GITBOOK-684: No subject

Author: carlospolop

.gitbook/assets/telegram-cloud-photo-size-4-6044191430395675441-x.jpg

@@ -234,7 +234,7 @@ To **login** you **need** to know:
 
 {% hint style="info" %}
 In order to be **able to login with this method** that application must allow to login with `ALLOW_ADMIN_USER_PASSWORD_AUTH`.\
-Moreover, to perform this action you need credentials with the permissions\*\*`cognito-idp:AdminInitiateAuth`\*\*and **`cognito-idp:AdminRespondToAuthChallenge`**
+Moreover, to perform this action you need credentials with the permissions **`cognito-idp:AdminInitiateAuth`** and **`cognito-idp:AdminRespondToAuthChallenge`**
 {% endhint %}
 
 ```python

pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md

@@ -25,15 +25,26 @@ For basic info about Cognito check:
 [aws-cognito-enum](../aws-services/aws-cognito-enum/)
 {% endcontent-ref %}
 
+### Identity Pool ID
+
+Identity Pools can grant **IAM roles to unauthenticated users** that just **know the Identity Pool ID** (which is fairly common to **find**), and attacker with this info could try to **access that IAM rol**e and exploit it.\
+Moreoever, IAM roles could also be assigned to **authenticated users** that access the Identity Pool. If an attacker can **register a user** or already has **access to the identity provider** used in the identity pool you could access to the **IAM role being given to authenticated** users and abuse its privileges.
+
+[**Check how to do that here**](../aws-services/aws-cognito-enum/cognito-identity-pools.md).
+
+### User Pool ID
+
+By default Cognito allows to **register new user**. Being able to register a user might give you **access** to the **underlaying application** or to the **authenticated IAM access role of an Identity Pool** that is accepting as identity provider the Cognito User Pool. [**Check how to do that here**](../aws-services/aws-cognito-enum/cognito-user-pools.md#registration).
+
 ### Pacu modules for pentesting and enumeration
 
 [Pacu](https://github.com/RhinoSecurityLabs/pacu), the AWS exploitation framework, now includes the "cognito\_\_enum" and "cognito\_\_attack" modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc.
 
 For a description of the modules' functions see part 2 of the [blog post](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). For installation instructions see the main [Pacu](https://github.com/RhinoSecurityLabs/pacu) page.
 
-### Usage
+#### Usage
 
-Sample cognito\_\_attack usage to attempt user creation and all privesc vectors against a given identity pool and user pool client:
+Sample `cognito__attack` usage to attempt user creation and all privesc vectors against a given identity pool and user pool client:
 
 ```bash
 Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools 
@@ -47,17 +58,6 @@ Sample cognito\_\_enum usage to gather all user pools, user pool clients, identi
 Pacu (new:test) > run cognito__enum
 ```
 
-### Identity Pool ID
-
-Identity Pools can grant **IAM roles to unauthenticated users** that just **know the Identity Pool ID** (which is fairly common to **find**), and attacker with this info could try to **access that IAM rol**e and exploit it.\
-Moreoever, IAM roles could also be assigned to **authenticated users** that access the Identity Pool. If an attacker can **register a user** or already has **access to the identity provider** used in the identity pool you could access to the **IAM role being given to authenticated** users and abuse its privileges.
-
-[**Check how to do that here**](../aws-services/aws-cognito-enum/cognito-identity-pools.md).
-
-### User Pool ID
-
-By default Cognito allows to **register new user**. Being able to register a user might give you **access** to the **underlaying application** or to the **authenticated IAM access role of an Identity Pool** that is accepting as identity provider the Cognito User Pool. [**Check how to do that here**](../aws-services/aws-cognito-enum/cognito-user-pools.md#registration).
-
 {% hint style="success" %}
 Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1).png" alt="" data-size="line">\
 Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md

@@ -193,6 +193,14 @@ However, it's also possible to create and attach to resources **custom service a
 SERVICE_ACCOUNT_NAME@PROJECT_NAME.iam.gserviceaccount.com
 ```
 
+### **Keys & Tokens**
+
+There are 2 main ways to access GCP as a service account:
+
+* **Via OAuth tokens**: These are tokens that you will get from places like metadata endpoints or stealing http requests and they are limited by the **access scopes**.
+* **Keys**: These are public and private key pairs that will allow you to sign requests as the service account and even generate OAuth tokens to perform actions as the service account. These keys are dangerous because they are more complicated to limit and control, that's why GCP recommend to not generate them.
+  * Note that every-time a SA is created, **GCP generates a key for the service account** that the user cannot access (and won't be listed in the web application). According to [**this thread**](https://www.reddit.com/r/googlecloud/comments/f0ospy/service\_account\_keys\_observations/) this key is **used internally by GCP** to give metadata endpoints access to generate the accesible OAuth tokens.
+
 ### **Access scopes**
 
 Access scope are **attached to generated OAuth tokens** to access the GCP API endpoints. They **restrict the permissions** of the OAuth token.\