CTF Walkthrough: pentesting.cloud "Aurora Borealis"

stevensmiley

Steven Smiley

Posted on January 22, 2023

CTF Walkthrough: pentesting.cloud "Aurora Borealis"

The pentesting.cloud challenge Aurora Borealis asks us to understand the permissions and processes to connect to Aurora databases with AWS IAM authentication. It creates an Amazon Aurora DB based on a snapshot with unknown contents and configuration, an EC2 instance, and limited user permissions.

Finding a starting point

We examine the IAM roles and policies in the environment, and see that there's an EC2 instance role that can rds-db:* on arn:aws:rds-db:us-west-2:*:dbuser:*/us-west-2. The rds-db:* includes all RDS IAM actions, including connecting to the database. It's important to read that ARN carefully because it reveals the database username we'll need. The ARN format of a db-user is arn:${Partition}:rds-db:${Region}:${Account}:dbuser:${DbiResourceId}/${DbUserName}. That's right, the username is us-west-2, it's not referring to the region.

Since the permissions belong to the EC2 instance, we need to connect from there. Conveniently, pentesting-user can ssm:StartSession on that instance.

Connecting to the DB

We start an SSM session on the EC2 instance so we can use its permissions to connect to the RDS database using IAM authentication. We'll first need to install the mysql client, download the SSL certificate, and generate an authentication token for the user.

sh-4.2$ sudo yum install mysql
sh-4.2$ wget https://truststore.pki.rds.amazonaws.com/us-west-2/us-west-2-bundle.pem
sh-4.2$ RDSHOST="aurora-dbcluster-yjt22bb5xqez.cluster-cmugjtcpbuo6.us-west-2.rds.amazonaws.com"
sh-4.2$ TOKEN="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 1337 --region us-west-2 --username us-west-2)"
sh-4.2$ mysql --host=$RDSHOST --port=1337 --ssl-ca=us-west-2-bundle.pem --user=us-west-2 --password=$TOKEN

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 24
Server version: 5.7.12 MySQL Community Server (GPL)
MySQL [(none)]>
Enter fullscreen mode Exit fullscreen mode

With the MySQL connection, let's explore the database to find the flag.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| flags              |
+--------------------+

MySQL [(none)]> use flags;
Database changed

MySQL [flags]> show tables;
+-----------------+
| Tables_in_flags |
+-----------------+
| flag            |
+-----------------+

MySQL [flags]> describe flag;
+-------+--------------+------+-----+---------+-------+
| Field | Type         | Null | Key | Default | Extra |
+-------+--------------+------+-----+---------+-------+
| flag  | varchar(100) | YES  |     | NULL    |       |
+-------+--------------+------+-----+---------+-------+

MySQL [flags]> select * from flag;
+----------------------------------+
| flag                             |
+----------------------------------+
| xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
+----------------------------------+
Enter fullscreen mode Exit fullscreen mode

Improving AWS data protection

This challenge didn't involve many steps, but required understanding AWS IAM authentication to RDS. To improve data protection with RDS:

  • Be cognizant of the enabled authentication mechanisms
  • Grant users the minimum permissions to perform their duties
  • As much as possible, keep people away from data, limiting potential access vectors
💖 💪 🙅 🚩
stevensmiley
Steven Smiley

Posted on January 22, 2023

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related