Author: Rudy "Rudem" Mendoza

Source:  https://github.com/RhinoSecurityLabs

INTRO

So, I will start with how I got to writing this. I am currently transitioning out of the military, and my goal is to land a Pentesting gig. I have been active on HacktheBox, VulnHub and even went for my OSCP. The thing is that these sources mostly touch on network, host, and web vulnerabilities which is great and all, but I have forgotten one important thing the CLOUD!! The question that makes me stumble in interviews is “Have you worked with cloud environments before?” or “What do you know about AWS or Azure?”. Pfft, I don’t know I haven’t run into that in hackthebox or any hacking learning resources. So, I go searching for materials, and there are a few videos out there, but a 2 hour talk about S3 buckets, EC2 configs and so on just goes over my head. I need to get my hands dirty. Low and behold I came across Rhino Security Labs CloudGoat 2.0!

“CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool. It allows you to hone your cloud cybersecurity skills by creating and completing several "capture-the-flag" style scenarios. Each scenario is composed of AWS resources arranged together to create a structured learning experience. Some scenarios are easy, some are hard, and many offer multiple paths to victory.”

INSTALLATION

Installing it was pretty simple, I just ran into a couple hiccups because 1. I have never worked with AWS and 2. I didn’t have an AWS account. Luckily, creating an account is free. This link helped with the AWS steps (https://rhinosecuritylabs.com/aws/introducing-cloudgoat-2/)

(https://github.com/RhinoSecurityLabs/cloudgoat)

Requirements

  • Linux or MacOS. Windows is not officially supported.
  • Argument tab-completion requires bash 4.2+ (Linux, or OSX with some difficulty).
  • Python3.6+ is required.
  • Terraform 0.12 installed and in your $PATH.
  • The AWS CLI installed and in your $PATH, and an AWS account with sufficient privileges to create and destroy resources.

Quick Start

To install CloudGoat, make sure your system meets the requirements above, and then run the following commands:

$ git clone git@github.com:RhinoSecurityLabs/cloudgoat.git ./CloudGoat
$ cd CloudGoat
$ pip3 install -r ./core/python/requirements.txt
$ chmod u+x cloudgoat.py

You may also want to run some quick configuration commands - it will save you some time later:

$ ./cloudgoat.py config profile
$ ./cloudgoat.py config whitelist --auto

SCENARIO

There are 5 scenarios available, each seem to focus on different vulnerabilities. I decided to try “iam_privesc_by_rollback” it is rated as easy and right now I am a n00b. If you go to the git hub page there is a basic summary for each scenario. (https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios/iam_privesc_by_rollback)

To deploy the scenario all you have to do is run

./ cloudgoat.py create iam_privesc_by_rollback –profile <profilename>

Once deployed you will find access keys for user named raynor in a file called start.txt

Disclaimer: Getting a key handed to you like this is not a real-life scenario, but it is not uncommon to find a key stored somewhere or embedded in some code.

Once I had the key, I configured it to my local machine.

This aws-cli is very similar to PowerShell, which I hated at first, but I have grown to love it. To verify I can pull some data I ran a get-user.

I am super new to this so I went into aws help to see what I can do with this thing. In the scenario page on GitHub there was a mention of 5 policy versions, so I will see what I can do to pull policies.

First:

aws iam list-attached-user-policies --user-name raynor-cgidbnyidkyp2z --profile raynor

Second:

I can list policy versions using the “PolicyArn” from the attached policy

aws iam list-policy-versions --policy-arn arn:aws:iam::319846955429:policy/cg-raynor-policy-cgidbnyidkyp2z --profile raynor

There are the 5 policies, now how do I see what the policies are? I found a command name “get-policy-version” Let’s see if it works.

aws iam get-policy-version --policy-arn arn:aws:iam::319846955429:policy/cg-raynor-policy-cgidbnyidkyp2z --version-id v1 --profile raynor

From what I can see this is the default version for this user, which means these are the permissions I currently have. I am trying to make sense of these policies, so “iam:get*” and “iam:list*” means that I can do any iam get and iam list which I was able to do earlier. I haven’t used “SetDefaultPolicyVersion” though, but to me it seems like I have permission to set any of the 5 policies as my default.

After going through each version 1 by 1 and trying to figure out what permissions I could get, “v4” caught my eye!

If I am reading that right, I would have permission to any command. So, I tried the “SetDefaultPolicyVersion” command that I currently have access to.

aws iam set-default-policy-version --policy-arn arn:aws:iam::319846955429:policy/cg-raynor-policy-cgidbnyidkyp2z --version-id v4 --profile raynor

I didn’t get anything back, so im guessing it worked? Ill try to create a user.

aws iam create-user --user-name rudem_sec --profile raynor

Boom! I basically have God rights on this thing!

SUMMARY

This was my first experience with anything cloud related and I must say I feel a bit more comfortable, I am not saying I am a “Cloud Haxor”, but the cloud was something that seemed so foreign to me and now I am starting to understand it. This scenario reminded me a lot of Active Directory exploits. The challenge was fairly simple, after you figure out what you can do with the AWS-cli and get all the syntax correct (syntax, syntax, syntax). I will do the other scenarios soon and try to post the write-up for them.