Presentation Material
Abstract
Compromising an organization's cloud infrastructure is like sitting on a gold mine for attackers, and sometimes a single misconfiguration or a vulnerability in a web application is all an attacker needs to compromise the entire infrastructure. Since cloud computing is relatively new, many developers are not fully aware of the threat landscape and end up deploying vulnerable cloud infrastructure. When it comes to web application pentesting on traditional infrastructure, deliberately vulnerable applications such as DVWA and bWAPP have helped the infosec community understand the popular web attack vectors. However, at this point in time, we do not have a similar framework for cloud environments.
In this talk, we will be presenting AWSGoat, a vulnerable-by-design infrastructure on AWS featuring the latest OWASP Top 10 web application security risks (2021) and other misconfigurations in services such as IAM, S3, API Gateway, Lambda, EC2, and ECS. AWSGoat mimics real-world infrastructure, but with added vulnerabilities. The idea behind AWSGoat is to provide security enthusiasts and pentesters with an easy-to-deploy/destroy vulnerable infrastructure where they can learn how to enumerate cloud applications, identify vulnerabilities, and chain various attacks to compromise the AWS account.
AI Generated Summary (may contain errors)
Here is a summarized version of the content:
The speaker discusses the AWS Goat project and Identity and Access Management (IAM) exploitation in AWS. They explain how an insecurely configured S3 bucket, the production blog bucket of AWS Goat, was discovered. The bucket contained sensitive files, including SSH config files with IP addresses and the associated key files, which developers had stored there as a backup.
Using one of the SSH key files, the speaker gained access to a development instance whose IAM permissions were limited. Those permissions were still enough to create a new role and attach escalation policies to it, allowing them to access all resources in the AWS account.
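Both links in that chain, an anonymously readable bucket and a "limited" instance policy that still permits creating a role and attaching policies to it, can be spotted statically from the policy documents before anyone touches the account. The following block is an added example written for this page, not code from AWSGoat or the talk: the bucket policy and the two identity policies it inspects are constructed samples, and the escalation patterns it flags are the well-known IAM create-role/attach-policy combinations rather than a claim about the exact path the speaker used.

```python
"""Static checks for the two misconfigurations in the AWSGoat chain above.

Added example for this page, not code from AWSGoat or the talk. The policy
documents below are constructed; the escalation patterns are the well-known
IAM create-role / attach-policy combinations.
"""
import fnmatch

# Groups of IAM actions that together let a low-privilege principal mint or
# hijack a role with broader permissions. Assumption: these three classic
# combinations are the ones worth flagging here; real tooling tracks many more.
ESCALATION_PATHS = {
    "create-role+attach-managed-policy": {"iam:CreateRole", "iam:AttachRolePolicy"},
    "create-role+put-inline-policy": {"iam:CreateRole", "iam:PutRolePolicy"},
    "update-assume-role-policy+assume-role": {"iam:UpdateAssumeRolePolicy", "sts:AssumeRole"},
}

# Constructed sample: a bucket policy of the kind that exposes SSH key backups.
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-prod-blog", "arn:aws:s3:::example-prod-blog/*"],
    }],
}

# Constructed sample: a "limited" policy on a development instance's role.
DEV_INSTANCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:PutRolePolicy", "Resource": "*"},
    ],
}

# Constructed sample: the same policy with the IAM write actions removed.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "ec2:Describe*"], "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a bare string or a list in Action/Principal/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def anonymous_s3_grants(bucket_policy):
    """Return the S3 actions an anonymous principal is allowed by bucket_policy.

    Anonymous means Principal "*" or {"AWS": "*"}. Conditions are not evaluated,
    so a hit is a lead to confirm (for example with an unauthenticated ListBucket).
    """
    grants = set()
    for stmt in _as_list(bucket_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        )
        if anonymous:
            grants.update(_as_list(stmt.get("Action", [])))
    return sorted(grants)


def allowed_actions(policy_doc, candidates):
    """Return the subset of candidates that policy_doc allows on any resource.

    Wildcards in Action ("iam:*", "*") are expanded against the candidates and
    matched case-insensitively, as IAM does. An explicit Deny overrides Allow.
    Resource scoping, Conditions and NotAction are deliberately ignored, so the
    result over-approximates: good for finding leads, not for proving safety.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy_doc.get("Statement", [])):
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        matched = {
            c for c in candidates
            if any(fnmatch.fnmatchcase(c.lower(), p) for p in patterns)
        }
        if stmt.get("Effect") == "Allow":
            allowed |= matched
        elif stmt.get("Effect") == "Deny":
            denied |= matched
    return allowed - denied


def find_escalation_paths(policy_doc):
    """Name every ESCALATION_PATHS combination that policy_doc fully allows."""
    candidates = set().union(*ESCALATION_PATHS.values())
    have = allowed_actions(policy_doc, candidates)
    return sorted(name for name, needed in ESCALATION_PATHS.items() if needed <= have)


if __name__ == "__main__":
    print("anonymous S3 grants:", anonymous_s3_grants(PUBLIC_BUCKET_POLICY))
    for label, doc in [("dev instance", DEV_INSTANCE_POLICY), ("hardened", HARDENED_POLICY)]:
        print(f"{label}: escalation paths ->", find_escalation_paths(doc))
```

To run the same checks against a real account, feed the functions the JSON returned by `aws s3api get-bucket-policy --bucket NAME` and by `aws iam get-policy-version` / `aws iam get-role-policy` for the policies attached to the instance role. The checks are intentionally over-approximate: they ignore Conditions, resource ARNs, permission boundaries and SCPs, so a hit means "go verify", while an empty result does not prove the principal is safe.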
The presentation also covers future plans for AWS Goat, including:
- Compromising applications across multiple accounts within an organization.
- Adding modules for different application stacks like EKS and Beanstalk.
- Introducing Infrastructure as Code (IaC) based misconfigurations.
- Focusing on secure coding aspects and providing guidance on performing checks and fixing bugs.
The speaker concludes by inviting the community to contribute feedback, share their experience with real-world pentesting of cloud and web applications, and help grow the project.