The objective of this scenario was to gain access to an RDS instance. We were provided with the credentials of two different users.
The McDuck user had access to an S3 bucket that contained an SSH private key with which we could connect to the EC2 instance. The EC2 instance then has access to an S3 bucket with the credentials for the RDS instance.
The Lara user has access to an S3 bucket with logs for an ELB within the workload. This allows us to find a hidden directory within the application that contains an RCE vulnerability, thus allowing us to gain access to the EC2 instance.
We gain access to the targeted AWS account by finding an SSRF and RCE vulnerability on an AWS-hosted webapp. We then pivot to other containers and use the metadata credentials of both the compromised EC2 instance and other Docker containers to obtain elevated access within the AWS workload.
As a low-privileged user, we compromised multiple other users and moved laterally within the environment. We then found a vulnerable EC2 instance which, when exploited, revealed the credentials for the role of the instance profile, which contained permissions to list and download credentials from a confidential S3 bucket.
We start off as a fairly high-privileged user who can perform multiple IAM and EC2 API calls. Using these permissions, it was possible to obtain full control over the AWS account by creating an EC2 instance with a high-privileged instance profile.