feat: add huawei cloud ecs ssrf scenario

README.md

@@ -23,16 +23,17 @@ Currently supported cloud vendors include Alibaba Cloud, Tencent Cloud, Huawei C
 |  10  |      Huawei Cloud      |      Object Storage       | [Special Bucket Policy](https://github.com/HuoCorp/TerraformGoat/tree/main/huaweicloud/object_storage_service/special_bucket_policy) |
 |  11  |      Huawei Cloud      |      Object Storage       | [Unrestricted File Upload](https://github.com/HuoCorp/TerraformGoat/tree/main/huaweicloud/object_storage_service/unrestricted_file_upload) |
 |  12  |      Huawei Cloud      |      Object Storage       | [Bucket Object Traversal](https://github.com/HuoCorp/TerraformGoat/tree/main/huaweicloud/object_storage_service/bucket_object_traversal) |
-|  13  |  Amazon  Web Services  |      Object Storage       | [Bucket Object Traversal](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/bucket_object_traversal) |
-|  14  |  Amazon  Web Services  |      Object Storage       | [Special Bucket Policy](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/special_bucket_policy) |
-|  15  |  Amazon  Web Services  |      Object Storage       | [Unrestricted File Upload](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/unrestricted_file_upload) |
-|  16  |  Amazon  Web Services  |      Object Storage       | [Object ACL Writable](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/object_acl_writable) |
-|  17  |  Amazon  Web Services  | Elastic Computing Service | [EC2 SSRF](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/elastic_computing_service/ec2_ssrf) |
-|  18  | Google  Cloud Platform |      Object Storage       | [Bucket Object Traversal](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_object_traversal) |
-|  19  | Google  Cloud Platform |      Object Storage       | [Object ACL Writable](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/object_acl_writable) |
-|  20  | Google  Cloud Platform |      Object Storage       | [Bucket ACL Writable](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_acl_writable) |
-|  21  | Google  Cloud Platform |      Object Storage       | [Unrestricted File Upload](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/unrestricted_file_upload) |
-|  22  |    Microsoft  Azure    |      Object Storage       | [Blob  Public Access](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/blob_public_access/) |
+|  13  |     Huawei Cloud      | Elastic Computing Service | [ECS SSRF](https://github.com/HuoCorp/TerraformGoat/tree/main/huaweicloud/elastic_computing_service/ecs_ssrf) |
+|  14  |  Amazon  Web Services  |      Object Storage       | [Bucket Object Traversal](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/bucket_object_traversal) |
+|  15  |  Amazon  Web Services  |      Object Storage       | [Special Bucket Policy](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/special_bucket_policy) |
+|  16  |  Amazon  Web Services  |      Object Storage       | [Unrestricted File Upload](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/unrestricted_file_upload) |
+|  17  |  Amazon  Web Services  |      Object Storage       | [Object ACL Writable](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/object_acl_writable) |
+|  18  |  Amazon  Web Services  | Elastic Computing Service | [EC2 SSRF](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/elastic_computing_service/ec2_ssrf) |
+|  19  | Google  Cloud Platform |      Object Storage       | [Bucket Object Traversal](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_object_traversal) |
+|  20  | Google  Cloud Platform |      Object Storage       | [Object ACL Writable](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/object_acl_writable) |
+|  21  | Google  Cloud Platform |      Object Storage       | [Bucket ACL Writable](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_acl_writable) |
+|  22  | Google  Cloud Platform |      Object Storage       | [Unrestricted File Upload](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/unrestricted_file_upload) |
+|  23  |    Microsoft  Azure    |      Object Storage       | [Blob  Public Access](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/blob_public_access/) |
 
