Release Module 2 Manuals, Bug Fixes

README.md

@@ -133,7 +133,7 @@ Escalation Path:
 
 # Pricing
 
-The resources created with the deployment of AWSGoat will not incur any charges if the AWS account is under the free tier/trial period. However, upon exhaustion/ineligibility of the free tier/trial, the following charges will apply: 
+The resources created with the deployment of AWSGoat will not incur any charges if the AWS account is under the free tier/trial period. However, upon exhaustion/ineligibility of the free tier/trial, the following charges will apply for the US-East region: 
 
 Module 1: **$0.0125/hour**
 
@@ -208,11 +208,9 @@ Module 2:
 
 # License
 
-This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License v2 as published by the Free Software Foundation.
+This program is free software: you can redistribute it and/or modify it under the terms of the MIT License.
 
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License along with this program. If not, see https://www.gnu.org/licenses/.
+You should have received a copy of the MIT License along with this program. If not, see https://opensource.org/licenses/MIT.
 
 # Sister Projects
 

modules/module-1/main.tf

@@ -3452,7 +3452,7 @@ resource "aws_iam_policy" "goat_inline_policy_2" {
           "iam:AttachRolePolicy"
         ],
         "Effect" : "Allow",
-        "Resource" : ["${aws_lambda_function.lambda_ba_data.arn}", "${aws_iam_role.blog_app_lambda.arn}"],
+        "Resource" : ["${aws_lambda_function.lambda_ba_data.arn}", "${aws_iam_role.blog_app_lambda_python.arn}"],
         "Sid" : "Pol0"
       },
       {

modules/module-2/main.tf

@@ -379,11 +379,21 @@ data "template_file" "user_data" {
 resource "aws_ecs_task_definition" "task_definition" {
   container_definitions = data.template_file.task_definition_json.rendered
   family                = "ECS-Lab-Task-definition"
-  #  network_mode             = "bridge"
+  network_mode             = "bridge"
   memory                   = "512"
   cpu                      = "512"
   requires_compatibilities = ["EC2"]
   task_role_arn            = aws_iam_role.ecs-task-role.arn
+
+  pid_mode = "host"
+  volume {
+    name      = "modules"
+    host_path = "/lib/modules"
+  }
+  volume {
+    name      = "kernels"
+    host_path = "/usr/src/kernels"
+  }
 }
 
 data "template_file" "task_definition_json" {

modules/module-2/resources/ecs/task_definition.json

@@ -16,14 +16,23 @@
         "linuxParameters": {
             "capabilities": {
                 "add": [
-                    "SYS_ADMIN"
+                    "SYS_PTRACE"
                 ]
             },
             "initProcessEnabled": true
         },
         "cpu": 0,
         "image": "public.ecr.aws/p3q0v3y2/aws-goat-m2:latest",
         "name": "aws-goat-m2",
-        "privileged": true
+        "mountPoints": [
+            {
+                "sourceVolume": "modules",
+                "containerPath": "/lib/modules"
+            },
+            {
+                "sourceVolume": "kernels",
+                "containerPath": "/usr/src/kernels"
+            }
+        ]
     }
 ]

modules/module-2/resources/ecs/user_data.tpl

@@ -1,5 +1,32 @@
+Content-Type: multipart/mixed; boundary="==BOUNDARY=="
+MIME-Version: 1.0
+
+--==BOUNDARY==
+Content-Type: text/cloud-boothook; charset="us-ascii"
+
+# Set iptables configuration
+
+yum install iptables-services -y
+
+cat <<EOF > /etc/sysconfig/iptables 
+*filter
+:DOCKER-USER - [0:0]
+-A DOCKER-USER -d 169.254.169.254/32 -j DROP
+COMMIT
+EOF
+
+systemctl enable iptables && systemctl start iptables
+
+--==BOUNDARY==
+Content-Type: text/x-shellscript; charset="us-ascii"
+
 #!/bin/bash
 
-#Adding cluster name in ecs config
-echo ECS_CLUSTER=ecs-lab-cluster >> /etc/ecs/ecs.config
-cat /etc/ecs/ecs.config | grep "ECS_CLUSTER"
+# Update all packages
+sudo yum install kernel-devel-$(uname -r) -y
+
+# Set any ECS agent configuration options
+echo "ECS_CLUSTER=ecs-lab-cluster" >> /etc/ecs/ecs.config
+
+python3 -m http.server 31452 &> /dev/null & pid=$!
+--==BOUNDARY==--

modules/module-2/resources/src/Dockerfile → modules/module-2/src/Dockerfile

@@ -3,7 +3,7 @@ FROM php:8.0-apache
 RUN docker-php-ext-install mysqli && docker-php-ext-enable mysqli
 RUN apt-get update && apt-get upgrade -y
 RUN apt-get install mariadb-client-10.5 -y
-RUN apt-get install -y python3 sudo vim libcap2-bin fdisk
+RUN apt-get install -y python3 sudo vim libcap2-bin fdisk net-tools netcat
 
 COPY ./src /var/www/html
 COPY ./script /usr/local/bin
@@ -15,5 +15,5 @@ RUN echo "www-data ALL=NOPASSWD:/usr/bin/vim /var/www/html/documents" >> /etc/su
 
 RUN chmod 774 -R /var/www/html/documents
 
-CMD ["startup.sh"]
+CMD ["/usr/local/bin/startup.sh"]
 EXPOSE 80

modules/module-2/resources/README.md → modules/module-2/src/README.md

@@ -3,12 +3,12 @@
 ## Steps to build application code
 
 
-1. Make changes to the source code in ``src/src``.
+1. Make changes to the source code in ``src/``.
 
