gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-03-12 21:22:57 -07:00
Code Issues Packages Projects Releases Wiki Activity

f

Browse Source
This commit is contained in:
Carlos Polop
2026-02-14 15:50:33 +01:00
parent 6e1f62369e
commit 967a945aa3
2 changed files with 25 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation/README.md
View File

@@ -113,7 +113,7 @@ There is another way to perform a global KMS Ransomware, which would involve the
### Delete Keys via kms:DeleteImportedKeyMaterial
With the `kms:DeleteImportedKeyMaterial` permission, an actor can delete the imported key material from CMKs with `Origin=EXTERNAL` (CMKs that have imperted their key material), making them unable to decrypt data. This action is destructive and irreversible unless compatible material is re-imported, allowing an attacker to effectively cause ransomware-like data loss by rendering encrypted information permanently inaccessible.
With the `kms:DeleteImportedKeyMaterial` permission, an actor can delete the imported key material from CMKs with `Origin=EXTERNAL` (CMKs that have imported their key material), making them unable to decrypt data. This action is destructive and irreversible unless compatible material is re-imported, allowing an attacker to effectively cause ransomware-like data loss by rendering encrypted information permanently inaccessible.
```bash
aws kms delete-imported-key-material --key-id <Key_ID>

26
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md
View File

@@ -35,7 +35,7 @@ aws iam set-default-policy-version --policy-arn <target_policy_arn> --version-id
**Impact:** Indirect privilege escalation by enabling more permissions.
### **`iam:CreateAccessKey`**
### **`iam:CreateAccessKey`, (`iam:DeleteAccessKey`)**
Enables creating access key ID and secret access key for another user, leading to potential privilege escalation.
@@ -47,6 +47,29 @@ aws iam create-access-key --user-name <target_user>
**Impact:** Direct privilege escalation by assuming another user's extended permissions.
Note that a user can only have 2 access keys created, so if a user already has 2 access keys you will need the permission `iam:DeleteAccessKey` to detele one of them to be able to create a new one:
```bash
aws iam delete-access-key --uaccess-key-id <key_id>
```
### **`iam:CreateVirtualMFADevice` + `iam:EnableMFADevice`**
If you can create a new virtual MFA device and enable it on another user, you can effectively enroll your own MFA for that user and then request an MFA-backed session for their credentials.
**Exploit:**
```bash
# Create a virtual MFA device (this returns the serial and the base32 seed)
aws iam create-virtual-mfa-device --virtual-mfa-device-name <mfa_name>
# Generate 2 consecutive TOTP codes from the seed, then enable it for the user
aws iam enable-mfa-device --user-name <target_user> --serial-number <serial> \
--authentication-code1 <code1> --authentication-code2 <code2>
```
**Impact:** Direct privilege escalation by taking over a user's MFA enrollment (and then using their permissions).
### **`iam:CreateLoginProfile` | `iam:UpdateLoginProfile`**
Permits creating or updating a login profile, including setting passwords for AWS console login, leading to direct privilege escalation.
@@ -308,4 +331,3 @@ aws iam put-role-permissions-boundary \
{{#include ../../../../banners/hacktricks-training.md}}