Starting off as a low-privileged user, a misconfiguration in the Lambda service made lateral movement to a user with EC2 access was possible. This resulted in knowing the IP address of an EC2 instance running a vulnerable web application which contains an SSRF vulnerability. Exploiting this vulnerability gives the credentials for the role of the IAM instance profile attached to the EC2 instance, and the access key and secret access key could then be obtained via the S3 service.
00:00 - Video Context
01:06 - Configuring profile and AWSealion
01:30 - Enumerating Solus permissions
02:50 - Finding Lambda misconfiguration with EC2 user creds
04:12 - Enumerating EC2 user permissions and finding vulnerable EC2 instance
05:01 - Exploiting EC2 instance
06:15 - Configuring EC2 role creds and lateral movement
06:54 - Looking into Lambda function
08:31 - Privilege escalation to Admin user
12:10 - Showing off enumerate-iam tool
The first video in the GCP series features a scenario where participants are provided with a URL leading to a misconfigured storage bucket serving image files, prompting them to fuzz potential files, discover a backup zip file due to the entity being set to "Public" with "allUsers" granted Reader access, and completing the challenge by decrypting the zip file.
The objective of this scenario was to gain access to an RDS instance. We were provided with the credentials of two different users, and exploited this AWS environment in two different ways.
We gain access to the targeted AWS account by finding an SSRF and RCE vulnerability on an AWS-hosted webapp. We then pivot to other containers and use the metdata credentialso f both the compromised EC2 instance and other docker containers to obtain elevated access within the AWS workload.
