Scenario | ecs_privesc_evade_protection #233
Conversation
West-wise
changed the title
| source_arn = aws_cloudwatch_event_rule.guardduty_events.arn | ||
| } | ||
|
|
||
| resource "null_resource" "lambda_zip" { |
There was a problem hiding this comment.
Please switch this to use the archive provider.
https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file
| @@ -0,0 +1 @@ | |||
| cg-secret-bob12-gC9!+Xy#QJ37fa@H3D7Kd@2*a&#+Tp% | |||
There was a problem hiding this comment.
Assets used by the scenario should be moved to under the terraform directory. Like done here
| - The attacker exploits vulnerabilities in a web service to access the EC2's credentials. | ||
| - The attacker defines and executes an ECS task with the authority of the web developer to privesc or bypass mitigations. Perform a reverse shell attack to access the container been created. | ||
| - The attacker accesses S3 at the container to bypass GuardDuty detection. Gets the Secret String and exits the scenario. | ||
|
|
There was a problem hiding this comment.
Create a manifest.yml file.
example
| - The attacker exploits vulnerabilities in a web service to access the EC2's credentials. | ||
| - The attacker defines and executes an ECS task with the authority of the web developer to privesc or bypass mitigations. Perform a reverse shell attack to access the container been created. | ||
| - The attacker accesses S3 at the container to bypass GuardDuty detection. Gets the Secret String and exits the scenario. | ||
|
|
There was a problem hiding this comment.
Once we have the size & difficulty, add you scenario to the main readme file.
| } | ||
|
|
||
| # Wait a little for ec2 be created in ASG. | ||
| resource "time_sleep" "wait_for_instance" { |
There was a problem hiding this comment.
Move the resources and data to dedicated files
| @@ -0,0 +1,4 @@ | |||
| provider "aws" { | |||
There was a problem hiding this comment.
Add required providers for aws, time, and null (archive see other comment)
| @@ -0,0 +1,4 @@ | |||
| provider "aws" { | |||
There was a problem hiding this comment.
Add required version (or minimum)
Missing commit about user-email input for SES is reflected.
PR requirements reflected.
|
We have addressed all the requirements. Please let us know if there are any other requests or suggestions. :) |
Add vpc.tf & resolve an issue about tf version.
|
Terraform version >= 2.0 was definitely a misnomer. and I added vpc.tf reflecting the feedback. |
| ``` | ||
| http://<ec2_ip_address>/?url=http://[::ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/<role> | ||
| aws configure --profile attacker | ||
| echo "aws_session_token = <token>" >> ~/.aws/credentials`echo "aws_session_token = <token>" >> ~/.aws/credentials`echo "aws_session_token = <token>" >> ~/.aws/credentials`echo "aws_session_token = <token>" >> ~/.aws/credentials`echo "aws_session_token = <token>" >> ~/.aws/credentials`echo "aws_session_token = <token>" >> ~/.aws/credentials`echo "aws_session_token = <token>" >> ~/.aws/credentials`echo "aws_session_token = <token>" >> ~/.aws/credentials`echo "aws_session_token = <token>" >> ~/.aws/credentials`echo "aws_session_token = <token>" >> ~/.aws/credentials`echo "aws_session_token = <token>" >> ~/.aws/credentials`echo "aws_session_token = <token>" >> ~/.aws/credentials |
There was a problem hiding this comment.
Should there be this many echo commands?
|
The following data sources are now unused
I would also recommend adding a required version for the archive & time providers |
|
Have the scenario create the CloudWatch group that the lambda will write to. Then when the scenario is destroyed it is also cleaned up |
…>" >> ~/.aws/credentials`
- data "aws_vpc" "default" - data "aws_subnets" "all_subnets"
- flag.txt is now for easy path. - secret-string.txt is for hard path. - refresh README.md & cheat_sheet.md.
|
I was thinking about adding an easy path and decided to create a separate secret-string file for each path. |
There was a problem hiding this comment.
LGTM
@jdearmas could you review this. There also is a thread in discord about this scenario
…c_evade_protection # Conflicts: # README.md
3iuy-prog
force-pushed
the
scenario/ecs_privesc_evade_protection
branch
from
3c01de3
to
0dca220
Compare
3iuy-prog
force-pushed
the
scenario/ecs_privesc_evade_protection
branch
from
0dca220
to
928ad74
Compare
| @@ -0,0 +1,6 @@ | |||
| # Using CloudTrail for GuardDuty | |||
| resource "aws_cloudtrail" "cloudtrail" { | |||
There was a problem hiding this comment.
Add a depends on for the bucket policy aws_s3_bucket_policy.trail_bucket_policy
| provisioner "local-exec" { | ||
| when = create | ||
| on_failure = fail | ||
| command = "python ./push-dockerfile.py --dockerfile_path ../assets/ssrf-web/ --repository ${aws_ecr_repository.repository.name} --region ${var.region} --profile ${var.profile} --image_tag latest" |
There was a problem hiding this comment.
Switch out python to python3 not all systems come with python/ an alias to 3 (osx)
Python3 is already defined to be used in cloudgoat.py
The files could also be made executable and then define the env in the top of the files
| provisioner "local-exec" { | ||
| when = destroy | ||
| on_failure = fail | ||
| command = "python ./pop-dockerfile.py --repository ${self.triggers.repository_name} --region ${self.triggers.region} --profile ${self.triggers.profile} --image_tag all" |
|
|
||
| def docker_build_and_push(repository_uri, image_tag, path): | ||
| # Build the Docker image | ||
| subprocess.run(f"docker build -t {repository_uri}:{image_tag} {path}", shell=True, check=True) |
There was a problem hiding this comment.
Add --platform linux/amd64 to the build subprocess, I'm on a apple silicon machine which is based on arm
Logs from the ecs server
[root@ip-192-168-150-41 ~]# docker logs 6d265c0e1c35
exec /usr/local/bin/docker-php-entrypoint: exec format error| import subprocess | ||
|
|
||
|
|
||
| def get_docker_login_cmd(client, region): |
There was a problem hiding this comment.
Is this function necessary for removing the images from ecr?
| @@ -227,16 +227,13 @@ Starting with access the "ruse" EC2 the user leverages the instace profile to ba | |||
|
|
|||
| [Visit Scenario Page.](scenarios/ecs_efs_attack/README.md) | |||
|
|
|||
| ### glue_privesc(Large / Moderate) | |||
| ### ecs_privesc_evade_protection (Medium / Moderate) | |||
There was a problem hiding this comment.
Overwriting glue_privesc
| @@ -0,0 +1,61 @@ | |||
| # Scenario: ecs_privesc_evade_protection | |||
There was a problem hiding this comment.
Could you make a note that this scenario needs docker to run
|
All changes are submitted. :) |
|
The change to the platform are still building as arm, the ECS tasks then fails. I think the only thing needed to be added is the platform tag to force it to be amd64 docker_build_cmd = f"docker build --platform=linux/amd64 -t {repository_uri}:{image_tag} {path}"Everything else looks great 🙌 |
Add a new scenario which abuses an ECS & reverse shell to escalate privileges.