Bucket
Info
- Category : Digital Forensics
- SHA1SUM : fb393619f09c8e9d7272f305329601645e5aa952
- Published : Dec. 7, 2021
- Author : Scott Piper
- Size : 356 Bytes
- Tags : AWS cloud IR ’log analysis'
Unzip the challenge (pass: cyberdefenders.org)
Instructions
Use the provided credentials to access AWS cloud trail logs and Réponse the questions.
Scenario
Welcome, Defender! As a soc analyst, we’re granting you access to the AWS account called “Security” as an IAM user. This account contains a copy of the logs during the time period of the incident and has the ability to assume the “Security” role in the target account so you can look around to spot the misconfigurations that allowed for this attack to happen.
Credentials
Your IAM credentials for the Security account :
Environment
The credentials above give you access to the Security account, which can assume the role of “security” in the Target account. You also have access to an S3 bucket, named flaws2_logs, in the Security account, that contains the CloudTrail logs recorded during a successful compromise
Questions
1
2
3
4
5
6
|
aws configure
AWS Access Key ID [None]: AKIAIUFNQ2WCOPTEITJQ
AWS Secret Access Key [None]: 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
Default region name [None]:
Default output format [None]: json
|
Réponse : aws configure
Q2 - What is the ‘creation’ date of the bucket ‘flaws2-logs’?
Je me suis connecté à AWS Management Console. Nous devons sélectionner le service S3.
Réponse : 2018-11-19 20:54:31 UTC
Q3 - What is the name of the first generated event -according to time?
Télécharger le journal sur mon ordinateur :
1
|
aws s3 sync s3://flaws2-logs .
|
``shell
cd AWSLogs/653711331788/CloudTrail/us-east-1/2018/11/28/
gunzip 653711331788_CloudTrail_us-east-1_20181128T2235Z_cR9ra7OH1rytWyXY.json.gz
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
```shell
cat 653711331788_CloudTrail_us-east-1_20181128T2235Z_cR9ra7OH1rytWyXY.json | jq
{
"Records": [
{
"eventVersion": "1.05",
"userIdentity": {
"type": "AWSService",
"invokedBy": "ecs-tasks.amazonaws.com"
},
"eventTime": "2018-11-28T22:31:59Z",
"eventSource": "sts.amazonaws.com",
"eventName": "AssumeRole",
"awsRegion": "us-east-1",
"sourceIPAddress": "ecs-tasks.amazonaws.com",
"userAgent": "ecs-tasks.amazonaws.com",
"requestParameters": {
"roleSessionName": "d190d14a-2404-45d6-9113-4eda22d7f2c7",
"roleArn": "arn:aws:iam::653711331788:role/level3"
},
[...]
|
"eventName": "AssumeRole",
Réponse : AssumeRole
Q4 - What source IP address generated the event dated 2018-11-28 at 23:03:20 UTC?
J’ai fait un script python pour récupérer des informations dans les logs json :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
import json
import sys
def parse_logs(json_file):
with open(json_file) as file:
data = json.load(file)
for record in data['Records']:
event_time = record['eventTime']
source_ip = record['sourceIPAddress']
event_name = record['eventName']
print(f"Event Time: {event_time}")
print(f"Source IP Address: {source_ip}")
print(f"Event Name: {event_name}")
print()
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Give a JSON file as argument")
else:
json_file = sys.argv[1]
parse_logs(json_file)
|
Obtenez des informations sur tous les fichiers :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
for file in AWSLogs/*.json; do python3 get_info.py "$file"; done | grep -i -C 5 2018-11-28T23:03:20
Event Time: 2018-11-28T23:03:11Z
Source IP Address: 104.102.221.250
Event Name: GetObject
Event Time: 2018-11-28T23:03:20Z
Source IP Address: apigateway.amazonaws.com
Event Name: Invoke
Event Time: 2018-11-28T23:03:50Z
Source IP Address: 34.234.236.212
--
Event Time: 2018-11-28T23:03:12Z
Source IP Address: lambda.amazonaws.com
Event Name: AssumeRole
Event Time: 2018-11-28T23:03:20Z
Source IP Address: 34.234.236.212
Event Name: CreateLogStream
Event Time: 2018-11-28T23:03:13Z
Source IP Address: 34.234.236.212
|
Réponse : 34.234.236.212
Q5 - Which IP address does not belong to Amazon AWS infrastructure?
Seulement 2 IPs sont dans les logs : 104.102.221.250 et 34.234.236.212
1
2
3
4
5
|
nslookup 34.234.236.212
212.236.234.34.in-addr.arpa name = ec2-34-234-236-212.compute-1.amazonaws.com.
nslookup 104.102.221.250
250.221.102.104.in-addr.arpa name = a104-102-221-250.deploy.static.akamaitechnologies.com.
|
Réponse : 104.102.221.250
Q6 - Which user issued the ‘ListBuckets’ request?
