In this blog, I’ll be showing how we can perform cloud security auditing and assessment using ScoutSuite, Pacu and Prowler, and analyzing the report generated by these tools. I will demonstrate the privilege escalation attack on misconfigured policy of AWS.

Note: The AWS access_key_id, access_secret_key used in the screenshot will not work and was only created for this writing this blog. If you want to test it, please make sure you are authorized to perform the assessment in targeted cloud.

Prerequisites

Configure AWS

Amazon Web Services (AWS) is cloud computing services which will be a target cloud infrastructure for the assessment. To perform this activity, I created AWS account from my own account. To continue follow the given instructions:

• Navigate to Identity Access Management (IAM) Service

• Go to Users > Create user to create a user named kaliuser

• Next, Go to User groups > Create group to create a user group testing.

  • Add the kaliuser in a group while creating.
  • Attach Policy SecurityAudit and SecurityAudit to providing permissions.

• Then, navigate to User > kaliuser > Security credentials > Access keys > Create access key > Select Command Line Interface (CLI) > Next > Create access key. This will generate programmatic access key and secret key.

• Finally, configure your shell running aws configure, enter the access_key_id and access_secret_key in the terminal.

  $ aws configure
  AWS Access Key ID [****************TKIZ]:
  AWS Secret Access Key [****************/G0w]:
  Default region name [us-east-2]:
  Default output format [None]:
  

Note: I will further configure additional Policy for Pacu in next section.

ScoutSuite

Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.

git clone git@github.com:nccgroup/ScoutSuite.git

virtualenv -p python3 venv # Create virtual environment
source venv/bin/activate   # Activate virtual environment in shell

cd ScoutSuite
pip install                # Install dependencies

Setup Pacu

Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments

git clone git@github.com:RhinoSecurityLabs/pacu.git
source venv/bin/activate   # Activate virtual environment in shell

cd pacu
./install.sh               # Install Dependencies

Setup Prowler

Prowler is an Open Source security tool to perform AWS, GCP and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.

git clone git@github.com:prowler-cloud/prowler.git
source venv/bin/activate   # Activate virtual environment in shell

cd prowler
pip install prowler # Install prowler and its dependencies

./prowler.py aws -f us-east-2 -s {s3,iam,cloudtrail,cloudwatch} # Running

ScoutSuite Assessment

Navigate to cloned folder, activate the environment and run the scout suite.

cd ScoutSuite

python3 scout.py           # Start auditing using scout.py

Running Scout Suite will take some minutes to complete.

After completion, you’ll see html file as an output stored inside scoutsuite-report folder. Go to the folder and open it in your browser.

Cloudwatch Recommendation

Here, CloudTrail is not configured in dashboard signifies it is a crucial issue and vulnerability as AWS CloudTrail plays a critical role in monitoring and auditing AWS resources and API activities. Without it being configured, we will lack visibility into actions taken within AWS environment, making it difficult to detect and investigate security incidents.

To address this, we should create a CloudTrail trail to log events in all AWS Regions. This trail should deliver log files to an Amazon S3 bucket which is storage service of AWS. As per the best practices documentation, we also need to enable CloudTrail log file integrity and integrate it with Amazon CloudWatch Logs for monitoring to make sure the file is not changed. Additionally, it is considered good practice to use AWS Security Hub to monitor CloudTrail resources.

IAM Recommendation

In general, it shows two different types of vulnerabilities:

• Password Policies: The vulnerabilities related to inadequate password length, expiration, and reuse signify a weak password policy in your AWS environment.

  To remediate these issues, we need to enforce stronger password policies that require longer passwords, implement regular password expiration intervals (e.g., 90 days), and disallow password reuse to enhance security.

• Root Account Security: The vulnerabilities regarding root account usage and the absence of Multi-Factor Authentication (MFA) highlight the need for securing the root AWS account.