 ## Install
 

README_CN.md

@@ -22,16 +22,17 @@ Cloud Platform、Microsoft Azure 六个云厂商的云场景漏洞搭建。
 |  10  |         华为云         |   对象存储   | [特殊的 Bucket 策略](https://github.com/HuoCorp/TerraformGoat/tree/main/huaweicloud/object_storage_service/special_bucket_policy) |
 |  11  |         华为云         |   对象存储   | [任意文件上传](https://github.com/HuoCorp/TerraformGoat/tree/main/huaweicloud/object_storage_service/unrestricted_file_upload) |
 |  12  |         华为云         |   对象存储   | [Bucket 对象遍历](https://github.com/HuoCorp/TerraformGoat/tree/main/huaweicloud/object_storage_service/bucket_object_traversal) |
-|  13  |  Amazon  Web Services  |   对象存储   | [Bucket 对象遍历](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/bucket_object_traversal) |
-|  14  |  Amazon  Web Services  |   对象存储   | [特殊的 Bucket 策略](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/special_bucket_policy) |
-|  15  |  Amazon  Web Services  |   对象存储   | [任意文件上传](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/unrestricted_file_upload) |
-|  16  |  Amazon  Web Services  |   对象存储   | [Object ACL 可写](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/object_acl_writable) |
-|  17  |  Amazon  Web Services  | 弹性计算服务 | [EC2 SSRF 漏洞环境](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/elastic_computing_service/ec2_ssrf) |
-|  18  | Google  Cloud Platform |   对象存储   | [Bucket 对象遍历](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_object_traversal) |
-|  19  | Google  Cloud Platform |   对象存储   | [Object ACL 可写](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/object_acl_writable) |
-|  20  | Google  Cloud Platform |   对象存储   | [Bucket ACL 可写](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_acl_writable) |
-|  21  | Google  Cloud Platform |   对象存储   | [任意文件上传](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/unrestricted_file_upload) |
-|  22  |    Microsoft  Azure    |   对象存储   | [Blob 公开访问](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/blob_public_access/) |
+|  13  |  华为云  | 弹性计算服务 | [ECS SSRF 漏洞环境](https://github.com/HuoCorp/TerraformGoat/tree/main/huaweicloud/elastic_computing_service/ecs_ssrf) |
+|  14  |  Amazon  Web Services  |   对象存储   | [Bucket 对象遍历](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/bucket_object_traversal) |
+|  15  |  Amazon  Web Services  |   对象存储   | [特殊的 Bucket 策略](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/special_bucket_policy) |
+|  16  |  Amazon  Web Services  |   对象存储   | [任意文件上传](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/unrestricted_file_upload) |
+|  17  |  Amazon  Web Services  |   对象存储   | [Object ACL 可写](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/object_acl_writable) |
+|  18  |  Amazon  Web Services  | 弹性计算服务 | [EC2 SSRF 漏洞环境](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/elastic_computing_service/ec2_ssrf) |
+|  19  | Google  Cloud Platform |   对象存储   | [Bucket 对象遍历](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_object_traversal) |
+|  20  | Google  Cloud Platform |   对象存储   | [Object ACL 可写](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/object_acl_writable) |
+|  21  | Google  Cloud Platform |   对象存储   | [Bucket ACL 可写](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_acl_writable) |
+|  22  | Google  Cloud Platform |   对象存储   | [任意文件上传](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/unrestricted_file_upload) |
+|  23  |    Microsoft  Azure    |   对象存储   | [Blob 公开访问](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/blob_public_access/) |
 
