CloudGoat walkthrough series: EC2 server-side request forgery (SSRF)
This is the fifth in the walkthrough series of the CloudGoat scenarios. CloudGoat is a “vulnerable by design” AWS deployment tool designed by Rhino Security Labs. It is used to deploy a vulnerable set of AWS resources and is designed to teach and test cloud security penetration testing via issues commonly seen in real-life environments.
This walkthrough assumes you have CloudGoat setup on your Kali Linux. You can use our post on Working with CloudGoat: The “Vulnerable by Design” AWS Environment as a guide in deploying it.
Learn Cloud Security
Scenario summary
The scenario starts with an IAM user Solus. The attacker discovers they have ReadOnly permissions to a Lambda function, where hardcoded secrets lead them to an EC2 instance running a web application that is vulnerable to SSRF. After exploiting the vulnerable app and acquiring keys from the EC2 metadata service, the attacker gains access to a private S3 bucket with a set of keys that allow them to invoke the Lambda function and complete the scenario.
Goal: Invoke the Lambda function.
Walkthrough
To deploy the resources for each scenario on AWS.
./cloudgoat.py create ec2_ssrf
- Deploying the resources gives us the access key and secret key for Solus.
- Save the credential to a profile – Solus.
aws configure --profile Solus
We tried running the usual commands, such as “list-user-policies”, “list-attached-user-policies” and “list roles”, and we noticed we were not authorized to carry out those actions.
aws iam list-user-policies –-user-name <insert username here> --profile <insert profile name here>
list-user-policies: Lists the names of inline policies embedded in the specified IAM user.
aws iam list-attached-user-policies –-user-name <insert username here> --profile <insert profile name here>
list-attached-user-policies: Lists all managed policies that are attached to the specified IAM user.
aws iam list-roles --profile <insert profile name here>
list-roles: Lists the IAM roles that have the specified path prefix.
aws lambda list-functions --region us-east-1 --profile <insert profile name here>
list-function: Returns a list of Lambda functions, with the version-specific configuration of each. Lambda returns up to 50 functions per call.
We notice that the Lambda function has an access key and a secret key stored in the environment variables. We want to find out more information about this Lambda function.
aws lambda get-function --function-name <insert function name here> --region us-east-1 --profile <insert profile name here>
get-function: Returns information about the function or function version, with a link to download the deployment package that's valid for 10 minutes. If you specify a function version, only details that are specific to that version are returned.
This leads us to an S3 bucket. Accessing the S3 bucket via the link provided in the location variable downloads the source code for the Lambda function.
aws configure --profile Lambda_Solus
We can assume it was assigned to a user “Wrex”. We tried running the usual commands: “list-user-policies”, “list-attached-user-policies” and “list-roles”. We were not authorized to carry out those actions.
aws ec2 describe-instances --region us-east-1 --profile <insert profile name here>
describe-instances: Describes the specified instances or all instances.
We immediately notice an error. Since we already know the scenario has to do with SSRF, we manipulate the server to make HTTP requests to an arbitrary domain (in our case, the localhost).
SSRF is a vulnerability that tricks the web applications into making HTTP requests on behalf of the bad actor to a URL. This allows the bad actor to gain access to sensitive information or data that are directly exposed or the bad actor does not have access to such as the AWS metadata, other web applications based within the organization’s infrastructure or external web services. In some cases, the bad actor is also able to perform arbitrary command execution.
We exploit this vulnerability by querying the instance metadata API to obtain the credentials to reveal the role name of the EC2 instance. The instance metadata contains data about the EC2 instance that you can use to configure or manage the running instance.
This returns the access key ID, secret access key and the session token of the IAM role attached to the EC2 instance. This credential is a temporary one, as it has an expiration date.
aws s3 ls --profile <insert profile name here>
Accessing the S3 bucket reveals that it has an admin file stored with an access key and secret key ID.
aws configure --profile AdminUser
We can assume it was assigned to a user named “Shepard”.
We tried running the usual commands — “list-attached-user-policies”, “list-user-policies” and “list-roles” — to gain more information about the permissions assigned to the user.
aws iam list-attached-user-policies –-user-name <insert username here> --profile <insert profile name here>
list-attached-user-policies: Lists all managed policies that are attached to the specified IAM user.
aws iam get-policy –policy-arn <insert the policy arn here>
aws iam get-policy-version –policy-arn <insert the policy arn here> --version-id <insert version id here>
We have full admin privileges with this credential.
aws lambda invoke --function-name <insert lambda function name here> ./<insert output file name here>.txt --region us-east-1 --profile <insert profile name here>
./cloudgoat.py destroy ec2_ssrf
Learn Cloud Security
Summary
In this scenario, we were able to exploit a number of misconfigurations and bad practices to gain access to the sensitive data.
- Credentials (access key and a secret key) were stored in the environment variables of a Lambda function.
- Due to the SSRF vulnerability on the web application, we were able to gain access to yet another set of credentials via the AWS metadata API.
- Admin credentials were also stored in an S3 bucket, which eventually gave us full privileges.
Sources
AWS CLI Command Reference - IAM, AWS
Well, that escalated quickly, Bishop Fox
AWS IAM Privilege Escalation Methods, Rhino Security Labs
Server Side Request Forgery, OWASP
Server-side request forgery (SSRF), PortSwigger