Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixed some issues on guides to standardize with the rest of the project #196

Merged
merged 10 commits into from
Jan 16, 2025
4 changes: 2 additions & 2 deletions scenarios/codebuild_secrets/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@

## Scenario Start(s)

IAM User "Solo"
IAM User "Solo".

## Scenario Goal(s)

Expand Down Expand Up @@ -69,4 +69,4 @@ A cheat sheet for this route is available [here](./cheat_sheet_calrissian.md).
2. Using the RDS credentials and address recovered from the EC2 metadata service, the attacker is able to directly log in to the RDS database.
3. With full access to the RDS database, the attacker is able to recover the scenario's goal: A pair of secret strings!

A cheat sheet for this route is available [here](./cheat_sheet_solo.md).
A cheat sheet for this route is available [here](./cheat_sheet_solo.md).
43 changes: 15 additions & 28 deletions scenarios/detection_evasion/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,53 +23,40 @@

## Scenario Goal(s)

The goal of this scenario is to read out the values for both secrets without being detected. The secrets are both stored
in Secrets Manager, and their values have the following format (cg-secret-XXXXXX-XXXXXX).
The goal of this scenario is to read out the values for both secrets without being detected. The secrets are both stored in Secrets Manager, and their values have the following format (cg-secret-XXXXXX-XXXXXX).

## Summary (TLDR setup below)

This scenario is significantly different from the CloudGoat scenarios that have come before in how it plays.
In detection_evasion, your goals will be outlined for you more clearly, and the challenge is to complete them without
triggering alarms. There is more setup involved in this scenario, and it will take longer to play (you might want/need
to play it multiple times).
In detection_evasion, your goals will be outlined for you more clearly, and the challenge is to complete them without triggering alarms. There is more setup involved in this scenario, and it will take longer to play (you might want/need to play it multiple times).

For starters, you will need to provide an email address to which cloudgoat can send email alerts. When/If you are
detected by the automated mechanisms, an alert will be sent to this email address. If you don't want to use your
standard email address, you can consider a service such as https://temp-mail.org/ or https://www.fakemail.net/.
For starters, you will need to provide an email address to which cloudgoat can send email alerts. When/If you are detected by the automated mechanisms, an alert will be sent to this email address. If you don't want to use your standard email address, you can consider a service such as https://temp-mail.org/ or https://www.fakemail.net/.

After deployment is complete, you will need to wait about an hour before playing the scenario. This is, unfortunately,
necessary for the cloudwatch alerts to fully integrate with cloudtrails logs. It should also be kept in mind that there
can be a significant delay in alerts for actions that you take (10-15 minutes is not uncommon). So check your email
After deployment is complete, you will need to wait about an hour before playing the scenario. This is, unfortunately, necessary for the cloudwatch alerts to fully integrate with cloudtrails logs. It should also be kept in mind that there can be a significant delay in alerts for actions that you take (10-15 minutes is not uncommon). So check your email
periodically to see if you have triggered an alert.

## TLDR Setup

1. Set up a temporary email address if desired.
2. Deploy the cloudgoat scenario. You will need to enter your email when prompted, and it will subsequently be stored
in the 'config.yml' file at the top level of the repo.
3. Check your email address for SNS confirmation emails; there should be two. Confirm that you want to subscribe to the
topics.
4. Wait 30-60 minutes before working on the scenario. This is necessary because there is some lag between the time that
terraform finishes deploying all resources, and the time that your CLI actions will actually trigger the alerts that
result in email notifications.
5. Read the 'start.txt' file that is generated after deployment for some guidance. There will not be major spoilers in
this file (as there are in [cheat_sheet.md](cheat_sheet.md))
2. Deploy the cloudgoat scenario. You will need to enter your email when prompted, and it will subsequently be stored in the 'config.yml' file at the top level of the repo.
3. Check your email address for SNS confirmation emails; there should be two. Confirm that you want to subscribe to the topics.
4. Wait 30-60 minutes before working on the scenario. This is necessary because there is some lag between the time that terraform finishes deploying all resources, and the time that your CLI actions will actually trigger the alerts that result in email notifications.
5. Read the 'start.txt' file that is generated after deployment for some guidance. There will not be major spoilers in this file (as there are in [cheat_sheet.md](cheat_sheet.md))

# **SPOILER ALERT:** There are spoilers for the scenario below this point.

## Exploitation Route
## Exploitation Route(s)

![Scenario Route(s)](./detection_evasion_exploitation_route.png)

## Walkthrough Overview - Easy Path

1. discover that some of the credentials initially given to you are honeytokens, without triggering alerts.
2. install the aws cli on the instance
3. read the secret value of the corresponding secret from the ec2 instance to avoid detection.
1. Discover that some of the credentials initially given to you are honeytokens, without triggering alerts.
2. Install the aws cli on the instance.
3. Read the secret value of the corresponding secret from the ec2 instance to avoid detection.