  To address these issues, we need to ensure that IAM policies are attach only the users and groups, enable hardware-based MFA for the root account, and enforce MFA for all users accessing the AWS environment. Additionally, limit the use of the root account and establish individual IAM user accounts with appropriate permissions to reduce security risks associated with the root account.

Pacu Exploitation

In Pacu, I will try to escalate the privilege by using the tool command. To do this, I have to add custom policy referred as misconfigured customer managed policy. Practically, it is possible someone can add hazardous policy without knowing the consequences and human error or misconfiguration can happen. To do this follow these steps:

Adding custom policy

• Navigate to Identity Access Management (IAM) Service

• Go to Policies > Create policy > JSON to create new policy PacuExploitPolicy.

• Copy and paste following lines in Policy Editor > Next > Create Policy.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::cybr-pacu-lab-example"
      },
      {
        "Sid": "Statement1",
        "Effect": "Allow",
        "Action": [
          "iam:Get*",
          "iam:List*",
          "iam:Put*",
          "iam:AttachRolePolicy",
          "iam:SimulateCustomPolicy",
          "iam:SimulatePrincipalPolicy"
        ],
        "Resource": "*"
      }
    ]
  }
  

  Source: intro to AWS PENTESTING (with Pacu)

• Next, attach the custom policy to the testing group or kaliuser user directly. I attached for user group.

Note: In the custom policy, iam:Put* is risky attribute which allow to add new Policies leading to escalate the policy. You’ll see how that can be achieved in the next section.

Running Pacu

cd pacu

./cli.sh                   # Start Pacu.

Setting up AWS credentials

First, we need to setup the AWS keys using set_keys and set_regions command.

Begin Exploitation

Before beginning exploitation, you can enumerate the IAM permissions using command run iam__enum_permissions. Now, I run command run iam__privesc_scan, you’ll see output something like this:

You can see escalation method PutGroupPolicy and PutUserPolicy is used to attempt the privilege escalation. In the highlighted section, new administrator policy to the current user has been added with policy named o7go7jwhnq.

You can verify by running run iam__enum_permissions command in pacu terminal where you’ll notice, objects with escalated admin permissions.

Takeaways

Pacu provides several commands for pen testers to enumerate, privilege escalate, reconnaissance, exfiltration, exploitation, and persistence on the given AWS account. In this activity, I used iam__privesc_scan which is a command designed to scan for and exploit privilege escalation vulnerabilities in AWS Identity and Access Management (IAM) policies. If the policy is weak or vulnerable, this command can look for multiple approach to escalate privilege to a current AWS user. This command can be used in penetration testing for following purposes:

• Identify Weak IAM Policies that can be potentially exploited for privilege escalation.
• Demonstrate impact of weak policies by creating, modifying, and deleting AWS resources.
• Assessing the Security Posture is a great advantage as it can help identify and highlight areas where IAM policies need to be improved.

Prowler Assessment

cd prowler

./prowler.py aws -f us-east-2 -s {s3,iam,cloudtrail,cloudwatch} # Run Prowler

Here, I used prowler to scan for specific services like S3, IAM, Cloudtrail, Cloudwatch.

The output is summarized in the terminal or we can open the html file for detailed results in browser.

From the Prowler result the custom policy that we created is identified as vulnerable with high severity:

• Severity: High
• Service Name: IAM (Identity and Access Management)
• Region: us-east-2
• Check ID: iam_policy_allows_privilege_escalation
• Check Title: Ensure no Customer Managed IAM policies allow actions that may lead to Privilege Escalation
• Resource ID: Custom Policy arn:aws:iam::201368012826:policy/PacuExploitPolicy allows privilege escalation using the following actions: {‘iam:AttachRolePolicy’}.
• Status: FAIL
• Risk: Users with some IAM permissions are allowed to elevate their privileges up to administrator rights.
• Associated with: MITRE ATT&CK and AWS Well-Architected Framework (Security Pillar)
• Recommendations:
  • Granting usage permission on a per-resource basis
  • Applying the least privilege principle.
  • The best practice is to review and adjust the polices to remove the risky permissions.
  • Regular auditing and assessment of IAM policies is also important to figure out the security posture.

