Breaking and Pwning Apps and Servers on AWS and Azure - Free Training Courseware and Labs
Introduction
The world is changing right in front of our eyes. The way we have been learning is going to be radically transformed by the time we have all eradicated COVID-19 from our lives.
While we figure out the best way to transfer our knowledge to you, we realise that by the time the world is out of the lockdown, a cloud focussed pentesting training is likely to be obsolete in parts.
So as a contribution towards the greater security community, we decided to open source the complete training.
Hope you enjoy this release and come back to us with questions, comments, feedback, new ideas or anything else that you want to let us know! Looking forward to hacking with all of you!
Description
Amazon Web Services (AWS) and Azure run the most popular and most used cloud infrastructure and boutique of services. There is a need for security testers, Cloud/IT admins and people tasked with the role of DevSecOps to learn how to effectively attack and test their cloud infrastructure. In this tools and techniques based training we cover attack approaches, creating your attack arsenal in the cloud, and a distilled deep dive into the AWS and Azure services and concepts that should be used for security.
The training covers a multitude of scenarios taken from our vulnerability assessment, penetration testing and OSINT engagements which take the student through the journey of discovery, identification and exploitation of security weaknesses, misconfigurations and poor programming practices that can lead to complete compromise of the cloud infrastructure.
The training is meant to be hands-on, with guided walkthroughs, scenario based attacks and coverage of tools that can be used for attacking and auditing. Due to the attack-focused nature of the training, there is not a lot of documentation around security architecture, defence in depth etc. Additional references are provided in case further reading is required.
To proceed, you will need
- An AWS account, activated for payments (you should be able to open and view the Services > EC2 page)
- An Azure account, you should be able to login to the Azure console
About this repo
This repo contains all the material from our 3 day hands on training that we have delivered at security conferences and to our numerous clients.
The primary things in this repo are:
- documentation - all documentation in markdown format that is to be used to go through the training
- setup-files - files required to create a student virtual machine that will be used to create the cloud labs
- extras - any additional files that are relevant during the training
Getting started
- Clone this repo
- Setup the student VM
- Host the documentation locally using gitbook
- Follow the docs :)
Step 1 - Setup the student VM
- the documentation to set up your own student virtual machine, which is required for the training, is under documentation/setting-up/setup-student-virtual-machine.md
- this needs to be done first
Step 2 - Documentation
- As all documentation is in markdown format, you can use Gitbook to host a local copy while walking through the training
Steps to do this
- install gitbook-cli (npm install gitbook-cli -g)
- cd into the documentation folder
- gitbook serve
- browse to http://localhost:4000
License
- Documentation and Gitbook are released under Creative Commons Attribution Share Alike 4.0 International
- Lab material, including any code and scripts, is released under the MIT License
About Appsecco
At Appsecco we provide advice, testing and training around software, infra, web and mobile apps, especially those that are cloud hosted. We also specialise in auditing AWS environments as per the AWS CIS Foundations Benchmark to create a picture of the current state of security in your AWS environment. Our experience has led us to create multiple hands-on training courses like the very popular "Breaking and Pwning Apps and Servers on AWS and Azure" and "Automated Defence using Cloud Services for AWS, Azure and GCP".
no such file or directory in: ${file("~/.ssh/id_rsa.pub")}
Hi,
Hoping you can assist with the below issue I've run into.
I was able to run the following commands successfully:
eval `ssh-agent -s`
ssh-checker
ssh-add -l
But then received the below error when running 'deploy-cloudhacker':
Error: aws_key_pair.cloudhackerlabkey: 1 error(s) occurred:
${file("~/.ssh/id_rsa.pub")}
Thank you.
Getting error while running deploy-cloudhacker
While setting up the attacker machine in AWS by running the deploy-cloudhacker script, I am getting an error.
The error seems to be related to permissions, so I tried to run it with the sudo command, but it's failing as well, as it was supposed to be run as a non-root user.
{"Code":"InternalServerError","Message":"An internal server error occurred."}
Hi appsecco,
Thank you for your help with previous queries. I faced another one during the testing of Lambda.
I've successfully deployed lambda using: deploy-awslambda. When I try to query it I get the following: {"Code":"InternalServerError","Message":"An internal server error occurred."}
My query: curl "https://something-api.us-east-1.amazonaws.com/api/string"
`deploy-cloudhacker` command fails with errors
ubuntu @ adorable-street :$ deploy-cloudhacker
Initializing provider plugins...
Error installing provider "aws": failed to create plugin dir .terraform/plugins/linux_amd64: mkdir .terraform: permission denied.
Terraform analyses the configuration and state and automatically downloads plugins for the providers used. However, when attempting to download this plugin an unexpected error occured.
This may be caused if for some reason Terraform is unable to reach the plugin repository. The repository may be unreachable if access is blocked by a firewall.
If automatic installation is not possible or desirable in your environment, you may alternatively manually install plugins by downloading a suitable distribution package and placing the plugin's executable file in the following directory: terraform.d/plugins/linux_amd64
Plugin reinitialization required. Please run "terraform init". Reason: Could not satisfy plugin requirements.
Plugins are external binaries that Terraform uses to access and manipulate resources. The configuration provided requires plugins which can't be located, don't satisfy the version constraints, or are otherwise incompatible.
1 error(s) occurred:
Originally posted by @D33van in https://github.com/appsecco/breaking-and-pwning-apps-and-servers-aws-azure-training/issues/5#issuecomment-616925127
SSH password for deploy-compute-target (EC2)
Hi,
Can you share the SSH password for the AWS EC2 that is deployed using "deploy-compute-target" from cloudhacker?
I want to SSH to the machine to practice locally from that machine.
Can't add hostname for "Domain Takeover exercise"
Hi, I'm doing the following exercise based on: http://localhost:4000/bapazure/other-services/azure-app-services-subdomain-takeover.html
I am stuck at the "Add a custom domain to the App Service" section on the following step: "2. Click on Add hostname and type XXXXXXXXXX.galaxybutter.co. Replace XXXXXXXXXX with your team name."
There is no hostname button. I have add custom domain and getting an error on "domain ownership" section
* provider.aws: error using credentials to get account ID: error calling sts:GetCallerIdentity: SignatureDoesNotMatch: Signature expired: 20200531T052050Z is now earlier than 20200531T052308Z (20200531T053808Z - 15 min.) status code: 403, request id:
Error: Error refreshing state: 1 error(s) occurred:
Failed to load backend: This plan was created against an older state than is current. Please create a new plan file against the latest state and try again.
Terraform doesn't allow you to run plans that were created from older states since it doesn't properly represent the latest changes Terraform may have made, and can result in unsafe behavior.
Plan Serial: 0 Current Serial: 2
chalice/python version complications
The current version of setup-files/bin/deploy-awslambda tries to deploy a python2 compatible lambda function to AWS. Chalice uses the version of python under which it is running to determine what runtime the lambda should use. So if you are running chalice under python v2, all is good (the lambda will execute in a v2 runtime). If you are running chalice under python v3 it will deploy the lambda with a v3 runtime, which is incompatible with the lambda code.
So either:
update setup-files/terraform/cloudlambda/md5sum/app.py to python v3 and add "pip3 install chalice" to documentation/setting-up/setup-student-virtual-machine.md
OR
leave the code as python v2 and add "sudo apt install python-pip" and "pip2 install chalice" to documentation/setting-up/setup-student-virtual-machine.md
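A pre-deploy check for the mismatch described in this issue, as an added example that is not part of the original issue or the project's scripts: it reads the `#!` line of the `chalice` entry script to find the Python it runs under and compares that interpreter's major version with the one the Lambda code needs. The function names are hypothetical, and it assumes chalice was installed with pip so that its entry script starts with a `#!` line.

```python
import os
import shutil
import subprocess


def shebang_interpreter(script_path):
    """Return the interpreter named on a script's #! line, or None."""
    with open(script_path, "rb") as fh:
        first = fh.readline().decode("utf-8", "replace").strip()
    parts = first[2:].split() if first.startswith("#!") else []
    if not parts:
        return None
    # "#!/usr/bin/env python3" names the interpreter in the second field.
    if os.path.basename(parts[0]) == "env" and len(parts) > 1:
        return parts[1]
    return parts[0]


def interpreter_major(interpreter):
    """Ask the interpreter itself for its major version (2 or 3)."""
    out = subprocess.run(
        [interpreter, "-c", "import sys; print(sys.version_info[0])"],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        universal_newlines=True, check=True,
    )
    return int(out.stdout.strip())


def runtime_mismatch(chalice_script, required_major):
    """Return None if deploying is safe, else a message explaining why not."""
    interpreter = shebang_interpreter(chalice_script)
    if interpreter is None:
        return "cannot tell which Python runs %s (no #! line)" % chalice_script
    try:
        major = interpreter_major(interpreter)
    except (OSError, subprocess.CalledProcessError, ValueError) as exc:
        return "cannot query %s: %s" % (interpreter, exc)
    if major != required_major:
        return ("chalice runs under Python %d (%s) but the Lambda code needs "
                "Python %d; the deployed function would get a python%d runtime"
                % (major, interpreter, required_major, major))
    return None


if __name__ == "__main__":
    path = shutil.which("chalice")
    # required_major=2 matches the python2 Lambda code this issue refers to.
    problem = runtime_mismatch(path, 2) if path else "chalice is not on PATH"
    print(problem or "OK to deploy")
```

Running this before deploy-awslambda surfaces the version mismatch locally instead of as an error from the deployed endpoint.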
missing instructions for ff/burp config
somewhere around line 36, we need some instructions like:
ami in all the scripts are not working.
I was setting up this application. It looks like the cloudhacker TF script and other scripts need to get their ami version updated.
example :
ami = "ami-04580aa96a68a006c" <== line 130 in /setup-files/terraform/cloudhacker/setup)/cloudhacker.tf
Other amis are also outdated and not in use anymore.
Please update the script.
Please fix the SSH issue also. I changed the ami to a different one but am having other issues like ssh denied :/
Accessing the source of Lambda using stolen creds - no aws creds?
Hi, based on the guide "http://localhost:4000/cloud-compute/attacking-serverless-lambda-endpoints.html", Lambda should have stored AWS credentials. I checked ~/.aws/credentials but there is nothing. This is my request: curl "https://asd22sds3.execute-api.us-east-1.amazonaws.com/api/hack;cat%20~%2F.aws%2Fcredentials;w"
The guide says that when you have AWS creds you can access via "aws configure". But I have only creds from /etc/passwd. There are no AWS creds.