This is the fifth in the walkthrough series of the CloudGoat scenarios. CloudGoat is a “vulnerable by design” aws deployment tool designed by Rhino security Labs. It is used to deploy a vulnerable set of AWS resources and is designed to teach and test cloud security penetration testing via issues commonly seen in real-life environments.
This walkthrough assumes you have CloudGoat setup on your Kali linux. You can use our post on Working with CloudGoat: The “Vulnerable by Design” AWS Environment as a guide in deploying it.
The scenario starts with an IAM user Solus. The attacker discovers they have ReadOnly permissions to a Lambda function, where hardcoded secrets lead them to an EC2 instance running a web application that is vulnerable to SSRF. After exploiting the vulnerable app and acquiring keys from the EC2 metadata service, the attacker gains access to a private S3 bucket with a set of keys that allow them to invoke the Lambda function and complete the scenario.
Goal: Invoke the Lambda function.
To deploy the resources for each scenario on AWS.
./cloudgoat.py create ec2_ssrf
Deploying the resources gives us the access key and secret key for Solus.