Secrets in the cloud #189
Secrets in the cloud #189
Conversation
| @@ -0,0 +1,13 @@ | |||
| --- | |||
There was a problem hiding this comment.
Can you add a single comment at the top of the file that explains what this file does in plain English?
For example:
# This 'manifest.yml' file provides configuration variables for the Cloudgoat scenario.
| @@ -0,0 +1,2 @@ | |||
| #!/bin/bash | |||
There was a problem hiding this comment.
Can you add a single comment at the almost top of the file that explains what this file does in plain English?
There was a problem hiding this comment.
unnecessary file for my scenario so I deleted it.
| @@ -0,0 +1,51 @@ | |||
| locals { | |||
There was a problem hiding this comment.
Can you add a single comment at the top of the file that explains what this file does in plain English?
There was a problem hiding this comment.
Example:
# This is a Terraform file that creates three resources:
# 1. An AWS DynamoDB Table
# 2. An AWS DynamoDB Entry (for the Access ID)
# 3. An AWS DynamoDB Entry (for the Secret Key)
| @@ -0,0 +1,95 @@ | |||
| data "aws_ami" "amazon_linux_2" { | |||
There was a problem hiding this comment.
Can you add a single comment at the top of the file that explains what this file does in plain English?
There was a problem hiding this comment.
Example:
# This is a Terraform file that creates several AWS EC2 resources:
# 1. A Data Source for an AWS Amazon Machine Image.
# 2. A TLS Private Key Resource
# 3. An AWS Key Pair Resource
# 4. An AWS Instance Resource
# 5. An AWS Security Group Resource
| @@ -0,0 +1,199 @@ | |||
| resource "aws_iam_user" "low_priv_user" { | |||
There was a problem hiding this comment.
Can you add a single comment at the top of the file that explains what this file does in plain English?
There was a problem hiding this comment.
Example:
# This Terraform file creates several resources for AWS Identity and Access Management (IAM):
# - An IAM User
# - An IAM Access Key
#
# For AWS Simple Storage Service (S3):
# - An IAM Policy
# - An IAM User Policy Attachment
#
# For AWS Lambda:
# - An IAM Policy
# - An IAM User Policy Attachment
# - An IAM Role Policy
#
# For AWS DynamoDB:
# - An IAM Policy
# - An IAM Role
# - An IAM Role Policy Attachment
# - An IAM Instance Profile
#
# For AWS Secrets Manager:
# - An IAM User
# - An IAM Access Key
# - An IAM Role
# - An IAM User Policy
| resource "aws_iam_instance_profile" "ec2_instance_profile" { | ||
| name = "EC2InstanceProfile" | ||
| role = aws_iam_role.ec2_dynamodb_role.name | ||
| resource "aws_iam_instance_profile" "dynamodb_instance_profile" { |
There was a problem hiding this comment.
The example comment from my initial review should be updated to reflect this change.
| 8. After enumerating the EC2 metadata service, the attacker decides to list available DynamoDB tables and discovers a table containing IAM user credentials specific to the scenario. | ||
| 9. Utilizing the newly acquired IAM user credentials, the attacker retrieves the final secret from the Secrets Manager, successfully completing the scenario. | ||
|
|
||
| A cheat sheet for the scenario is available [here](./cheat_sheet.md). |
There was a problem hiding this comment.
yea, that's super weird. Might be related to terminal or some random key press I did. It can be deleted.
There was a problem hiding this comment.
this should be fixed now.
| @@ -142,3 +137,13 @@ vault kv put secret/tylers_seekrit value='TylerTantalizingTacosTangleToucans' | |||
| vault kv put secret/brads_seekrit value='BradBefriendsBouncingBlueberryBison' | |||
| export SSH_PRIVATE_KEY="${private_key}" | |||
| vault kv put secret/id_rsa value="$SSH_PRIVATE_KEY" | |||
|
|
|||
| # Update MOTD with a hint | |||
There was a problem hiding this comment.
https://en.wikipedia.org/wiki/Message_of_the_day - basically the message users see when they log on.
| 2. The attacker enumerates the web application and uncovers an admin page that prompts for an API key. | ||
| 3. While examining the admin page's HTML comments, the attacker finds information about environment variables and a HashiCorp endpoint. | ||
| 4. By enumerating the scenario's Lambda function, the attacker locates the web application's API key and uses it to obtain the HashiCorp vault token. | ||
| 5. The attacker exploits the vault token to log in to the HashiCorp endpoint and acquires the id_rsa key, which grants SSH access to the EC2 instance hosting the web application. |
There was a problem hiding this comment.
After starting the scenario and using the cheat sheet, I'm unable to identify the HashiCorp endpoint. Can you add the steps need to identify the HashiCorp endpoint?
