I originally learned of this from Christophe Tafani-Dereeper's
When performing pentesting or red teaming, we may encounter a user with console access or gain access to an existing console session.
By retrieving AWS Access Keys, we can leverage them for further enumeration from our command line and tools.
CloudShell provides a ready-to-use CLI environment for the logged-on user/role without needing to set up credentials as you would on, say, your own computer.
It can do this because it retrieves credentials from the instance metadata service each time a command is run (see screenshot).
Now that we know the endpoint, we can query it ourselves and get the plaintext credentials.
Using an undocumented endpoint, we can leverage CloudShell from the AWS Console and create AWS Access Keys for the logged-on user.