addeed details

Enumeration/AWS.md

@@ -435,6 +435,66 @@ A Unique ID is create through the following scheme
 arn:aws:<service>:<region>:<account_id>:<resource_type>/<resource_name>
 ```
 
+### IAM - Gain Access through Vulnerabilities
+
+#### Gathering Credentials
+
+Git repositories, especially on GitLab and Github but also other repositories,
+can be a source of found credentials. A tool to find sensitive data inside git
+repository is [Trufflesecurity's
+Trufflehog](https://github.com/trufflesecurity/trufflehog).
+
+Other repositories, like package repository for programming, are also prone to
+contain credentials unintentionally.
+
+#### Gain Access through CloudFormation
+
+It is possible to phish credentials through url manipulation and sending it to
+someone with higher privileges.
+
+This may be achieved through link manipulation. A link for a CloudFormation
+Stackset creation looks like this.
+
+```http
+https://console.aws.amazon.com/cloudformation/home?region=<region>#/stacks/new?stackName=<maliciousStackName>&templateURL=https://s3.amazonaws.com/<bucketname>/<templatename>.template
+```
+
+CloudFormation Stacks can be listed through aws cli.
+
+```sh
+aws cloudformation describe-stacks | jq .
+```
+
+#### Gaining Access through Metadata Service
+
+Metdata Service (IMDS) returns information about the EC2 instance and IAM it uses.
+Take a look at chapter [Metadata Service](#Metadata-Service) to get in to the details.
+
+To gain access from the web, you need something like an LFI or a SSRF to
+request the IMDS through the EC2 instance, indirectly. Goal is to gain access
+to the environment variables and as a result to `AWS_SESSION_TOKEN`,
+`AWS_SECRET_ACCESS_KEY` and `AWS_ACCESS_KEY_ID`.
+
+Query the the role name first. Use them to query the instance profile role afterwards.
+
+```http
+http://169.254.169.254/latest/meta-data/iam/security-credentials/
+http://169.254.169.254/latest/meta-data/iam/security-credentials/<FoundRoleName>
+```
+
+Export the variables and check if you got the instance profile permissions
+correctly via aws cli.
+
+```sh
+aws sts get-caller-identity
+```
+
+#### Credentials Gain through CI/CD
+
+Credentials can be found directly inside files of a bucket or through the use
+of the bucket by other services, which store credentials inside the bucket as a
+result of some executed scripts.
+
 ## Services
 
 An [action on an
@@ -1490,13 +1550,17 @@ inside these Lambda authorizer policies to get unexpected permissions.
 
 #### Use an API Gateway as a Reverse Proxy
 
-Rotation of IP addresses for an attack may bypass restrictions, like rate-limiting, set for an address.
+Rotation of IP addresses for an attack may bypass restrictions, like
-This can be done via VPNs, e.g. Tor or more suitable in this case using the AWS
+rate-limiting, set for an address. This can be done via VPNs, e.g. Tor or more
-API Gateway to rotate the IP address via FireProx. 
+suitable in this case using the AWS API Gateway to rotate the IP address via
+FireProx.
 
-Use the Cloudshell inside a browser to clone and install the [Fireprox repository](https://github.com/ustayready/fireprox). Start `fire.py` afterwards.
+Use the Cloudshell inside a browser to clone and install the [Fireprox
+repository](https://github.com/ustayready/fireprox). Start `fire.py`
+afterwards.
 
-You can use Fireprox externally from the AWS, but you have set an endpoint via a URL to achieve a connection.
+You can use Fireprox externally from the AWS, but you have set an endpoint via
+a URL to achieve a connection.
 
 ```sh
 ./fire.py --command create --url <URL>
@@ -1506,4 +1570,4 @@ Using any of these two lets you list existing APIs.
 
 ```sh
 ./fire.py --command list
-
+```