 2. Create a Public Repository in AWS ECR, and follow the push commands to build and push the updated image.
 
 3. Retrieve the image URI from the ECR repository on AWS console.
 
-4. Replace the image value, in ``ecs/task_definition.json`` with the image uri.
+4. Replace the image value, in ``../resources/ecs/task_definition.json`` with the image uri.
 
 5. Run the terraform apply action.

modules/module-2/resources/src/src/login.php → modules/module-2/src/src/login.php

@@ -26,19 +26,20 @@
 		$_SESSION['id'] = $row['id'];
 		$_SESSION['isadmin']  = $row['isadmin'];
 		$isadmin = $row['isadmin'];
-
+		$_SESSION['organization_id'] = $row['organization_id'];
+
 		if($result->num_rows > 1){
 			while($row = $result->fetch_assoc()){
 				$_SESSION['username'] = $row['username'];
 				$_SESSION['id'] = $row['id'];
 				$_SESSION['isadmin']  = $row['isadmin'];
 				$isadmin = $row['isadmin'];
+				$_SESSION['organization_id'] = $row['organization_id'];
 			}
 		}
 		if ($isadmin == 0)
 			header("Location: ./user/index.php");
 		else if($isadmin == 1){
-			$_SESSION['organization_id'] = $row['organization_id'];
 			header("Location: ./admin/admin-index.php");
 		}
 		else if($isadmin == 2){

solutions/module-1/07-IAM Privilege Escalation.md

@@ -117,17 +117,17 @@ Now, run the below-mentioned command to get the policy details of the policy, wh
 aws iam get-policy --policy-arn arn:aws:iam::928880666574:policy/dev-ec2-lambda-policies
 ```
 
-![](https://user-images.githubusercontent.com/65826354/179529009-87328ddd-d604-422d-bc93-74474d0b7e05.png)
+![](https://user-images.githubusercontent.com/65826354/197143548-32f53670-8c84-4254-9759-84a0272cec39.png)
 
 Run the below-mentioned command to get the specified version of the policy
 
 Command:
 
 ```bash
-aws iam get-policy-version --policy-arn arn:aws:iam::928880666574:policy/dev-ec2-lambda-policies --version-id v2
+aws iam get-policy-version --policy-arn arn:aws:iam::928880666574:policy/dev-ec2-lambda-policies --version-id v1
 ```
 
-![](https://user-images.githubusercontent.com/65826354/179529016-e1845c5c-ddd8-44d4-9cfe-a97da5d7bc58.png)
+![](https://user-images.githubusercontent.com/65826354/197149071-9e54d83e-a62a-457d-a0a1-75e13ef354b9.png)
 
 We have a few IAM get & list permissions along with fairly permissive lambda permissions too.
 Now, run the below-mentioned command to list the lambda functions in the specified region. 
@@ -160,19 +160,19 @@ Command:
 aws iam get-policy --policy-arn arn:aws:iam::928880666574:policy/lambda-data-policies
 ```
 
-![](https://user-images.githubusercontent.com/65826354/179529032-d4479fd9-5321-45d4-bf24-0e80a1935672.png)
+![](https://user-images.githubusercontent.com/65826354/197149800-ddc61398-d32e-49dd-a49f-b743f19dc220.png)
 
 To get the specific version of the specified policy, run the following command
 
 Command:
 
 ```bash
-aws iam get-policy-version --policy-arn arn:aws:iam::928880666574:policy/lambda-data-policies --version-id v2
+aws iam get-policy-version --policy-arn arn:aws:iam::928880666574:policy/lambda-data-policies --version-id v1
 ```
 
 You will get the following output
 
-![](https://user-images.githubusercontent.com/65826354/179529040-2724076d-925d-4ace-ba48-16d2bea6bdd5.png)
+![](https://user-images.githubusercontent.com/65826354/197150176-1a397ad9-bf52-473e-981f-2198de82be6d.png)
 