## Walkthrough Overview - Hard Path

1. discover that some of the credentials initially given to you are honeytokens, without triggering alerts.
2. move onto the ec2 instance, and grab the credentials from IMDS
3. spoof the IP of the instance from which you grabbed the credentials, and read the secret value of the corresponding
4. secret.
1. Discover that some of the credentials initially given to you are honeytokens, without triggering alerts.
2. Move onto the ec2 instance, and grab the credentials from IMDS
3. Spoof the IP of the instance from which you grabbed the credentials, and read the secret value of the corresponding secret.
11 changes: 6 additions & 5 deletions scenarios/lambda_privesc/README.md
Original file line number Diff line number Diff line change
@@ -1,27 +1,28 @@

# Scenario: lambda_privesc

**Size:** Small
**Size:** Small

**Difficulty:** Easy

**Command:** `$ ./cloudgoat.py create lambda_privesc`

## Scenario Resources

1 IAM User
2 IAM Roles
- 1 IAM User
- 2 IAM Roles

## Scenario Start(s)

1. IAM User Chris
1. IAM User Chris

## Scenario Goal(s)

Acquire full admin privileges.

## Summary

Starting as the IAM user Chris, the attacker discovers that they can assume a role that has full Lambda access and pass role permissions. The attacker can then perform privilege escalation to obtain full admin access.
Starting as the IAM user Chris, the attacker discovers that they can assume a role that has full Lambda access and pass role permissions. The attacker can then perform privilege escalation to obtain full admin access.

Note: This scenario may require you to create some AWS resources, and because CloudGoat can only manage resources it creates, you should remove them manually before running `./cloudgoat destroy`.

Expand Down
17 changes: 9 additions & 8 deletions scenarios/vulnerable_cognito/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,34 +2,35 @@
# Scenario: vulnerable_cognito

**Size:** Small

**Difficulty:** Moderate

**Command:** `$ ./cloudgoat.py create vulnerable_cognito`

## Scenario Resources

1 S3 bucket
1 Cognito Userpool
1 Cognito IdentityPool
1 API Gateway REST API
1 Lambda
1 IAM role
- 1 S3 bucket
- 1 Cognito Userpool
- 1 Cognito IdentityPool
- 1 API Gateway REST API
- 1 Lambda
- 1 IAM role

## Scenario Start(s)

1. API Gateway URL

## Scenario Goal(s)

Get Cognito IdentityPool credentials
Get Cognito IdentityPool credentials.

## Summary

In this scenario, you are presented with a signup and login page with AWS Cognito in the backend.
You need to bypass restrictions and exploit misconfigurations in Amazon Cognito in order to
elevate your privileges and get Cognito Identity Pool credentials.

## Exploitation Route
## Exploitation Route(s)

![Lucidchart Diagram](exploitation_route.png "Exploitation Route")

Expand Down
21 changes: 11 additions & 10 deletions scenarios/vulnerable_lambda/README.md
Original file line number Diff line number Diff line change
@@ -1,21 +1,22 @@

# Scenario: vulnerable_lambda

**Size:** Small
**Size:** Small

**Difficulty:** Easy

**Command:** `$ ./cloudgoat.py create vulnerable_lambda`

## Scenario Resources

1 IAM User
1 IAM Role
1 Lambda
1 Secret
- 1 IAM User
- 1 IAM Role
- 1 Lambda
- 1 Secret

## Scenario Start(s)

1. IAM User 'bilbo'
1. IAM User 'bilbo'

## Scenario Goal(s)

Expand All @@ -25,9 +26,9 @@ Find the scenario's secret. (cg-secret-XXXXXX-XXXXXX)

In this scenario, you start as the 'bilbo' user. You will assume a role with more privileges, discover a
lambda function that applies policies to users, and exploit a vulnerability in the function to escalate
the privileges of the bilbo user in order to search for secrets.
the privileges of the bilbo user in order to search for secrets.

## Exploitation Route
## Exploitation Route(s)

![Lucidchart Diagram](exploitation_route.png "Exploitation Route")

Expand All @@ -41,7 +42,7 @@ the privileges of the bilbo user in order to search for secrets.
5. Assume the lambda invoker role.
6. Craft an injection payload to send through the CLI.
7. Base64 encode that payload. The single quote injection character is not compatible with the aws cli command otherwise.
8. Invoke the policy applier lambda function, passing the name of the bilbo user and the injection payload.
9. Now that Bilbo is an admin, use credentials for that user to list secrets from secretsmanager.
8. Invoke the policy applier lambda function, passing the name of the bilbo user and the injection payload.
9. Now that Bilbo is an admin, use credentials for that user to list secrets from secretsmanager.

A cheat sheet for this route is available [here](./cheat_sheet.md).