IMDSv1
Scenario
Lab Link: IMDSv1
On October 15, 2024, a security breach occurred involving a web application named "Visa Checker," which was hosted on an AWS EC2 instance. The attacker exploited a Server-Side Request Forgery (SSRF) vulnerability within the application, enabling them to steal IAM role credentials from the instance metadata service. With these compromised credentials, the attacker gained unauthorized access to sensitive information stored in an Amazon S3 bucket. This S3 bucket contained data on approximately 20 million tourists.
The attacker leveraged the stolen credentials to perform various unauthorized actions within the AWS environment, including data exfiltration. To evade detection, the attacker routed their traffic through multiple Tor exit nodes, using anonymized IP addresses to obscure their true location, making it difficult to trace the source of the attack.
You have been given a PCAP file and CloudWatch Logs from the incident for analysis. The goal is to identify the attacker's actions, determine the compromised resources, and assess the overall scope and impact of the breach.
Tip: It's recommended to use jq for a clearer view of JSON logs and to apply filters effectively.
File Structure
├── Artifacts
│   ├── Visa Checker.pcap
│   └── cloudwatch
│       ├── 124355653975_CloudTrail_eu-central-1-logs.json
│       ├── 124355653975_CloudTrail_eu-central-1_2-logs.json
│       ├── 124355653975_CloudTrail_eu-central-1_3-logs.json
│       └── 124355653975_CloudTrail_eu-central-1_4-logs.json
├── BEFORE_YOU_START.txt
└── Tools
    ├── Command-Line Tools
    │   ├── Capinfos.desktop
    │   ├── Editcap.desktop
    │   ├── Scapy.desktop
    │   ├── TShark.desktop
    │   ├── Zeek.desktop
    │   ├── ngrep.desktop
    │   └── tcpdump.desktop
    ├── CyberChef.desktop
    ├── NetworkMiner.desktop
    ├── Wireshark.desktop
    └── Zui.desktop
Investigation Commands and Results
tshark -r "Visa Checker.pcap" -Y "http.request" -T fields -e frame.time -e http.host -e http.request.uri
Output:
Oct 15, 2024 10:15:35.774330000 UTC 18.196.254.140 /visa-status?check_url=http://www.google.com
Oct 15, 2024 10:15:35.777906000 UTC www.google.com /
Q1
The attacker tested the SSRF vulnerability by accessing an external website. What URL was used to conduct this test?
Answer:
http://www.google.com
Q2
The attacker exploited the vulnerable website to send requests, ultimately obtaining the IAM role credentials. What is the exact URI used in the request made by the webserver to acquire these credentials?
tshark -r "Visa Checker.pcap" -Y "http.request" -T fields -e frame.time -e http.host -e http.request.uri
Output:
Oct 15, 2024 10:18:41.825328000 UTC 169.254.169.254 /latest/meta-data/network/interfaces/macs/06:2a:98:eb:e5:fb/local-ipv4s
Oct 15, 2024 10:18:51.232427000 UTC 18.196.254.140 /visa-status?check_url=http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2-S3-Visa
Answer:
http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2-S3-Visa
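The two tshark queries above find the SSRF probe and the credential request by eye. The following Python example is added here and is not part of the lab or of the original write-up: it reads tshark field output in the same three-column, tab-separated shape (frame.time, http.host, http.request.uri), decodes the check_url parameter of every request to the vulnerable endpoint, classifies where each SSRF target points (metadata service, other internal address, or external host), and pulls the IAM role name out of a security-credentials path. It goes slightly beyond the page by also handling URL-encoded targets and a credential path with no role name, which is the IMDS request that lists the role names. The sample lines, the parameter name check_url and the function names are constructed for the example; the server's own outbound request to 169.254.169.254 (the local-ipv4s line) is ignored on purpose, because the attacker's intent is visible in the parameter, not in the server's follow-up fetch.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the tshark field output used in the write-up
# (frame.time <TAB> http.host <TAB> http.request.uri). Not taken from the lab PCAP.
TSHARK_LINES = (
    "Oct 15, 2024 10:15:35.774330000 UTC\t18.196.254.140\t/visa-status?check_url=http://www.google.com\n"
    "Oct 15, 2024 10:15:35.777906000 UTC\twww.google.com\t/\n"
    "Oct 15, 2024 10:18:20.101000000 UTC\t18.196.254.140\t/visa-status?check_url="
    "http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F\n"
    "Oct 15, 2024 10:18:41.825328000 UTC\t169.254.169.254\t"
    "/latest/meta-data/network/interfaces/macs/06:2a:98:eb:e5:fb/local-ipv4s\n"
    "Oct 15, 2024 10:18:51.232427000 UTC\t18.196.254.140\t/visa-status?check_url="
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2-S3-Visa\n"
)

IMDS_HOST = "169.254.169.254"
CRED_PATH = "/latest/meta-data/iam/security-credentials/"


def classify_target(url):
    """Label where an SSRF target points: 'imds', 'internal' (private/link-local/loopback)
    or 'external' (public IP or any DNS name)."""
    host = urlsplit(url).hostname or ""
    if host == IMDS_HOST:
        return "imds"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # a hostname such as www.google.com: the connectivity probe
    if ip.is_link_local or ip.is_private or ip.is_loopback:
        return "internal"
    return "external"


def triage(lines, param="check_url"):
    """One record per request carrying the SSRF parameter: timestamp, decoded target,
    target class, and the IAM role name when the target is an IMDS credential path.
    parse_qs already URL-decodes the value, so encoded and plain targets are treated alike."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        time, _host, uri = line.split("\t", 2)
        qs = parse_qs(urlsplit(uri).query)
        if param not in qs:
            continue  # not an attacker request (e.g. the server's own fetch from IMDS)
        target = qs[param][0]
        record = {"time": time, "target": target,
                  "class": classify_target(target), "role": None}
        path = urlsplit(target).path
        if record["class"] == "imds" and path.startswith(CRED_PATH):
            # Empty name = request that lists the role names; a name = credential theft.
            record["role"] = path[len(CRED_PATH):].strip("/") or None
        findings.append(record)
    return findings


def stolen_roles(lines):
    """Role names whose credentials were requested through the SSRF."""
    return sorted({f["role"] for f in triage(lines) if f["role"]})


if __name__ == "__main__":
    for f in triage(TSHARK_LINES):
        print(f'{f["time"]}  {f["class"]:<8}  role={f["role"]}  {f["target"]}')
    print("roles requested:", stolen_roles(TSHARK_LINES))
```

Run it against real data with `tshark -r "Visa Checker.pcap" -Y "http.request" -T fields -e frame.time -e http.host -e http.request.uri > req.tsv` and feed the file contents to `triage()`; anything classified `imds` or `internal` is worth a second look even when it did not name a role.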
Q3
The attacker executed an AWS CLI command, similar to whoami in traditional systems, to retrieve information about the IAM user or role associated with the credentials. When exactly was that command executed (see the eventTime field)?
grep -h "GetCallerIdentity" *.json
Answer:
2024-10-15 10:20
Q4
During the investigation of the network traffic, we observed that the attacker attempted to retrieve the instance ID and subsequently tried to terminate or shut down the instance. What was the error code returned?
grep -h "errorCode" *.json | grep -i ec2
Answer:
Client.UnauthorizedOperation
Q5
The attacker made an attempt to create a new user but lacked the necessary permissions. What was the username the attacker tried to create?
grep -h "CreateUser" *.json
Output:
"User: arn:aws:sts::124355653975:assumed-role/EC2-S3-Visa/i-035f09798d122e824 is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::124355653975:user/H3ll because no identity-based policy allows the iam:CreateUser action"
Answer:
H3ll
Q6
Which version of the AWS CLI did the attacker use?
Output:
"userAgent":"aws-cli/2.18.5 md/awscrt#0.21.2 ua/2.0 os/linux#6.8.0-1016-aws md/arch#x86_64 lang/python#3.12.6 ..."
Answer:
aws-cli/2.18.5
Q7
After listing the available S3 buckets, the attacker proceeded to list the contents of one of them. Which bucket's contents did the attacker list?
grep -h "ListObjects" *.json
Answer:
tourists-visa-info
Q8
The attacker subsequently began downloading data from the bucket. What was the total amount of data stolen, measured in bytes?
Note: Filter on the identity as well as the event name. Only GetObject calls made with the assumed EC2-S3-Visa role are the attacker's; reads by other principals in the same bucket must not be counted.
cat *.json | jq -r '.events[].message' | jq -r 'select(.eventName == "GetObject" and .userIdentity.type == "AssumedRole" and (.userIdentity.arn | contains("EC2-S3-Visa"))) | "\(.eventTime) - \(.requestParameters.key) - \(.additionalEventData.bytesTransferredOut)"' | awk '{print; sum += $NF} END {print sum}'
Output:
2024-10-15T10:47:50Z - trsts_visa_info_atlnts_full_Sep_2023.csv - 8388608
2024-10-15T10:47:50Z - trsts_visa_info_atlnts_full_Sep_2023.csv - 3145728
5449252456
Answer:
5449252456
Q9
After stealing the data, the attacker began deleting the contents of the bucket. What IP address was used during these deletion activities?
grep -h "DeleteObject" *.json
Answer:
193.189.100.204
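The grep -h and jq one-liners in Q3 to Q9 each answer one question over the same CloudTrail records. The following Python example is added here and is not the lab's material or the original write-up's code: it folds those steps into one pass over the CloudWatch Logs export shape used above ({"events": [{"message": "<CloudTrail record as a JSON string>"}]}), keeps only calls made with the stolen EC2-S3-Visa role, and derives the chronological timeline, the denied actions, the bytes served by GetObject, the source IPs behind DeleteObject and the DeleteBucket request ID. Every record in the sample is constructed: the IPs are from documentation ranges, and the object keys, request IDs and byte counts are not the lab's values; the one GetObject by a different principal is there to show why the identity filter in Q8 matters.

```python
import json
from collections import Counter

ROLE_NAME = "EC2-S3-Visa"
ROLE_ARN = "arn:aws:sts::124355653975:assumed-role/EC2-S3-Visa/i-035f09798d122e824"


def _ct(time, name, ip, **extra):
    """Build one CloudTrail record for the assumed role (constructed sample data)."""
    rec = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
           "userAgent": "aws-cli/2.18.5 md/awscrt#0.21.2 ua/2.0 os/linux#6.8.0-1016-aws",
           "requestID": f"REQ-{name}-{time[11:16].replace(':', '')}"}
    rec.update(extra)
    return rec


SAMPLE_RECORDS = [
    _ct("2024-10-15T10:20:12Z", "GetCallerIdentity", "198.51.100.7"),
    _ct("2024-10-15T10:31:40Z", "TerminateInstances", "198.51.100.7",
        errorCode="Client.UnauthorizedOperation"),
    _ct("2024-10-15T10:34:03Z", "CreateUser", "198.51.100.22", errorCode="AccessDenied",
        requestParameters={"userName": "H3ll"}),
    _ct("2024-10-15T10:40:15Z", "ListObjects", "198.51.100.22",
        requestParameters={"bucketName": "tourists-visa-info"}),
    # A large object fetched by the CLI shows up as several GetObject records.
    _ct("2024-10-15T10:47:50Z", "GetObject", "198.51.100.22",
        requestParameters={"bucketName": "tourists-visa-info", "key": "part1.csv"},
        additionalEventData={"bytesTransferredOut": 8388608}),
    _ct("2024-10-15T10:47:50Z", "GetObject", "198.51.100.22",
        requestParameters={"bucketName": "tourists-visa-info", "key": "part1.csv"},
        additionalEventData={"bytesTransferredOut": 3145728}),
    _ct("2024-10-15T10:49:30Z", "DeleteObject", "203.0.113.9",
        requestParameters={"bucketName": "tourists-visa-info", "key": "part1.csv"}),
    _ct("2024-10-15T10:50:05Z", "DeleteBucket", "203.0.113.9",
        requestParameters={"bucketName": "tourists-visa-info"}),
    # Legitimate read by another principal: the identity filter must drop it.
    {"eventTime": "2024-10-15T10:48:00Z", "eventName": "GetObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::124355653975:user/backup-job"},
     "requestID": "REQ-BACKUP",
     "requestParameters": {"bucketName": "tourists-visa-info", "key": "part1.csv"},
     "additionalEventData": {"bytesTransferredOut": 4096}},
]
# CloudWatch Logs export: each CloudTrail record is a JSON string inside "message".
SAMPLE_EXPORT = json.dumps({"events": [{"message": json.dumps(r)} for r in SAMPLE_RECORDS]})


def load_records(export_text):
    """Parse the export and decode every message back into a CloudTrail record."""
    return [json.loads(ev["message"]) for ev in json.loads(export_text)["events"]]


def by_role(records, role_name=ROLE_NAME):
    """Keep only calls made with the stolen instance-role credentials."""
    return [r for r in records
            if r.get("userIdentity", {}).get("type") == "AssumedRole"
            and f":assumed-role/{role_name}/" in r["userIdentity"].get("arn", "")]


def bytes_out(records, event_name="GetObject"):
    """Total bytes served to the caller for one action (sum over multipart downloads)."""
    return sum(int(r.get("additionalEventData", {}).get("bytesTransferredOut", 0))
               for r in records if r["eventName"] == event_name)


def denied(records):
    """(eventName, errorCode) for every refused call: what the role could not do."""
    return [(r["eventName"], r["errorCode"]) for r in records if "errorCode" in r]


def source_ips(records, event_name):
    """Source IP counts for one action, e.g. the addresses behind the deletions."""
    return Counter(r["sourceIPAddress"] for r in records if r["eventName"] == event_name)


def request_ids(records, event_name):
    return [r["requestID"] for r in records if r["eventName"] == event_name]


def timeline(records):
    """One line per call in time order, the view a bare grep -h cannot give."""
    rows = sorted(records, key=lambda r: r["eventTime"])
    return [f'{r["eventTime"]} {r["eventName"]:<18} {r["sourceIPAddress"]:<15} '
            f'{r.get("errorCode", "OK")}' for r in rows]


if __name__ == "__main__":
    attacker = by_role(load_records(SAMPLE_EXPORT))
    print("\n".join(timeline(attacker)))
    print("bytes exfiltrated:", bytes_out(attacker))
    print("denied:", denied(attacker))
    print("DeleteObject IPs:", dict(source_ips(attacker, "DeleteObject")))
    print("DeleteBucket requestID:", request_ids(attacker, "DeleteBucket"))
```

For the lab files, concatenate the four exports' records (call `load_records()` on each file and extend one list) before filtering; the sorted timeline is also the quickest way to spot the gap between GetCallerIdentity and the first S3 call, which is usually the attacker's enumeration phase.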
Q10
The attacker executed a deletion operation on the bucket, removing all of its contents. Every request in AWS is linked to a unique identifier for tracking purposes. What was the request ID associated with the bucket's deletion event?
cat *.json | jq -r '.events[].message' | jq -r 'select(.eventName == "DeleteBucket") | "\(.eventTime) - \(.eventName) - \(.requestID)"'
Output:
2024-10-15T10:50:05Z - DeleteBucket - XT27FP62J3ACKDNW
Answer:
XT27FP62J3ACKDNW