AWSGoat(ine) AWS CTF solution Module 2

n00🔑
10 min read · Feb 15, 2023

Overview/Agenda

https://github.com/ine-labs/AWSGoat

- Exploiting SQLi for login bypass
- Finding and abusing file upload functionality to upload a web shell
- Getting a reverse shell using a python3 payload and listening with pwncat
- Finding DB creds in a config file
- Finding out that we are in a container
- Enumerating the container using linpeas
- Finding out that the host's processes are visible (meaning the host's PID namespace is shared with the container process)
- Abusing misconfigured sudo permissions for privesc (GTFOBins entry for vim)
- Finding a python3 http.server running on the host on port 31452
- Abusing the CAP_SYS_PTRACE capability and the container's root privileges for container breakout
- Using the metadata API to get the ECS container role credentials (ecs-task-role)
- Enumerating permissions of ecs-task-role using enumerate-iam
- Reading secrets
- Enumerating permissions of the EC2 role (ecs-instance-role) using enumerate-iam
- Enumerating permissions of ecs-instance-role (EC2)
- Finding out that there is a permissions boundary in place
- Starting a new EC2 instance with a privileged role
- Checking if the openssl binary is present on the EC2 instance and using it for a reverse shell
- Using the metadata API to get credentials of the high-privileged role (ec2-Deployer-role) that the new EC2 instance is running with
