HHC 2022 - Cloud Ring Walkthrough

4.1 AWS CLI Intro

Objective

Try out some basic AWS command line skills in this terminal. Talk to Jill Underpole in the Cloud Ring for hints.

Walkthrough

elf@8bf7f588136b:~$ aws configure
AWS Access Key ID [None]: AKQAAYRKO7A5Q5XUY2IY 
AWS Secret Access Key [None]: qzTscgNdcdwIo/soPKPoJn9sBrl5eMQQL19iO5uf
Default region name [None]: us-east-1
Default output format [None]: 
elf@8bf7f588136b:~$ 

Step 2

Excellent! To finish, please get your caller identity using the AWS command line. For more details please reference:
$ aws sts help
or reference:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/index.html

Answer

elf@8bf7f588136b:~$ aws sts get-caller-identity
{
    "UserId": "AKQAAYRKO7A5Q5XUY2IY",
    "Account": "602143214321",
    "Arn": "arn:aws:iam::602143214321:user/elf_helpdesk"
}

4.2 Find the Next Objective

Talk to Jill Underpole for the next objective.

As with all the other "Find the Next Objective" tasks, find the character in the hall, and chat with them to find the next objective.

4.3 Trufflehog Search

Objective

Use Trufflehog to find secrets in a Git repo. Work with Jill Underpole in the Cloud Ring for hints. What's the name of the file that has AWS credentials?

Hints

  • You can search for secrets in a Git repo with trufflehog git https://some.repo/here.git
  • If you want to look at an older code commit with git, you can git checkout CommitNumberHere

Walkthrough

Use Trufflehog to find credentials in the Gitlab instance at https://haugfactory.com/asnowball/aws_scripts.git.

Configure these credentials for us-east-1 and then run:
``$ aws sts get-caller-identity`

Commands

Run trufflehog, pointing towards the git repository. ย It mentions a specific commit to look at.

elf@6103cc444d71:~/aws_scripts$ trufflehog git https://haugfactory.com/asnowball/aws_scripts.gi
t                                                                                              
๐Ÿท๐Ÿ”‘๐Ÿท  TruffleHog. Unearth your secrets. ๐Ÿท๐Ÿ”‘๐Ÿท                                               5/338]
                                                                                               
Found unverified result ๐Ÿท๐Ÿ”‘โ“                                                                 38]
Detector Type: AWS                                                                             
Decoder Type: PLAIN                                                                            
Raw result: AKIAAIDAYRANYAHGQOHD                                                               
Line: 6                                                                                        
Commit: 106d33e1ffd53eea753c1365eafc6588398279b5                                               
File: put_policy.py                                                                            
Email: asnowball <alabaster@northpolechristmastown.local>                                      
Repository: https://haugfactory.com/asnowball/aws_scripts.git                                  
Timestamp: 2022-09-07 07:53:12 -0700 -0700    

Checkout that commit (106d33e1ffd53eea753c1365eafc6588398279b5) mentioned in the trufflehog output.


elf@6103cc444d71:~/aws_scripts$ git checkout 106d33e1ffd53eea753c1365eafc6588398279b5          
Note: switching to '106d33e1ffd53eea753c1365eafc6588398279b5'.                                 

<--  Truncated for Brevity -->

Read the file mentioned from the trufflehog output, put_policy.py, which provides the necessary credentials to run aws configure

elf@6103cc444d71:~/aws_scripts$ cat put_policy.py 
import boto3
import json


iam = boto3.client('iam',
    region_name='us-east-1',
    aws_access_key_id="AKIAAIDAYRANYAHGQOHD",
    aws_secret_access_key="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",
)
# arn:aws:ec2:us-east-1:accountid:instance/*
response = iam.put_user_policy(
    PolicyDocument='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["ssm:SendC
ommand"],"Resource":["arn:aws:ec2:us-east-1:748127089694:instance/i-0415bfb7dcfe279c5","arn:aws
:ec2:us-east-1:748127089694:document/RestartServices"]}]}',
    PolicyName='AllAccessPolicy',
    UserName='nwt8_test',
)


elf@6103cc444d71:~/aws_scripts$ aws configure
AWS Access Key ID [None]: AKIAAIDAYRANYAHGQOHD
AWS Secret Access Key [None]: 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
Default region name [None]: us-east-1
Default output format [None]:

