
Information
My Recommendations
Download it from CyberDefenders and verify it with sha1sum:
sha1sum /path/to/c65-flAWS2.zip
SHA1: 2dc9fc0deb94d18183f2762114812058
This is my personal preference: I like being organized and deleting a folder when I'm done with it.
mkdir Documents/CyberDefenders/Bucket && cd Documents/CyberDefenders/Bucket
Walkthrough
1. What is the full AWS CLI command used to configure credentials?
The AWS command is aws configure. To proceed with the challenge, we need to configure our current system. The credentials are provided in the Credentials.txt file:
The command aws configure asks for the region name, which we don't know. We can log into the AWS Management Console (the link next to Login) in a web browser to find it. Under Settings, the default region will be displayed:
Now, we are ready to use aws configure to access information. Make sure to select json when choosing a Default output format.
Answer: aws configure
2. What is the 'creation' date of the bucket 'flaws2-logs'?
To list the buckets, we can use the following command:
aws s3api list-buckets
Answer: 2018-11-19 20:54:31
3. What is the name of the first generated event, according to time?
In order to view the logs, we can use the sync command, which downloads them. Then, we just need to decompress them:
aws s3 sync s3://flaws2-logs .
find AWSLogs -type f -exec gunzip "{}" \;
Now that they are decompressed, we can grep for eventTime and sort the results chronologically:
find AWSLogs -type f -exec jq . "{}" \; | grep eventTime | sort | uniq
The first timestamp returned is 2018-11-28T22:31:59. Now, we just need to find out which event it's associated with:
grep -r -F '"eventTime":"2018-11-28T22:31:59Z"' AWSLogs
#returns one json file
jq . AWSLogs/653711331788/CloudTrail/us-east-1/2018/11/28/653711331788_CloudTrail_us-east-1_20181128T2235Z_cR9ra7OH1rytWyXY.json
The eventName is AssumeRole.
Answer: AssumeRole
4. What source IP address generated the event dated 2018-11-28 at 23:03:20 UTC?
We can grep for the date using the JSON representation of this timestamp:
grep -r -l -F '"eventTime":"2018-11-28T23:03:20Z"' AWSLogs/
This returns two files. If we look at both files with jq, the first one, ending in 20181128T2310Z_7J9NEIxrjJsrlXSd.json, shows a CreateLogStream event requested by the IP address 34.234.236.212:
On the other hand, the second file, ending in 20181128T2305Z_zKlMhON7EpHala9u.json, doesn't provide an IP address:
Answer: 34.234.236.212
5. Which IP address does not belong to Amazon AWS infrastructure?
First, let's find which IP addresses were logged, then look up each one with whois:
find AWSLogs -type f -exec jq . "{}" \; | grep 'sourceIPAddress' | sort | uniq
whois '34.234.236.212' | grep 'Organization' -B 5 -A 5
whois '104.102.221.250' | grep 'Organization' -B 5 -A 5
IP address 34.234.236.212 belongs to Amazon Technologies Inc.:
IP address 104.102.221.250, however, belongs to Akamai Technologies, Inc.:
Answer: 104.102.221.250
6. Which user issued the 'ListBuckets' request?
Grepping the logs for the ListBuckets request returns one file, ending in 20181128T2310Z_jQajCuiobojD8I4y.json.
If we parse it with jq, we will see the full record, including the userName in the userIdentity section:
Answer: level3
7. What was the first request issued by the user 'level1'?
We can use grep to find which Logs contain the username level1:
grep -r -F -l '"userName":"level1"' AWSLogs/
This returns four files:
Since the log files are named by datetime, we can assume that the third file returned, ending in 20181128T2305Z_83VTWZ8Z0kiEC7Lq.json, contains the first request, as the others are dated five minutes later:
jq . AWSLogs/653711331788/CloudTrail/us-east-1/2018/11/28/653711331788_CloudTrail_us-east-1_20181128T2305Z_83VTWZ8Z0kiEC7Lq.json
The request is dated 2018-11-28 23:03:12 and is a CreateLogStream call:
Answer: CreateLogStream
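The grep/jq/sort pipeline above relies on file names and line ordering, which only works because CloudTrail's file names happen to be chronological. As an added example (not part of the original walkthrough), the Python script below answers the same questions by loading every record from the AWSLogs tree and sorting on eventTime itself; the SAMPLE_RECORDS are constructed to mirror the values the walkthrough recovers, and the path layout and the userIdentity.userName field are assumptions about the CloudTrail format.

```python
import gzip
import json
from pathlib import Path

# Constructed sample CloudTrail records modelled on the walkthrough's answers;
# these are not the real flaws2-logs records.
SAMPLE_RECORDS = [
    {"eventTime": "2018-11-28T23:03:20Z", "eventName": "CreateLogStream",
     "sourceIPAddress": "34.234.236.212", "userIdentity": {"type": "AssumedRole"}},
    {"eventTime": "2018-11-28T22:31:59Z", "eventName": "AssumeRole",
     "sourceIPAddress": "ecs-tasks.amazonaws.com", "userIdentity": {"type": "AWSService"}},
    {"eventTime": "2018-11-28T23:03:12Z", "eventName": "CreateLogStream",
     "sourceIPAddress": "34.234.236.212",
     "userIdentity": {"type": "IAMUser", "userName": "level1"}},
    {"eventTime": "2018-11-28T23:06:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "104.102.221.250",
     "userIdentity": {"type": "IAMUser", "userName": "level3"}},
    {"eventTime": "2018-11-28T23:08:00Z", "eventName": "GetObject",
     "sourceIPAddress": "104.102.221.250",
     "userIdentity": {"type": "IAMUser", "userName": "level1"}},
]

def load_records(root):
    """Yield every record from gzipped or plain CloudTrail files under root
    (assumed layout: AWSLogs/<account>/CloudTrail/<region>/<y>/<m>/<d>/*.json[.gz])."""
    for path in Path(root).rglob("*.json*"):
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", encoding="utf-8") as fh:
            yield from json.load(fh).get("Records", [])

def timeline(records):
    """Order records by eventTime; ISO-8601 UTC strings sort correctly as text."""
    return sorted(records, key=lambda r: r["eventTime"])

def first_event(records):
    return timeline(records)[0]["eventName"]                      # Q3

def source_ips_at(records, event_time):
    return sorted({r["sourceIPAddress"] for r in records if r["eventTime"] == event_time})  # Q4

def unique_source_ips(records):
    return sorted({r["sourceIPAddress"] for r in records})        # Q5 input for whois

def users_for_event(records, event_name):
    return [r["userIdentity"].get("userName") for r in timeline(records)
            if r["eventName"] == event_name]                      # Q6

def first_request_by(records, user_name):
    for r in timeline(records):                                   # Q7
        if r["userIdentity"].get("userName") == user_name:
            return r["eventName"]
    return None
```

Run `timeline(load_records("AWSLogs"))` on the synced bucket to apply the same helpers to the real logs.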
TLDR
– Install and use aws-cli to retrieve the logs.
– Pretty-print the JSON files with jq and gather the necessary information to find out how the attack unfolded.