Hacking in the Cloud - rce_web_app
The objective of this scenario was to gain access to an RDS instance. We were provided with the credentials of two different users, and exploited this AWS environment in two different ways.
Starting off as a low-privileged user, a misconfiguration in the Lambda service made lateral movement to a user with EC2 access possible. This revealed the IP address of an EC2 instance running a web application with an SSRF vulnerability. Exploiting this vulnerability yields the credentials for the role of the IAM instance profile attached to the EC2 instance, and the access key and secret access key could then be obtained via the S3 service.
00:00 - Video Context
01:06 - Configuring profile and AWSealion
01:30 - Enumerating Solus permissions
02:50 - Finding Lambda misconfiguration with EC2 user creds
04:12 - Enumerating EC2 user permissions and finding vulnerable EC2 instance
05:01 - Exploiting EC2 instance
06:15 - Configuring EC2 role creds and lateral movement
06:54 - Looking into Lambda function
08:31 - Privilege escalation to Admin user
12:10 - Showing off enumerate-iam tool