua kuwa mbinu hii ni wazi sana na inaweza isimkamate mshambuliaji kwa mshangao.

Assume Role Logic

Ili kuweza kuchukua jukumu katika akaunti hiyo hiyo ikiwa jukumu la kuchukua linaruhusu hasa ARN ya jukumu kama ilivyo:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<acc_id>:role/priv-role"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}

Jukumu priv-role katika kesi hii, halihitaji ruhusa maalum ili kuchukua jukumu hilo (ikiwa na ruhusa hiyo inatosha).

Hata hivyo, ikiwa jukumu linaruhusu akaunti kuchukua, kama ilivyo katika:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<acc_id>:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}

Ili kujaribu kuchukua jukumu, itahitaji idhini maalum ya sts:AssumeRole juu ya hilo jukumu ili kulichukua.

Ikiwa unajaribu kuchukua jukumu kutoka kwa akaunti tofauti, jukumu lililochukuliwa lazima liruhusu (kuashiria ARN ya jukumu au akaunti ya nje), na jukumu linalojaribu kuchukua jingine Lazima liwe na idhini za kulichukua (katika kesi hii hii si hiari hata kama jukumu lililochukuliwa linabainisha ARN).

Enumeration

# Get basic info of the creds
aws sts get-caller-identity
aws sts get-access-key-info --access-key-id <AccessKeyID>

# Get CLI a session token with current creds
## Using CLI creds
## You cannot get session creds using session creds
aws sts get-session-token
## MFA
aws sts get-session-token --serial-number <arn_device> --token-code <otp_code>

Privesc

Katika ukurasa ufuatao unaweza kuangalia jinsi ya kudhulumu ruhusa za STS ili kupandisha mamlaka:

Post Exploitation

Persistence

References

https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/?utm_source=pocket_mylist

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - Step Functions Enum NextAWS - Other Services Enum

Last updated 3 days ago