AWS - IAM & STS Unauthenticated Enum

Jifunze & fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze & fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki hila za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Tambua Majukumu & Majina ya Watumiaji katika akaunti

Chukua Jukumu kwa Nguvu

Teknolojia hii haifanyi kazi tena kwani ikiwa jukumu lipo au la, kila wakati unapata ujumbe huu wa kosa:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::947247140022:user/testenv is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::429217632764:role/account-balanceasdas

Unaweza kujaribu hii ukikimbia:

aws sts assume-role --role-arn arn:aws:iam::412345678909:role/superadmin --role-session-name s3-access-example

Kujaribu kuchukua jukumu bila ruhusa zinazohitajika kunasababisha ujumbe wa kosa kutoka AWS. Kwa mfano, ikiwa hauna ruhusa, AWS inaweza kurudisha:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::012345678901:user/MyUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS

Hujumuhimu huu unathibitisha uwepo wa jukumu lakini unaonyesha kwamba sera yake ya kudhani jukumu haikuruhusu kudhani. Kinyume chake, kujaribu kudhani jukumu lisilokuwepo kunasababisha kosa tofauti:

An error occurred (AccessDenied) when calling the AssumeRole operation: Not authorized to perform sts:AssumeRole

Interestingly, this method of kuamua kati ya majukumu yaliyopo na yasiyokuwepo is applicable even across different AWS accounts. With a valid AWS account ID and a targeted wordlist, one can enumerate the roles present in the account without facing any inherent limitations.

You can use this script to enumerate potential principals abusing this issue.

Trust Policies: Brute-Force Cross Account roles and users

Configuring or updating an sera ya kuamini ya IAM inahusisha kufafanua ni rasilimali au huduma zipi za AWS zinazoruhusiwa kuchukua hiyo jukumu and obtain temporary credentials. If the specified resource in the policy ipo, the trust policy saves kwa mafanikio. However, if the resource haipo, an kosa linatokea, indicating that an invalid principal was provided.

Note that in that resource you could specify a cross account role or user:

arn:aws:iam::acc_id:role/role_name
arn:aws:iam::acc_id:user/user_name

This is a policy example:

{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":
{
"AWS":"arn:aws:iam::216825089941:role\/Test"
},
"Action":"sts:AssumeRole"
}
]
}

GUI

Hiyo ni kosa utakalo pata ikiwa utatumia jukumu ambalo halipo. Ikiwa jukumu lipo, sera itakuwa imehifadhiwa bila makosa yoyote. (Kosa ni kwa ajili ya sasisho, lakini pia inafanya kazi wakati wa kuunda)

CLI

### You could also use: aws iam update-assume-role-policy
# When it works
aws iam create-role --role-name Test-Role --assume-role-policy-document file://a.json
{
"Role": {
"Path": "/",
"RoleName": "Test-Role",
"RoleId": "AROA5ZDCUJS3DVEIYOB73",
"Arn": "arn:aws:iam::947247140022:role/Test-Role",
"CreateDate": "2022-05-03T20:50:04Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::316584767888:role/account-balance"
},
"Action": [
"sts:AssumeRole"
]
}
]
}
}
}

# When it doesn't work
aws iam create-role --role-name Test-Role2 --assume-role-policy-document file://a.json
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Invalid principal in policy: "AWS":"arn:aws:iam::316584767888:role/account-balanceefd23f2"

You can automate this process with https://github.com/carlospolop/aws_tools

bash unauth_iam.sh -t user -i 316584767888 -r TestRole -w ./unauth_wordlist.txt

Our using Pacu:

run iam__enum_users --role-name admin --account-id 229736458923 --word-list /tmp/names.txt
run iam__enum_roles --role-name admin --account-id 229736458923 --word-list /tmp/names.txt
The admin role used in the example is a role in your account to by impersonated by pacu to create the policies it needs to create for the enumeration

Privesc

Katika kesi ambapo jukumu lilikuwa limewekwa vibaya na linaruhusu mtu yeyote kulichukua:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sts:AssumeRole"
}
]
}

The attacker could just assume it.

Third Party OIDC Federation

Fikiria kwamba umeweza kusoma Github Actions workflow inayofikia role ndani ya AWS. Hii imani inaweza kutoa ufikiaji kwa role yenye trust policy ifuatayo:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<acc_id>:oidc-provider/token.actions.githubusercontent.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
}
}
}
]
}

Hii sera ya kuaminiana inaweza kuwa sahihi, lakini ukosefu wa masharti zaidi unapaswa kukufanya usiamini. Hii ni kwa sababu jukumu la awali linaweza kuchukuliwa na MTU YEYOTE kutoka Github Actions! Unapaswa kubainisha katika masharti pia mambo mengine kama jina la shirika, jina la repo, env, brach...

Kukosekana kwa usanidi mwingine kunaweza kuwa kuongeza sharti kama ifuatavyo:

"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:org_name*:*"
}

Note that wildcard (*) before the colon (:). You can create an org such as org_name1 and assume the role from a Github Action.

References

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - Elasticsearch Unauthenticated Enum NextAWS - Identity Center & SSO Unauthenticated Enum

Last updated 3 days ago