1
2
3
|
grep -i ListBuckets 653711331788_CloudTrail_us-east-1_20181128T2*
653711331788_CloudTrail_us-east-1_20181128T2310Z_jQajCuiobojD8I4y.json:{"Records":[{"eventVersion":"1.05","userIdentity":....
|
Nous n’avons obtenu qu’un seul résultat avec le grep (plutôt cool) :
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
cat 653711331788_CloudTrail_us-east-1_20181128T2310Z_jQajCuiobojD8I4y.json | jq
{
"Records": [
{
"eventVersion": "1.05",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAJQMBDNUMIKLZKMF64:d190d14a-2404-45d6-9113-4eda22d7f2c7",
"arn": "arn:aws:sts::653711331788:assumed-role/level3/d190d14a-2404-45d6-9113-4eda22d7f2c7",
"accountId": "653711331788",
"accessKeyId": "ASIAZQNB3KHGNXWXBSJS",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2018-11-28T22:31:59Z"
},
"sessionIssuer": {
"type": "Role",
"principalId": "AROAJQMBDNUMIKLZKMF64",
"arn": "arn:aws:iam::653711331788:role/level3",
"accountId": "653711331788",
"userName": "level3"
}
}
},
"eventTime": "2018-11-28T23:09:28Z",
"eventSource": "s3.amazonaws.com",
"eventName": "ListBuckets",
"awsRegion": "us-east-1",
"sourceIPAddress": "104.102.221.250",
"userAgent": "[aws-cli/1.16.19 Python/2.7.10 Darwin/17.7.0 botocore/1.12.9]",
"requestParameters": null,
"responseElements": null,
"requestID": "4698593B9338B27F",
"eventID": "65e111a0-83ae-4ba8-9673-16291a804873",
"eventType": "AwsApiCall",
"recipientAccountId": "653711331788"
}
]
}
|
Réponse : level3
Q7 - What was the first request issued by the user ’level1’?
1
2
3
4
5
6
7
|
grep -rl "level1" AWSLogs/
AWSLogs/653711331788_CloudTrail_us-east-1_20181128T2305Z_83VTWZ8Z0kiEC7Lq.json
AWSLogs/653711331788_CloudTrail_us-east-1_20181128T2305Z_zKlMhON7EpHala9u.json
AWSLogs/653711331788_CloudTrail_us-east-1_20181128T2310Z_7J9NEIxrjJsrlXSd.json
AWSLogs/653711331788_CloudTrail_us-east-1_20181128T2310Z_A1lhv3sWzzRIBFVk.json
AWSLogs/653711331788_CloudTrail_us-east-1_20181128T2310Z_jJW5HfNtz7kOnvcP.json
|
Les fichiers journaux sont triés par date grâce à leur nom similaire et une partie spécifique liée à l’horodatage (*_20181128T2305Z_*) qui permet de savoir que la première requête est dans le premier fichier de la liste.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
cat AWSLogs/653711331788_CloudTrail_us-east-1_20181128T2305Z_83VTWZ8Z0kiEC7Lq.json | jq
{
"Records": [
{
"eventVersion": "1.04",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAIBATWWYQXZTTALNCE:level1",
"arn": "arn:aws:sts::653711331788:assumed-role/level1/level1",
"accountId": "653711331788",
"accessKeyId": "ASIAZQNB3KHGIGYQXVVG",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2018-11-28T23:03:12Z"
},
"sessionIssuer": {
"type": "Role",
"principalId": "AROAIBATWWYQXZTTALNCE",
"arn": "arn:aws:iam::653711331788:role/service-role/level1",
"accountId": "653711331788",
"userName": "level1"
}
}
},
"eventTime": "2018-11-28T23:03:12Z",
"eventSource": "logs.amazonaws.com",
"eventName": "CreateLogStream",
"awsRegion": "us-east-1",
"sourceIPAddress": "34.234.236.212",
"userAgent": "awslambda-worker",
"errorCode": "AccessDenied",
"errorMessage": "User: arn:aws:sts::653711331788:assumed-role/level1/level1 is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:us-east-1:653711331788:log-group:/aws/lambda/level1:log-stream:2018/11/28/[$LATEST]2d75b45ba94f495598fd2fed9f3ca60e",
"requestParameters": null,
"responseElements": null,
"requestID": "c80afb02-f361-11e8-b660-f9fa07f60344",
"eventID": "77b02a51-70c8-465b-94df-579c1fe42a5c",
"eventType": "AwsApiCall",
"recipientAccountId": "653711331788"
}
]
}
|
Réponse : CreateLogStream
