We start off as a fairly high-privileged user who can perform multiple IAM and EC2 API calls. Using these permissions, it was possible to obtain full control over the AWS account by creating an EC2 instance with a high-privileged instance profile.
00:00 - Video context
01:07 - Configuring profile & AWSealion
03:31 - Enumerating environment
05:25 - Finding privesc pathway
07:31 - Starting EC2 instance creation process
11:35 - Modifying instance profile
16:53 - Creating EC2 instance
18:41 - SSH to instance
19:54 - Configuring AWS CLI
22:28 - Enumerating “mighty” role permissions
23:28 - Discussing the misconfiguration & remediation
The second video in the GCP series in which the threat actor must leverage an SSRF vulnerability to exploit a misconfigured application. The application supports the gopher protocol which can be abused to query the metadata service.
The first video in the GCP series features a scenario where participants are provided with a URL leading to a misconfigured storage bucket serving image files, prompting them to fuzz potential files, discover a backup zip file due to the entity being set to "Public" with "allUsers" granted Reader access, and completing the challenge by decrypting the zip file.
The objective of this scenario was to gain access to an RDS instance. We were provided with the credentials of two different users, and exploited this AWS environment in two different ways.
