Size: Small
Difficulty: Moderate
Command: $ ./cloudgoat.py create cloud_breach_s3
- 1 VPC with:
- EC2 x 1
- S3 x 1
- The IP Address of an EC2 server that is running a misconfigured reverse proxy
Download the confidential files from the S3 bucket.
Starting as an anonymous outsider with no access or privileges, exploit a misconfigured reverse-proxy server to query the EC2 metadata service and acquire instance profile keys. Then, use those keys to discover, access, and exfiltrate sensitive data from an S3 bucket.
- The attacker finds the IP of an EC2 instance by shady means, and after some reconnaissance realizes that it is acting as a reverse-proxy server. This is common, especially for organizations in the process of moving from on-premise to the cloud.
- After some research, the attacker uses
CURLto send a request to the web server and set the host header to the IP address of EC2 metadata service. - The attacker's specially-crafted CURL command is successful, returning the Access Key ID, Secret Access Key, and Session Token of the IAM Instance Profile attached to the EC2 instance.
- With the IAM role's credentials in hand, the attacker is now able to explore the victim's cloud environment using the powerful permissions granted to the role.
- The attacker is then able to list, identify, and access a private S3 bucket.
- Inside the private S3 bucket, the attacker finds several files full of sensitive information, and is able to download these to their local machine for dissemination.
A cheat sheet for this route is available here.