Hacking in the Cloud - Cloudgoat: rce_web_app

The objective of this scenario was to gain access to an RDS instance. We were provided with the credentials of two different users. The McDuck user had access to an S3 bucket that contained an SSH private key with which we could connect to the EC2 instance. The EC2 instance then has access to an S3 bucket with the credentials for the RDS instance. The Lara user has access to an S3 bucket with logs for an ELB within the workload. This allows us to find a hidden directory within the application that contains an RCE vulnerability, thus allowing us to gain access to the EC2 instance. 00:00 - Video Context 01:12 - Configuring AWSealion and users 02:38 - McDuck - Enumeration 04:35 - McDuck - Finding S3 permission 06:41 - McDuck - SSH into instance 09:09 - McDuck - Finding RDS instance 11:12 - McDuck - Accessing RDS instance 13:45 - Lara - Enumeration 14:57 - Lara - Finding logs and discovering ELB 17:38 - Lara - Accessing webapp 18:56 - Lara - Gaining RCE and getting shell * Relevant Links * https://github.com/0xd4y/AWSealion https://github.com/andresriancho/enumerate-iam * Contact Info * LinkedIn: https://www.linkedin.com/in/Segev-Eliezer My Website: https://0xd4y.com GitHub: https://github.com/0xd4y Twitter: https://twitter.com/0xd4y