From 26a50a62d05050f44d6a95bdc07bb0de1f7ea829 Mon Sep 17 00:00:00 2001 From: SrFlipFlop Date: Thu, 22 Jan 2026 17:36:06 +0100 Subject: [PATCH] While I was doing the ARTE lab on Step Functions, I noticed that some Hacktricks commands were incorrect or should be using an earlier version of AWS CLI. Changed `aws states` for `aws stepfunctions`. --- .../aws-stepfunctions-privesc/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc/README.md index cc42c375cd..42dd054686 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc/README.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc/README.md 
@@ -28,7 +28,7 @@ Or you could also go to the API AWS documentation and check each action docs: An attacker with the **`states:TestState`** & **`iam:PassRole`** permissions can test any state and pass any IAM role to it without creating or updating an existing state machine, potentially enabling unauthorized access to other AWS services with the roles' permissions. Combined, these permissions can lead to extensive unauthorized actions, from manipulating workflows to alter data to data breaches, resource manipulation, and privilege escalation. ```bash -aws states test-state --definition --role-arn [--input ] [--inspection-level ] [--reveal-secrets | --no-reveal-secrets] +aws stepfunctions test-state --definition --role-arn [--input ] [--inspection-level ] [--reveal-secrets | --no-reveal-secrets] ``` The following examples show how to test an state that creates an access key for the **`admin`** user leveraging these permissions and a permissive role of the AWS environment. This permissive role should have any high-privileged policy associated with it (for example **`arn:aws:iam::aws:policy/AdministratorAccess`**) that allows the state to perform the **`iam:CreateAccessKey`** action: 
@@ -73,14 +73,14 @@ An attacker with the **`states:CreateStateMachine`**& **`iam:PassRole`** would b ```bash # Create a state machine -aws states create-state-machine --name --definition --role-arn [--type ] [--logging-configuration ]\ +aws stepfunctions create-state-machine --name --definition --role-arn [--type ] [--logging-configuration ]\ [--tracing-configuration ] [--publish | --no-publish] [--version-description ] # Start a state machine execution -aws states start-execution --state-machine-arn [--name ] [--input ] [--trace-header ] +aws stepfunctions start-execution --state-machine-arn [--name ] [--input ] [--trace-header ] # Start a Synchronous Express state machine execution -aws states start-sync-execution --state-machine-arn [--name ] [--input ] [--trace-header ] +aws stepfunctions start-sync-execution --state-machine-arn [--name ] [--input ] [--trace-header ] ``` The following examples show how to create an state machine that creates an access key for the **`admin`** user and exfiltrates this access key to an attacker-controlled S3 bucket, leveraging these permissions and a permissive role of the AWS environment. This permissive role should have any high-privileged policy associated with it (for example **`arn:aws:iam::aws:policy/AdministratorAccess`**) that allows the state machine to perform the **`iam:CreateAccessKey`** & **`s3:putObject`** actions. 
@@ -160,7 +160,7 @@ Depending on how permissive is the IAM Role associated to the state machine is, 2. **Not permissive IAM Role**: In contrast with the previous case, here an attacker would also require the **`iam:PassRole`** permission since it would be necessary to associate a permissive IAM Role to the state machine in addition to modify the state machine definition. ```bash -aws states update-state-machine --state-machine-arn [--definition ] [--role-arn ] [--logging-configuration ] \ +aws stepfunctions update-state-machine --state-machine-arn [--definition ] [--role-arn ] [--logging-configuration ] \ [--tracing-configuration ] [--publish | --no-publish] [--version-description ] ```
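Review bot: in the `test-state` hunk (@@ -28), the prose right under the fence still reads "test an state"; change it to "test a state" while this block is being touched. Note that `states:TestState` and `iam:PassRole` in the same paragraph are IAM action names, not CLI subcommands, so they correctly keep the `states:` prefix and must not be renamed along with the command. The required `--definition` and `--role-arn` arguments also show no value placeholder in the usage line; if the placeholders were lost, restoring them (for example `--definition <definition> --role-arn <role-arn>`) keeps the line usable as written.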
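Review bot: in the `create-state-machine` hunk (@@ -73), the first added line ends with `]\` with no space before the backslash; write `[--logging-configuration ] \` as the `update-state-machine` hunk already does, so the continuation is consistent across the file. Two documentation nits in the unchanged context of the same hunk: the header sentence is missing a space in "**`states:CreateStateMachine`**& **`iam:PassRole`**", and the closing paragraph says "create an state machine" (should be "a state machine") and lists `s3:putObject`, which is conventionally written `s3:PutObject` to match the documented action name.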
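Review bot: the `update-state-machine` hunk (@@ -160) only renames the command, which is correct, but the surrounding context sentences need a grammar pass: "Depending on how permissive is the IAM Role associated to the state machine is" has a duplicated "is", and "in addition to modify the state machine definition" should read "in addition to modifying". Since the usage line shows `--role-arn` as optional, it would also help to state in case 2 that passing a new `--role-arn` is what introduces the `iam:PassRole` requirement, whereas changing only `--definition` does not.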