We would like to share our experience using ChatGPT for a cloud security assessment. Our team had a chance to evaluate its effectiveness during the recent HTB Business CTF 2023 event.
Challenge
HTB Business CTF 2023 presented a unique set of challenges divided into several categories: Web, Crypto, Cloud, Full Pwn, Forensics, and Reversing. This article will cover one of the Cloud challenges called Unveiled. Players were given an IP of the instance where the challenge was deployed. To start work on the challenge, participants were tasked to connect to a VPN. The next step was identifying and exploiting vulnerabilities in an already deployed AWS environment.
The ultimate goal was to retrieve the hidden flag (string in a predefined format), testing proficiency in cloud security.
Solution
To kick off the challenge, we applied our standard scanning and enumeration approach to collect as much information as possible about the target. It turned out to be a simple web application with limited functionality. So we started inspecting the submitted requests made by the application using the Network tab in DevTools. Among the requests, we noticed an intriguing failed request to the resource s3.unveiled.htb.
To further investigate, we attempted to access s3.unveiled.htb in a new tab, but it resulted in a DNS resolve error. Resourceful, the team overcame this obstacle by adding an entry in the /etc/hosts file to resolve the domain to the provided IP address.
With the domain accessible, we swiftly utilized the AWS Command Line Interface (CLI) to assess potential misconfigurations.
The command AWS s3 ls –endpoint-URL http://s3.unveiled.htb – profile test was employed to list the S3 buckets associated with the environment. During exploration, we successfully identified the "unveiled-backup" bucket, which was readable and contained two files: index.html and Main.tf. Additional aws-cli commands were executed to gather more information about the discovered resources. In particular, we managed to identify that each of the files had two versions available. There was another bucket called “website-assets” but it had access limitations.
Careful examination of the files revealed an AWS Credentials pair within one of the Main.tf versions.
Using the extracted credentials, we established a new AWS-CLI profile and successfully accessed the "website-assets" bucket. This bucket contained files related to the hosted website. Then we decided to use ChaptGPT and see what it could suggest regarding further AWS account enumeration. It can be especially useful for those who have little to no experience with Cloud Security Assessments.
We used the following prompts: Act like an experienced Cloud Security Engineer. Please consider the following situation: I am doing a security assessment of my AWS account resources to reveal possible security issues and later fix them. So, I need a list of checks that should be performed against discovered S3 bucket. Please provide a generated S3 pen-testing checklist in the form of an ordered list.
The next step was to ask ChatGPT if it could generate the appropriate aws-cli commands for the provided security checks.
Prompt: Please provide a list of commands for aws-cli that allow us to perform these checks using aws-cli. Commands should be printed out as an ordered list
As you can see from the above screenshots, ChatGPT can be used to understand better the next steps that can be done to investigate possible attack vectors further and assess the security of the tested environment. Now let’s return to the challenge.
To progress further, we tried to utilize the “enumerate-iam” tool. Still, it did not bring us any results because, in our case, it was required to set the endpoint-URL parameter to use queries against the provided platform environment. A tiny modification of the tool’s source code allowed us to fix this. At the same time, we also decided to explore ChatGPT capabilities and generate a custom bash script that would allow us to enumerate the AWS Account Services and could be customized according to our needs.
Here is the prompt that our team has used: Act like an experienced Cloud Security Engineer. Please write a bash script that satisfies the following requirements:
- performs enumeration of all available AWS services using aws-cli commands
- conducts checks in all AWS regions
- has error handling
- logs results of enumeration
- can save all the output into a specified file
The initial version of the script, generated by the ChatGPT, contained several issues, so the team's next steps were to improve the script. They used the following prompts to achieve this:
!/bin/bash
Set the output file path
output_file="aws_enumeration_results.txt"
Initialize the output file
echo "AWS Enumeration Results" > "$output_file"
Function to log the output and errors
log_output() {
echo "[$(date +"%Y-%m-%d %H:%M:%S")] $1" >> "$output_file"
}
Function to check AWS services and resources in a specific region
check_aws_services_in_region() {
region="$1"
log_output "Checking AWS services in region: $region"
Enumerate AWS services in the region
services=$(aws --region "$region" ec2 describe-regions --query "Regions[].RegionName" --output text)
Perform checks for each service
for service in $services; do
Add more checks for other AWS services as needed
if [[ "$service" == "s3" ]]; then
log_output "Checking S3 buckets in region: $region"
aws --region "$region" s3 ls --no-sign-request >> "$output_file" 2>&1
fi
Add more checks for other AWS services here...
done
}
Main script
Check if AWS CLI is installed and configured
if ! command -v aws &>/dev/null; then
echo "AWS CLI not found. Please install and configure AWS CLI."
exit 1
fi
Get a list of all AWS regions
regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text)
Iterate through each region
for region in $regions; do
Perform checks for AWS services in the region
check_aws_services_in_region "$region"
done
echo "AWS enumeration completed. Results saved to $output_file"
There is an error in the check_aws_services_in_region
function because it does not retrieve a list of services for a specific region.
Extend the check_aws_services_in_region
function code and add checks for other AWS resources. Please add checks for the following services: SecretsManagers, SSM, ParameterStore, Lambda, Cloudfront, CodeBuild, CodePipeline, ECR, ECS, IAM, SNS, SES, SQS, Access Keys, File systems.
As a result, we had an improved script that covered base enumeration steps for the mentioned AWS services. To extend checks, the team used service-specific requests like the following one:
Here is a command:
aws --region "$region" kms list-backups --profile ctf --endpoint-url http://s3.custom.url >> "$output_file" 2>&1
Please write a list of the same commands but replace "list-backups" with each value from the following list:
- list-aliases
- list-grants
- list-key-policies
- list-keys
Finally, the team created a comprehensive enumeration script to enumerate all the services that could be queried with the detected AWS access keys. (click here to retrieve a full version of the script).
Despite obtaining root access credentials, we could not find additional resources or hints to uncover the flag. The missed opportunity was not uploading a Reverse PHP Shell to the "website-assets" bucket, which could have provided a remote shell and allowed flag exfiltration. Despite not finding the flag, the experience gained during HTB Business 2023 was incredibly valuable for future endeavors in cloud security.
Summing Up: How Does ChatGPT Help in This Case?
The team's successful approach, guided partly by ChatGPT, involved a meticulous and systematic examination of the environment, from valuable insights and generated ideas to developing custom tools for enumerating AWS resources. This flexibility allowed us to tailor the approach to the specific task faster and more efficiently, identifying and addressing vulnerabilities within cloud environments.
Here are some key benefits of the AI tool ChatGPT:
- quickly generates custom scripts and tools tailored to specific cloud assessment tasks
- assists in enumerating cloud resources comprehensively, identifying potential misconfigurations and security gaps that might be used for further exploitation vectors
- provides valuable insights and ideas to cybersecurity professionals during brainstorming sessions to explore different angles and attack vectors that might not have been considered otherwise
Top comments (0)