The objective of this scenario was to gain access to an RDS instance. We were provided with the credentials of two different users.
The McDuck user had access to an S3 bucket that contained an SSH private key with which we could connect to the EC2 instance. The EC2 instance then has access to an S3 bucket with the credentials for the RDS instance.
The Lara user has access to an S3 bucket with logs for an ELB within the workload. This allows us to find a hidden directory within the application that contains an RCE vulnerability, thus allowing us to gain access to the EC2 instance.
00:00 - Video Context
01:12 - Configuring AWSealion and users
02:38 - McDuck - Enumeration
04:35 - McDuck - Finding S3 permission
06:41 - McDuck - SSH into instance
09:09 - McDuck - Finding RDS instance
11:12 - McDuck - Accessing RDS instance
13:45 - Lara - Enumeration
14:57 - Lara - Finding logs and discovering ELB
17:38 - Lara - Accessing webapp
18:56 - Lara - Gaining RCE and getting shel
The second video in the GCP series in which the threat actor must leverage an SSRF vulnerability to exploit a misconfigured application. The application supports the gopher protocol which can be abused to query the metadata service.
The first video in the GCP series features a scenario where participants are provided with a URL leading to a misconfigured storage bucket serving image files, prompting them to fuzz potential files, discover a backup zip file due to the entity being set to "Public" with "allUsers" granted Reader access, and completing the challenge by decrypting the zip file.
We gain access to the targeted AWS account by finding an SSRF and RCE vulnerability on an AWS-hosted webapp. We then pivot to other containers and use the metdata credentialso f both the compromised EC2 instance and other docker containers to obtain elevated access within the AWS workload.