Follow the question's initial instructions, and run get-caller-identity

elf@6103cc444d71:~/aws_scripts$ aws sts get-caller-identity
{
    "UserId": "AIDAJNIAAQYHIAAHDDRA",
    "Account": "602123424321",
    "Arn": "arn:aws:iam::602123424321:user/haug"
}

4.4 Find the Next Objective

Talk to Gerty Snowburrow to find the next objective

4.5 Exploitation via AWS CLI

Objective

Flex some more advanced AWS CLI skills to escalate privileges! Help Gerty Snowburrow in the Cloud Ring to get hints for this challenge.

Walkthrough

Open the Raspberry Pi next to Gerty, and begin to answer the questions in the upper pane. ย Each successful command run will load the next question.

Managed (think: shared) policies can be attached to multiple users. Use the AWS CLI to find any policies attached to your user.

elf@6103cc444d71:~/aws_scripts$ aws iam list-attached-user-policies --user-name haug
{
    "AttachedPolicies": [
        {
            "PolicyName": "TIER1_READONLY_POLICY",
            "PolicyArn": "arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY"
        }
    ],
    "IsTruncated": false
}
elf@6103cc444d71:~/aws_scripts$ 

Now, view or get the policy that is attached to your user.

elf@6103cc444d71:~/aws_scripts$ aws iam get-policy --policy-arn "arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY"
{
    "Policy": {
        "PolicyName": "TIER1_READONLY_POLICY",
        "PolicyId": "ANPAYYOROBUERT7TGKUHA",
        "Arn": "arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 11,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "Description": "Policy for tier 1 accounts to have limited read only access to certain resources in IAM, S3, and LAMBDA.",
        "CreateDate": "2022-06-21 22:02:30+00:00",
        "UpdateDate": "2022-06-21 22:10:29+00:00",
        "Tags": []
    }
}

Attached policies can have multiple versions. View the default version of this policy.

elf@6103cc444d71:~/aws_scripts$ aws iam get-policy-version --policy-arn "arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY" --version-id "v1"                                            
{                                                                                              
    "PolicyVersion": {                                                                         
        "Document": {   
            "Version": "2012-10-17",                                                   [23/827]
            "Statement": [                                                                     
                {                                                                              
                    "Effect": "Allow",                                                         
                    "Action": [                                                                
                        "lambda:ListFunctions",                                                
                        "lambda:GetFunctionUrlConfig"                                          
                    ],                                                                         
                    "Resource": "*"                                                            
                },                                                                             
                {                                                                              
                    "Effect": "Allow",                                                         
                    "Action": [                                                                
                        "iam:GetUserPolicy",                                                   
                        "iam:ListUserPolicies",                                                
                        "iam:ListAttachedUserPolicies"                                         
                    ],                                                                         
                    "Resource": "arn:aws:iam::602123424321:user/${aws:username}"               
                },                                                                             
                {                                                                              
                    "Effect": "Allow",  
                   "Action": [                                                         [2/827]
                        "iam:GetPolicy",                                                       
                        "iam:GetPolicyVersion"                                                 
                    ],
                    "Resource": "arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY"
                },
                {
                    "Effect": "Deny",
                    "Principal": "*",
                    "Action": [
                        "s3:GetObject",
                        "lambda:Invoke*"
                    ],
                    "Resource": "*"
                }
            ]
        },
        "VersionId": "v1",
        "IsDefaultVersion": false,
        "CreateDate": "2022-06-21 22:02:30+00:00"
    }
}

Inline policies are policies that are unique to a particular identity or resource. Use the AWS CLI to list the inline policies associated with your user.

