From 7a8496123107c7b5aae2cb057cab253f41177819 Mon Sep 17 00:00:00 2001 From: galoget Date: Mon, 5 Jun 2023 13:19:58 -0500 Subject: [PATCH 1/8] Fix Typo in README.md --- scenarios/vulnerable_lambda/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scenarios/vulnerable_lambda/README.md b/scenarios/vulnerable_lambda/README.md index d00e5c15..d49a788e 100644 --- a/scenarios/vulnerable_lambda/README.md +++ b/scenarios/vulnerable_lambda/README.md @@ -25,7 +25,7 @@ Find the scenario's secret. (cg-secret-XXXXXX-XXXXXX) In this scenario, you start as the 'bilbo' user. You will assume a role with more privileges, discover a lambda function that applies policies to users, and exploit a vulnerability in the function to escalate -the prrivileges of the bilbo user in order to search for secrets. +the privileges of the bilbo user in order to search for secrets. ## Exploitation Route From b6055f5de440c65671a28d2e89dd184eb32f94fa Mon Sep 17 00:00:00 2001 From: galoget Date: Wed, 7 Jun 2023 04:43:28 -0500 Subject: [PATCH 2/8] Delete trailing spaces from README.md Deleted trailing whitespaces and added bullets in the "Scenario Resources" section to standardize with the rest of the project (other levels contain bullets and this allows to list the elements as items in an ordered way, so they are easier to read). --- scenarios/vulnerable_lambda/README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/scenarios/vulnerable_lambda/README.md b/scenarios/vulnerable_lambda/README.md index d49a788e..393fad43 100644 --- a/scenarios/vulnerable_lambda/README.md +++ b/scenarios/vulnerable_lambda/README.md 
@@ -1,21 +1,21 @@ # Scenario: vulnerable_lambda -**Size:** Small +**Size:** Small **Difficulty:** Easy **Command:** `$ ./cloudgoat.py create vulnerable_lambda` ## Scenario Resources -1 IAM User -1 IAM Role -1 Lambda -1 Secret +- 1 IAM User +- 1 IAM Role +- 1 Lambda +- 1 Secret ## Scenario Start(s) -1. IAM User 'bilbo' +1. IAM User 'bilbo' ## Scenario Goal(s) @@ -25,7 +25,7 @@ Find the scenario's secret. (cg-secret-XXXXXX-XXXXXX) In this scenario, you start as the 'bilbo' user. You will assume a role with more privileges, discover a lambda function that applies policies to users, and exploit a vulnerability in the function to escalate -the privileges of the bilbo user in order to search for secrets. +the privileges of the bilbo user in order to search for secrets. ## Exploitation Route @@ -41,7 +41,7 @@ the privileges of the bilbo user in order to search for secrets. 5. Assume the lambda invoker role. 6. Craft an injection payload to send through the CLI. 7. Base64 encode that payload. The single quote injection character is not compatible with the aws cli command otherwise. -8. Invoke the policy applier lambda function, passing the name of the bilbo user and the injection payload. -9. Now that Bilbo is an admin, use credentials for that user to list secrets from secretsmanager. +8. Invoke the policy applier lambda function, passing the name of the bilbo user and the injection payload. +9. Now that Bilbo is an admin, use credentials for that user to list secrets from secretsmanager. A cheat sheet for this route is available [here](./cheat_sheet.md). From d731633a205acb08fa3228c3d703681880ed6154 Mon Sep 17 00:00:00 2001 
From: galoget Date: Wed, 7 Jun 2023 04:45:22 -0500 Subject: [PATCH 3/8] Added bullets to Scenario Resources in README.md Added bullets in the "Scenario Resources" section to standardize with the rest of the project (other levels contain bullets and this allows to view the elements as items in an ordered way, so they are easier to read). --- scenarios/vulnerable_cognito/README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/scenarios/vulnerable_cognito/README.md b/scenarios/vulnerable_cognito/README.md index 5fe99841..82cd10d8 100644 --- a/scenarios/vulnerable_cognito/README.md +++ b/scenarios/vulnerable_cognito/README.md @@ -8,12 +8,12 @@ ## Scenario Resources -1 S3 bucket -1 Cognito Userpool -1 Cognito IdentityPool -1 API Gateway REST API -1 Lambda -1 IAM role +- 1 S3 bucket +- 1 Cognito Userpool +- 1 Cognito IdentityPool +- 1 API Gateway REST API +- 1 Lambda +- 1 IAM role ## Scenario Start(s) @@ -21,7 +21,7 @@ ## Scenario Goal(s) -Get Cognito IdentityPool credentials +Get Cognito IdentityPool credentials. ## Summary From 4e6a9bbb202c4d4e84ac59f03ff30aeab6d233f2 Mon Sep 17 00:00:00 2001 From: galoget Date: Wed, 7 Jun 2023 04:48:42 -0500 Subject: [PATCH 4/8] Delete trailing spaces from README.md - Deleted trailing whitespaces. - Added bullets in the "Scenario Resources" section to standardize with the rest of the project (other levels contain bullets and this allows to view the elements as items in an ordered way, so they are easier to read). - Corrected the extra new line between Size and Difficulty to look like the rest of the challenges. --- scenarios/lambda_privesc/README.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/scenarios/lambda_privesc/README.md b/scenarios/lambda_privesc/README.md index 06e74f36..a475f9e4 100644 --- a/scenarios/lambda_privesc/README.md +++ b/scenarios/lambda_privesc/README.md 
@@ -1,26 +1,28 @@ # Scenario: lambda_privesc -**Size:** Small +**Size:** Small + **Difficulty:** Easy **Command:** `$ ./cloudgoat.py create lambda_privesc` ## Scenario Resources -1 IAM User -2 IAM Roles +- 1 IAM User +- 2 IAM Roles ## Scenario Start(s) -1. IAM User Chris +1. IAM User Chris ## Scenario Goal(s) Acquire full admin privileges. + ## Summary -Starting as the IAM user Chris, the attacker discovers that they can assume a role that has full Lambda access and pass role permissions. The attacker can then perform privilege escalation to obtain full admin access. +Starting as the IAM user Chris, the attacker discovers that they can assume a role that has full Lambda access and pass role permissions. The attacker can then perform privilege escalation to obtain full admin access. Note: This scenario may require you to create some AWS resources, and because CloudGoat can only manage resources it creates, you should remove them manually before running `./cloudgoat destroy`. From 0cfe6cb21dab12a27bf89368ba6a544da3ba35b3 Mon Sep 17 00:00:00 2001 From: galoget Date: Wed, 7 Jun 2023 04:51:38 -0500 Subject: [PATCH 5/8] Update README.md Standardize the guide as in the rest of the levels. - Applied same titles. - Applied same new lines (spacing), so markdown is rendered correctly. --- scenarios/vulnerable_lambda/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scenarios/vulnerable_lambda/README.md b/scenarios/vulnerable_lambda/README.md index 393fad43..41ef4747 100644 --- a/scenarios/vulnerable_lambda/README.md +++ b/scenarios/vulnerable_lambda/README.md @@ -2,6 +2,7 @@ # Scenario: vulnerable_lambda **Size:** Small + **Difficulty:** Easy **Command:** `$ ./cloudgoat.py create vulnerable_lambda` 
@@ -27,7 +28,7 @@ In this scenario, you start as the 'bilbo' user. You will assume a role with mor lambda function that applies policies to users, and exploit a vulnerability in the function to escalate the privileges of the bilbo user in order to search for secrets. -## Exploitation Route +## Exploitation Route(s) ![Lucidchart Diagram](exploitation_route.png "Exploitation Route") From 69dff8c95a49eb911d3105f1bf28d892b6942b09 Mon Sep 17 00:00:00 2001 From: galoget Date: Wed, 7 Jun 2023 04:52:52 -0500 Subject: [PATCH 6/8] Standardize the README.md guide as in the rest of the levels. Standardize the guide as in the rest of the levels. - Applied same titles. - Applied same new lines (spacing), so markdown is rendered correctly. --- scenarios/vulnerable_cognito/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scenarios/vulnerable_cognito/README.md b/scenarios/vulnerable_cognito/README.md index 82cd10d8..265f8b0c 100644 --- a/scenarios/vulnerable_cognito/README.md +++ b/scenarios/vulnerable_cognito/README.md @@ -2,6 +2,7 @@ # Scenario: vulnerable_cognito **Size:** Small + **Difficulty:** Moderate **Command:** `$ ./cloudgoat.py create vulnerable_cognito` @@ -29,7 +30,7 @@ In this scenario, you are presented with a signup and login page with AWS Cognit You need to bypass restrictions and exploit misconfigurations in Amazon Cognito in order to elevate your privileges and get Cognito Identity Pool credentials. -## Exploitation Route +## Exploitation Route(s) ![Lucidchart Diagram](exploitation_route.png "Exploitation Route") From ed4930b247c493cc71b7e089b82c8bd69386abd6 Mon Sep 17 00:00:00 2001 
From: galoget Date: Wed, 7 Jun 2023 04:55:20 -0500 Subject: [PATCH 7/8] Added bullets in the "Scenario Resources" section Added bullets in the "Scenario Resources" section to standardize with the rest of the project (other levels contain bullets and this allows to view the elements as items in an ordered way, so they are easier to read). --- scenarios/codebuild_secrets/README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/scenarios/codebuild_secrets/README.md b/scenarios/codebuild_secrets/README.md index 47a1bdf4..725b2ed0 100644 --- a/scenarios/codebuild_secrets/README.md +++ b/scenarios/codebuild_secrets/README.md @@ -8,19 +8,19 @@ ## Scenario Resources -1 CodeBuild Project +- 1 CodeBuild Project -1 Lambda function +- 1 Lambda function -1 VPC with: - * RDS x 1 - * EC2 x 1 +- 1 VPC with: + * RDS x 1 + * EC2 x 1 -2 IAM Users +- 2 IAM Users ## Scenario Start(s) -IAM User "Solo" +IAM User "Solo". ## Scenario Goal(s) @@ -71,4 +71,4 @@ A cheat sheet for this route is available [here](./cheat_sheet_calrissian.md). 2. Using the RDS credentials and address recovered from the EC2 metadata service, the attacker is able to directly log in to the RDS database. 3. With full access to the RDS database, the attacker is able to recover the scenario's goal: A pair of secret strings! -A cheat sheet for this route is available [here](./cheat_sheet_solo.md). \ No newline at end of file +A cheat sheet for this route is available [here](./cheat_sheet_solo.md). From 8913e3885371c0cbbf555878ea87b9518adaa88b Mon Sep 17 00:00:00 2001 
From: galoget Date: Wed, 7 Jun 2023 04:59:51 -0500 Subject: [PATCH 8/8] Add bullets to Scenario Resources and Fixed paragraphs Added bullets in the "Scenario Resources" section to standardize with the rest of the project (other levels contain bullets and this allows to view the elements as items in an ordered way, so they are easier to read). Fixed paragraphs to be one-liners. --- scenarios/detection_evasion/README.md | 54 ++++++++++----------------- 1 file changed, 19 insertions(+), 35 deletions(-) diff --git a/scenarios/detection_evasion/README.md b/scenarios/detection_evasion/README.md index 1c03ac09..07696e0e 100644 --- a/scenarios/detection_evasion/README.md +++ b/scenarios/detection_evasion/README.md @@ -8,13 +8,10 @@ ## Scenario Resources (High Level) -4 IAM Users - -2 EC2 instances - -2 SecretsManager secrets - -A suite of detection mechanisms +- 4 IAM Users +- 2 EC2 instances +- 2 SecretsManager secrets +- A suite of detection mechanisms ## Scenario Start(s) 
@@ -22,53 +19,40 @@ A suite of detection mechanisms ## Scenario Goal(s) -The goal of this scenario is to read out the values for both secrets without being detected. The secrets are both stored -in Secrets Manager, and their values have the following format (cg-secret-XXXXXX-XXXXXX). +The goal of this scenario is to read out the values for both secrets without being detected. The secrets are both stored in Secrets Manager, and their values have the following format (cg-secret-XXXXXX-XXXXXX). ## Summary (TLDR setup below) This scenario is significantly different from the CloudGoat scenarios that have come before in how it plays. -In detection_evasion, your goals will be outlined for you more clearly, and the challenge is to complete them without -triggering alarms. There is more setup involved in this scenario, and it will take longer to play (you might want/need -to play it multiple times). +In detection_evasion, your goals will be outlined for you more clearly, and the challenge is to complete them without triggering alarms. There is more setup involved in this scenario, and it will take longer to play (you might want/need to play it multiple times). -For starters, you will need to provide an email address to which cloudgoat can send email alerts. When/If you are -detected by the automated mechanisms, an alert will be sent to this email address. If you don't want to use your -standard email address, you can consider a service such as https://temp-mail.org/ or https://www.fakemail.net/. +For starters, you will need to provide an email address to which cloudgoat can send email alerts. When/If you are detected by the automated mechanisms, an alert will be sent to this email address. If you don't want to use your standard email address, you can consider a service such as https://temp-mail.org/ or https://www.fakemail.net/. -After deployment is complete, you will need to wait about an hour before playing the scenario. 
This is, unfortunately, -necessary for the cloudwatch alerts to fully integrate with cloudtrails logs. It should also be kept in mind that there -can be a significant delay in alerts for actions that you take (10-15 minutes is not uncommon). So check your email +After deployment is complete, you will need to wait about an hour before playing the scenario. This is, unfortunately, necessary for the cloudwatch alerts to fully integrate with cloudtrails logs. It should also be kept in mind that there can be a significant delay in alerts for actions that you take (10-15 minutes is not uncommon). So check your email periodically to see if you have triggered an alert. ## TLDR Setup 1. Set up a temporary email address if desired. -2. Deploy the cloudgoat scenario. You will need to enter your email when prompted, and it will subsequently be stored - in the 'config.yml' file at the top level of the repo. -3. Check your email address for SNS confirmation emails; there should be two. Confirm that you want to subscribe to the - topics. -4. Wait 30-60 minutes before working on the scenario. This is necessary because there is some lag between the time that - terraform finishes deploying all resources, and the time that your CLI actions will actually trigger the alerts that - result in email notifications. -5. Read the 'start.txt' file that is generated after deployment for some guidance. There will not be major spoilers in - this file (as there are in [cheat_sheet.md](cheat_sheet.md)) +2. Deploy the cloudgoat scenario. You will need to enter your email when prompted, and it will subsequently be stored in the 'config.yml' file at the top level of the repo. +3. Check your email address for SNS confirmation emails; there should be two. Confirm that you want to subscribe to the topics. +4. Wait 30-60 minutes before working on the scenario. 
This is necessary because there is some lag between the time that terraform finishes deploying all resources, and the time that your CLI actions will actually trigger the alerts that result in email notifications. +5. Read the 'start.txt' file that is generated after deployment for some guidance. There will not be major spoilers in this file (as there are in [cheat_sheet.md](cheat_sheet.md)) # **SPOILER ALERT:** There are spoilers for the scenario below this point. -## Exploitation Route +## Exploitation Route(s) ![Scenario Route(s)](./detection_evasion_exploitation_route.png) ## Walkthrough Overview - Easy Path -1. discover that some of the credentials initially given to you are honeytokens, without triggering alerts. -2. install the aws cli on the instance -3. read the secret value of the corresponding secret from the ec2 instance to avoid detection. +1. Discover that some of the credentials initially given to you are honeytokens, without triggering alerts. +2. Install the aws cli on the instance. +3. Read the secret value of the corresponding secret from the ec2 instance to avoid detection. ## Walkthrough Overview - Hard Path -1. discover that some of the credentials initially given to you are honeytokens, without triggering alerts. -2. move onto the ec2 instance, and grab the credentials from IMDS -3. spoof the IP of the instance from which you grabbed the credentials, and read the secret value of the corresponding -4. secret. +1. Discover that some of the credentials initially given to you are honeytokens, without triggering alerts. +2. Move onto the ec2 instance, and grab the credentials from IMDS +3. Spoof the IP of the instance from which you grabbed the credentials, and read the secret value of the corresponding secret.
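Review bot: in the PATCH 2/8 hunk `@@ -1,21 +1,21 @@` for scenarios/vulnerable_lambda/README.md, the trailing spaces stripped from `-**Size:** Small  ` were a Markdown hard line break, so after this commit `**Size:** Small` and `**Difficulty:** Easy` render as a single paragraph; the breakage is only repaired four commits later, when PATCH 5/8 inserts the blank line after `**Size:** Small`. Squash PATCH 5/8 into PATCH 2/8 (PATCH 4/8 already does both steps at once for lambda_privesc) so no intermediate commit leaves the README mis-rendered.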
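Review bot: in the PATCH 7/8 hunk `@@ -8,19 +8,19 @@` for scenarios/codebuild_secrets/README.md, the "Scenario Start(s)" line becomes `+IAM User "Solo".`, a bare sentence, whereas the other READMEs in this series use a numbered item (`1. IAM User 'bilbo'`, `1. IAM User Chris`); since the commit's stated aim is standardising with the rest of the project, `1. IAM User "Solo"` would match. The commit message also mentions only the bullets, but the hunk additionally adds that period and fixes the missing newline at end of file on the cheat-sheet line; list both in the message.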
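Review bot: in the PATCH 8/8 hunk `@@ -22,53 +19,40 @@` for scenarios/detection_evasion/README.md, the "one-liner" rewrap is incomplete: the replacement line `+After deployment is complete, ... So check your email` still ends mid-sentence, with the unchanged context line `periodically to see if you have triggered an alert.` left on its own, so that paragraph remains split across two lines. In the "Walkthrough Overview - Hard Path" list, `+2. Move onto the ec2 instance, and grab the credentials from IMDS` also lacks the trailing period that steps 1 and 3 now carry. As a nit while this text is being touched, `cloudwatch alerts` and `cloudtrails logs` could become `CloudWatch alerts` and `CloudTrail logs`.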