# AWS - STS Persistence

{{#include ../../../../banners/hacktricks-training.md}}

## STS

詳細は以下を参照：

{{#ref}}
../../aws-services/aws-sts-enum.md
{{#endref}}

### Assume role token

一時トークンは一覧表示できないため、アクティブな一時トークンを維持することが persistence を保つ一つの方法です。

<pre class="language-bash"><code class="lang-bash">aws sts get-session-token --duration-seconds 129600

# With MFA
aws sts get-session-token \
--serial-number <mfa-device-name> \
--token-code <code-from-token>

# Hardware device name is usually the number from the back of the device, such as GAHT12345678
<strong># SMS device name is the ARN in AWS, such as arn:aws:iam::123456789012:sms-mfa/username
</strong># Vritual device name is the ARN in AWS, such as arn:aws:iam::123456789012:mfa/username
</code></pre>

### Role Chain Juggling

[**Role chaining is an acknowledged AWS feature**](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#Role%20chaining)、これはステルス的な persistence を維持するためにしばしば利用されます。これは、**assume a role which then assumes another** 機能を含み、場合によっては初期の role に **cyclical manner** で戻る可能性があります。role が assume されるたびに、credentials の有効期限フィールドが更新されます。したがって、2つの role が相互に assume できるように設定されている場合、その構成により credentials の永続的な更新が可能になります。

role chaining を維持するために、この [**tool**](https://github.com/hotnops/AWSRoleJuggler/) を使用できます：
```bash
./aws_role_juggler.py -h
usage: aws_role_juggler.py [-h] [-r ROLE_LIST [ROLE_LIST ...]]

optional arguments:
-h, --help            show this help message and exit
-r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...]
```
> [!CAUTION]
> その Github リポジトリにある [find_circular_trust.py](https://github.com/hotnops/AWSRoleJuggler/blob/master/find_circular_trust.py) スクリプトは、role chain が構成されるすべての方法を検出するわけではないことに注意してください。

<details>

<summary>PowerShellからRole Jugglingを実行するCode</summary>
```bash
# PowerShell script to check for role juggling possibilities using AWS CLI

# Check for AWS CLI installation
if (-not (Get-Command "aws" -ErrorAction SilentlyContinue)) {
Write-Error "AWS CLI is not installed. Please install it and configure it with 'aws configure'."
exit
}

# Function to list IAM roles
function List-IAMRoles {
aws iam list-roles --query "Roles[*].{RoleName:RoleName, Arn:Arn}" --output json
}

# Initialize error count
$errorCount = 0

# List all roles
$roles = List-IAMRoles | ConvertFrom-Json

# Attempt to assume each role
foreach ($role in $roles) {
$sessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
try {
$credentials = aws sts assume-role --role-arn $role.Arn --role-session-name $sessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
if ($credentials) {
Write-Host "Successfully assumed role: $($role.RoleName)"
Write-Host "Access Key: $($credentials.AccessKeyId)"
Write-Host "Secret Access Key: $($credentials.SecretAccessKey)"
Write-Host "Session Token: $($credentials.SessionToken)"
Write-Host "Expiration: $($credentials.Expiration)"

# Set temporary credentials to assume the next role
$env:AWS_ACCESS_KEY_ID = $credentials.AccessKeyId
$env:AWS_SECRET_ACCESS_KEY = $credentials.SecretAccessKey
$env:AWS_SESSION_TOKEN = $credentials.SessionToken

# Try to assume another role using the temporary credentials
foreach ($nextRole in $roles) {
if ($nextRole.Arn -ne $role.Arn) {
$nextSessionName = "RoleJugglingTest-" + (Get-Date -Format FileDateTime)
try {
$nextCredentials = aws sts assume-role --role-arn $nextRole.Arn --role-session-name $nextSessionName --query "Credentials" --output json 2>$null | ConvertFrom-Json
if ($nextCredentials) {
Write-Host "Also successfully assumed role: $($nextRole.RoleName) from $($role.RoleName)"
Write-Host "Access Key: $($nextCredentials.AccessKeyId)"
Write-Host "Secret Access Key: $($nextCredentials.SecretAccessKey)"
Write-Host "Session Token: $($nextCredentials.SessionToken)"
Write-Host "Expiration: $($nextCredentials.Expiration)"
}
} catch {
$errorCount++
}
}
}

# Reset environment variables
Remove-Item Env:\AWS_ACCESS_KEY_ID
Remove-Item Env:\AWS_SECRET_ACCESS_KEY
Remove-Item Env:\AWS_SESSION_TOKEN
} else {
$errorCount++
}
} catch {
$errorCount++
}
}

# Output the number of errors if any
if ($errorCount -gt 0) {
Write-Host "$errorCount error(s) occurred during role assumption attempts."
} else {
Write-Host "No errors occurred. All roles checked successfully."
}

Write-Host "Role juggling check complete."
```
</details>

{{#include ../../../../banners/hacktricks-training.md}}