 These are restrictive policies, we will try to attach a more generous policy.
 Now, create a new file, *full_policy.json* with the help of nano editor. Run-
@@ -222,7 +222,7 @@ Command:
 aws iam attach-role-policy --role-name blog_app_lambda_data --policy-arn arn:aws:iam::928880666574:policy/escalation_policy
 ```
 
-Open a new terminal and check for AWS account id with the help of the below-mentioned command
+Move to the terminal with the blog-application-data functions' aws credentials and verify the current identity. The Arn should look like the image below (with a different account number).
 
 Command:
 

solutions/module-2/01-SQL Injection.md

@@ -0,0 +1,150 @@
+# Objectives
+
+Perform SQL Injection and log into the web application 
+
+# Solution
+
+* Go to the login page of the web application.
+
+* Now, we can find **Email** as an injection point to perform the SQLi.
+
+    ![](./images/01/01.png)
+
+*  Let's try the most commonly used command in SQLi attacks, i.e. :
+    ```sql
+    ' OR 'x'='x
+    ```
+
+* Use the above payload in the **Email** and **Password** fields
+
+    ![](./images/01/02.png)
+
+* Here, we are passing an OR statement and passing a condition, x=x which will always be true. Hence we will be able to dump all the rows from the queried table. To pass our input as a SQL command rather than a simple string, we are using a single quote. Single quotes in SQL are generally used to indicate beginning and end of strings in input fields. So by adding a single quote (') we are past the email input parameter and can add SQL code after that.
+
+    ![](./images/01/03.png)
+
+
+* As we can see, there is a front-end check for the **Email** field. To get around that, we need to change the input field's type from **email** to **text** and then perform the injection. This should work if there is no backend email verification.
+
+    ![](./images/01/04.png)
+
+    ![](./images/01/05.png)
+
+* After changing the field type, submit the login form by clicking on **Login** button.
+
+    ![](./images/01/06.png)
+
+* This Payload fails, let's try another payload
+    ```sql
+    ' or '1'='1'#
+    ```
+
+* Use the above payload in the **Email** field. We can again use anything in the **Password** field since it will eventually get commented out.
+
+    ![](./images/01/07.png)
+
+* **Voila! we are into the application!**
+
+    ![](./images/01/08.png)
+
+* On exploring the application we can find a file upload field for user Mark, we will revisit this later.
+
+    ![](./images/01/09.png)
+
+# What's happening?
+
+* Since, this is a **PHP** application we are assuming that the backend SQL query might be something like this:
+    ```php
+    select * from [TABLE_NAME] where email = '$[EMAIL_INPUT]' and password = '$[PASSWORD_INPUT]';
+    ```
+* Now, when we use our payload the query will be converted into this:
+    ```php
+    select * from [TABLE_NAME] where email = '' or '1'='1'#' and password = '$[PASSWORD_INPUT]'; 
+    ```
+* If we look at the above code snippet, our payload  `'or '1'='1' #`  is replaced in the `$[EMAIL_INPUT]`, and the password field is commented out. Hence, we can get all the rows from the table where users are stored! 
+
+* Now let's explore this page.
+
+# Further Modifications
+
+* This seems to be a **Normal User** login. Let's see if we can log in to a different user by making modifications to the payload.
+
+* Since everything after the "**#**" gets commented out, we can add some **SQL** conditions before the "**#**" in the payload to modify the output! 
+
+* When dumping all the table rows the SQL LIMIT clause can be helpful to control the number of rows returned by SQL. Let's use the payload below: 
+
+    ```sql
+    'or '1'='1' LIMIT 5 #
+    ```
+
+    ![](./images/01/10.png)
+
+* This worked but logged us back in to the same user. Let's try changing the `LIMIT 5` to `LIMIT 4`
+
+* We can now see that the username has indeed changed, but this one too looks like a normal user.
+
+    ![](./images/01/11.png)
+
+* Let's try changing the `LIMIT 4` to `LIMIT 3`.
+
+    ![](./images/01/12.png)
+
+* Now we can see that this is another account and if we carefully examine this doesn't seem like a normal user. This is a managers' account!
+
+    ![](./images/01/13.png)
+
+    ![](./images/01/14.png)
+
+* And this user has a different file upload field, to upload payslips.
+
+    ![](./images/01/15.png)
+
+* Let's now try using another SQL clause ORDER BY, used to sort the query output in the payload:
+
+    ```sql
+    'or '1'='1' ORDER BY id#
+    ```
+
+* Here in the above payload, we are assuming that the DBMS table consists of a column named `id`, let's check if it can fetch anything useful.
+
+    ![](./images/01/16.png)
+
+
+* We are logged back into the same normal user. By this point we can guess the structure of the table where this user data is stored. The id field will let us access the users with the highest and lowest id using the `ORDER BY` clause.
+
+    | id | email | password |
+    | -- | --- | ----------- |
+    | 1 | user1 | password1 |
+    | 2 | user2 | password2 |
+
+* Let's try adding `DESC` and see if anything different comes up.
+
+    ![](./images/01/17.png)
+
+* Here if you examine, you can see we logged into a different user and this time it's neither a normal user nor a manager but it's the admin!
+
+    ![](./images/01/18.png)
+
+* Explore further to find the functionalities of the respective user types.
+
+# Key Findings
+
+* The **Email** field is injectable.
+
+* This is a **PHP** based web application.
+
+* We can use `'or '1'='1'#` payload to login into the web application.
+
+* There exists an ``id`` field along with the email and password in the database table.
+
+* We can further modify the payload to add additional constraints and log into the web application using different users!
+
+* There seem to be 3 types of users:
+    * Normal User
+    * Manager
+    * Admin
+
+* There are 4 ways a user can upload a file:
+    * Normal user > Reimbursements page.
+    * Manager > Payslips page & Reimbursements page.
+    * Admin > Payslips page.