
Breach In The Cloud Writeup

This challenge gives us a scenario in which we have been alerted to a potential security threat. The Huge Logistics security team has provided us with the AWS keys of an account that saw unusual activity, as well as the AWS CloudTrail logs from around the time of that activity. They need our expertise to confirm the breach by analyzing the CloudTrail logs and identifying the compromised AWS service and any data that was exfiltrated.

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of an AWS account by recording the API calls made in it, including who made each call, from where, and whether it succeeded.


Let's start with the challenge.

We have been given the following AWS Credentials at the start.

[Screenshot: exposed credentials shown at the start of the challenge]

Let's configure our aws-cli using these credentials.

┌──(kali㉿kali)-[~/Desktop/pwnedlabs/BreachInTheCloud]
└─$ aws sts get-caller-identity | jq
{
  "UserId": "AIDARSCCN4A3X2YWZ37ZI",
  "Account": "107513503799",
  "Arn": "arn:aws:iam::107513503799:user/temp-user"
}

I downloaded the log files from the Discord server and unzipped them to get the following files.

┌──(kali㉿kali)-[~/Desktop/pwnedlabs/BreachInTheCloud]
└─$ ls    
107513503799_CloudTrail_us-east-1_20230826T2035Z_PjmwM7E4hZ6897Aq.json  107513503799_CloudTrail_us-east-1_20230826T2100Z_APB7fBUnHmiWjHtg.json
107513503799_CloudTrail_us-east-1_20230826T2040Z_UkDeakooXR09uCBm.json  107513503799_CloudTrail_us-east-1_20230826T2105Z_fpp78PgremAcrW5c.json
107513503799_CloudTrail_us-east-1_20230826T2050Z_iUtQqYPskB20yZqT.json  107513503799_CloudTrail_us-east-1_20230826T2120Z_UCUhsJa0zoFY3ZO0.json
107513503799_CloudTrail_us-east-1_20230826T2055Z_W0F5uypAbGttUgSn.json

Let's break down the file name format to understand the data.

107513503799_CloudTrail_us-east-1_20230826T2035Z_PjmwM7E4hZ6897Aq.json

107513503799 => Account ID
CloudTrail => Service Name
us-east-1 => Region
20230826T2035Z => Timestamp
PjmwM7E4hZ6897Aq => Random Identifier

File 1

On analyzing the first file, 107513503799_CloudTrail_us-east-1_20230826T2035Z_PjmwM7E4hZ6897Aq.json, all the activity was related to the root user; only one event was for temp-user, the user whose keys we have.

{
      "eventVersion": "1.08",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDARSCCN4A3X2YWZ37ZI",
        "arn": "arn:aws:iam::107513503799:user/temp-user",
        "accountId": "107513503799",
        "userName": "temp-user"
      },
      "eventTime": "2023-08-26T20:29:37Z",
      "eventSource": "sts.amazonaws.com",
      "eventName": "GetCallerIdentity",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "84.32.71.19",
      "userAgent": "aws-cli/1.27.74 Python/3.10.6 Linux/5.15.90.1-microsoft-standard-WSL2 botocore/1.29.74",
      "requestParameters": null,
      "responseElements": null,
      "requestID": "3db296ab-c531-4b4a-a468-e1b05ec83246",
      "eventID": "ea6ae4b8-aae8-4fca-a495-2df427bdce46",
      "readOnly": true,
      "eventType": "AwsApiCall",
      "managementEvent": true,
      "recipientAccountId": "107513503799",
      "eventCategory": "Management",
      "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "sts.amazonaws.com"
      }
    }

It is just a call to the GetCallerIdentity API.

File 2

In the next file, 107513503799_CloudTrail_us-east-1_20230826T2040Z_UkDeakooXR09uCBm.json, temp-user tried to list the objects inside the emergency-data-recovery S3 bucket and received an Access Denied error.

[Screenshot: Access Denied on listing the S3 bucket]

File 3

The third file, 107513503799_CloudTrail_us-east-1_20230826T2050Z_iUtQqYPskB20yZqT.json, contains a bunch of API calls made by temp-user that all failed with Access Denied.

[Screenshot: error messages on the API calls]

File 4

The fourth file, 107513503799_CloudTrail_us-east-1_20230826T2055Z_W0F5uypAbGttUgSn.json, is also a bunch of Access Denied error messages.

[Screenshot: error messages in the log file]

File 5

In the fifth file, 107513503799_CloudTrail_us-east-1_20230826T2100Z_APB7fBUnHmiWjHtg.json, we can see that temp-user called the AssumeRole API and obtained temporary credentials for the AdminRole role for a limited duration.

File 6

In the last file, 107513503799_CloudTrail_us-east-1_20230826T2120Z_UCUhsJa0zoFY3ZO0.json, we can see that the AdminRole session successfully makes ListObject and GetObject API calls.

[Screenshot: ListObject API access by the AdminRole session]
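To make this kind of review repeatable rather than a file-by-file read, here is an added Python example (not part of the original write-up or the lab material) that parses the CloudTrail file name format broken down above and walks the records of a log file to flag the chain seen across the six files: a user that collects AccessDenied errors, then succeeds at AssumeRole, after which the resulting role session reads S3 data. The records embedded in the block are constructed to mirror the write-up's events (the account, user, role, bucket and source IP are the lab's; the EC2 call, the session name and every timestamp after the first are made up), so the script runs offline; pass real log file paths as arguments to run it over the downloaded files instead.

```python
import json
import re
import sys
from collections import Counter, defaultdict

# Log file names: <accountId>_CloudTrail_<region>_<YYYYMMDDTHHMMZ>_<randomId>.json
FILENAME_RE = re.compile(
    r"^(?P<account>\d{12})_CloudTrail_(?P<region>[a-z0-9-]+)_"
    r"(?P<timestamp>\d{8}T\d{4}Z)_(?P<uid>[A-Za-z0-9]+)\.json$")

def parse_filename(name):
    """Split a CloudTrail log file name into account, region, timestamp and id."""
    m = FILENAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a CloudTrail log file name: {name}")
    return m.groupdict()

def role_name(arn):
    """Role name from '...:role/AdminRole' or '...:assumed-role/AdminRole/sess'."""
    return arn.split("/")[1]

def summarize(records):
    """Per caller ARN: number of API calls, AccessDenied errors and event names."""
    out = defaultdict(lambda: {"calls": 0, "denied": 0, "events": Counter()})
    for r in records:
        s = out[r["userIdentity"].get("arn", "<unknown>")]
        s["calls"] += 1
        s["events"][f'{r["eventSource"]}:{r["eventName"]}'] += 1
        if r.get("errorCode") == "AccessDenied":
            s["denied"] += 1
    return dict(out)

def find_escalation(records):
    """Flag the chain seen across the lab's files: a user collects AccessDenied
    errors, then succeeds at AssumeRole, then the role session reads S3 data.
    One finding is returned per S3 read that completes the chain."""
    denied = Counter()   # caller ARN -> AccessDenied errors seen so far
    assumed = {}         # role name -> user ARN that assumed it
    findings = []
    for r in sorted(records, key=lambda rec: rec["eventTime"]):
        who = r["userIdentity"].get("arn", "<unknown>")
        if r.get("errorCode") == "AccessDenied":
            denied[who] += 1
        elif r["eventName"] == "AssumeRole" and not r.get("errorCode"):
            assumed[role_name(r["requestParameters"]["roleArn"])] = who
        elif (r["userIdentity"].get("type") == "AssumedRole"
              and r["eventSource"] == "s3.amazonaws.com"
              and r["eventName"] in ("ListObjects", "GetObject")
              and not r.get("errorCode")):
            role = role_name(who)
            if role in assumed:
                params = r.get("requestParameters") or {}
                findings.append({"user": assumed[role], "role": role,
                                 "denied_before": denied[assumed[role]],
                                 "action": r["eventName"], "time": r["eventTime"],
                                 "bucket": params.get("bucketName"), "key": params.get("key")})
    return findings

# Constructed sample mirroring the write-up's six files (account, user, role and bucket
# names are the lab's; the EC2 call, session name and later timestamps are made up).
USER = "arn:aws:iam::107513503799:user/temp-user"
SESSION = "arn:aws:sts::107513503799:assumed-role/AdminRole/examplesession"
BUCKET = "emergency-data-recovery"

def _ev(time, source, name, user_type, arn, **extra):
    rec = {"eventTime": time, "eventSource": source, "eventName": name, "awsRegion": "us-east-1",
           "sourceIPAddress": "84.32.71.19", "userIdentity": {"type": user_type, "arn": arn}}
    rec.update(extra)
    return rec

SAMPLE_RECORDS = [
    _ev("2023-08-26T20:29:37Z", "sts.amazonaws.com", "GetCallerIdentity", "IAMUser", USER),
    _ev("2023-08-26T20:38:10Z", "s3.amazonaws.com", "ListObjects", "IAMUser", USER,
        errorCode="AccessDenied", requestParameters={"bucketName": BUCKET}),
    _ev("2023-08-26T20:47:03Z", "ec2.amazonaws.com", "DescribeInstances", "IAMUser", USER,
        errorCode="AccessDenied"),
    _ev("2023-08-26T20:58:02Z", "sts.amazonaws.com", "AssumeRole", "IAMUser", USER,
        requestParameters={"roleArn": "arn:aws:iam::107513503799:role/AdminRole",
                           "roleSessionName": "examplesession"}),
    _ev("2023-08-26T21:15:40Z", "s3.amazonaws.com", "ListObjects", "AssumedRole", SESSION,
        requestParameters={"bucketName": BUCKET}),
    _ev("2023-08-26T21:16:05Z", "s3.amazonaws.com", "GetObject", "AssumedRole", SESSION,
        requestParameters={"bucketName": BUCKET, "key": "emergency.txt"}),
]

if __name__ == "__main__":
    # Usage: python cloudtrail_review.py <log file>...  (no arguments: built-in sample)
    records = []
    for path in sys.argv[1:]:
        print("file:", parse_filename(path.rsplit("/", 1)[-1]))
        with open(path) as fh:
            records.extend(json.load(fh)["Records"])
    for arn, s in summarize(records or SAMPLE_RECORDS).items():
        print(f"{arn}: {s['calls']} calls, {s['denied']} AccessDenied, {dict(s['events'])}")
    for finding in find_escalation(records or SAMPLE_RECORDS):
        print("FINDING:", finding)
```

The summary alone already separates the noisy principal (temp-user, with its pile of AccessDenied errors) from the quiet one (the AdminRole session, which only reads the bucket); the escalation check then ties the two together through the AssumeRole event so the finding names the user, the role, and the objects read. Matching the session back to its user by role name is a simplification for the example: on real logs the AssumeRole event's responseElements and the session's sessionContext give a more precise link.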

After analyzing the log files, let's try to retrace the steps and get access.

Retracing The Steps

I configured the aws-cli with the credentials given at the start of the lab to get access as temp-user.

$ aws sts get-caller-identity
[Screenshot: access as temp-user in aws-cli]

Now let's check what policies are attached to temp-user.

$ aws iam list-user-policies --user-name temp-user
[Screenshot: policies for temp-user]

Let's check the policy to see which actions we are allowed to perform as temp-user.

$ aws iam get-user-policy --user-name temp-user --policy-name test-temp-user
[Screenshot: actions allowed by the temp-user policy]

Assuming the Role

$ aws sts assume-role --role-arn arn:aws:iam::107513503799:role/AdminRole --role-session-name hellosesssion
[Screenshot: details of the assumed-role credentials returned]

I exported the returned temporary credentials as environment variables to act as the AdminRole.

[Screenshot: exporting the environment variables]

Let's run get-caller-identity again to confirm our current identity.

$ aws sts get-caller-identity
[Screenshot: identity check after exporting the variables]

We saw in the logs that there was a bucket named emergency-data-recovery. Let's list the contents of that bucket.

$ aws s3 ls s3://emergency-data-recovery
[Screenshot: listing the contents of the S3 bucket]

Copy the objects to our local machine.

$ aws s3 cp s3://emergency-data-recovery/emergency.txt .

$ aws s3 cp s3://emergency-data-recovery/message.txt .
[Screenshot: copying the contents of the bucket to my machine]

Let's read the content of message.txt.

[Screenshot: reading the message in the text files]

The flag is in the emergency.txt file.

The Lab has been pwned!!

Thank you! Happy Hacking :D

This post is licensed under CC BY 4.0 by the author.