PwnedLabs Intro to Aws IAM enumeration

PwnedLabs Intro to Aws IAM enumeration

Jun 25, 2024
Linux

aws configure

ssh_command.

aws sts get-caller-identity | jq

ssh_command.

aws iam get-user | jq

ssh_command.

Desafortunadamente no tengo permisos para ver detalles de mi cuenta

aws iam get-account-authorization-details

ssh_command.

aws -iam list-users

ssh_command.

aws iam list-access-keys

ssh_command.

aws iam list-user-policies --user-name dev01

ssh_command.

aws iam get-user-policy --user-name dev01 --policy-name S3_Access | jq

ssh_command.

Podemos ver que la poliza solo permite dos acciones: s3:ListBucket s3:GetObject

aws iam list-attached-user-policies --user-name dev01

ssh_command.

aws iam list-groups-for-user --user-name dev01

ssh_command.

aws iam list-policy-versions --policy-arn arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess

ssh_command.

aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess --version-id v4

ssh_command.

aws iam list-policy-versions --policy-arn arn:aws:iam::794929857501:policy/dev01

ssh_command.

aws iam get-policy-version --policy-arn arn:aws:iam::794929857501:policy/dev01 --version-id v7

ssh_command.

aws iam list-attached-role-policies --role-name BackendDev | jq

ssh_command.

aws iam get-role --role-name BackendDev | jq

ssh_command.

aws iam get-policy --policy-arn arn:aws:iam::794929857501:policy/BackendDevPolicy | jq

ssh_command.

aws iam get-policy-version --policy-arn arn:aws:iam::794929857501:policy/BackendDevPolicy v1 | jq

ssh_command.

aws s3 ls s3://hl-dev-artifacts

ssh_command.

aws s3 sync s3://hl-dev-artifacts .

ssh_command.

cat flag.txt

ssh_command.