
Level Up Your Lab Envs!

TweekFawkes
November 03, 2022


Research presented at DC 435 in Utah on November 3rd, 2022

Session Name: "Level Up Your Lab Envs!"

How to set up a cybersecurity and/or penetration-testing lab in the cloud (AWS, Azure, GCP, etc.) to learn how to escalate privileges via various pentest techniques.



Transcript

  1. Outplay Your Adversary! Bryce Kunz // @TweekFawkes (Version 1.0, Copyright 2022 by Stage 2 Security)
  2. Level Up Your Lab Envs! Bryce Kunz // @TweekFawkes
  3. Bryce Kunz; @TweekFawkes
     Defense: DHS SOC. Offense: NSA Red Team, Adobe Digital Exp. (DX).
     Services:
     • Hack (Pentest)
     • Hunt (Splunk ES)
     • Train (Cloud Sec.)
  4. BSidesSLC.org: Friday Dec. 16th 2022! Sandy UT Conference Center at Miller Campus. Hardware Badge by @professor__plum. https://BSidesSLC.org
  5. Why? TL;DR:
     • Learn by Hands-on Experience
     • Be Able to Talk To Experience in Interviews
     • Be Able to Mentor Others on Common TTPs
       ◦ Tactics, Techniques, and Procedures (TTPs)
  7. Vulnerable Lab Environments (slide graphics: AiTM Evilginx2, CloudGoat)
     • https://cloud.hacktricks.xyz/pentesting-cloud/aws-security
     • https://github.com/BishopFox/iam-vulnerable
     • https://github.com/RhinoSecurityLabs/cloudgoat
     • https://github.com/bridgecrewio/terragoat
     • https://github.com/nccgroup/sadcloud
     • https://hackingthe.cloud/aws/capture_the_flag/cicdont
     • https://github.com/ine-labs/AWSGoat
  8. IAM Vulnerable TL;DR:
     • Focused on AWS's IAM Service
       ◦ Identity and Access Management (IAM)
     • Deploys via Terraform
     • 31 Privilege Escalation Paths
     • GitHub Links to Solutions
     • Great for Testing GraphDB Tools (e.g. AWSpx, PMapper, etc.)
     • REF: https://github.com/BishopFox/iam-vulnerable
  9. CloudGoat TL;DR:
     • Focused on AWS
       ◦ Resources: Lambda, EC2, S3, etc.
       ◦ + Identity and Access Management (IAM)
     • Deploys via Terraform
     • 12 Scenarios
     • Solutions are easily Google-able
     • Great for Reference or Testing Specific Technique/Tools (e.g. Pacu)
     • REF: https://github.com/RhinoSecurityLabs/cloudgoat
  10. SadCloud TL;DR:
     • Focused on AWS
       ◦ Resources: Lambda, EC2, S3, etc.
       ◦ + Identity and Access Management (IAM)
     • Deploys via Terraform
     • 84 Misconfigurations
     • Great for Testing Cloud Vuln Scan Tools (e.g. ScoutSuite)
     • REF: https://github.com/nccgroup/sadcloud
  11. AzureGoat TL;DR:
     • Focused on Azure
     • REF: https://github.com/ine-labs/AzureGoat
  12. GCPGoat TL;DR:
     • Focused on GCP
     • Good for 101 Basics… Needs More Complex Scenarios
     • REF: https://gcpgoat.joshuajebaraj.com/
  13. Other REFs
     • https://hackingthe.cloud/aws/capture_the_flag/cicdont/
     • https://github.com/nccgroup/sadcloud
     • https://github.com/bridgecrewio/terragoat
     • https://github.com/ine-labs/AWSGoat
     • http://flaws.cloud/
     • http://flaws2.cloud/
  14. Guides
     • https://cloud.hacktricks.xyz/pentesting-cloud/
     • https://pentestbook.six2dez.com/enumeration/cloud/
     • https://github.com/dafthack/CloudPentestCheatsheets
     • PayloadsAllTheThings:
       ◦ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20AWS%20Pentest.md
       ◦ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md
     • https://github.com/vengatesh-nagarajan/Cloud-pentest
     • https://github.com/CyberSecurityUP/Awesome-Cloud-PenTest
     • https://github.com/kh4sh3i/cloud-penetration-testing
  15. Visualization Tools
     • https://github.com/nccgroup/PMapper
     • https://github.com/Azure/Stormspotter
     • https://github.com/duo-labs/cloudmapper
     • https://github.com/WithSecureLabs/awspx
     • https://github.com/SygniaLabs/security-cloud-scout
     • https://github.com/BloodHoundAD/BloodHound
     • https://pentestbook.six2dez.com/enumeration/cloud/azure
     Steps: 1. Collection 2. Processing 3. Analysis
  16. Aws Cloud Capability Tool (ACCT): Tailored Collection & Processing + Neo4j GraphDB
  17. AWS IAM Users & AWS Service (RDS, &...): IAM User joe has a Permissions Policy with Action sts:AssumeRole on Resource arn…role/rds-ro; the target is the Relational Database Service (RDS) DB Cluster Secrets.
  18. Same diagram: joe is Blocked! Reaching the RDS DB Cluster requires Action rds:Describe*.
  19. AWS IAM Roles & Policies: Role rds-ro has a Permissions Policy (what can be done with the role) with Action rds:Describe* on Resource *.
  20. Same diagram with the RDS DB Cluster Secrets added as the target of the role.
  21. AWS IAM Roles & Policies: Role rds-ro also has a Trust Policy, aka "AssumeRolePolicy" (who can assume the role), with Principal arn…user/joe and Action sts:AssumeRole, alongside the Permissions Policy (rds:Describe* on *).
  22. Same diagram with the RDS DB Cluster Secrets added.
  23. AWS IAM Users & IAM Roles, both sides together. IAM User joe: Permissions Policy with Action sts:AssumeRole on Resource arn…role/rds-ro. Role rds-ro: Trust Policy with Principal arn…user/joe and Action sts:AssumeRole; Permissions Policy with Action rds:Describe* on Resource *.
  24. AWS IAM Users, IAM Roles, & AWS Services: the full chain from IAM User joe, via sts:AssumeRole into Role rds-ro, to the RDS DB Cluster Secrets.
  25. AWS EC2 Instances: IAM User rydia has Permissions Policy AmazonEC2FullAccess on Resource *; an App on an EC2 Instance needs S3 Objects (Simple Storage Service (S3), S3 Bucket Secrets), &...
  26. Same diagram: Blocked! Reading the objects requires Action s3:Get*.
  27. Attach Role to Instance, &…: IAM Instance Profile ec2-s3-ro wraps Role ec2-s3-ro, to be attached to the EC2 Instance.
  28. Role ec2-s3-ro: Trust Policy, aka "AssumeRolePolicy" (who can assume the role), with Principal Service EC2 and Action sts:AssumeRole; Permissions Policy (what can be done with the role) AmazonS3ReadOnlyAccess on Resource *. IAM User rydia still has AmazonEC2FullAccess on Resource *.
  29. Same diagram: Blocked! Attaching the role to the instance requires Action iam:PassRole*.
  30. New Policy pass-ec2-s3-ro is added for IAM User rydia.
  31. S3 Bucket Policies & S3 ACLs: IAM User rydia now has AmazonEC2FullAccess on Resource * plus pass-ec2-s3-ro; the S3 Bucket also has its own S3 Bucket Policies and S3 ACLs.
  32. Attach Role to Instance, &…: full diagram of IAM User rydia, Role ec2-s3-ro (Trust Policy: Principal Service EC2; Permissions Policy: AmazonS3ReadOnlyAccess), Instance Profile ec2-s3-ro on the EC2 Instance, and the S3 Bucket with its Bucket Policies and ACLs.
  33. S3: same full diagram.
  34. Compromise of "privesc3-…" User… To Admin Access! (title slide; repeated on slides 35-38, 40, 45, 47 and 49 between the demo steps below)
  39. Create New EC2 Instance w/ Role Attached: Elastic Compute Cloud (EC2) Instance with an Instance Profile; the Role's Policies yield Temporary Credentials; the target is Simple Storage Service (S3) Objects / S3 Bucket Secrets (AWS IAM).
  41. Get Access To EC2 Instance via Connect Back to NC: the instance's User Data Launch Script connects back to a NetCat Listener.
  42. C2 via NetCat: the NetCat Listener acts as C2 for the instance.
  43. Elastic Compute Cloud (EC2): Access Metadata via Curl 169.254.169.254 (Metadata Service).
  44. Access Metadata via Curl 169.254.169.254 To Collect Creds! The Metadata Service hands out the Role's Temporary Credentials (requiring IMDSv2, i.e. a session token on every metadata request, is the standard mitigation for this step).
  46. Elastic Compute Cloud (EC2): Configure aws cli with the collected Temporary Credentials.
  48. Elastic Compute Cloud (EC2): Reuse Creds for S3 Access! (Objects in the S3 Bucket, Secrets).
  50. Common Priv Esc Access Vectors: IAM Permissions vs. Manipulating Resources
  51. IAM Permissions: Users
     • iam:CreateAccessKey
     • iam:UpdateLoginProfile
     • iam:AddUserToGroup
     • etc…
  52. IAM Permissions: Permissions Policies
     • iam:CreatePolicyVersion
     • iam:SetDefaultPolicyVersion
     • iam:Attach*Policy
     • iam:Put*Policy
     • etc…
  53. IAM Permissions: AssumeRole Policies
     • iam:UpdateAssumeRolePolicy + sts:AssumeRole
  54. IAM Permissions: PassRole Policies
     • iam:PassRole + Processing Data
  55. Manipulating Resources: Resources Processing Data
     • Create New
     • Affect Inputs
  56. Manipulating Resources: Lambda
     • lambda:UpdateFunctionCode
     • lambda:PublishLayerVersion
     • + Function w/ Role
  57. Manipulating Resources: SSM & EC2
     • SendCommand
     • StartSession
     • + Instance Profile w/ Role
  58. Manipulating Resources: AWS Services
     • Numerous… e.g. w/ a Role
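As an added example (not part of the talk or of any linked project), the following Python checker flags the privilege-escalation-relevant IAM actions from the Common Priv Esc Access Vectors slides in a set of policy documents, handling the wildcard action patterns ("iam:Attach*Policy", "iam:*", "*"), NotAction, and explicit Deny that IAM policies allow. The policy documents and the account id are constructed sample input.

```python
import fnmatch

# Priv-esc actions from slides 51-58 (Attach*/Put*Policy expanded; SSM calls prefixed ssm:).
PRIVESC_ACTIONS = {
    "Users": ["iam:CreateAccessKey", "iam:UpdateLoginProfile", "iam:AddUserToGroup"],
    "Permissions Policies": [
        "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
        "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
        "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy"],
    "AssumeRole Policies": ["iam:UpdateAssumeRolePolicy"],
    "PassRole": ["iam:PassRole"],
    "Lambda": ["lambda:UpdateFunctionCode", "lambda:PublishLayerVersion"],
    "SSM & EC2": ["ssm:SendCommand", "ssm:StartSession"],
}


def _as_list(value):
    """IAM accepts a bare string or a list for Action, NotAction, Resource and Statement."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """IAM action names are case-insensitive and patterns may use '*' and '?'."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def statement_grants(stmt, action):
    """True if one statement's Action (or NotAction complement) covers `action`."""
    if "Action" in stmt:
        return _matches(action, _as_list(stmt["Action"]))
    return "NotAction" in stmt and not _matches(action, _as_list(stmt["NotAction"]))


def flag_privesc(policies):
    """Sorted (vector, action, resource) triples for priv-esc actions allowed by
    any statement and not explicitly denied. Conditions are ignored and a Deny
    is applied regardless of Resource, so treat hits as leads to review."""
    stmts = [s for p in policies for s in _as_list(p.get("Statement"))]
    found = set()
    for vector, actions in PRIVESC_ACTIONS.items():
        for action in actions:
            if any(s.get("Effect") == "Deny" and statement_grants(s, action) for s in stmts):
                continue
            for s in stmts:
                if s.get("Effect") == "Allow" and statement_grants(s, action):
                    for res in _as_list(s.get("Resource", "*")):
                        found.add((vector, action, res))
    return sorted(found)


# Constructed sample policies loosely modelled on the deck's rydia walkthrough
# (the account id is a placeholder, not a real account).
SAMPLE_POLICIES = [
    {"Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/ec2-s3-ro"}]},
    {"Statement": [
        {"Effect": "Allow", "Action": ["iam:Attach*Policy", "iam:Get*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:AttachUserPolicy", "Resource": "*"}]},
]
```

Run `flag_privesc(SAMPLE_POLICIES)` to see that `ec2:*` produces no hit while the wildcard `iam:Attach*Policy` expands to the two Attach actions not covered by the Deny, plus the scoped `iam:PassRole`.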