Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

There are many, many ways to login to AWS. The console and the CLI via Access Keys and Secret Keys is one of them.

Multi Factor Authentication (MFA) can be setup to work on the CLI as well. To do this, a user needs to get temporary credentials via the AWS STS service, as documented in the AWS official documentation.

There's a slight oversight with the IAM policy being used for this though: a user can call iam:CreateVirtualMFADevice on the user being logged in! This is the capability to add an MFA device for the user.

The author of the post bought a Hardware OTP and enabled this. Now, they had just bypassed the AWS CLI based MFA from the default policy in the documentation. Principle of least principle really bit them on this one. It's a good reminder how important writing tight permissions is.

Overall, good string of tweets for a interesting MFA bypass on AWS.