There was a problem hiding this comment.
updated step 3 to clarify the port number and location of the endpoint.
| 3. While examining the admin page's HTML comments, the attacker finds information about environment variables and a HashiCorp endpoint. | ||
| 4. By enumerating the scenario's Lambda function, the attacker locates the web application's API key and uses it to obtain the HashiCorp vault token. | ||
| 5. The attacker exploits the vault token to log in to the HashiCorp endpoint and acquires the id_rsa key, which grants SSH access to the EC2 instance hosting the web application. | ||
| 6. Intrigued by the login message, the attacker queries the EC2 metadata service and discovers that IMDSv2 is in use. |
There was a problem hiding this comment.
Can you add the commands needed to perform these steps in the cheat sheet?
There was a problem hiding this comment.
I think we decided to skip this one
There was a problem hiding this comment.
I made some changes to the README walk through and the cheat sheet so they're more descriptive.
| @@ -35,12 +35,12 @@ As an IAM user with limited privileges, the attacker initiates their journey by | |||
|
|
|||
| 1. As the IAM user "low-priv-user", the attacker explores the AWS environment, discovering an S3 bucket containing the URL to a web application hosted on an EC2 instance. | |||
| 2. The attacker enumerates the web application and uncovers an admin page that prompts for an API key. | |||
| 3. While examining the admin page's HTML comments, the attacker finds information about environment variables and a HashiCorp endpoint. | |||
| 3. While examining the admin page's HTML comments, the attacker finds information about environment variables and a HashiCorp endpoint (located on port 8200 of the EC2 instance). | |||
| 4. By enumerating the scenario's Lambda function, the attacker locates the web application's API key and uses it to obtain the HashiCorp vault token. | |||
| 5. The attacker exploits the vault token to log in to the HashiCorp endpoint and acquires the id_rsa key, which grants SSH access to the EC2 instance hosting the web application. | |||
There was a problem hiding this comment.
Can you add the link to where the user will need to download the vault command to the cheat sheet? https://developer.hashicorp.com/vault/downloads
There was a problem hiding this comment.
Downloading this tool might be tricky for Docker-only users (aka me). I'll look into how to get around it and add the steps here.
There was a problem hiding this comment.
I had to download and mount into the docker container this zip file (https://releases.hashicorp.com/vault/1.13.2/vault_1.13.2_linux_amd64.zip). I would add it as a note for docker-users.
| owners = ["amazon"] | ||
| } | ||
|
|
||
| provider "tls" {} |
There was a problem hiding this comment.
The provider should be moved into the provider.tf file
|
|
||
| resource "aws_instance" "web_app" { | ||
| ami = data.aws_ami.amazon_linux_2.id | ||
| instance_type = "t2.micro" |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
There was a problem hiding this comment.
Thanks for the suggestion! While t3.micro is slightly cheaper, it’s not free-tier eligible in most regions, unlike t2.micro, which might be better for CloudGoat’s learning and testing use cases.
| filename = "lambda_function_payload.zip" | ||
| source_code_hash = filebase64sha256("lambda_function_payload.zip") | ||
|
|
||
| runtime = "python3.8" |
There was a problem hiding this comment.
Python version should be updated to latest (python3.13)
There was a problem hiding this comment.
The Terraform should manage the zipping of the code
| @@ -0,0 +1,6 @@ | |||
| # This Terraform file initializes the Terraform AWS provider (aka plugin). | |||
There was a problem hiding this comment.
Default AWS tags and provider versions should be defined
| # - An AWS S3 Bucket | ||
| # - An AWS S3 Object | ||
|
|
||
| locals { |
| @@ -0,0 +1,165 @@ | |||
| #!/bin/bash | |||
There was a problem hiding this comment.
Optional
Move to a templates directory like how ansible does it
| @@ -0,0 +1,42 @@ | |||
| # This Terraform file creates the following variables: | |||
There was a problem hiding this comment.
Add variable description and types.
You can probably copy this from another scenario that has then updated
|
Hi all, I ran into an issue while working on this pull request. I accidentally synced my fork with the upstream repository, which caused the branch originally associated with this PR to lose the changes. To recover, I created a new branch (restore-changes) and pushed all the updated changes there. You can find the updated branch here: https://github.com/j0eblow/cloudgoat/tree/restore-changes Please let me know how you’d prefer to proceed, whether I should update this pull request with the recovered changes or create a new pull request. |
…heat sheet, and updated the global readme to reflect the addition of the new scenario.
Replaced [id] with [web_app_id]
Better word choice for step 5
jdearmas
force-pushed
the
secrets_in_the_cloud
branch
from
9096961 to
3d7b2af
Compare
Thank you, Mr. De Armas! I truly appreciate your time and effort in reviewing and approving the pull request. It means a lot and I’m glad to have contributed to CloudGoat! |
have fun