 ## 安装
 

huaweicloud/elastic_computing_service/ecs_ssrf/README.md

@@ -0,0 +1,76 @@
+# Huawei Cloud ECS SSRF Vulnerable Environment
+
+English | [中文](./README_CN.md)
+
+## Description
+
+This is a scenario used to build the Huawei Cloud ECS SSRF vulnerability environment.
+
+After building the environment with Terraform, users can obtain metadata and user data and other information on ECS through the SSRF vulnerabilities.
+
+## Deployment Environment
+
+Execute the following command in the container
+
+```shell
+cd /TerraformGoat/huaweicloud/elastic_computing_service/ecs_ssrf/
+```
+
+Edit the `terraform.tfvars` file and fill in the file with your `huaweicloud_access_key` and `huaweicloud_secret_key`.
+
+> The access key can be found in HUAWEI CLOUD [Console --> My Credentials]
+
+```shell
+vim terraform.tfvars
+```
+
+Deploy Vulnerable Environment
+
+```shell
+terraform init
+terraform apply
+```
+
+> When the terminal prompts `Enter a value:`, enter `yes`
+
+![img](../../../images/1652069131.png)
+
+After the environment is set up, You can see the access address of the scenario at Outputs, then access to the browser.
+
+## Vulnerability Utilization
+
+On ECS with SSRF vulnerabilities, we can use SSRF to read ECS metadata, user data and other information.
+
+read metadata
+
+```shell
+http://169.254.169.254/latest/meta-data/
+```
+
+![img](../../../images/1652069248.png)
+
+read user data
+
+> The premise is that the target has been configured with user data, otherwise will be disconnected.
+
+```shell
+http://169.254.169.254/latest/user-data/
+```
+
+![img](../../../images/1652069336.png)
+
+In the user data information, you can see that there is a flag file in the root directory of the scenario, try to use SSRF to read this file.
+
+```shell
+file:///flag69152201.txt
+```
+
+![img](../../../images/1651825032.png)
+
+Successfully read the flag file.
+
+## Destroy the environment
+
+```shell
+terraform destroy
+```

huaweicloud/elastic_computing_service/ecs_ssrf/README_CN.md

@@ -0,0 +1,76 @@
+# 华为云 ECS SSRF 漏洞环境
+
+[English](./README.md) | 中文
+
+## 描述信息
+
+这是一个用于构建华为云 ECS SSRF 漏洞环境的靶场。
+
+使用 Terraform 构建环境后，用户可以通过 SSRF 漏洞获取到 ECS 上的元数据、用户数据等信息。
+
+## 环境搭建
+
+在容器中执行以下命令
+
+```shell
+cd /TerraformGoat/huaweicloud/elastic_computing_service/ecs_ssrf/
+```
+
+编辑 `terraform.tfvars` 文件，在文件中填入你的 `huaweicloud_access_key` 和 `huaweicloud_secret_key`
+
+> 在华为云「控制台 --》我的凭证」处可以找到访问密钥
+
+```shell
+vim terraform.tfvars
+```
+
+部署靶场
+
+```shell
+terraform init
+terraform apply
+```
+
+> 在终端提示 `Enter a value:` 时，输入 `yes` 即可
+
+![img](../../../images/1652069131.png)
+
+环境搭建完后，在 Outputs 处可以看到靶场的访问地址，打开浏览器访问即可。
+
+## 漏洞利用
+
+在存在 SSRF 漏洞的 ECS 上，我们可以利用 SSRF 读取 ECS 的元数据、用户数据等信息。
+
+读取元数据
+
+```shell
+http://169.254.169.254/latest/meta-data/
+```
+
+![img](../../../images/1652069248.png)
+
+读取用户数据
+
+> 前提是目标已经配置了用户数据，不然会返回 404
+
+```shell
+http://169.254.169.254/latest/user-data/
+```
+
+![img](../../../images/1652069336.png)
+
+在用户数据信息中，可以看到在靶场的根目录下有个 flag 文件，尝试利用 SSRF 读取这个文件
+
+```shell
+file:///flag69152201.txt
+```
+
+![img](../../../images/1651825032.png)
+
+成功读取到 flag 文件
+
+## 销毁环境
+
+```shell
+terraform destroy
+```