Conclusion

We covered three powerful open-source cloud assessment tools - ScoutSuite, Pacu and Prowler.

• Scoutsuite allowed us to perform a comprehensive scan of AWS, identifying vulnerabilities, misconfigurations, and potential security risks.
• Pacu enabling us to simulate attacks and assess the security of our AWS environment from an attacker’s perspective
• Prowler with more robust assessment by conducting security best practice checks and compliance checks based on industry standards.

Furthermore, I demonstrated how a simple misconfiguration could be exploited using these Pacu to gain higher privilege access. By regularly conducting assessments and adhering to best practices when creating policies and configurations, we can improve our defenses and minimize the potential for such cloud security breaches.

Resources

• AWS Pentesting (with pacu) by Cybr

Important Note: Always follow ethical guidelines. Never use these skills for illegal activities.

You can find competition galleries here 👈.

Familiarization

The preparation journey led me to platforms like Hack The Box, TryHackMe, and CyberQ, all of which offered a free tier Capture the Flag resources and challenges, it helped me get started.

I began solving basic challenges and gradually familiarized with the platforms, gaining fundamental skills in port scanning and network discovery done for enumeration as part of the reconnaissance process. As I progressed, I gained knowledge about potential network port specific misconfigurations that could potentially bypass authentication. In most challenges, password cracking, directory traversal, reverse shell and achieving privilege escalation were intermediate steps crucial for capturing the flags. I realized the importance of becoming proficient in these concepts in ethical hacking.

Understanding all the concepts and tools was challenging, so I began to compile reference notes. This not only helped me memorize but also served as a handy guide. You can refer here 👈.

Building Mindset

CTF challenges and competitions can vary based on different cloud platforms. Here are the basic strategy to help you start building a mindset for cracking CTFs:

Enumeration

• Discover networks to find the IP address of active hosts in the given network.
• Scan for operating system, open service ports with versions and look for common misconfigurations that could lead to bypass the authentication process.
• Use a browser to explore the application or perform directory traversal to find unsecured hidden paths.

Exploitation

• If password locking is an issue, there are many ways to crack passwords using dictionary or brute force attacks. Depending on the situation and target platform, decide which tools will be most effective for cracking password.
• Familiarize with the concept of reverse shell and tools that can generate the reverse shell file. This file will help us redirect to the target computer’s shell, granting remote access.
• This file can be injected either after connecting through open ports or from cracked password.
• Once attacker get into the target system, there’s a likelihood of further more misconfigurations. These can allow attacker to perform privilege escalation, potentially granting elevated access to resources.

Competition

Context

We were given a scenario with instructions and vulnerable cloud system in EC-Council’s CyberQ platform. There were seven flags in total to capture, with the final one being the most challenging. Each flag was linked to the previous one, either directly or indirectly, and the seventh flag couldn’t be captured without finding the first six. In this challenge, we had to demonstrate scanning network skills, password cracking skills, reverse shell and privilege escalation in a Linux based target system.

The Pain

Unfortunately, many of us faced difficulties as the virtual machine (VM) provided for the competition was hosted on a server in Singapore. Accessing it from North America resulted in a slow server response, keyboard input lag, and key bouncing. Despite the intense competitive environment and the server frustration, I successfully captured all the flags in just 38 minutes.

Answer Hint

Tips

• CyberQ Tip: To overcome the key bouncing issue, I typed commands in my system’s notepad and then copied them to the CyberQ VM using the Paste Clipboard Text button.

• Troubleshooting Tip: Reset your VM, if you face black screen of death or any OS issue.

• Submission Tip: It is specific to CyberQ, even if you submit all your flags correctly, the time doesn’t stop unless you Ends/Terminates the running by the VM using the red power button. Then, finish lab by clicking Finish button.