AWS Cloud Pentesting Notes

7 min read · May 7, 2023

AWS GOAT PART 1 Solution

What is The AWSGoat?

AWSGoat is a deliberately vulnerable AWS infrastructure for teaching AWS cloud vulnerabilities and pentesting. It contains vulnerabilities such as:

· XSS

· SQL Injection

· Insecure Direct Object Reference

· Server Side Request Forgery on Lambda Environment

· Sensitive Data Exposure and Password Reset

· S3 Misconfigurations

· IAM Privilege Escalations

· ECS Container Breakout

AWSGoat has several scenarios. Please visit the GitHub page for more information.

On this web page, whatever you search for is printed back into the page, which can lead to a basic reflected XSS.

When I used the `<img src='a' onerror=alert('XSS')>` payload, I saw that the page is vulnerable to XSS attacks.

I tried searching for a user to test for SQL issues.

I tried a very basic SQL payload to check whether a SQL injection vulnerability exists, and I could confirm it.

I intercepted the request and sent it to Repeater. At first sight I realized a Lambda function was being used; it is clearly visible in the HTTP response.

Then, with basic SQL injection payloads, I could read other information from the database.

I navigated to another page, which is used for password resets. An IDOR vulnerability may exist here, so I tried manipulating the id values and watched the responses. A reset action should only complete after a cross-check that the id belongs to the requesting user.

This is the normal intercepted request, but when I manipulated the id value to 22 I got an Internal Server Error in the response.

When I changed the id value to 1, another account's password (the account with id 1) was changed. I confirmed the IDOR vulnerability here.
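To show the cross-check the reset handler is missing, here is an added example (not AWSGoat's code) of an IDOR-prone Lambda-style password-reset handler beside a hardened one. The in-memory store, the authorizer `sub` claim and the event shape are assumptions, and sha256 stands in for bcrypt so the example runs without extra packages.

```python
# Added example (not AWSGoat's code): a password-reset handler that trusts the
# client-supplied id beside one that binds the reset to the authenticated user.
# The dict store, the authorizer 'sub' claim and the event shape are assumptions;
# sha256 stands in for bcrypt to keep the example dependency-free.
import hashlib
import json


def hash_password(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def sample_store():
    """Constructed stand-in for the blog_users table: id -> record."""
    return {"1": {"email": "user1@example.test", "pw_hash": "old-1"},
            "3": {"email": "user3@example.test", "pw_hash": "old-3"}}


def make_event(caller_id, body_id, password):
    """API Gateway-style event: authorizer claims plus the JSON body."""
    return {"requestContext": {"authorizer": {"sub": str(caller_id)}},
            "body": json.dumps({"id": body_id, "password": password})}


def reset_vulnerable(event, store):
    """IDOR: whichever id the body names gets its password replaced."""
    body = json.loads(event["body"])
    uid = str(body["id"])
    if uid not in store:
        return {"statusCode": 500, "body": "Internal Server Error"}  # unknown id
    store[uid]["pw_hash"] = hash_password(body["password"])
    return {"statusCode": 200, "body": f"password reset for id {uid}"}


def reset_hardened(event, store):
    """Cross-check: the target must be the identity the authorizer established."""
    caller = event["requestContext"]["authorizer"]["sub"]
    body = json.loads(event["body"])
    if str(body.get("id", caller)) != caller:
        return {"statusCode": 403, "body": "Forbidden"}  # body id != caller
    if caller not in store:
        return {"statusCode": 404, "body": "Not Found"}
    store[caller]["pw_hash"] = hash_password(body["password"])
    return {"statusCode": 200, "body": "password reset"}
```

With the hardened handler a request carrying someone else's id is refused with 403 instead of silently rewriting that account's hash.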

I tried to reset the password of another user, the one with id 3.

I could successfully reset the password by using the IDOR vulnerability. I then navigated to the Post page to test for SSRF. I tried to reach the /etc/passwd file through the upload feature.

When I watched the network activity of the web traffic in the Chrome debugger, I saw that the file had been saved to a server directory and was accessible.

I downloaded the picture and used the strings tool to extract the /etc/passwd file content.

The /etc/passwd file was successfully extracted from the image file.

I intercepted the request and sent it to Repeater. I tried to retrieve the content of /proc/self/environ.

I could see the output file, which is served from the S3 bucket as a PNG, and I downloaded the file content with wget:

When I extracted the strings, I obtained the credentials for connecting to AWS programmatically.

AWS Lambda provides an HTTP API for custom runtimes to receive invocation events from Lambda and send response data back within the Lambda execution environment. I also tried to access the next invocation through that Lambda runtime API.

I opened the related PNG file and obtained JWT tokens, paths, request times and more information, such as source IP addresses.

I intercepted the request and sent it to Repeater. I tried to retrieve the content of /proc/self/environ again to compromise the access key ID, secret access key and security token.

I exported the values of the token, access key ID and secret access key to connect to the AWS account programmatically.

I used sts get-caller-identity to see who I was (the cloud equivalent of whoami).

I tried to list users, but I wasn't authorized for this.

I decided to follow the Lambda path and listed the Lambda functions.

After that I tried to list policies, but I wasn't successful.

I tried list-attached-role-policies and describe-instances as well, but neither succeeded because of privilege or authorization issues.
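From the defender's side, the sequence above (get-caller-identity from a fresh host, then a run of denied IAM and EC2 enumeration calls, all with the Lambda execution role's credentials) is visible in CloudTrail. The following added detection example is not part of AWSGoat; the account id, ARNs, IP addresses and records are constructed, and the `exec-env/AWS_Lambda` user-agent token is a heuristic for calls made from inside a function.

```python
# Added detection example (not AWSGoat's code): spot a Lambda execution role's
# credentials being replayed from outside Lambda, as happens after
# /proc/self/environ is read. Account id, ARNs, IPs and records are constructed.
from collections import defaultdict

ENUM_CALLS = {"ListUsers", "ListPolicies", "ListAttachedRolePolicies",
              "DescribeInstances"}
LAMBDA_UA_MARK = "exec-env/AWS_Lambda"  # heuristic: SDKs inside Lambda add this token


def ct_event(name, arn, ua, ip, err=None):
    """Build a minimal CloudTrail-like record (constructed sample data)."""
    ev = {"eventName": name, "userIdentity": {"type": "AssumedRole", "arn": arn},
          "userAgent": ua, "sourceIPAddress": ip}
    if err:
        ev["errorCode"] = err
    return ev


LAMBDA_ARN = "arn:aws:sts::111122223333:assumed-role/blog-lambda-role/blog-fn"
ADMIN_ARN = "arn:aws:sts::111122223333:assumed-role/admin-role/alice"
IN_LAMBDA_UA = "aws-sdk-nodejs/2.1350.0 linux/v16.19.0 exec-env/AWS_Lambda_nodejs16.x"
CLI_UA = "aws-cli/2.11.0 Python/3.11.3 Linux/6.2 exe/x86_64"

SAMPLE_EVENTS = [
    ct_event("GetItem", LAMBDA_ARN, IN_LAMBDA_UA, "3.91.0.10"),        # normal function traffic
    ct_event("GetCallerIdentity", LAMBDA_ARN, CLI_UA, "198.51.100.7"),  # replayed creds, whoami
    ct_event("ListUsers", LAMBDA_ARN, CLI_UA, "198.51.100.7", "AccessDenied"),
    ct_event("ListFunctions", LAMBDA_ARN, CLI_UA, "198.51.100.7"),
    ct_event("ListPolicies", LAMBDA_ARN, CLI_UA, "198.51.100.7", "AccessDenied"),
    ct_event("ListAttachedRolePolicies", LAMBDA_ARN, CLI_UA, "198.51.100.7", "AccessDenied"),
    ct_event("DescribeInstances", LAMBDA_ARN, CLI_UA, "198.51.100.7", "AccessDenied"),
    ct_event("ListUsers", ADMIN_ARN, CLI_UA, "203.0.113.9"),            # admin, not a Lambda role
]


def role_name(arn):
    """Extract <role> from arn:aws:sts::<acct>:assumed-role/<role>/<session>."""
    tail = arn.split(":assumed-role/", 1)
    return tail[1].split("/")[0] if len(tail) == 2 else None


def find_credential_misuse(events, lambda_roles, denied_threshold=3):
    """Return (session_arn, finding, detail) tuples for Lambda-role sessions."""
    outside = defaultdict(set)   # session -> source IPs seen without the Lambda UA mark
    denied = defaultdict(list)   # session -> enumeration calls that were denied
    for ev in events:
        arn = ev["userIdentity"].get("arn", "")
        if role_name(arn) not in lambda_roles:
            continue
        if LAMBDA_UA_MARK not in ev.get("userAgent", ""):
            outside[arn].add(ev["sourceIPAddress"])
        if ev.get("errorCode") == "AccessDenied" and ev["eventName"] in ENUM_CALLS:
            denied[arn].append(ev["eventName"])
    findings = [(a, "used-outside-lambda", sorted(ips)) for a, ips in outside.items()]
    findings += [(a, "enumeration-denied-burst", c) for a, c in denied.items()
                 if len(c) >= denied_threshold]
    return findings
```

Feeding the role names of your functions as `lambda_roles` turns this into a check that runs over exported CloudTrail JSON; the admin session in the sample is ignored because its role is not in that set.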

I reached the blog_users table and retrieved its content. Passwords are hashed with bcrypt, so I decided to create a new bcrypt hash and replace the old one in the database.

I saved the table content as user_item and modified it with the new password for the user I wanted to reset.

After modifying the password, I uploaded the new item to DynamoDB with put-item. Finally, I could create a different user with a different password by manipulating the database.

To list buckets I used the aws s3 ls command:

I followed up by inspecting the source of the website and found the bucket link for displaying the bucket contents:

The dev-blog bucket was useful for me. I saw SSH config files and some SSH keys in the output.

I downloaded the SSH config and retrieved the IP addresses and hostnames. I also learned the SSH private key paths. Cool…

I found which IP address in the config had an open SSH port:

I downloaded the SSH .pem file:

Finally, I could connect to the target via SSH.
