Hacking in the Cloud - ecs_takeover


Starting with no access to the AWS account, we compromise a web app hosted on an EC2 instance by finding both an SSRF and an RCE vulnerability. The web app ran inside a privileged Docker container with the host's Docker socket mounted into it, which let us pivot to other containers. Using the EC2 instance metadata role together with the container metadata credentials of other containers, it was possible to gain access to other containers outside of the compromised container instance.


00:00 - Video Context
00:51 - Configuring AWSealion and accessing EC2 webapp
01:27 - Finding SSRF and exfiltrating credentials
03:40 - Enumerating EC2 instance role permissions
04:28 - Finding RCE in the webapp and getting a reverse shell
07:50 - Internal enumeration of EC2 instance
08:55 - Escaping out of privileged webapp container
12:29 - Pivoting to privileged ECS container
15:45 - Performing enumeration to find privilege escalation path
19:43 - Finding potential ECS task exploitation pathway
21:48 - Analyzing task definitions
25:51 - Draining container instance to get the vault container
30:45 - Viewing contents of vault container
32:58 - Post-Exploitation Analysis
37:58 - Checking GuardDuty findings
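
The container escape summarized above depends on two task-definition settings: privileged mode and a bind mount of the host's Docker socket. The following audit is an added example, not code from the video; it assumes its input is the `taskDefinition` object returned by `aws ecs describe-task-definition`, and the sample definition and all names in it are constructed.

```python
import json

# Host paths that are the Docker socket (/var/run is usually a symlink to /run).
DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")

# Constructed sample task definition; family, container and volume names are placeholders.
SAMPLE_TASK_DEFINITION = json.loads("""
{
  "family": "example-webapp",
  "volumes": [
    {"name": "docker-sock", "host": {"sourcePath": "/var/run/docker.sock"}},
    {"name": "app-data", "host": {"sourcePath": "/srv/app"}}
  ],
  "containerDefinitions": [
    {"name": "webapp", "privileged": true,
     "mountPoints": [{"sourceVolume": "docker-sock",
                      "containerPath": "/var/run/docker.sock"}]},
    {"name": "sidecar",
     "mountPoints": [{"sourceVolume": "app-data", "containerPath": "/data"}]}
  ]
}
""")


def exposes_docker_socket(host_path):
    """True if a host bind mount is the Docker socket or a directory containing it."""
    if not host_path:
        return False  # Docker-managed volume, no host path
    prefix = host_path.rstrip("/")  # "/" becomes "", which matches every path
    return any(s == prefix or s.startswith(prefix + "/") for s in DOCKER_SOCKETS)


def audit_task_definition(task_def):
    """Return (container_name, finding) tuples for privileged mode and socket mounts."""
    host_paths = {v["name"]: (v.get("host") or {}).get("sourcePath", "")
                  for v in task_def.get("volumes", [])}
    findings = []
    for container in task_def.get("containerDefinitions", []):
        name = container.get("name", "<unnamed>")
        if container.get("privileged") is True:
            findings.append((name, "privileged"))
        for mount in container.get("mountPoints", []):
            if exposes_docker_socket(host_paths.get(mount.get("sourceVolume"), "")):
                findings.append((name, "docker-socket-mount"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_task_definition(SAMPLE_TASK_DEFINITION):
        print(f"{name}: {finding}")
```

A mount of a parent directory such as `/var/run` or `/` is flagged as well, since it exposes the socket just as a direct mount does.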