From 967a945aa3a750e16c5c6dfa20d3d41469407fa7 Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Sat, 14 Feb 2026 15:50:33 +0100 Subject: [PATCH] f --- .../aws-kms-post-exploitation/README.md | 2 +- .../aws-iam-privesc/README.md | 26 +++++++++++++++++-- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation/README.md index 635fe84ce..3d9d738d8 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation/README.md @@ -113,7 +113,7 @@ There is another way to perform a global KMS Ransomware, which would involve the ### Delete Keys via kms:DeleteImportedKeyMaterial -With the `kms:DeleteImportedKeyMaterial` permission, an actor can delete the imported key material from CMKs with `Origin=EXTERNAL` (CMKs that have imperted their key material), making them unable to decrypt data. This action is destructive and irreversible unless compatible material is re-imported, allowing an attacker to effectively cause ransomware-like data loss by rendering encrypted information permanently inaccessible. +With the `kms:DeleteImportedKeyMaterial` permission, an actor can delete the imported key material from CMKs with `Origin=EXTERNAL` (CMKs that have imported their key material), making them unable to decrypt data. This action is destructive and irreversible unless compatible material is re-imported, allowing an attacker to effectively cause ransomware-like data loss by rendering encrypted information permanently inaccessible. ```bash aws kms delete-imported-key-material --key-id diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md index e0d89c3bf..66136d3e4 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md @@ -35,7 +35,7 @@ aws iam set-default-policy-version --policy-arn --version-id **Impact:** Indirect privilege escalation by enabling more permissions. -### **`iam:CreateAccessKey`** +### **`iam:CreateAccessKey`, (`iam:DeleteAccessKey`)** Enables creating access key ID and secret access key for another user, leading to potential privilege escalation. @@ -47,6 +47,29 @@ aws iam create-access-key --user-name **Impact:** Direct privilege escalation by assuming another user's extended permissions. +Note that a user can only have 2 access keys created, so if a user already has 2 access keys you will need the permission `iam:DeleteAccessKey` to detele one of them to be able to create a new one: + +```bash +aws iam delete-access-key --uaccess-key-id +``` + +### **`iam:CreateVirtualMFADevice` + `iam:EnableMFADevice`** + +If you can create a new virtual MFA device and enable it on another user, you can effectively enroll your own MFA for that user and then request an MFA-backed session for their credentials. + +**Exploit:** + +```bash +# Create a virtual MFA device (this returns the serial and the base32 seed) +aws iam create-virtual-mfa-device --virtual-mfa-device-name + +# Generate 2 consecutive TOTP codes from the seed, then enable it for the user +aws iam enable-mfa-device --user-name --serial-number \ + --authentication-code1 --authentication-code2 +``` + +**Impact:** Direct privilege escalation by taking over a user's MFA enrollment (and then using their permissions). + ### **`iam:CreateLoginProfile` | `iam:UpdateLoginProfile`** Permits creating or updating a login profile, including setting passwords for AWS console login, leading to direct privilege escalation. @@ -308,4 +331,3 @@ aws iam put-role-permissions-boundary \ {{#include ../../../../banners/hacktricks-training.md}} -