This scenario is based off of a real cloud breach regarding Capital One’s 2019 data breach that affected over 100 million customers.
This scenario starts off by providing a public IP address for the targeted EC2 instance. After querying the instance’s metadata service, the credentials can be used to obtain sensitive data in S3 buckets.
We go over how to mitigate this misconfiguration, how to exfiltrate credentials stealthily, and we look into the GuardDuty findings and CloudTrail logs to see what our activity looks like from a defender standpoint.
00:00 - Video Context
00:44 - Querying EC2 Metadata Service
03:35 - Bypassing GuardDuty Alerts
06:52 - SneakyEndpoints GuardDuty Bypass
09:14 - Retrieving Sensitive Data in S3
10:42 - Viewing CloudTrail Logs
13:07 - Potential for New GuardDuty Finding
14:29 - Looking at GuardDuty Findings
16:12 - Hardening EC2 Instance (IMDSv2)
The first video in the GCP series features a scenario where participants are provided with a URL leading to a misconfigured storage bucket serving image files, prompting them to fuzz potential files, discover a backup zip file due to the entity being set to "Public" with "allUsers" granted Reader access, and completing the challenge by decrypting the zip file.
The objective of this scenario was to gain access to an RDS instance. We were provided with the credentials of two different users, and exploited this AWS environment in two different ways.
We gain access to the targeted AWS account by finding an SSRF and RCE vulnerability on an AWS-hosted webapp. We then pivot to other containers and use the metdata credentialso f both the compromised EC2 instance and other docker containers to obtain elevated access within the AWS workload.
