Cloudgoat AWS CTF solution- Scenario 8 (rce_web_app)

Scenario 8 — rce_web_app

Deployment:

Scenario Resources

1 VPC with:

  • ELB x 1
  • EC2 x 1
  • S3 x 3
  • RDS x 1

2 IAM Users

Scenario Start(s)

  1. IAM User “Lara”
  2. IAM User “McDuck”

Scenario Goal(s)

Find a secret stored in the RDS database.

Summary

Starting as the IAM user Lara, the attacker explores a Load Balancer and S3 bucket for clues to vulnerabilities, leading to an RCE exploit on a vulnerable web app which exposes confidential files and culminates in access to the scenario’s goal: a highly-secured RDS database instance.

Alternatively, the attacker may start as the IAM user McDuck and enumerate S3 buckets, eventually leading to SSH keys that grant direct access to the EC2 server and the database beyond.

Exploitation Route(s)

Route Walkthrough — IAM User “Lara”

  1. We have been provided with access to the account of the “mcduck” user. We start by enumerating its permissions-

2. Listing files in the bucket “cg-logs-s3-bucket-rce-web-app-cgid0kyrstov20”-

Downloading the log file “555555555555_elasticloadbalancing_us-east-1_app.cg-lb-cgidp347lhz47g.d36d4f13b73c2fe7_20190618T2140Z_10.10.10.100_5m9btchz.log”-

Found endpoint “mkja1xijqf0abo1h9glg.html”
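What a downloaded ELB access log discloses (every request path, including the unlinked endpoint found above), and how the same log lets a defender spot path guessing against the load balancer, as an added Python example that is not part of the original post. The field layout follows AWS's documented Application Load Balancer access-log format; the sample lines are constructed (client IPs, timestamps and target-group ARN are made up, the endpoint and DNS name are the ones the walkthrough found):

```python
import shlex
from collections import Counter
from urllib.parse import urlsplit

# Constructed ALB access-log lines (not taken from the scenario's real log file).
SAMPLE_LOG = """\
http 2019-06-18T21:35:12.345678Z app/cg-lb-cgidp347lhz47g/d36d4f13b73c2fe7 203.0.113.10:44210 10.10.10.100:80 0.001 0.004 0.000 200 200 34 5123 "GET http://cg-lb-rce-web-app-cgid0kyrstov20-1666991724.us-east-1.elb.amazonaws.com:80/mkja1xijqf0abo1h9glg.html HTTP/1.1" "Mozilla/5.0" - - arn:aws:elasticloadbalancing:us-east-1:555555555555:targetgroup/cg-tg/0123456789abcdef "Root=1-5d094b10-000000000000000000000001" "-" "-" 0 2019-06-18T21:35:12.341000Z "forward" "-" "-"
http 2019-06-18T21:36:01.000000Z app/cg-lb-cgidp347lhz47g/d36d4f13b73c2fe7 198.51.100.7:51000 10.10.10.100:80 0.001 0.002 0.000 404 404 30 120 "GET http://cg-lb-rce-web-app-cgid0kyrstov20-1666991724.us-east-1.elb.amazonaws.com:80/admin HTTP/1.1" "curl/7.64.0" - - arn:aws:elasticloadbalancing:us-east-1:555555555555:targetgroup/cg-tg/0123456789abcdef "Root=1-5d094b41-000000000000000000000002" "-" "-" 0 2019-06-18T21:36:00.998000Z "forward" "-" "-"
http 2019-06-18T21:36:02.000000Z app/cg-lb-cgidp347lhz47g/d36d4f13b73c2fe7 198.51.100.7:51001 10.10.10.100:80 0.001 0.002 0.000 404 404 30 120 "GET http://cg-lb-rce-web-app-cgid0kyrstov20-1666991724.us-east-1.elb.amazonaws.com:80/old HTTP/1.1" "curl/7.64.0" - - arn:aws:elasticloadbalancing:us-east-1:555555555555:targetgroup/cg-tg/0123456789abcdef "Root=1-5d094b42-000000000000000000000003" "-" "-" 0 2019-06-18T21:36:01.998000Z "forward" "-" "-"
this line is truncated and must be skipped
"""


def parse_alb_line(line):
    """Parse one ALB access-log line; return a dict, or None if the line is malformed."""
    try:
        fields = shlex.split(line)      # honours the quoted request and user-agent fields
    except ValueError:
        return None
    if len(fields) < 14:
        return None
    request = fields[12].split(" ")     # 'METHOD URL PROTOCOL'
    if len(request) != 3:
        return None
    method, url, _proto = request
    return {
        "time": fields[1],
        "client_ip": fields[3].rsplit(":", 1)[0],   # strip the client port
        "elb_status": fields[8],
        "method": method,
        "path": urlsplit(url).path,
        "user_agent": fields[13],
    }


def parsed_entries(log_text):
    return [e for e in (parse_alb_line(l) for l in log_text.splitlines()) if e]


def distinct_paths(log_text):
    """Every request path the log discloses: what anyone who can read the bucket learns."""
    return sorted({e["path"] for e in parsed_entries(log_text)})


def probing_clients(log_text, min_errors=2):
    """Clients with at least min_errors 4xx responses, a simple path-guessing indicator."""
    errors = Counter(e["client_ip"] for e in parsed_entries(log_text)
                     if e["elb_status"].startswith("4"))
    return {ip: n for ip, n in errors.items() if n >= min_errors}
```

The first lesson is that access logs are sensitive: a bucket readable by a low-privilege user leaks the application's unpublished paths, so restrict the log bucket's policy as tightly as the application itself.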

3. The logs we got are from an ELB. Let us list the available load balancers-

Opening the DNS name-

4. Appending the endpoint found in the logs to the load balancer URL gives http://cg-lb-rce-web-app-cgid0kyrstov20-1666991724.us-east-1.elb.amazonaws.com/mkja1xijqf0abo1h9glg.html-

5. Getting reverse shell-

a. It has functionality allowing us to run OS commands-

b. Generating python3 rev shell-

We have used this tool, which generates a base64-encoded python3 rev shell.

c. Getting reverse shell-

Branch A

6. The remaining steps (6–8) are the same as in the Route Walkthrough — IAM User “McDuck” below.

Branch B

  1. Found DB connection info and creds in the instance metadata API-

Route Walkthrough — IAM User “McDuck”

  1. We have been provided with access to the account of the “mcduck” user. We start by enumerating its permissions-

2. The attacker explores the AWS environment and discovers they are able to list S3 buckets using their starting keys-

3. Enumerating S3 buckets-

a. cg-keystore-s3-bucket-rce-web-app-cgidckqt6c2yi0

b. cg-logs-s3-bucket-rce-web-app-cgidckqt6c2yi0

c. cg-secret-s3-bucket-rce-web-app-cgidckqt6c2yi0

4. We discovered that the SSH keys found in the S3 bucket enabled us to log into the EC2 instance.

a. Determining the running EC2 instances and their public IPs-

b. Logging into the EC2 instance-

5. Now working through the EC2 instance (and therefore operating with its role instead of McDuck’s), we are able to discover and access a private S3 bucket.

a. Getting creds and logging in with the role cg-ec2-role-rce_web_app_cgidckqt6c2yi0-

6. Enumerating the permissions of this EC2 instance’s role-

7. Again trying to read the S3 buckets cg-logs-s3-bucket-rce-web-app-cgidckqt6c2yi0 and cg-secret-s3-bucket-rce-web-app-cgidckqt6c2yi0-

Downloading db.txt with the EC2 role (cg-ec2-role-rce_web_app_cgidckqt6c2yi0)-

8. Finding and accessing the database using these creds-

a. Finding database-

cg-rds-instance-rce-web-app-cgidckqt6c2yi0.czksqkjfewb6.us-east-1.rds.amazonaws.com:5432

b. The database is accessible only via the EC2 instance-

c. Finding secret in DB-

V!C70RY-4hy2809gnbv40h8g4b

References-

https://github.com/RhinoSecurityLabs/cloudgoat/blob/master/scenarios/rce_web_app/README.md
