This is the fourth in the walkthrough series of the CloudGoat scenarios. CloudGoat is a “vulnerable by design” AWS deployment tool designed by Rhino Security Labs. It is used to deploy a vulnerable set of AWS resources and is designed to teach and test cloud security penetration testing via issues commonly seen in real-life environments.
This walkthrough assumes you have CloudGoat set up on your Kali Linux. You can use our post on Working with CloudGoat: The “Vulnerable by Design” AWS Environment as a guide in deploying it.
The scenario starts with an IAM user, Kerrigan, with a limited set of permissions. The attacker is able to leverage the instance-profile-attachment permissions to create a new EC2 instance with significantly greater privileges than their own. With access to this new EC2 instance, the attacker gains full administrative powers within the target account.
Goal: Delete the “cg-super-critical security-server”.
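To find this weakness in your own account before someone else does, the following added example (not part of CloudGoat or the original walkthrough) audits IAM policy documents for the permission combinations that make instance-profile attachment an escalation path. The list of risky action combinations and the sample policies are assumptions of this example; the page does not enumerate Kerrigan's exact permissions.

```python
from fnmatch import fnmatchcase

# Action combinations that let a principal put a more privileged role on an
# EC2 instance it controls. The page does not enumerate them; this set is
# the example's assumption.
RISKY_COMBOS = {
    "launch instance with chosen profile": {"ec2:runinstances", "iam:passrole"},
    "swap role inside an instance profile": {"iam:addroletoinstanceprofile",
                                             "iam:removerolefrominstanceprofile"},
    "attach profile to running instance": {"ec2:associateiaminstanceprofile",
                                           "iam:passrole"},
}

def _as_list(value):
    # IAM allows Statement and Action to be a single item or a list.
    return value if isinstance(value, list) else [value]

def allowed_patterns(policy_docs):
    """Collect lower-cased Action patterns from every Allow statement."""
    patterns = set()
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") == "Allow":
                patterns.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return patterns

def find_attachment_privesc(policy_docs):
    """Return names of risky combos fully granted by the Allow statements.
    Simplification: Deny, NotAction, Resource and Condition are ignored, so
    a hit means 'review this principal', not 'confirmed escalation path'."""
    patterns = allowed_patterns(policy_docs)
    def granted(action):
        return any(fnmatchcase(action, p) for p in patterns)
    return sorted(name for name, needed in RISKY_COMBOS.items()
                  if all(granted(a) for a in needed))

# Constructed sample policies (not CloudGoat's actual policy documents).
LIMITED_USER = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "iam:*InstanceProfile"], "Resource": "*"},
]}]
READ_ONLY = [{"Version": "2012-10-17", "Statement":
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}}]

if __name__ == "__main__":
    print(find_attachment_privesc(LIMITED_USER))
    print(find_attachment_privesc(READ_ONLY))
```

A principal that looks "limited" but matches any of these combinations should have `iam:PassRole` scoped to specific role ARNs and its instance-profile actions restricted to named profiles.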
To deploy the resources for each scenario on AWS:
./cloudgoat.py create iam_privesc_by_attachment
1. Deploying the resources gives us the access key and secret key for Kerrigan.
2. Save the credentials to a profile — Kerrigan.
3. Perform reconnaissance on the user