Cloudgoat AWS CTF solution - Scenario 6 (ec2_ssrf)

n00🔑
Oct 21, 2022

Scenario: ec2_ssrf

Deployment:

git clone https://github.com/RhinoSecurityLabs/cloudgoat.git
cd cloudgoat
chmod +x cloudgoat.py
./cloudgoat.py create ec2_ssrf
~/.aws/credentials

Then add the secrets to the “/root/.aws/credentials” file under the profile name “solus”.

Scenario Resources

  • 1 VPC with:
      • EC2 x 1
  • 1 Lambda Function
  • 1 S3 Bucket

Scenario Start(s)

  1. IAM User “Solus”

Scenario Goal(s)

Invoke the “cg-lambda-[ CloudGoat ID ]” Lambda function.

Summary

Starting as the IAM user Solus, the attacker discovers they have ReadOnly permissions to a Lambda function, where hardcoded secrets lead them to an EC2 instance running a web application that is vulnerable to server-side request forgery (SSRF). After exploiting the vulnerable app and acquiring keys from the EC2 metadata service, the attacker gains access to a private S3 bucket with a set of keys that allow them to invoke the Lambda function and complete the scenario.

Exploitation Route(s)
