Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Translator
2024-12-31 20:26:13 +00:00
parent 44da2ea78f
commit 6f74ac1a76
245 changed files with 9102 additions and 11816 deletions

@@ -4,21 +4,20 @@
## STS
For more information:
Kwa maelezo zaidi:
{{#ref}}
../aws-services/aws-iam-enum.md
{{#endref}}
### From IAM Creds to Console
### Kutoka kwa IAM Creds hadi Console
If you have managed to obtain some IAM credentials you might be interested on **accessing the web console** using the following tools.\
Note that the the user/role must have the permission **`sts:GetFederationToken`**.
Ikiwa umeweza kupata baadhi ya akreditif za IAM huenda ukavutiwa na **kuingia kwenye web console** ukitumia zana zifuatazo.\
Kumbuka kwamba mtumiaji/role lazima iwe na ruhusa **`sts:GetFederationToken`**.
#### Custom script
The following script will use the default profile and a default AWS location (not gov and not cn) to give you a signed URL you can use to login inside the web console:
#### Skripti ya Kawaida
Skripti ifuatayo itatumia profaili ya kawaida na eneo la AWS la kawaida (sio gov na sio cn) kukupa URL iliyosainiwa ambayo unaweza kutumia kuingia ndani ya web console:
```bash
# Get federated creds (you must indicate a policy or they won't have any perms)
## Even if you don't have Admin access you can indicate that policy to make sure you get all your privileges
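Review bot: The new heading "#### Skripti ya Kawaida" uses the same word, "kawaida", that the very next sentence uses for "default" ("profaili ya kawaida", "eneo la AWS la kawaida"), so "Custom script" now reads as the default or ordinary script; pick a distinct rendering for "custom". In the same hunk, "akreditif" is spelled "akreditivu" in the aws-vault paragraph further down this file, so settle on one term. The header also shows the hunk going from 21 lines to 20; please confirm the dropped line is not a blank line that the headings or the `{{#ref}}` block need to render.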
@@ -26,8 +25,8 @@ The following script will use the default profile and a default AWS location (no
output=$(aws sts get-federation-token --name consoler --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess)
if [ $? -ne 0 ]; then
echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status"
exit $status
echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status"
exit $status
fi
# Parse the output
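Review bot: In the failure branch (`echo "... failed with exit status $status"` and `exit $status`), `status` is not assigned in any of the lines shown, so the message prints an empty status and `exit $status` runs as a bare `exit`, which returns the status of the preceding `echo`, that is 0. Since the commit touches these two lines anyway, capture the result right after the command with `status=$?` and test `$status` in the `if`. Beyond that, the only change here is indentation inside a code fence, which a translation commit should not need to make.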
@@ -43,10 +42,10 @@ federation_endpoint="https://signin.aws.amazon.com/federation"
# Make the HTTP request to get the sign-in token
resp=$(curl -s "$federation_endpoint" \
--get \
--data-urlencode "Action=getSigninToken" \
--data-urlencode "SessionDuration=43200" \
--data-urlencode "Session=$json_creds"
--get \
--data-urlencode "Action=getSigninToken" \
--data-urlencode "SessionDuration=43200" \
--data-urlencode "Session=$json_creds"
)
signin_token=$(echo -n $resp | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)
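Review bot: The `signin_token=` line that follows the re-indented curl call reads `.SigninToken` without checking the response, so if the federation endpoint returns JSON without that key, `jq -r` prints `null` and the script goes on to build a login URL around it. Consider `jq -er '.SigninToken'` with a check of the exit status, and quote the variable as `"$resp"` so the response is not word-split. The four changed continuation lines differ only in leading whitespace; please confirm the trailing backslashes survived the re-indent, since losing one would cut the curl command short.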
@@ -55,11 +54,9 @@ signin_token=$(echo -n $resp | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)
# Give the URL to login
echo -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token"
```
#### aws_consoler
You can **generate a web console link** with [https://github.com/NetSPI/aws_consoler](https://github.com/NetSPI/aws_consoler).
Unaweza **kuunda kiungo cha console ya wavuti** na [https://github.com/NetSPI/aws_consoler](https://github.com/NetSPI/aws_consoler).
```bash
cd /tmp
python3 -m venv env
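Review bot: The translated sentence under "#### aws_consoler" writes "console ya wavuti", while the first hunk leaves "web console" in English and the User-Agent paragraph later uses "konsoli ya wavuti"; three renderings of one term in one file will make the page harder to search. Choose one and apply it throughout. The header shows this hunk shrinking from 11 lines to 9 although only one sentence is visibly replaced, so check that the blank lines separating the heading, the sentence and the opening code fence were not removed.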
@@ -67,27 +64,23 @@ source ./env/bin/activate
pip install aws-consoler
aws_consoler [params...] #This will generate a link to login into the console
```
> [!WARNING]
> Ensure the IAM user has `sts:GetFederationToken` permission, or provide a role to assume.
> Hakikisha mtumiaji wa IAM ana ruhusa ya `sts:GetFederationToken`, au toa jukumu la kukubali.
#### aws-vault
[**aws-vault**](https://github.com/99designs/aws-vault) is a tool to securely store and access AWS credentials in a development environment.
[**aws-vault**](https://github.com/99designs/aws-vault) ni chombo cha kuhifadhi na kufikia kwa usalama akreditivu za AWS katika mazingira ya maendeleo.
```bash
aws-vault list
aws-vault exec jonsmith -- aws s3 ls # Execute aws cli with jonsmith creds
aws-vault login jonsmith # Open a browser logged as jonsmith
```
> [!NOTE]
> You can also use **aws-vault** to obtain an **browser console session**
> Unaweza pia kutumia **aws-vault** kupata **kipindi cha mkondoni cha kivinjari**
### **Bypass User-Agent restrictions from Python**
If there is a **restriction to perform certain actions based on the user agent** used (like restricting the use of python boto3 library based on the user agent) it's possible to use the previous technique to **connect to the web console via a browser**, or you could directly **modify the boto3 user-agent** by doing:
### **Kupita vizuizi vya User-Agent kutoka Python**
Ikiwa kuna **kizuizi cha kufanya vitendo fulani kulingana na user agent** inayotumika (kama vile kupunguza matumizi ya maktaba ya python boto3 kulingana na user agent) inawezekana kutumia mbinu ya awali ili **kuungana na konsoli ya wavuti kupitia kivinjari**, au unaweza moja kwa moja **kubadilisha user-agent wa boto3** kwa kufanya:
```bash
# Shared by ex16x41
# Create a client
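Review bot: In the translated warning, "provide a role to assume" becomes "toa jukumu la kukubali", whereas the first hunk keeps the IAM term untranslated ("mtumiaji/role"); keep `role` as the AWS term in both places so readers can match it to the IAM documentation and to `sts:AssumeRole`. In the aws-vault note, "kipindi cha mkondoni cha kivinjari" uses neither "console" nor "konsoli", so the point that this is a console session is lost. The code block opened at the end of this hunk is tagged `bash` although its content is Python (`client.meta.events.register`, `client.get_secret_value`); that predates this commit but is worth correcting while the file is being edited.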
@@ -100,9 +93,4 @@ client.meta.events.register( 'before-call.secretsmanager.GetSecretValue', lambda
# Perform the action
response = client.get_secret_value(SecretId="flag_secret") print(response['SecretString'])
```
{{#include ../../../banners/hacktricks-training.md}}
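Review bot: The last code line, `response = client.get_secret_value(SecretId="flag_secret") print(response['SecretString'])`, carries two statements on one line with no separator, which is not valid Python; restore the line break before `print`. The hunk header goes from 9 lines to 4 and its context shows the `client.meta.events.register( ... lambda` call on a single line as well, which suggests the translation step collapsed line breaks inside the fence. Please diff the code blocks against the English source so that only prose changes, and confirm the `{{#include ...}}` banner still sits on its own line after the closing fence.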