elf@6103cc444d71:~/aws_scripts$ aws iam list-user-policies --user-name haug
{
    "PolicyNames": [
        "S3Perms"
    ],
    "IsTruncated": false
}

Now, use the AWS CLI to get the only inline policy for your user.

elf@b3b29f0abc10:~/aws_scripts$ aws iam get-user-policy --user-name haug --policy-name S3Perms
{
    "UserPolicy": {
        "UserName": "haug",
        "PolicyName": "S3Perms",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "s3:ListObjects"
                    ],
                    "Resource": [
                        "arn:aws:s3:::smogmachines3",
                        "arn:aws:s3:::smogmachines3/*"
                    ]
                }
            ]
        }
    },
    "IsTruncated": false
}

The inline user policy named S3Perms disclosed the name of an S3 bucket that you have permissions to list objects. ย List those objects!

The aws s3 command to list functions can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/index.html

elf@b3b29f0abc10:~/aws_scripts$ aws s3api list-objects --bucket smogmachines3                  
{                                                                                              
    "IsTruncated": false,                                                                      
    "Marker": "",                                                                              
    "Contents": [                                                                              
        {                                                                                      
            "Key": "coal-fired-power-station.jpg",                                             
            "LastModified": "2022-09-23 20:40:44+00:00",                                       
            "ETag": "\"1c70c98bebaf3cff781a8fd3141c2945\"",                                    
            "Size": 59312,                                                                     
            "StorageClass": "STANDARD",                                                        
            "Owner": {                                                                         
                "DisplayName": "grinchum",                                                     
                "ID": "15f613452977255d09767b50ac4859adbb2883cd699efbabf12838fce47c5e60"       
            }                                                                                  
        },                                                                                     
        {                                                                                      
            "Key": "industry-smog.png",                                                        
            "LastModified": "2022-09-23 20:40:47+00:00",                                       
            "ETag": "\"c0abe5cb56b7a33d39e17f430755e615\"",                                    
            "Size": 272528,                                                                    
            "StorageClass": "STANDARD",                                                        
            "Owner": {                                                                         
                "DisplayName": "grinchum",                                                     
                "ID": "15f613452977255d09767b50ac4859adbb2883cd699efbabf12838fce47c5e60"       
            }                                                                                  
        },                                                                                     
        {                                                                                      
            "Key": "pollution-smoke.jpg",                                                      
            "LastModified": "2022-09-23 20:40:43+00:00",                                       
            "ETag": "\"465b675c70d73027e13ffaec1a38beec\"",
            "Size": 33064,
            "StorageClass": "STANDARD",
            "Owner": {
                "DisplayName": "grinchum",
                "ID": "15f613452977255d09767b50ac4859adbb2883cd699efbabf12838fce47c5e60"
            }
        },
        {
            "Key": "pollution.jpg",
            "LastModified": "2022-09-23 20:40:45+00:00",
            "ETag": "\"d40d1db228c9a9b544b4c552df712478\"",
            "Size": 81775,
            "StorageClass": "STANDARD",
            "Owner": {
                "DisplayName": "grinchum",
                "ID": "15f613452977255d09767b50ac4859adbb2883cd699efbabf12838fce47c5e60"
            }
        },
       {
            "Key": "power-station-smoke.jpg",
            "LastModified": "2022-09-23 20:40:48+00:00",
            "ETag": "\"2d7a8c8b8f5786103769e98afacf57de\"",
            "Size": 45264,
            "StorageClass": "STANDARD",
            "Owner": {
                "DisplayName": "grinchum",
                "ID": "15f613452977255d09767b50ac4859adbb2883cd699efbabf12838fce47c5e60"
            }
        },
        {
            "Key": "smog-power-station.jpg",
            "LastModified": "2022-09-23 20:40:46+00:00",
            "ETag": "\"0e69b8d53d97db0db9f7de8663e9ec09\"",
            "Size": 32498,
            "StorageClass": "STANDARD",
            "Owner": {
                "DisplayName": "grinchum",
                "ID": "15f613452977255d09767b50ac4859adbb2883cd699efbabf12838fce47c5e60"
            }
        },
        {
            "Key": "smogmachine_lambda_handler_qyJZcqvKOthRMgVrAJqq.py",
            "LastModified": "2022-09-26 16:31:33+00:00",
            "ETag": "\"fd5d6ab630691dfe56a3fc2fcfb68763\"",
            "Size": 5823,
            "StorageClass": "STANDARD",
            "Owner": {
                "DisplayName": "grinchum",
                "ID": "15f613452977255d09767b50ac4859adbb2883cd699efbabf12838fce47c5e60"
            }
        }
    ],
    "Name": "smogmachines3",
    "Prefix": "",
    "MaxKeys": 1000,
    "EncodingType": "url"
}