huaweicloud/elastic_computing_service/ecs_ssrf/main.tf

@@ -0,0 +1,101 @@
+provider "huaweicloud" {
+  region     = "cn-north-4"
+  access_key = var.huaweicloud_access_key
+  secret_key = var.huaweicloud_secret_key
+}
+
+resource "huaweicloud_compute_instance" "web" {
+  name               = "huoxian_terraform_goat_instance"
+  image_id           = data.huaweicloud_images_image.myimage.id
+  flavor_id          = data.huaweicloud_compute_flavors.myflavor.ids[0]
+  security_group_ids = [huaweicloud_networking_secgroup.secgroup.id]
+  availability_zone  = "cn-north-4a"
+  user_data          = <<EOF
+#!/bin/bash
+sudo apt-get -y update
+sudo apt-get -y install apache2
+sudo apt-get -y install php
+sudo apt-get -y install php-curl
+sudo sed -i 's/Listen 80/Listen 8080/' /etc/apache2/ports.conf
+sudo /etc/init.d/apache2 restart
+cd /var/www/html
+sudo apt-get -y install wget
+sudo wget https://huocorp-oss.oss-cn-beijing.aliyuncs.com/terraform-goat-dependency-files/ssrf-lab.zip
+sudo apt-get -y install unzip
+sudo unzip ssrf-lab.zip
+sudo mv ./ssrf-lab/static/flag69152201.txt /
+EOF
+
+  network {
+    uuid = huaweicloud_vpc_subnet.subnet.id
+  }
+  depends_on = [
+    huaweicloud_networking_secgroup.secgroup,
+    huaweicloud_vpc_subnet.subnet
+  ]
+}
+
+resource "huaweicloud_networking_secgroup" "secgroup" {
+  name = "huoxian_terraform_goat_secgroup"
+}
+
+resource "huaweicloud_networking_secgroup_rule" "allow" {
+  security_group_id = huaweicloud_networking_secgroup.secgroup.id
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 8080
+  port_range_max    = 8080
+  remote_ip_prefix  = "0.0.0.0/0"
+  depends_on = [
+    huaweicloud_networking_secgroup.secgroup
+  ]
+}
+
+resource "huaweicloud_vpc" "vpc" {
+  name = "huoxian_terraform_goat_vpc"
+  cidr = "10.77.0.0/16"
+}
+
+resource "huaweicloud_vpc_subnet" "subnet" {
+  name       = "huoxian_terraform_goat_subnet"
+  cidr       = "10.77.0.0/24"
+  gateway_ip = "10.77.0.1"
+  vpc_id     = huaweicloud_vpc.vpc.id
+  depends_on = [
+    huaweicloud_vpc.vpc
+  ]
+}
+
+resource "huaweicloud_vpc_eip" "eip" {
+  publicip {
+    type = "5_bgp"
+  }
+  bandwidth {
+    name        = "huoxian_terraform_goat_eip"
+    size        = 8
+    share_type  = "PER"
+    charge_mode = "traffic"
+  }
+}
+
+resource "huaweicloud_compute_eip_associate" "associated" {
+  public_ip   = huaweicloud_vpc_eip.eip.address
+  instance_id = huaweicloud_compute_instance.web.id
+  depends_on = [
+    huaweicloud_vpc_eip.eip,
+    huaweicloud_compute_instance.web
+  ]
+}
+
+data "huaweicloud_compute_flavors" "myflavor" {
+  availability_zone = "cn-north-4a"
+  performance_type  = "normal"
+  cpu_core_count    = 1
+  memory_size       = 1
+}
+
+data "huaweicloud_images_image" "myimage" {
+  name        = "Ubuntu 18.04 server 64bit"
+  most_recent = true
+}

huaweicloud/elastic_computing_service/ecs_ssrf/outputs.tf

@@ -0,0 +1,4 @@
+output "ssrf_lab_address_link" {
+  value       = "http://${huaweicloud_compute_eip_associate.associated.public_ip}:8080/ssrf-lab"
+  description = "ssrf lab address link."
+}

huaweicloud/elastic_computing_service/ecs_ssrf/terraform.tfvars

@@ -0,0 +1,2 @@
+huaweicloud_access_key = "xxx"
+huaweicloud_secret_key = "xxx"

huaweicloud/elastic_computing_service/ecs_ssrf/variables.tf

@@ -0,0 +1,13 @@
+variable "huaweicloud_access_key" {
+  type        = string
+  description = "Set HuaweiCloud access key."
+  sensitive   = true
+  nullable    = false
+}
+
+variable "huaweicloud_secret_key" {
+  type        = string
+  description = "Set HuaweiCloud secret key."
+  sensitive   = true
+  nullable    = false
+}

huaweicloud/elastic_computing_service/ecs_ssrf/versions.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    huaweicloud = {
+      source  = "huaweicloud/huaweicloud"
+      version = "1.35.1"
+    }
+  }
+}