AWS - IAM & STS Unauthenticated Enum


Identify Roles & Usernames in an account

Brute-Force Roles

This technique no longer works: whether or not the role exists, you always get the same error message:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::947247140022:user/testenv is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::429217632764:role/account-balanceasdas

You can try it by running:

aws sts assume-role --role-arn arn:aws:iam::412345678909:role/superadmin --role-session-name s3-access-example

Attempting to assume a role without the required permissions results in an AWS error message. For example, if you lack permission, AWS may return:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::012345678901:user/MyUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS

This message confirms that the role exists but that its trust policy does not allow you to assume it. Conversely, attempting to assume a role that does not exist results in a different error:

An error occurred (AccessDenied) when calling the AssumeRole operation: Not authorized to perform sts:AssumeRole

Interestingly, this method of distinguishing between existing and non-existent roles works even across different AWS accounts. With a valid AWS account ID and a targeted wordlist, one can enumerate the roles present in the account without facing any inherent limitations.

You can use this script to enumerate potential principals abusing this issue.

Trust Policies: Brute-Force Cross Account roles and users

Configuring or updating an IAM trust policy involves defining which AWS resources or services are allowed to assume that role and obtain temporary credentials. If the resource specified in the policy exists, the trust policy saves successfully. However, if the resource does not exist, an error occurs, indicating that an invalid principal was provided.

Note that in that resource you could specify a cross account role or user:

  • arn:aws:iam::acc_id:role/role_name

  • arn:aws:iam::acc_id:user/user_name

This is a policy example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::216825089941:role/Test"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

GUI

This is the error you get if you specify a role that does not exist. If the role exists, the policy is saved without any error. (The error shown is for an update, but the same happens when creating the role.)

CLI

### You could also use: aws iam update-assume-role-policy
# When it works
aws iam create-role --role-name Test-Role --assume-role-policy-document file://a.json
{
  "Role": {
    "Path": "/",
    "RoleName": "Test-Role",
    "RoleId": "AROA5ZDCUJS3DVEIYOB73",
    "Arn": "arn:aws:iam::947247140022:role/Test-Role",
    "CreateDate": "2022-05-03T20:50:04Z",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::316584767888:role/account-balance"
          },
          "Action": [
            "sts:AssumeRole"
          ]
        }
      ]
    }
  }
}

# When it doesn't work
aws iam create-role --role-name Test-Role2 --assume-role-policy-document file://a.json
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Invalid principal in policy: "AWS":"arn:aws:iam::316584767888:role/account-balanceefd23f2"

You can automate this process with https://github.com/carlospolop/aws_tools

  • bash unauth_iam.sh -t user -i 316584767888 -r TestRole -w ./unauth_wordlist.txt

Or using Pacu:

  • run iam__enum_users --role-name admin --account-id 229736458923 --word-list /tmp/names.txt

  • run iam__enum_roles --role-name admin --account-id 229736458923 --word-list /tmp/names.txt

  • The admin role used in the examples is a role in your own account that Pacu impersonates in order to create the policies it needs for the enumeration.

Privesc

In the case where the role was misconfigured and allows anyone to assume it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

An attacker can simply assume it.

Third-Party OIDC Federation

Imagine that you were able to read a GitHub Actions workflow that accesses a role inside AWS. This federation could grant access to a role with the following trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<acc_id>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}

This trust policy might be correct, but the lack of further conditions should make you distrust it. The reason is that the previous role can be assumed by ANYONE from GitHub Actions! You should also restrict, in the conditions, other claims such as the organization name, the repo name, the environment, the branch...

Another possible misconfiguration is adding a condition like the following:

"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:org_name*:*"
}

Note the wildcard (*) before the colon (:). You can create an org such as org_name1 and assume the role from a GitHub Action.
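The two misconfigurations above (a trust policy whose Principal is "*" with no Condition, and a GitHub OIDC trust whose sub condition is missing or leaves a wildcard inside the org/repo part) can both be caught by linting the trust policy before it is saved. The following is an added example written for this page, not code from HackTricks or from any of the tools it links; the sample policies, the account ID 111111111111 and the org/repo names inside it are constructed placeholders.

```python
import json
import re

GITHUB_OIDC = "token.actions.githubusercontent.com"


def _as_list(value):
    """IAM allows most fields to be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _check_github_conditions(idx, cond):
    """Findings for a statement that trusts the GitHub Actions OIDC provider."""
    findings = []
    sub_key = f"{GITHUB_OIDC}:sub"
    aud_key = f"{GITHUB_OIDC}:aud"
    sub_patterns = []
    has_aud = False
    for kv in cond.values():  # cond maps operator -> {claim: value(s)}
        if not isinstance(kv, dict):
            continue
        has_aud = has_aud or aud_key in kv
        sub_patterns.extend(_as_list(kv.get(sub_key)))
    if not has_aud:
        findings.append(f"statement {idx}: GitHub OIDC trust without an '{aud_key}' condition")
    if not sub_patterns:
        findings.append(f"statement {idx}: GitHub OIDC trust without a '{sub_key}' condition: "
                        "any GitHub Actions workflow can assume this role")
    for pat in sub_patterns:
        # The subject claim is repo:<org>/<repo>:<ref or environment>; the part before the
        # second colon must pin org and repo literally, with no wildcard (see the page's
        # 'repo:org_name*:*' example, which also matches an org called org_name1).
        m = re.match(r"^repo:([^:]*):", pat)
        if m is None:
            findings.append(f"statement {idx}: sub pattern '{pat}' does not pin a repository "
                            "(expected 'repo:<org>/<repo>:...')")
            continue
        org_repo = m.group(1)
        if "*" in org_repo or "?" in org_repo:
            findings.append(f"statement {idx}: wildcard inside the org/repo part of sub pattern "
                            f"'{pat}': any org or repo matching it can assume this role")
        elif "/" not in org_repo:
            findings.append(f"statement {idx}: sub pattern '{pat}' names an org but no repository")
    return findings


def lint_trust_policy(policy):
    """Return human-readable findings for a role trust policy given as a dict or JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        cond = stmt.get("Condition", {})
        # "Principal": "*" and "Principal": {"AWS": "*"} both mean every AWS principal.
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            if cond:
                findings.append(f"statement {idx}: Principal '*' restricted only by a Condition; review it")
            else:
                findings.append(f"statement {idx}: Principal '*' with no Condition: "
                                "any AWS principal in any account can assume this role")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if any(GITHUB_OIDC in f for f in federated):
            findings.extend(_check_github_conditions(idx, cond))
    return findings


# Constructed sample policies (placeholder account ID and org/repo names).
ANYONE_CAN_ASSUME = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}


def _github_policy(condition):
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111111111111:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}


AUD_ONLY = {"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}}
GITHUB_NO_SUB = _github_policy(AUD_ONLY)
GITHUB_WEAK_SUB = _github_policy({**AUD_ONLY, "StringLike": {f"{GITHUB_OIDC}:sub": "repo:org_name*:*"}})
GITHUB_PINNED = _github_policy({**AUD_ONLY, "StringLike": {
    f"{GITHUB_OIDC}:sub": "repo:org_name/repo_name:ref:refs/heads/main"}})

if __name__ == "__main__":
    for name, pol in [("anyone", ANYONE_CAN_ASSUME), ("no-sub", GITHUB_NO_SUB),
                      ("weak-sub", GITHUB_WEAK_SUB), ("pinned", GITHUB_PINNED)]:
        print(name, lint_trust_policy(pol) or ["ok"])
```

The linter only inspects the trust policy document, so it can run offline in a CI check over policy files before `aws iam create-role` or `aws iam update-assume-role-policy` is invoked. Only the pinned policy (`repo:org_name/repo_name:ref:refs/heads/main`) passes without findings.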