The attached user policy provided you several Lambda privileges. Use the AWS CLI to list Lambda functions.

The aws lambda command to list functions can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/index.html

elf@b3b29f0abc10:~/aws_scripts$ aws lambda list-functions
{
    "Functions": [
        {
            "FunctionName": "smogmachine_lambda",
            "FunctionArn": "arn:aws:lambda:us-east-1:602123424321:function:smogmachine_lambda",
            "Runtime": "python3.9",
            "Role": "arn:aws:iam::602123424321:role/smogmachine_lambda",
            "Handler": "handler.lambda_handler",
            "CodeSize": 2126,
            "Description": "",
            "Timeout": 600,
            "MemorySize": 256,
            "LastModified": "2022-09-07T19:28:23.634+0000",
            "CodeSha256": "GFnsIZfgFNA1JZP3TgTI0tIavOpDLiYlg7oziWbtRsa=",
            "Version": "$LATEST",
            "VpcConfig": {
                "SubnetIds": [
                    "subnet-8c80a9cb8b3fa5505"
                ],
                "SecurityGroupIds": [
                    "sg-b51a01f5b4711c95c"
                ],
                "VpcId": "vpc-85ea8596648f35e00"
            },
            "Environment": {
                "Variables": {
                    "LAMBDASECRET": "975ceab170d61c75",
                    "LOCALMNTPOINT": "/mnt/smogmachine_files"
                }
            },
            "TracingConfig": {
                "Mode": "PassThrough"
            },
            "RevisionId": "7e198c3c-d4ea-48dd-9370-e5238e9ce06e",
            "FileSystemConfigs": [
                {
                    "Arn": "arn:aws:elasticfilesystem:us-east-1:602123424321:access-point/fsap-db3277b03c6e975d2",
                    "LocalMountPath": "/mnt/smogmachine_files"
                }
            ],
            "PackageType": "Zip",
            "Architectures": [
                "x86_64"
            ],
            "EphemeralStorage": {
                "Size": 512
            }
        }
    ]
}

Lambda functions can have public URLs from which they are directly accessible. Use the AWS CLI to get the configuration containing the public URL of the Lambda function.

The aws lambda command to get the function URL config can be found here:
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/index.html

elf@b3b29f0abc10:~/aws_scripts$ aws lambda get-function-url-config --function-name smogmachine_lambda
{
    "FunctionUrl": "https://rxgnav37qmvqxtaksslw5vwwjm0suhwc.lambda-url.us-east-1.on.aws/",
    "FunctionArn": "arn:aws:lambda:us-east-1:602123424321:function:smogmachine_lambda",
    "AuthType": "AWS_IAM",
    "Cors": {
        "AllowCredentials": false,
        "AllowHeaders": [],
        "AllowMethods": [
            "GET",
            "POST"
        ],
        "AllowOrigins": [
            "*"
        ],
        "ExposeHeaders": [],
        "MaxAge": 0
    },
    "CreationTime": "2022-09-07T19:28:23.808713Z",
    "LastModifiedTime": "2022-09-07T19:28:23.808713Z"

GLORRYYYYY

Completing the Exploitation via AWS CLI Command line is the last objective and allows us to recover the Cloud Ring!!! GLORY!!!!

More Walkthroughs

Below are the other walkthroughs for the 2022 Holiday Hack Challenge: