What is CloudGoat?
CloudGoat is a “vulnerable by design” AWS deployment tool created by Rhino Security Labs. It deploys an intentionally vulnerable set of AWS resources and is meant for teaching and testing cloud penetration testing against issues commonly seen in real-life environments. Each scenario is built in a Capture the Flag (CTF) style, with the AWS resources deployed into an existing environment. In each scenario, you explore the AWS environment and its resources and demonstrate your understanding of the issue by exploiting the vulnerabilities. Currently, there are seven (7) scenarios that explore various attack vectors and vulnerabilities, such as:
- IAM permissions
- Misconfigured EC2 instances, Lambda functions and elastic load balancers
- Misconfigured web applications
- Evading detection
- Default settings, configurations and software
The goals when exploiting the CloudGoat environment are:
- Privilege escalation
- Logging/monitoring evasion
- Data and information enumeration
- Data exfiltration
- Persistent access
Pacu AWS
Pacu is a comprehensive open-source AWS exploitation framework designed by Rhino Security Labs for penetration testing on AWS environments. Pacu is designed to be the Metasploit equivalent. Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules. Pacu modules were designed to be used against the CloudGoat environment.
Set up CloudGoat
CloudGoat uses a Terraform-based deployment script to automatically launch resources into, and destroy them from, an existing AWS environment. I recommend creating a new AWS account (preferably free tier) just for this purpose. Deploy the environment and destroy it as soon as you are done, to avoid unexpected charges.
Warning #1: CloudGoat creates intentionally vulnerable AWS resources in your account. DO NOT deploy CloudGoat in a production environment or alongside any environment with sensitive AWS resources or data.
Warning #2: CloudGoat can only manage resources it creates. If you create any resources yourself in the course of a scenario, you should remove them manually before running the “destroy” command.
Docker
The easiest way to use CloudGoat is to use the Docker image. Assuming you have Docker installed, execute the following command:
docker run -it rhinosecuritylabs/cloudgoat:latest
From Source
Requirements
- Linux OS (I used Kali Linux)
- Python 3.6 or a later version
- Terraform 0.12 or a later version
- AWS CLI
Clone it from the Rhino Security Labs GitHub page:
git clone https://github.com/RhinoSecurityLabs/cloudgoat.git ./CloudGoat
Install dependencies
cd CloudGoat
pip3 install -r ./core/python/requirements.txt
chmod u+x cloudgoat.py
Usage
IAM user creation
In your existing AWS environment, create an IAM user with the “AdministratorAccess” policy attached to it. Note: It is best practice to use your root user (the account used to create the AWS account) only to create your first IAM user.
Save the access key ID and the secret access key, as you’ll need them to configure the AWS CLI.
AWS CLI configuration
Configure the IAM user’s credentials in the AWS CLI. On Kali Linux, run the following commands:
Configure the IAM user as a named AWS CLI profile:
aws configure --profile <profile_name>
To verify the configuration:
aws sts get-caller-identity --profile <profile_name>
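The identity check above can be turned into a guard that enforces Warning #1 before anything is deployed. The following is an added example, not part of CloudGoat or of the original post: the function names are this example's own, and the profile name, scenario name and 12-digit lab account ID are placeholders you supply.

```bash
#!/usr/bin/env bash
# Added example: refuse to deploy CloudGoat unless the CLI profile resolves
# to the dedicated lab account. Function names are this example's own.

# preflight_verdict EXPECTED_ACCOUNT REPORTED_ACCOUNT CALLER_ARN
# Prints a one-line verdict; returns 0 (safe), 1 (refuse), 2 (bad input).
preflight_verdict() {
    pv_expected=$1 pv_account=$2 pv_arn=$3
    case $pv_expected in
        ''|*[!0-9]*) echo "error: expected account ID must be numeric"; return 2 ;;
    esac
    if [ "${#pv_expected}" -ne 12 ]; then
        echo "error: expected account ID must be 12 digits"; return 2
    fi
    if [ "$pv_account" != "$pv_expected" ]; then
        echo "refuse: profile resolves to account $pv_account, not lab account $pv_expected"
        return 1
    fi
    case $pv_arn in
        "arn:aws:iam::$pv_account:root")
            echo "refuse: root credentials in use; configure the IAM user instead"
            return 1 ;;
        "arn:aws:iam::$pv_account:user/"*)
            echo "ok: ${pv_arn##*:user/} in lab account $pv_account"
            return 0 ;;
        *)
            echo "refuse: unexpected principal $pv_arn"
            return 1 ;;
    esac
}

# preflight PROFILE EXPECTED_ACCOUNT
# Asks STS who the profile is, then applies the verdict above.
preflight() {
    pf_account=$(aws sts get-caller-identity --profile "$1" \
        --query Account --output text) || return 3
    pf_arn=$(aws sts get-caller-identity --profile "$1" \
        --query Arn --output text) || return 3
    preflight_verdict "$2" "$pf_account" "$pf_arn"
}

# Usage (profile name, account ID and scenario name are placeholders):
#   preflight <profile_name> <lab_account_id> && ./cloudgoat.py create <scenario_name>
```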
CloudGoat configuration
On Kali Linux, run the following commands:
Create a CloudGoat profile:
./cloudgoat.py config profile
Whitelist the IP address of your machine:
./cloudgoat.py config whitelist --auto
Running each scenario
To deploy the resources for a scenario on AWS:
./cloudgoat.py create <scenario_name>
To destroy the resources for a scenario on AWS:
./cloudgoat.py destroy <scenario_name>
Conclusion
CloudGoat is a great learning platform for honing one’s cloud security skills. It suits people of all skill levels, from beginners to experts.