In this post we present Hailstorm, the BlackSky Cloud Hacking Lab scenario for Amazon Web Services by Hack The Box and our review of it.
Y-Security recently collaborated with Hack The Box and took the challenge of reviewing their BlackSky Cloud Hacking Labs. The main focus of the review was testing the created challenges and the presented attack path against Y-Security’s experience of real-life attacks in cloud environments.
Overview of BlackSky Cloud Labs
The BlackSky Cloud Hacking Labs are separated into individual scenarios distributed across the environments of the most common cloud providers, namely Amazon Web Services, Google Cloud Platform and Microsoft Azure. Each environment contains a unique scenario and attack path that reaches the goal of the assessment by chaining common cloud-related vulnerabilities and misconfigurations.
BlackSky provides dedicated scenarios, allowing you to practice different attack techniques and exploitation of common vulnerabilities, in order to understand how cloud platforms can be compromised.
Hack The Box
Hailstorm: Amazon Web Services (AWS)
In the section below we give some feedback and insights into the Hailstorm: Amazon Web Services (AWS) scenario and our experience with realistic vulnerabilities in AWS cloud infrastructures. Y-Security followed its detailed Cloud Penetration Testing methodology while solving the Cloud Hacking Lab.
Scope of Hailstorm
The Hailstorm: Amazon Web Services (AWS) scenario targets the resources below, which are also likely to be found in a real cloud project. Additionally, Hack The Box promoted the scenario with the attack techniques and outcomes listed below:
Hailstorm
Resources
- Amazon EC2 Metadata
- Amazon EC2 Snapshot
- Amazon S3 Buckets
- Amazon SageMaker Notebook
- AWS credentials
- AWS Elastic Beanstalk
- AWS Lambda Functions
- AWS Secrets Manager
- AWS Systems Manager
- IAM vectors
- Policies
- Source code review
- Web / DevOps vectors
Promoted Outcome
- AWS enumeration
- Exploitation of serverless applications
- Exploiting misconfigurations
- Lateral movement
- Local privilege escalation
- Mitigations and best practices
- Situational awareness
- Web application and API exploitation
Tips & Tricks
Attacking cloud environments requires a deep logical understanding of the components in use and how they interact with each other. Unfortunately, there is no tool that solves all problems in a cloud assessment: the tools mostly depend on specific access rights to execute properly, or they brute-force access rights by observing the responses to commands. Especially in AWS, a brute-force may take a lot of effort due to the parameters an AWS command requires, such as the region. The following list contains some references and tools used in this scenario:
- aws-cli: Provides a unified command line interface to Amazon Web Services
- aws-cli reference: Command reference of aws-cli and useful information about resources
- Prowler: Prowler is an Open Source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness
- AWS Consoler: A utility to convert your AWS CLI credentials into AWS console access
- awsenum: awsenum is a tool to identify what permissions your account has in AWS by brute-forcing the different operations and checking what you can perform. It is only limited to read operations
- Enumerate IAM: Tool to enumerate IAM permissions
- Scout Suite: Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments
- WeirdAAL: AWS Attack Library
- Hacktricks Cloud AWS Pentesting: Collection of AWS attack vectors and methodologies
It should be noted that some of the tools are no longer maintained or do not implement the latest available commands and resources of AWS. However, they still provide useful information. Additionally, linked tools should be reviewed and executed with care.
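How the permission brute-forcing described above appears to a defender, as an added example (not from the original post or from any of the listed tools): one principal collecting authorization failures on many distinct API actions in a short window of CloudTrail records. The sample records, the ARN, the helper names and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail errorCode values that indicate an authorization failure.
DENIED = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}

def _rec(time, source, name, region, arn, err=None):
    """Build a minimal CloudTrail-style record (hypothetical helper for the sample)."""
    r = {"eventTime": time, "eventSource": source, "eventName": name,
         "awsRegion": region, "userIdentity": {"arn": arn}}
    if err:
        r["errorCode"] = err
    return r

CI = "arn:aws:iam::111122223333:user/ci-deploy"   # constructed principal
ALICE = "arn:aws:iam::111122223333:user/alice"    # constructed principal
# Constructed sample: ci-deploy probes six services in 25 seconds, alice is denied twice.
SAMPLE = [
    _rec("2023-02-28T09:00:00Z", "s3.amazonaws.com", "GetObject", "us-east-1", ALICE, "AccessDenied"),
    _rec("2023-02-28T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "us-east-1", CI),
    _rec("2023-02-28T10:00:05Z", "iam.amazonaws.com", "ListUsers", "us-east-1", CI, "AccessDenied"),
    _rec("2023-02-28T10:00:10Z", "s3.amazonaws.com", "ListBuckets", "us-east-1", CI, "AccessDenied"),
    _rec("2023-02-28T10:00:15Z", "ec2.amazonaws.com", "DescribeInstances", "eu-central-1", CI, "Client.UnauthorizedOperation"),
    _rec("2023-02-28T10:00:20Z", "secretsmanager.amazonaws.com", "ListSecrets", "eu-central-1", CI, "AccessDeniedException"),
    _rec("2023-02-28T10:00:25Z", "ssm.amazonaws.com", "DescribeParameters", "eu-central-1", CI, "AccessDeniedException"),
    _rec("2023-02-28T10:00:30Z", "sagemaker.amazonaws.com", "ListNotebookInstances", "eu-central-1", CI, "AccessDeniedException"),
    _rec("2023-02-28T11:30:00Z", "s3.amazonaws.com", "GetObject", "us-east-1", ALICE, "AccessDenied"),
]

def find_permission_enumeration(records, min_actions=5, window=timedelta(minutes=5)):
    """Map principal ARN -> denied actions and regions, for principals denied on
    at least min_actions distinct API actions inside one sliding time window."""
    denied = defaultdict(list)
    for r in records:
        if r.get("errorCode") not in DENIED:
            continue
        when = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        action = f'{r["eventSource"].split(".")[0]}:{r["eventName"]}'
        denied[r["userIdentity"]["arn"]].append((when, action, r["awsRegion"]))
    findings = {}
    for arn, events in denied.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            burst = events[start:end + 1]
            actions = sorted({a for _, a, _ in burst})
            best = len(findings.get(arn, {"actions": []})["actions"])
            if len(actions) >= min_actions and len(actions) > best:
                findings[arn] = {"actions": actions, "regions": sorted({g for _, _, g in burst})}
    return findings
```

Counting distinct actions rather than raw failures keeps a single misconfigured job that retries one denied call from being flagged.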
The lab
The scenario started with a description of the target, an externally available IP-address and a list of flag names that could be found during the assessment to prove progress.
“Mega Multinational” is a global leader in the Freight Logistics industry. They are not cloud native, but are looking to transition more infrastructure to the cloud, in order to mitigate the perceived risks of hosting their own infrastructure. They have enlisted your services to perform an assessment of their cloud infrastructure, using the external IP address.
Hack The Box
In total, 15 flags could be found during the assessment which were placed in the attacked components. Eleven flags were found at obvious locations during the exploitation process and another 4 were gathered after the final goal, access to the AWS console, was reached.
Attack path
The demonstrated attack path requires exploitation of common application vulnerabilities, enumeration of cloud access permissions, attacks on DevOps environments, privilege escalation and situational awareness, as information from different steps has to be combined. The exploitation process contains common vulnerabilities as they can be found in real-life applications and environments.
Y-Security followed its Cloud Penetration Testing methodology during the assessment, which aligns with and completes common methodologies and frameworks, in particular the OWASP Web Security Testing Guide, the BSI Leitfaden IT-Sicherheits-Penetrationstest, applicable CIS Benchmarks, the MITRE ATT&CK® Framework and cloud-provider-specific security best practice guidelines.
The lab requires manual investigation and creative thinking to connect the dots and identify access permissions (especially as identified authorization credentials are locked down to specific functionality), as well as knowledge of a variety of lateral movement techniques and of AWS internals. Some of the techniques correspond to basic reconnaissance actions on a compromised machine (e.g. reviewing the bash history) or to the availability of other components, while others are uncommon techniques (which we do not spoil in this post 🙂).
Conclusion
The BlackSky Cloud Hacking Labs – Hailstorm scenario and its vulnerabilities are realistic and could even exist as part of a real organization's network. Overall, I would recommend the training to everyone who knows the basics of penetration testing and wants to extend their knowledge of cloud-specific attack paths and components.
Overall, the lab gives a good insight into cloud-related vulnerabilities and requires manual exploitation and thinking to identify the next step and how to proceed in the exploitation process. The reviewed lab did not provide any further hints regarding the next steps that could be taken except the name of the flag, which may point to a specific AWS component. This may be a problem for someone stepping into Cloud Penetration Testing, especially if they get stuck at some point, but Hack The Box confirmed that the platform will include more information in the future.
We followed our detailed Cloud Penetration Testing methodology while solving the scenario. Even though not all checks of our methodology were demonstrated in a vulnerability, it still showed that the most common and even some niche vulnerabilities can be found and exploited in the scenario.
The presented scenario features a realistic cloud environment that allows users to gain situational awareness and pivot between services.
Christian
10/10 would take it again.
Further Reading
We would like to thank Hack The Box for providing us with access to have a deep dive into their professional offerings and benchmarking our cloud testing methodology against those sophisticated playbook exercises.
Author
Christian Becker
christian@y-security.de
Y-Security GmbH
28. February 2023