Hacking-the-Cloud · Frichetten · Feb 2, 2026 · Feb 2, 2026
diff --git a/content/aws/post_exploitation/get_iam_creds_from_console_session.md b/content/aws/post_exploitation/get_iam_creds_from_console_session.md
@@ -1,9 +1,7 @@
 ---
-author_name: Nick Frichette
+author_name: Nick Frichette and Ben Stevens
 title: "Get IAM Credentials from a Console Session"
 description: Convert access to the AWS Console into IAM credentials.
-hide:
-  - toc
 ---
 
 # Get IAM Credentials from a Console Session
@@ -14,9 +12,15 @@ hide:
     ---
 
     <aside style="display:flex">
-    <p><a href="https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/">Retrieving AWS security credentials from the AWS consoletitle</a> by <a href="https://blog.christophetd.fr/">Christophe Tafani-Dereeper</a></p>
+    <p><a href="https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/">Retrieving AWS security credentials from the AWS console</a> by <a href="https://blog.christophetd.fr/">Christophe Tafani-Dereeper</a></p>
     <p><img src="/images/researchers/christophe_tafani-dereeper.jpg" alt="Christophe Tafani-Dereeper" style="width:44px;height:44px;margin:5px;border-radius:100%;max-width:unset"></img></p>
     </aside>
+
+-   :material-tools:{ .lg .middle } __Tools mentioned in this article__
+
+    ---
+    __Warning__: Always review source code before using an attack tool.  
+    [CLIer](https://github.com/AI-redteam/clier)
 </div>
 
 When performing a penetration test or red team assessment, it is not uncommon to gain access to a developer's machine. This presents an opportunity for you to jump into AWS infrastructure via credentials on the system. For a myriad of reasons you may not have access to credentials in the `.aws` folder, but instead have access to their browser's session cookies (for example via cookies.sqlite in FireFox).
@@ -69,11 +73,12 @@ Each AWS service in the Console has its own credential endpoint following the pa
 https://{region}.console.aws.amazon.com/{service}/tb/creds
 ```
 
-Examples:
-- `https://us-east-1.console.aws.amazon.com/s3/tb/creds`
-- `https://us-east-1.console.aws.amazon.com/ec2/tb/creds`
-- `https://us-east-1.console.aws.amazon.com/lambda/tb/creds`
-- `https://us-east-1.console.aws.amazon.com/console/tb/creds`
+Examples:  
+
+* `https://us-east-1.console.aws.amazon.com/s3/tb/creds` 
+* `https://us-east-1.console.aws.amazon.com/ec2/tb/creds` 
+* `https://us-east-1.console.aws.amazon.com/lambda/tb/creds` 
+* `https://us-east-1.console.aws.amazon.com/console/tb/creds` 
 
 These endpoints return JSON containing temporary credentials:
 
@@ -86,7 +91,6 @@ These endpoints return JSON containing temporary credentials:
 }
 ```
 
-
 *Each service endpoint returns credentials scoped to that specific service. The `/s3/tb/creds` endpoint returns credentials with S3 permissions, while `/ec2/tb/creds` returns EC2-scoped credentials. To obtain credentials for multiple services, you must request from each endpoint.*
 
 ### Manual Extraction via Browser DevTools
@@ -97,19 +101,16 @@ You can manually extract these credentials using your browser's Developer Tools:
 2. Open Developer Tools (F12) and go to the **Network** tab
 3. In the Console, perform an action that requires credentials (refresh the page or click on a resource)
 4. Filter network requests by `tb/creds`
-<img width="836" height="417" alt="image" src="https://github.com/user-attachments/assets/52111b5f-c67e-431f-80b3-081ca7a05ee4" />
+![Showing broswer creds](../../images/aws/post_exploitation/get_iam_creds_from_console_session/browser_creds.png)
 
 5. Click on the matching request and view the **Response** tab
-<img width="461" height="165" alt="image" src="https://github.com/user-attachments/assets/02890fff-fad2-4e17-a532-e31abce70ce1" />
-
-
+![Creds](../../images/aws/post_exploitation/get_iam_creds_from_console_session/creds.png)
 
 ### Automated Extraction with CLIer
 
 [CLIer](https://github.com/AI-redteam/clier) is a browser extension that automates the extraction of these credentials. It works by intercepting `fetch()` and `XMLHttpRequest` calls to the `/tb/creds` endpoints as you browse the AWS Console.
 
-<img width="458" height="571" alt="image" src="https://github.com/user-attachments/assets/1ab8e026-2f78-48fd-a05e-4a9b86382afa" />
-
+![CLIer](../../images/aws/post_exploitation/get_iam_creds_from_console_session/clier.png)
 
 **How it works:**
 
@@ -129,12 +130,10 @@ The AWS Console is a single-page application that needs IAM credentials to make
 
 This bypasses all controls that are generally used to restrict users from accessing STS creds. Every existing control can be in place and the console will still provide access to these creds.
 
-
 ### Detection Considerations
 
 From a defensive perspective, this technique:
 
 - Does not generate additional CloudTrail logs beyond normal Console usage
 - Uses the same endpoints the Console uses legitimately
 - Cannot be distinguished from normal Console activity at the API level
-
diff --git a/...ages/aws/post_exploitation/get_iam_creds_from_console_session/browser_creds.png b/...ages/aws/post_exploitation/get_iam_creds_from_console_session/browser_creds.png
diff --git a/content/images/aws/post_exploitation/get_iam_creds_from_console_session/clier.png b/content/images/aws/post_exploitation/get_iam_creds_from_console_session/clier.png
diff --git a/content/images/aws/post_exploitation/get_iam_creds_from_console_session/creds.png b/content/images/aws/post_exploitation/get_iam_creds_from_console_session/creds.png