DEV Community

Steven Smiley

CTF Walkthrough: pentesting.cloud "Aurora Borealis"

The pentesting.cloud challenge Aurora Borealis asks us to understand the permissions and processes to connect to Aurora databases with AWS IAM authentication. It creates an Amazon Aurora DB based on a snapshot with unknown contents and configuration, an EC2 instance, and limited user permissions.

Finding a starting point

We examine the IAM roles and policies in the environment and see that there's an EC2 instance role whose policy allows rds-db:* on arn:aws:rds-db:us-west-2:*:dbuser:*/us-west-2. rds-db:* covers every action in the RDS IAM authentication namespace, including connecting to the database. It's important to read that ARN carefully, because it reveals the database username we'll need. The ARN format of a db-user is arn:${Partition}:rds-db:${Region}:${Account}:dbuser:${DbiResourceId}/${DbUserName}. That's right: the username is us-west-2; it's not referring to the region.
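To make that ARN reading concrete, here is an added example (not from the original post or from pentesting.cloud) that splits dbuser ARNs into their fields, matches the policy resource quoted above against constructed candidate ARNs, and flags over-broad statements the way a policy review would. The account id and cluster resource ids in the candidates are placeholders.

```python
"""Parse rds-db 'dbuser' ARNs and evaluate an IAM resource pattern against them.
Added example for the walkthrough; the policy resource is the one quoted there,
the candidate ARNs are constructed with placeholder account and resource ids."""
from dataclasses import dataclass
import re

# arn:${Partition}:rds-db:${Region}:${Account}:dbuser:${DbiResourceId}/${DbUserName}
_DBUSER_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):rds-db:(?P<region>[^:]*):(?P<account>[^:]*)"
    r":dbuser:(?P<resource_id>[^/]+)/(?P<username>.+)$"
)

@dataclass(frozen=True)
class DbUserArn:
    partition: str
    region: str
    account: str
    resource_id: str   # DbiResourceId (e.g. cluster-...), or '*' in a policy
    username: str      # the database user; in the challenge this is 'us-west-2'

def parse_dbuser_arn(arn: str) -> DbUserArn:
    m = _DBUSER_ARN.match(arn)
    if not m:
        raise ValueError(f"not an rds-db dbuser ARN: {arn}")
    return DbUserArn(**m.groupdict())

def arn_matches(pattern: str, arn: str) -> bool:
    """IAM resource wildcard match: '*' spans any characters (colons and
    slashes included), '?' exactly one; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None

def allowed_connections(policy_resource: str, candidate_arns: list[str]) -> list[tuple[str, str]]:
    """(resource_id, username) pairs the statement lets a principal connect as."""
    return [(p.resource_id, p.username)
            for a in candidate_arns if arn_matches(policy_resource, a)
            for p in (parse_dbuser_arn(a),)]

def audit_resource(policy_resource: str) -> list[str]:
    """Review findings for a dbuser resource pattern: wildcard DB or user scope."""
    p = parse_dbuser_arn(policy_resource)
    findings = []
    if p.resource_id == "*":
        findings.append(f"connect as '{p.username}' on every DB in region '{p.region or '*'}'")
    if p.username == "*":
        findings.append(f"connect as any DB user on '{p.resource_id}'")
    return findings

POLICY_RESOURCE = "arn:aws:rds-db:us-west-2:*:dbuser:*/us-west-2"   # from the walkthrough
CANDIDATES = [  # constructed; 111122223333 and cluster-EXAMPLE* are placeholders
    "arn:aws:rds-db:us-west-2:111122223333:dbuser:cluster-EXAMPLE1/us-west-2",
    "arn:aws:rds-db:us-west-2:111122223333:dbuser:cluster-EXAMPLE1/admin",
    "arn:aws:rds-db:us-east-1:111122223333:dbuser:cluster-EXAMPLE2/us-west-2",
]
```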

Since the permissions belong to the EC2 instance, we need to connect from there. Conveniently, pentesting-user can ssm:StartSession on that instance.

Connecting to the DB

We start an SSM session on the EC2 instance so we can use its permissions to connect to the RDS database using IAM authentication. We'll first need to install the mysql client, download the SSL certificate, and generate an authentication token for the user.

sh-4.2$ sudo yum install mysql
sh-4.2$ wget https://truststore.pki.rds.amazonaws.com/us-west-2/us-west-2-bundle.pem
sh-4.2$ RDSHOST="aurora-dbcluster-yjt22bb5xqez.cluster-cmugjtcpbuo6.us-west-2.rds.amazonaws.com"
sh-4.2$ TOKEN="$(aws rds generate-db-auth-token --hostname $RDSHOST --port 1337 --region us-west-2 --username us-west-2)"
sh-4.2$ mysql --host=$RDSHOST --port=1337 --ssl-ca=us-west-2-bundle.pem --user=us-west-2 --password=$TOKEN

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 24
Server version: 5.7.12 MySQL Community Server (GPL)
MySQL [(none)]>

With the MySQL connection, let's explore the database to find the flag.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| flags              |
+--------------------+

MySQL [(none)]> use flags;
Database changed

MySQL [flags]> show tables;
+-----------------+
| Tables_in_flags |
+-----------------+
| flag            |
+-----------------+

MySQL [flags]> describe flag;
+-------+--------------+------+-----+---------+-------+
| Field | Type         | Null | Key | Default | Extra |
+-------+--------------+------+-----+---------+-------+
| flag  | varchar(100) | YES  |     | NULL    |       |
+-------+--------------+------+-----+---------+-------+

MySQL [flags]> select * from flag;
+----------------------------------+
| flag                             |
+----------------------------------+
| xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
+----------------------------------+

Improving AWS data protection

This challenge didn't involve many steps, but required understanding AWS IAM authentication to RDS. To improve data protection with RDS:

  • Be cognizant of the enabled authentication mechanisms
  • Grant users the minimum permissions to perform their duties
  • As much as possible, keep people away from data, limiting potential access vectors
