Cloudgoat AWS CTF solution- Scenerio 6 (ec2_ssrf)

Scenario: ec2_ssrf


Add then add secrets to “/root/.aws/credentials” file with profile name “solus”

Scenario Resources

  • 1 VPC with:
  • EC2 x 1
  • 1 Lambda Function
  • 1 S3 Bucket

Scenario Start(s)

  1. IAM User “Solus”

Scenario Goal(s)

Invoke the “cg-lambda-[ CloudGoat ID ]” Lambda function.


Starting as the IAM user Solus, the attacker discovers they have ReadOnly permissions to a Lambda function, where hardcoded secrets lead them to an EC2 instance running a web application that is vulnerable to server-side request forgery (SSRF). After exploiting the vulnerable app and acquiring keys from the EC2 metadata service, the attacker gains access to a private S3 bucket with a set of keys that allow them to invoke the Lambda function and complete the scenario.

Exploitation Route(s)

Route Walkthrough — IAM User “Solus”

ec2 public IP:

  1. As the IAM user Solus, the attacker explores the AWS environment and discovers they can list Lambda functions in the account.

2. Listing lambda functions

arn:aws:lambda:us-east-1:864154101007:function:cg-lambda-ec2_ssrf_cgiddzghpaob13” running with role “arn:aws:iam::864154101007:role/cg-lambda-role-ec2_ssrf_cgiddzghpaob13-service-role

3. We have found 2 environment variables in lambda fucntion-

4. Within a Lambda function, the attacker finds AWS access keys belonging to a different user — the IAM user Wrex.

5. Now operating as Wrex, once again we enumerated current users’ (“wrex”) permissions-

6. The attacker discovers an EC2 instance running a web application vulnerable to an SSRF vulnerability.

a) Finding running ec2 instances.

Public IP:

b) Finding open TCP ports on ec2 accessible from internet-

c) Upon doing content discovery and parameter fuzzing we found a valid “GET” parameter named “url”.

7. Exploiting the SSRF vulnerability via the ?url=... parameter, the attacker is able to steal AWS keys from the EC2 metadata service.

8. Now using the keys from the EC2 instance, the attacker finds a private S3 bucket containing another set of AWS credentials for a more powerful user: Shepard.

a) Enumerating permissions of new aws creds found via ssrf-

b) Finding s3 buckets and listing contents-

c) Testing the new creds-

9. Now operating as Shepard, with full-admin final privileges, the attacker can invoke the original Lambda function to complete the scenario.




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store