Secrets in the cloud #189
Secrets in the cloud #189
Conversation
…heat sheet, and updated the global readme to reflect the addition of the new scenario.
| @@ -0,0 +1,13 @@ | |||
| --- | |||
There was a problem hiding this comment.
Can you add a single comment at the top of the file that explains what this file does in plain English?
For example:
# This 'manifest.yml' file provides configuration variables for the Cloudgoat scenario.
| @@ -0,0 +1,2 @@ | |||
| #!/bin/bash | |||
There was a problem hiding this comment.
Can you add a single comment at the almost top of the file that explains what this file does in plain English?
There was a problem hiding this comment.
unnecessary file for my scenario so I deleted it.
| @@ -0,0 +1,51 @@ | |||
| locals { | |||
There was a problem hiding this comment.
Can you add a single comment at the top of the file that explains what this file does in plain English?
There was a problem hiding this comment.
Example:
# This is a Terraform file that creates three resources:
# 1. An AWS DynamoDB Table
# 2. An AWS DynamoDB Entry (for the Access ID)
# 3. An AWS DynamoDB Entry (for the Secret Key)
| @@ -0,0 +1,95 @@ | |||
| data "aws_ami" "amazon_linux_2" { | |||
There was a problem hiding this comment.
Can you add a single comment at the top of the file that explains what this file does in plain English?
There was a problem hiding this comment.
Example:
# This is a Terraform file that creates several AWS EC2 resources:
# 1. A Data Source for an AWS Amazon Machine Image.
# 2. A TLS Private Key Resource
# 3. An AWS Key Pair Resource
# 4. An AWS Instance Resource
# 5. An AWS Security Group Resource
| @@ -0,0 +1,199 @@ | |||
| resource "aws_iam_user" "low_priv_user" { | |||
There was a problem hiding this comment.
Can you add a single comment at the top of the file that explains what this file does in plain English?
There was a problem hiding this comment.
Example:
# This Terraform file creates several resources for AWS Identity and Access Management (IAM):
# - An IAM User
# - An IAM Access Key
#
# For AWS Simple Storage Service (S3):
# - An IAM Policy
# - An IAM User Policy Attachment
#
# For AWS Lambda:
# - An IAM Policy
# - An IAM User Policy Attachment
# - An IAM Role Policy
#
# For AWS DynamoDB:
# - An IAM Policy
# - An IAM Role
# - An IAM Role Policy Attachment
# - An IAM Instance Profile
#
# For AWS Secrets Manager:
# - An IAM User
# - An IAM Access Key
# - An IAM Role
# - An IAM User Policy
| resource "aws_iam_instance_profile" "ec2_instance_profile" { | ||
| name = "EC2InstanceProfile" | ||
| role = aws_iam_role.ec2_dynamodb_role.name | ||
| resource "aws_iam_instance_profile" "dynamodb_instance_profile" { |
There was a problem hiding this comment.
The example comment from my initial review should be updated to reflect this change.
| 8. After enumerating the EC2 metadata service, the attacker decides to list available DynamoDB tables and discovers a table containing IAM user credentials specific to the scenario. | ||
| 9. Utilizing the newly acquired IAM user credentials, the attacker retrieves the final secret from the Secrets Manager, successfully completing the scenario. | ||
|
|
||
| A cheat sheet for the scenario is available [here](./cheat_sheet.md). |
There was a problem hiding this comment.
yea, that's super weird. Might be related to terminal or some random key press I did. It can be deleted.
There was a problem hiding this comment.
this should be fixed now.
| @@ -142,3 +137,13 @@ vault kv put secret/tylers_seekrit value='TylerTantalizingTacosTangleToucans' | |||
| vault kv put secret/brads_seekrit value='BradBefriendsBouncingBlueberryBison' | |||
| export SSH_PRIVATE_KEY="${private_key}" | |||
| vault kv put secret/id_rsa value="$SSH_PRIVATE_KEY" | |||
|
|
|||
| # Update MOTD with a hint | |||
There was a problem hiding this comment.
https://en.wikipedia.org/wiki/Message_of_the_day - basically the message users see when they log on.
| 2. The attacker enumerates the web application and uncovers an admin page that prompts for an API key. | ||
| 3. While examining the admin page's HTML comments, the attacker finds information about environment variables and a HashiCorp endpoint. | ||
| 4. By enumerating the scenario's Lambda function, the attacker locates the web application's API key and uses it to obtain the HashiCorp vault token. | ||
| 5. The attacker exploits the vault token to log in to the HashiCorp endpoint and acquires the id_rsa key, which grants SSH access to the EC2 instance hosting the web application. |
There was a problem hiding this comment.
After starting the scenario and using the cheat sheet, I'm unable to identify the HashiCorp endpoint. Can you add the steps need to identify the HashiCorp endpoint?
There was a problem hiding this comment.
updated step 3 to clarify the port number and location of the endpoint.
| 3. While examining the admin page's HTML comments, the attacker finds information about environment variables and a HashiCorp endpoint. | ||
| 4. By enumerating the scenario's Lambda function, the attacker locates the web application's API key and uses it to obtain the HashiCorp vault token. | ||
| 5. The attacker exploits the vault token to log in to the HashiCorp endpoint and acquires the id_rsa key, which grants SSH access to the EC2 instance hosting the web application. | ||
| 6. Intrigued by the login message, the attacker queries the EC2 metadata service and discovers that IMDSv2 is in use. |
There was a problem hiding this comment.
Can you add the commands needed to perform these steps in the cheat sheet?
There was a problem hiding this comment.
I think we decided to skip this one
There was a problem hiding this comment.
I made some changes to the README walk through and the cheat sheet so they're more descriptive.
Replaced [id] with [web_app_id]
Better word choice for step 5
| @@ -35,12 +35,12 @@ As an IAM user with limited privileges, the attacker initiates their journey by | |||
|
|
|||
| 1. As the IAM user "low-priv-user", the attacker explores the AWS environment, discovering an S3 bucket containing the URL to a web application hosted on an EC2 instance. | |||
| 2. The attacker enumerates the web application and uncovers an admin page that prompts for an API key. | |||
| 3. While examining the admin page's HTML comments, the attacker finds information about environment variables and a HashiCorp endpoint. | |||
| 3. While examining the admin page's HTML comments, the attacker finds information about environment variables and a HashiCorp endpoint (located on port 8200 of the EC2 instance). | |||
| 4. By enumerating the scenario's Lambda function, the attacker locates the web application's API key and uses it to obtain the HashiCorp vault token. | |||
| 5. The attacker exploits the vault token to log in to the HashiCorp endpoint and acquires the id_rsa key, which grants SSH access to the EC2 instance hosting the web application. | |||
There was a problem hiding this comment.
Can you add the link to where the user will need to download the vault command to the cheat sheet? https://developer.hashicorp.com/vault/downloads
There was a problem hiding this comment.
Downloading this tool might be tricky for Docker-only users (aka me). I'll look into how to get around it and add the steps here.
There was a problem hiding this comment.
I had to download and mount into the docker container this zip file (https://releases.hashicorp.com/vault/1.13.2/vault_1.13.2_linux_amd64.zip). I would add it as a note for docker-users.
have fun