Get Situational Awareness in AWS with Cloudfox by Pwned Labs
Lab Creator: Ritesh Gohil
Lab Solver: Tanmay
Lab Owner: Pwned Labs / Ian
Scenario
On a red team engagement for our client Huge Logistics, you scanned their GitHub repositories for secrets using TruffleHog and found AWS keys committed in a .env file. Your mission is to see what this key gives you, and see how far you can go!
- Use Cloudfox to get situational awareness in AWS
- Retrieve the source code from a Lambda instance
- Retrieve data from a DynamoDB table
Real-world context
Getting situational awareness is an important step when assessing the security of unfamiliar cloud environments. While penetration testers and red teamers will do this on engagements, it’s also a good exercise for blue/purple teamers to undertake periodically, as the shifting permissions environment of the cloud can unintentionally expose secrets and open up unintended paths for resource and data access.
Let’s Enum for Pwned:
I found the AWS access key and secret key from the GitHub recon.
Access Key ID: AKIAUGV7JOGJTLTSYXGY
Secret Access Key: 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
I am using a Unix-based system, so I opened my terminal and let's start.
aws configure --profile pwnquest
AWS Access Key ID [None]: AKIAUGV7JOGJTLTSYXGY
AWS Secret Access Key [None]: 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
Default region name [None]:
Default output format [None]:
To get the AWS equivalent of whoami, run the following command:
aws sts get-caller-identity --profile pwnquest
{
    "UserId": "AIDAUGV7JOGJRH3DAZS4M",
    "Account": "289237725587",
    "Arn": "arn:aws:iam::289237725587:user/sarah"
}
To check this AWS account for weaknesses, we will now install CloudFox on my system.
Now a question arises here: what is CloudFox?
CloudFox helps you gain situational awareness in unfamiliar cloud environments. It’s an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.
To explore and understand the tool further, see https://github.com/BishopFox/cloudfox
So here we are identifying the attack vectors in terms of TTPs (Tactics, Techniques and Procedures).
Here I am using macOS, so I simply use the command brew install cloudfox. That's how simple it is.
Now we are ready to identify cloud misconfigurations through CloudFox's policy checks. Another good thing about this tool is that it supports both AWS and Azure, with support planned for GCP and Kubernetes.
Provider     CloudFox Commands
AWS          33
Azure        4
GCP          Support Planned
Kubernetes   Support Planned
Now time for WAR:
First, check the workload and understand which cloud services the org uses for its app setup and other purposes.
Perfect, now we have identified some interesting results.
cloudfox aws inventory --profile pwnquest
Identified access keys
Now check for Lambda services
Now check for secrets
Well done, son, we have found the treasure!
CloudFox automatically creates loot files for each identified vector, with the commands we need to retrieve the data already pre-populated!
Now I go bang bang on the org with the CloudFox loot command.
webadmin and K33pH4ck3rsOu7!
There is a Lambda instance running, so we are checking whether we can fetch something out of its env-vars.
So here is the command:
We see AWS keys in the Lambda environment variables, a DynamoDB table named db_logitrack and an S3 bucket named hl-file-uploads-6a9719fd6220.
Note: the identifier appended to the S3 bucket name will be different in your lab instance.
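From the defender's side, the finding above (long-lived AWS keys sitting in a Lambda function's environment, readable by anyone with lambda:GetFunction) is easy to audit for. The following is an added example, not part of the lab and not CloudFox code: it walks function configurations in the shape returned by aws lambda get-function-configuration and flags environment variables that hold access keys or other secrets. The SAMPLE_CONFIGS list is constructed sample data; the key values are AWS's documented example credentials, not keys from this lab, and the role ARNs use a placeholder account id.

```python
import math
import re
from dataclasses import dataclass

# Added example, not part of the lab or of CloudFox: audit Lambda function
# configurations for credentials stored in environment variables. Input dicts
# follow the shape of `aws lambda get-function-configuration`.

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Shape of an AWS secret access key: 40 base64-like characters.
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+]{40}$")
# Variable names that usually carry a secret regardless of the value's shape.
SENSITIVE_NAME_RE = re.compile(r"secret|password|passwd|token|api[_-]?key|access[_-]?key", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character; a random 40-char secret scores well above ordinary config strings."""
    if not s:
        return 0.0
    total = len(s)
    return -sum((n / total) * math.log2(n / total)
                for n in (s.count(c) for c in set(s)))


@dataclass
class Finding:
    function_name: str
    variable: str
    reason: str


def audit_function(config: dict) -> list[Finding]:
    """Return one Finding per environment variable that looks like credential material."""
    fn = config["FunctionName"]
    env = config.get("Environment", {}).get("Variables", {})
    findings: list[Finding] = []
    for name, value in env.items():
        if ACCESS_KEY_ID_RE.search(value):
            findings.append(Finding(fn, name, "value is an AWS access key ID"))
        elif SECRET_KEY_RE.match(value) and shannon_entropy(value) > 4.0:
            findings.append(Finding(fn, name, "value has the shape and entropy of an AWS secret access key"))
        elif SENSITIVE_NAME_RE.search(name):
            findings.append(Finding(fn, name, "variable name suggests a secret"))
    return findings


def audit_account(configs: list[dict]) -> dict[str, list[Finding]]:
    """Audit every function configuration and keep only the ones with findings."""
    report = {c["FunctionName"]: audit_function(c) for c in configs}
    return {fn: found for fn, found in report.items() if found}


# Constructed sample data. The key values are AWS's documented example
# credentials, not real keys; the table and bucket names come from the lab,
# and 123456789012 is a placeholder account id.
SAMPLE_CONFIGS = [
    {
        "FunctionName": "logitrack-dev",
        "Role": "arn:aws:iam::123456789012:role/logitrack",
        "Environment": {"Variables": {
            "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
            "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
            "DB_TABLE": "db_logitrack",
            "UPLOAD_BUCKET": "hl-file-uploads-6a9719fd6220",
        }},
    },
    {
        "FunctionName": "nightly-report",
        "Role": "arn:aws:iam::123456789012:role/nightly-report",
        "Environment": {"Variables": {"LOG_LEVEL": "INFO"}},
    },
]


if __name__ == "__main__":
    for fn, found in audit_account(SAMPLE_CONFIGS).items():
        for f in found:
            print(f"{fn}: {f.variable}: {f.reason}")
```

Every function already runs under an execution role (the Role field), so any static key found this way is redundant: the fix is to grant the needed DynamoDB and S3 permissions to that role, delete the variables and rotate the exposed key. Run against real data, the configs would come from paginating aws lambda list-functions; the checks themselves do not change.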
Using the AWS CLI we can examine the Lambda instance. The first command returns all information about the Lambda function, while the second command just returns the Code.Location value. This value is a URL that allows us to download a zip file of the code that's currently deployed on the Lambda function.
Now let's play with Lambda using some commands:
aws lambda get-function --function-name logitrack-dev --profile pwnquest --region us-west-2
aws lambda get-function --function-name logitrack-dev --query 'Code.Location' --region us-west-2 --profile pwnquest
Download and extract the code as follows.
wget '<URL>' -O lambda_function.zip
unzip lambda_function.zip
The function also retrieves data from the DynamoDB table. We're not able to list DynamoDB tables (or retrieve contents from this table) as our current user sarah.
aws dynamodb list-tables
Nothing. Now it's time to set the new AWS keys that we retrieved with the Lambda env-vars command.
Found the creds file. What is going on here, bro...
Attempting to assume the Lambda execution role as logitrack is successful, and we get temporary role credentials.
This is the tricky part; please take notes from the start, otherwise you will get lost.
Set ALL:
Well, apart from the DynamoDB database... see what else you can scan, and I hope we fetched out lots of misconfigurations.
Mitigation:
- .gitignore: Ensure that files containing sensitive credentials are listed in your .gitignore file so that they are not accidentally committed to version control.
- Environment Variables: Store your AWS keys in environment variables instead of hardcoding them in your source code. This way, they are not exposed in your version control system.
- Secrets Management: Use a secrets management tool like AWS Secrets Manager, HashiCorp Vault, or environment-specific solutions like dotenv for Node.js to manage and inject secrets into your application at runtime.
- Code Reviews: Implement a code review process where changes are reviewed for security issues, including the accidental inclusion of sensitive credentials, before being merged into your main codebase.
- Scan for Secrets: Use tools like GitGuardian, TruffleHog, or AWS CodeGuru Reviewer to scan your repository for accidentally committed secrets and credentials. Set up pre-commit hooks to automatically scan for secrets before code is committed.
- Access Control: Restrict access to your version control repositories to only those who need it, and regularly review access permissions.
- Rotate Credentials: If you suspect that credentials have been exposed, rotate them immediately. Regularly rotate credentials as a best practice, even if no exposure is suspected.
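The "Scan for Secrets" item above recommends a pre-commit hook, and the lab itself starts from exactly the leak such a hook prevents: a .env file with AWS keys pushed to GitHub. As an added example (not from the lab, and not TruffleHog or GitGuardian code), here is a small hook that parses the staged diff and blocks the commit when a dotenv file, an AWS access key ID or an aws_secret_access_key assignment is being added. SAMPLE_DIFF is a constructed git diff; the key values in it are AWS's documented example credentials, not keys from this lab.

```python
import re
import subprocess
import sys
from dataclasses import dataclass

# Added example, not from the lab: a git pre-commit hook that scans the staged
# diff for the kind of leak this lab starts from (a committed .env file with
# AWS keys). Install by saving it as .git/hooks/pre-commit and making it
# executable; git runs it before every commit and aborts on a non-zero exit.

# Files meant to hold local secrets, which should never be committed.
SECRET_FILE_RE = re.compile(r"(^|/)\.env(\..+)?$")
# Long-term (AKIA) and temporary (ASIA) AWS access key IDs.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# `aws_secret_access_key = <40 chars>` assignments, as in .env or ~/.aws/credentials.
SECRET_ASSIGN_RE = re.compile(r"aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})", re.I)


@dataclass
class Finding:
    path: str
    line: str
    reason: str


def scan_staged_diff(diff_text: str) -> list[Finding]:
    """Parse unified diff output (`git diff --cached`) and flag secrets being added."""
    findings: list[Finding] = []
    path = ""
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            # New-side file header: "+++ b/<path>" (or "+++ /dev/null" on deletion).
            path = raw[4:].removeprefix("b/")
            if SECRET_FILE_RE.search(path):
                findings.append(Finding(path, "", "dotenv file staged for commit"))
            continue
        if not raw.startswith("+") or raw.startswith("+++"):
            continue  # only added lines can introduce a new secret
        line = raw[1:]
        if ACCESS_KEY_ID_RE.search(line):
            findings.append(Finding(path, line.strip(), "AWS access key ID"))
        if SECRET_ASSIGN_RE.search(line):
            findings.append(Finding(path, line.strip(), "AWS secret access key assignment"))
    return findings


def main() -> int:
    """Hook entry point: exit 1 (commit refused) when anything is flagged."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0"],
        capture_output=True, text=True, check=True,
    ).stdout
    findings = scan_staged_diff(diff)
    for f in findings:
        detail = f" -> {f.line}" if f.line else ""
        print(f"BLOCKED {f.path}: {f.reason}{detail}", file=sys.stderr)
    return 1 if findings else 0


# Constructed sample diff; the key values are AWS's documented example credentials.
SAMPLE_DIFF = """\
diff --git a/.env b/.env
new file mode 100644
--- /dev/null
+++ b/.env
@@ -0,0 +1,3 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+DB_TABLE=db_logitrack
diff --git a/app.py b/app.py
--- a/app.py
+++ b/app.py
@@ -1,2 +1,3 @@
 import boto3
-client = boto3.client("dynamodb")
+client = boto3.client("dynamodb", region_name="us-west-2")
+TABLE = "db_logitrack"
"""

if __name__ == "__main__":
    sys.exit(main())
```

Two caveats worth knowing before relying on it: SECRET_FILE_RE also matches a deliberately committed .env.example template, so such files need an allowlist, and a hook only guards the developer's own machine; the same scan has to run server-side (a CI job or GitHub's own secret scanning) to catch commits made with hooks disabled.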
Reference Documents
https://www.trendmicro.com/cloudoneconformity/knowledge-base/