AWS - IAM & STS Unauthenticated Enum
Enumerate Roles & Usernames in an account
Brute-Forcing Roles
This technique no longer works, because whether the role exists or not you always get this error message:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::947247140022:user/testenv is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::429217632764:role/account-balanceasdas
You can test this by running:
aws sts assume-role --role-arn arn:aws:iam::412345678909:role/superadmin --role-session-name s3-access-example
Attempting to assume a role without the necessary permissions results in an AWS error message. For example, if you don't have permissions, AWS might return:
This message confirms that the role exists but indicates that its assume role policy doesn't allow you to assume it. In contrast, attempting to assume a non-existent role results in a different error:
Interestingly, this way of distinguishing between existing and non-existent roles works even across different AWS accounts. With a valid AWS account ID and a targeted wordlist, one can enumerate the roles present in the account without facing any inherent limitations.
You can use this script to enumerate potential principals abusing this issue.
Trust Policies: Brute-Force Cross Account roles and users
Configuring or updating an IAM trust policy involves defining which AWS resources or services are allowed to assume that role and obtain temporary credentials. If the resource specified in the policy exists, the trust policy is saved successfully. However, if the resource doesn't exist, an error occurs, indicating that an invalid principal was provided.
Note that in that resource you could specify a cross account role or user:
arn:aws:iam::acc_id:role/role_name
arn:aws:iam::acc_id:user/user_name
This is a policy example:
GUI
That is the error you will get if you use a role that doesn't exist. If the role exists, the policy will be saved without any errors. (The error shown is for an update, but the same works when creating the policy.)
CLI
You can automate this process with https://github.com/carlospolop/aws_tools
bash unauth_iam.sh -t user -i 316584767888 -r TestRole -w ./unauth_wordlist.txt
Or using Pacu:
run iam__enum_users --role-name admin --account-id 229736458923 --word-list /tmp/names.txt
run iam__enum_roles --role-name admin --account-id 229736458923 --word-list /tmp/names.txt
The admin role used in the example is a role in your own account that Pacu impersonates to create the policies it needs for the enumeration.
Privesc
In the case where the role was misconfigured and allows anyone to assume it:
An attacker could simply assume it.
Third-Party OIDC Federation
Imagine that you managed to read a GitHub Actions workflow that accesses a role inside AWS. That federation might grant access to a role with the following trust policy:
This trust policy may be correct, but the lack of further conditions should make you distrust it. The reason is that the previous role can be assumed by ANYONE from GitHub Actions! You should also specify in the conditions other things such as the organisation name, repo name, environment, branch...
Another possible misconfiguration is to add a condition such as the following:
Note the wildcard (*) before the colon (:). You can create an org such as org_name1 and assume the role from a GitHub Action.
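As an added defensive check (not part of the original page or of the tools it links), the following Python audits a role trust policy for exactly this weakness: a statement that trusts the GitHub OIDC provider with no sub condition at all, or with a sub pattern whose organisation segment contains a wildcard before the colon. The two sample policies are constructed for the example; the account ID, org and repo names in them are placeholders.

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"
SUB_KEY = GITHUB_OIDC + ":sub"
# Condition operators a `sub` restriction is normally written under
SUB_OPERATORS = ("StringEquals", "StringLike",
                 "ForAnyValue:StringEquals", "ForAnyValue:StringLike")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_github_trust_policy(policy_json):
    """Return findings for every Allow statement that trusts the GitHub OIDC
    provider. An empty list means each such statement pins a concrete
    organisation in its `sub` condition."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not any(GITHUB_OIDC in f for f in federated):
            continue
        cond = stmt.get("Condition", {})
        subs = [s for op in SUB_OPERATORS for s in _as_list(cond.get(op, {}).get(SUB_KEY, []))]
        if not subs:
            findings.append(f"statement {i}: no {SUB_KEY} condition, any GitHub Actions workflow can assume the role")
            continue
        for sub in subs:
            # Expected shape: repo:<org>/<repo>:<ref or environment>
            if not sub.startswith("repo:"):
                findings.append(f"statement {i}: sub '{sub}' is not a repo: claim")
                continue
            # The organisation is everything after 'repo:' up to the first '/' or ':'
            org = sub[len("repo:"):].split("/", 1)[0].split(":", 1)[0]
            if not org or "*" in org or "?" in org:
                findings.append(f"statement {i}: sub '{sub}' has a wildcard in the organisation "
                                f"segment '{org}', so a newly created org matching it can assume the role")
    return findings

# Constructed sample policies (placeholder account ID and names, not real)
_FED = {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": _FED, "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringLike": {SUB_KEY: "repo:org_name*:*"}}}]})
STRICT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": _FED, "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {GITHUB_OIDC + ":aud": "sts.amazonaws.com"},
                  "StringLike": {SUB_KEY: "repo:org_name/repo_name:ref:refs/heads/main"}}}]})
```

Run audit_github_trust_policy on the output of get-role for each role that federates with GitHub; the weak sample above yields one wildcard finding and the strict sample yields none.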