cloudgoat's Introduction

CloudGoat (☁️🐐)

CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool.

CloudGoat 2.0 is here!

CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool. It allows you to hone your cloud cybersecurity skills by creating and completing several "capture-the-flag" style scenarios. Each scenario is composed of AWS resources arranged together to create a structured learning experience. Some scenarios are easy, some are hard, and many offer multiple paths to victory. As the attacker, it is your mission to explore the environment, identify vulnerabilities, and exploit your way to the scenario's goal(s).

Below are our main goals for CloudGoat:

  • Focused, Curated, High-Quality Learning Experiences - Each of CloudGoat’s scenarios should provide the opportunity for experimentation, exploration, and building hands-on cloud security skills.
  • Good Documentation - We've done our best to ensure that CloudGoat’s scenarios are well-documented and easy to understand and evaluate in terms of difficulty, content, structure, and skills-required.
  • Easy to Install and Use - We understand that CloudGoat is a means to an end - learning and practicing cloud security penetration testing. Therefore, we aim to keep things simple, straightforward, and reliable.
  • Modularity - Each scenario is a standalone learning environment with a clear goal (or set of goals), and CloudGoat is able to start up, reset, or shut down each scenario independently.
  • Expandability - CloudGoat’s core components (python app and scenarios) are designed to permit easy and independent expansion - by us or the community.

Before you proceed, please take note of these warnings!

Warning #1: CloudGoat creates intentionally vulnerable AWS resources in your account. DO NOT deploy CloudGoat in a production environment or alongside any sensitive AWS resources.

Warning #2: CloudGoat can only manage resources it creates. If you create any resources yourself in the course of a scenario, you should remove them manually before running the destroy command.

Requirements

  • Linux or MacOS. Windows is not officially supported.
    • Argument tab-completion requires bash 4.2+ (Linux, or OSX with some difficulty).
  • Python3.6+ is required.
  • Terraform >= 0.14 installed and in your $PATH.
  • The AWS CLI installed and in your $PATH, and an AWS account with sufficient privileges to create and destroy resources.
  • jq

Quick Start

To install CloudGoat, make sure your system meets the requirements above, and then run the following commands:

git clone https://github.com/RhinoSecurityLabs/cloudgoat.git
cd cloudgoat
python3 -m venv .venv
source .venv/bin/activate
pip3 install -r ./requirements.txt
chmod +x cloudgoat.py

You may also want to run some quick configuration commands - it'll save you some time later:

$ ./cloudgoat.py config profile
$ ./cloudgoat.py config whitelist --auto

Now, at your command, CloudGoat can create an instance of a scenario in the cloud. When the environment is ready, a new folder will be created in the project base directory named after the scenario and with a unique scenario ID appended. Inside this folder will be a file called start.txt, which will contain all of the resources you'll need to begin the scenario, though these are also printed to your console when the create command completes. Sometimes an SSH keypair named cloudgoat/cloudgoat.pub will be created as well.

Note: Don't delete or modify the scenario instance folder or the files inside, as this could prevent CloudGoat from being able to manage your scenario's resources.

As you work through the scenario, feel free to refer to the scenario's readme if you need direction. If you get stuck, there are cheat sheets linked at the bottom of each route's walkthrough.

When you are finished with the scenario, delete any resources you created yourself (remember: CloudGoat can only manage resources it creates) and then run the destroy command. It's always a good idea to take a quick glance at your AWS web-console afterwards - just in case something didn't get deleted.

You can read the full documentation for CloudGoat's commands here in the Usage Guide section.

How to use CloudGoat's Docker image

Option 1: Run with default entrypoint

$ docker run -it rhinosecuritylabs/cloudgoat:latest

Option 2: Run with AWS config and credentials

Warning: Running this command will mount your local AWS configuration files into the Docker container when it is launched. This means that any user with access to the container will have access to your host computer's AWS credentials.

$ docker run -it -v ~/.aws:/root/.aws/ rhinosecuritylabs/cloudgoat:latest

Scenarios Available

vulnerable_lambda (Small / Easy)

$ ./cloudgoat.py create vulnerable_lambda

In this scenario, you start as the 'bilbo' user. You will assume a role with more privileges, discover a lambda function that applies policies to users, and exploit a vulnerability in the function to escalate the privileges of the bilbo user in order to search for secrets.

Visit Scenario Page.

vulnerable_cognito (Small / Moderate)

$ ./cloudgoat.py create vulnerable_cognito

In this scenario, you are presented with a signup and login page with AWS Cognito in the backend. You need to bypass restrictions and exploit misconfigurations in Amazon Cognito in order to elevate your privileges and get Cognito Identity Pool credentials.

Contributed by TrustOnCloud.

Visit Scenario Page.

iam_privesc_by_key_rotation (Small / Easy)

$ ./cloudgoat.py create iam_privesc_by_key_rotation

Exploit insecure IAM permissions to escalate your access. Start with a role that manages other users' credentials and find a weakness in the setup to access the "admin" role. Using the admin role, retrieve the flag from secretsmanager.

Contributed by infrasec.sh.

Visit Scenario Page.

iam_privesc_by_rollback (Small / Easy)

$ ./cloudgoat.py create iam_privesc_by_rollback

Starting with a highly-limited IAM user, the attacker is able to review previous IAM policy versions and restore one which allows full admin privileges, resulting in a privilege escalation exploit.

Visit Scenario Page.
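
From the defender's side, the condition this scenario relies on can be audited: a managed policy that keeps an older, non-default version far more permissive than the default one. The following added example is not part of CloudGoat; the function names and the sample policy are constructed for illustration, and the input is shaped like the PolicyVersion objects returned by aws iam get-policy-version.

```python
import json
from urllib.parse import quote, unquote


def as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def load_document(document):
    """Accept a parsed document or the URL-encoded JSON string the raw IAM API returns."""
    if isinstance(document, str):
        return json.loads(unquote(document))
    return document


def admin_grant(document):
    """Return 'unconditional', 'conditional' or None for Allow statements on */*.

    This is a heuristic: it does not evaluate Deny statements or NotAction.
    """
    found = None
    for stmt in as_list(load_document(document).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in as_list(stmt.get("Action")) and "*" in as_list(stmt.get("Resource")):
            if not stmt.get("Condition"):
                return "unconditional"
            found = "conditional"
    return found


def dormant_admin_versions(versions):
    """List (VersionId, grant) for every non-default version that allows everything."""
    findings = []
    for version in versions:
        if version["IsDefaultVersion"]:
            continue
        grant = admin_grant(version["Document"])
        if grant:
            findings.append((version["VersionId"], grant))
    return findings


# Constructed sample: one policy with five versions, v1 being the default.
SAMPLE_VERSIONS = [
    {"VersionId": "v1", "IsDefaultVersion": True, "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"],
                       "Resource": "*"}]}},
    {"VersionId": "v2", "IsDefaultVersion": False, "Document": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}},
    # URL-encoded string form, to exercise load_document().
    {"VersionId": "v3", "IsDefaultVersion": False, "Document": quote(json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*",
                       "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}))},
    {"VersionId": "v4", "IsDefaultVersion": False, "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}},
    {"VersionId": "v5", "IsDefaultVersion": False, "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets",
                       "Resource": "*"}]}},
]

if __name__ == "__main__":
    for version_id, grant in dormant_admin_versions(SAMPLE_VERSIONS):
        print("non-default version %s allows all actions (%s)" % (version_id, grant))
```

Versions reported here are rollback targets; deleting them leaves nothing more permissive than the default version to restore.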

lambda_privesc (Small / Easy)

$ ./cloudgoat.py create lambda_privesc

Starting as the IAM user Chris, the attacker discovers that they can assume a role that has full Lambda access and pass role permissions. The attacker can then perform privilege escalation using these new permissions to obtain full admin privileges.

Note: This scenario may require you to create some AWS resources, and because CloudGoat can only manage resources it creates, you should remove them manually before running ./cloudgoat destroy.

Visit Scenario Page.

sqs_flag_shop (Small / Easy)

$ ./cloudgoat.py create sqs_flag_shop

First, start with the SHOP page where you can buy FLAG. The website has a number of pages, and you can see that the source code is exposed. Attackers analyze the code to find vulnerabilities and use their privileges to purchase FLAG.

Visit Scenario Page.

cloud_breach_s3 (Small / Moderate)

$ ./cloudgoat.py create cloud_breach_s3

Starting as an anonymous outsider with no access or privileges, exploit a misconfigured reverse-proxy server to query the EC2 metadata service and acquire instance profile keys. Then, use those keys to discover, access, and exfiltrate sensitive data from an S3 bucket.

Visit Scenario Page.

iam_privesc_by_attachment (Medium / Moderate)

$ ./cloudgoat.py create iam_privesc_by_attachment

Starting with a very limited set of permissions, the attacker is able to leverage the instance-profile-attachment permissions to create a new EC2 instance with significantly greater privileges than their own. With access to this new EC2 instance, the attacker gains full administrative powers within the target account and is able to accomplish the scenario's goal - deleting the cg-super-critical-security-server and paving the way for further nefarious actions.

Note: This scenario may require you to create some AWS resources, and because CloudGoat can only manage resources it creates, you should remove them manually before running ./cloudgoat destroy.

Visit Scenario Page.

ec2_ssrf (Medium / Moderate)

$ ./cloudgoat.py create ec2_ssrf

Starting as the IAM user Solus, the attacker discovers they have ReadOnly permissions to a Lambda function, where hardcoded secrets lead them to an EC2 instance running a web application that is vulnerable to server-side request forgery (SSRF). After exploiting the vulnerable app and acquiring keys from the EC2 metadata service, the attacker gains access to a private S3 bucket with a set of keys that allow them to invoke the Lambda function and complete the scenario.

Visit Scenario Page.

ecs_takeover (Medium / Moderate)

$ ./cloudgoat.py create ecs_takeover

Starting with access to the external website, the attacker needs to find a remote code execution vulnerability. By using RCE the attacker can get access to resources available to the website container. Abusing several ECS misconfigurations the attacker gains access to IAM permissions that allow them to force ECS into rescheduling the target container to a compromised instance.

Visit Scenario Page.

rds_snapshot (Medium / Moderate)

$ ./cloudgoat.py create rds_snapshot

In this scenario, we start with the user 'David'. Through David, you can leverage privileges to steal credentials. With the stolen credentials, an attacker can leverage the RDS vulnerability to access the DB and retrieve flags.

Note: This scenario may require you to create some AWS resources, and because CloudGoat can only manage resources it creates, you should remove them manually before running ./cloudgoat destroy.

Visit Scenario Page.

rce_web_app (Medium / Hard)

$ ./cloudgoat.py create rce_web_app

Starting as the IAM user Lara, the attacker explores a Load Balancer and S3 bucket for clues to vulnerabilities, leading to an RCE exploit on a vulnerable web app which exposes confidential files and culminates in access to the scenario’s goal: a highly-secured RDS database instance.

Alternatively, the attacker may start as the IAM user McDuck and enumerate S3 buckets, eventually leading to SSH keys which grant direct access to the EC2 server and the database beyond.

Visit Scenario Page.

codebuild_secrets (Large / Hard)

$ ./cloudgoat.py create codebuild_secrets

Starting as the IAM user Solo, the attacker first enumerates and explores CodeBuild projects, finding unsecured IAM keys for the IAM user Calrissian therein. Then operating as Calrissian, the attacker discovers an RDS database. Unable to access the database's contents directly, the attacker can make clever use of the RDS snapshot functionality to acquire the scenario's goal: a pair of secret strings.

Alternatively, the attacker may explore SSM parameters and find SSH keys to an EC2 instance. Using the metadata service, the attacker can acquire the EC2 instance-profile's keys and push deeper into the target environment, eventually gaining access to the original database and the scenario goal inside (a pair of secret strings) by a more circuitous route.

Note: This scenario may require you to create some AWS resources, and because CloudGoat can only manage resources it creates, you should remove them manually before running ./cloudgoat destroy.

Visit Scenario Page.

cicd (Medium / Moderate)

$ ./cloudgoat.py create cicd

FooCorp is a company exposing a public-facing API. Customers of FooCorp submit sensitive data to the API every minute. The API is implemented as a Lambda function, exposed through an API Gateway. Because FooCorp implements DevOps, it has a continuous deployment pipeline automatically deploying new versions of their Lambda function from source code to production in under a few minutes.

Your goal: steal the sensitive data submitted by FooCorp customers!

Contributed by Datadog.

Visit Scenario Page.

detection_evasion (Medium / Hard)

$ ./cloudgoat.py create detection_evasion

The goal of this scenario is to read out the values for both secrets without being detected. The secrets are both stored in Secrets Manager, and their values have the following format (cg-secret-XXXXXX-XXXXXX).

This scenario is significantly different from other CloudGoat scenarios. In detection_evasion, your goals will be outlined for you more clearly, and the challenge is to complete them without triggering alarms. There is more setup involved in this scenario, and it will take longer to play (you might want/need to play it multiple times).

Visit Scenario Page.

ecs_efs_attack (Large / Hard)

$ ./cloudgoat.py create ecs_efs_attack

Starting with access to the "ruse" EC2, the user leverages the instance profile to backdoor the running ECS container. Using the backdoored container, the attacker can retrieve credentials from the container metadata API. These credentials allow the attacker to start a session on any EC2 with the proper tags set. The attacker uses their permissions to change the tags on the Admin EC2 and starts a session. Once in the Admin EC2, the attacker will port scan the subnet for an open EFS to mount. Once mounted, the attacker can retrieve the flag from the elastic file system.

Visit Scenario Page.

glue_privesc (Large / Moderate)

$ ./cloudgoat.py create glue_privesc

This scenario starts with a web page that uploads a CSV file and performs data visualization through the Glue service. The attacker steals the credentials present on the webpage via a SQL injection attack and uploads a reverse shell to create a Glue Job to obtain the secret string.

Note: This scenario may require you to create some AWS resources, and because CloudGoat can only manage resources it creates, you should remove them manually before running ./cloudgoat destroy.

Visit Scenario Page.

Usage Guide

The basic anatomy of a CloudGoat command is as follows:

$ ./cloudgoat.py [ command ] [ sub-command ] [ --arg-name ] [ arg-value ]

The five main commands in CloudGoat are summarized below:

create

create [ scenario-name ] deploys a scenario to the AWS account of your choosing. You can also run create against an existing scenario if you wish - CloudGoat will simply destroy and recreate the scenario named.

Tip: you can use /scenarios in the name, which allows for bash's native tab-completion.

Note that the --profile is required for safety reasons - we don't want anyone accidentally deploying CloudGoat scenarios to a production environment - and CloudGoat will not use the system's "default" AWS CLI profiles or profiles specified as defaults via environment variables. You can, however, set this via config profile to avoid having to provide it every time.

list

list shows some information about all, undeployed, or deployed scenarios, or even a lot of information about a [ scenario-name ] that's already deployed.

destroy

destroy shuts down and deletes a [ scenario-name ]'s cloud resources, and then moves the scenario instance folder to ./trash - just in case you need to recover the Terraform state file or other scenario files. You can also specify all instead of a scenario name to destroy all active scenarios.

Tip: CloudGoat can only manage resources it creates. If you create any resources yourself in the course of a scenario, you should remove them manually before running the destroy command.

config

config allows you to manage various aspects of your CloudGoat installation, specifically the IP whitelist, your default AWS profile, and tab-completion via argcomplete. It's worth briefly describing what each of these sub-commands does.

whitelist

CloudGoat needs to know what IP addresses should be whitelisted when potentially-vulnerable resources are deployed in the cloud, and these IPs are tracked in a ./whitelist.txt file in the base project directory. The IP address you provide for whitelisting doesn't have to be in CIDR format, but CloudGoat will add a /32 to any naked IPs you provide. Optionally, you can add the --auto argument, and CloudGoat will automatically make a network request, using curl to ifconfig.co to find your IP address, and then create the whitelist file with the result.
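
A pre-flight check for whitelist.txt along the lines described above, as an added example that is not CloudGoat's own code: it applies the same bare-IP to /32 rule and flags entries worth a second look before vulnerable resources are deployed. The function names, the /24 threshold and the sample entries are assumptions made for this illustration.

```python
import ipaddress

# RFC 1918 ranges. Assumption: the lab is reached over the internet, where
# traffic never arrives with one of these source addresses.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROAD_PREFIX = 24  # assumed threshold: anything wider than a /24 is flagged


def normalize_entry(raw):
    """Return (cidr, warnings) for one whitelist line.

    Raises ValueError when the line is not an IPv4 address or CIDR range.
    """
    text = raw.strip()
    if "/" not in text:
        text += "/32"  # bare IP becomes a single-host range
    iface = ipaddress.IPv4Interface(text)
    net = iface.network
    warnings = []
    if iface.ip != net.network_address:
        warnings.append("host bits were set; the range is really %s" % net)
    if net.prefixlen == 0:
        warnings.append("matches every IPv4 address")
    elif net.prefixlen < BROAD_PREFIX:
        warnings.append("wider than /%d" % BROAD_PREFIX)
    if any(net.subnet_of(private) for private in RFC1918):
        warnings.append("private range; will not match a public egress IP")
    return str(net), warnings


def audit_whitelist(text):
    """Sort every non-blank line of a whitelist into ok / review / invalid."""
    report = {"ok": [], "review": [], "invalid": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            cidr, warnings = normalize_entry(line)
        except ValueError:
            report["invalid"].append(line.strip())
            continue
        if warnings:
            report["review"].append((cidr, warnings))
        else:
            report["ok"].append(cidr)
    return report


# Constructed sample content for a whitelist file (documentation ranges,
# private ranges and one malformed line).
SAMPLE = """203.0.113.7
198.51.100.0/28
192.168.1.0/24
10.1.2.3/8

0.0.0.0/0
not-an-ip
"""

if __name__ == "__main__":
    result = audit_whitelist(SAMPLE)
    for cidr in result["ok"]:
        print("ok      ", cidr)
    for cidr, notes in result["review"]:
        print("review  ", cidr, "-", "; ".join(notes))
    for line in result["invalid"]:
        print("invalid ", line)
```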

profile

While CloudGoat will not ever use the system's "default" AWS CLI profiles or profiles specified as defaults via environment variables, you can instruct CloudGoat to use a particular AWS profile by name using the config profile command. This will prompt for and save your profile's name in a config.yml file in the base project directory. As long as that file is present CloudGoat will use the profile name listed inside for create and destroy commands, rather than requiring the --profile flag. You can run the config profile command at any time to view the name of your CloudGoat-default profile and validate the format of the config.yml. You can also create config.yml manually, if you wish, provided that you use the correct format.

argcomplete

We really wanted to have native tab-completion in CloudGoat, but as it turns out that was somewhat difficult to do outside of a REPL. It should work reasonably well for Linux users, and those OSX users brave enough to figure out a way to upgrade their bash version to 4.2+. CloudGoat does include and support the python library "argcomplete". A brief summary of how to install argcomplete is provided below, though for more detailed steps you should refer to the official documentation at the library's github page.

  1. Install the argcomplete Python package using CloudGoat's requirements.txt file: $ pip3 install -r core/python/requirements.txt
  2. In bash, run the global Python argument completion script provided by the argcomplete package: $ activate-global-python-argcomplete
  3. Source the completion script at the location printed by the previous activation command, or restart your shell session: $ source [ /path/to/the/completion/script ]

For those who cannot or do not wish to configure argcomplete, CloudGoat also supports the use of directory paths as scenario names, which means tab-completion will work for scenario names. Just use /scenario/[ scenario-name ] or ./[ scenarioinstance-name ] and your shell should do the rest.

help

help provides contextual help about commands. help can come before or after the command in question, so it's always there when you need it. Below are some examples:

  • $ ./cloudgoat.py create help
  • $ ./cloudgoat.py destroy help
  • $ ./cloudgoat.py list help
  • $ ./cloudgoat.py config help

One other use of note: $ ./cloudgoat.py [ scenario-name ] help can be used to print to the console a brief summary of the scenario, as defined by the scenario's author.

Feature Requests and Bug Reports

If you have a feature request or a bug to report, please submit them here.

For bugs, please make sure to include a description sufficient to reproduce the bug you found, including tracebacks and reproduction steps, and check for other reports of your bug before filing a new bug report.

For features, much the same applies! Be specific in your request, and make sure someone else hasn't already requested the same feature.

Contribution Guidelines

Contributions to CloudGoat are greatly appreciated. If you'd like to help make the project better, read on.

  1. Python code in CloudGoat should generally follow Python's style conventions, favoring readability and maintainability above all.
  2. Follow good git practices: use pull requests, prefer feature branches, always write clear commit messages.
  3. CloudGoat uses black and flake8, Python syntax and style linters. If you're going to commit code for CloudGoat, ensure that first flake8 and then black are run on all Python files in core/python/ and on cloudgoat.py. black's decisions take priority over flake8's. Both of these are commented out in the core/python/requirements.txt file since normal users don't need them.
  4. CloudGoat code should always use the BSD 3-clause license.

And lastly, thank you for contributing!

Changelog

  • 6/24/19: CloudGoat 2.0 is released!

Disclaimer

CloudGoat is software that comes with absolutely no warranties whatsoever. By using CloudGoat, you take full responsibility for any and all outcomes that result.

cloudgoat's Issues

OSX Permission denied for ./cloudgoat.py config profile

How to Replicate

After a fresh clone following the README instructions when I attempted to run ./cloudgoat.py config profile I received a permissions error: eg.

~/Desktop/CloudGoat[master]: ./cloudgoat.py config profile
-bash: ./cloudgoat.py: Permission denied

I gave permissions a look:

~/Desktop/CloudGoat[master]: ls -la
total 56
drwxr-xr-x   9 andrewbrown  staff    288 29 Jun 12:40 .
drwx------+ 71 andrewbrown  staff   2272 29 Jun 12:40 ..
drwxr-xr-x  12 andrewbrown  staff    384 29 Jun 12:40 .git
-rw-r--r--   1 andrewbrown  staff    205 29 Jun 12:40 .gitignore
-rw-r--r--   1 andrewbrown  staff   1519 29 Jun 12:40 LICENSE
-rw-r--r--   1 andrewbrown  staff  14644 29 Jun 12:40 README.md
-rw-r--r--   1 andrewbrown  staff   3552 29 Jun 12:40 cloudgoat.py
drwxr-xr-x   4 andrewbrown  staff    128 29 Jun 12:40 core
drwxr-xr-x   7 andrewbrown  staff    224 29 Jun 12:40 scenarios

So I chmod u+x cloudgoat.py and this resolved the permission denied

~/Desktop/CloudGoat[master]: chmod u+x cloudgoat.py
~/Desktop/CloudGoat[master]: ls -la
total 56
drwxr-xr-x   9 andrewbrown  staff    288 29 Jun 12:40 .
drwx------+ 71 andrewbrown  staff   2272 29 Jun 12:40 ..
drwxr-xr-x  12 andrewbrown  staff    384 29 Jun 12:40 .git
-rw-r--r--   1 andrewbrown  staff    205 29 Jun 12:40 .gitignore
-rw-r--r--   1 andrewbrown  staff   1519 29 Jun 12:40 LICENSE
-rw-r--r--   1 andrewbrown  staff  14644 29 Jun 12:40 README.md
-rwxr--r--   1 andrewbrown  staff   3552 29 Jun 12:40 cloudgoat.py
drwxr-xr-x   4 andrewbrown  staff    128 29 Jun 12:40 core
drwxr-xr-x   7 andrewbrown  staff    224 29 Jun 12:40 scenarios

I don't have Terraform as of yet but did resolve permissions denied

~/Desktop/CloudGoat[master]: ./cloudgoat.py config profile
Terraform not found. Please install Terraform before using CloudGoat.

Recommended Suggestion

Update the Quick Start to include the step:

chmod u+x cloudgoat.py

User Data not applied on first boot - instance unreachable via SSH and HTTP

When creating the environment with ./start.sh it runs as intended however the instance is later unreachable as the User-Data is not executed on the created instance. It required the instance to be rebooted, which then executed UserData as intended.

This was verified by removing #cloud-boothook from ec2.tf file, which will cause User data to execute on initial launch instead of every-other reboot.

Feature Request: Tenant to Tenant Scenario

Fantastic tool all, really helping me learn more than I thought on AWS testing. Do you have any plans of releasing a tenant to tenant scenario of say compromising a "prod" tenant from a "dev" tenant?

Thanks again for this tool!

Error deploying all labs related to S3 service

Hello!
I am getting the following errors for each lab that makes use of the S3 service:
I am using the terraform version: v1.0.4
And also my AWS version is: aws-cli/1.19.1 Python/3.9.2 botocore/1.20.0

LAB cloud_breach_s3
Error creating S3 bucket: InvalidBucketName: The specified bucket is not valid.
│ status code: 400, request id: XXXXX, host id: XXXXX
│
│ with aws_s3_bucket.cg-secret-s3-bucket,
│ on s3.tf line 2, in resource "aws_s3_bucket" "cg-cardholder-data-bucket":
│ 2: resource "aws_s3_bucket" "cg-cardholder-data-bucket"

LAB ec2_ssrf
Error creating S3 bucket: InvalidBucketName: The specified bucket is not valid.
│ status code: 400, request id: XXXXX, host id: XXXXX
│
│ with aws_s3_bucket.cg-secret-s3-bucket,
│ on s3.tf line 2, in resource "aws_s3_bucket" "cg-secret-s3-bucket":
│ 2: resource "aws_s3_bucket" "cg-secret-s3-bucket" {

LAB rce_web_app
[cloudgoat] terraform init completed with no error code.
╷
│ Error: only alphanumeric characters and hyphens allowed in "name": "cg-lb-rce_web_app_cgid8lfijuwyg9"
│
│ with aws_lb.cg-lb,
│ on lb.tf line 28, in resource "aws_lb" "cg-lb":
│ 28: name = "cg-lb-${var.cgid}"
│
╵
╷
│ Error: "name" cannot be longer than 32 characters
│
│ with aws_lb_target_group.cg-target-group,
│ on lb.tf line 52, in resource "aws_lb_target_group" "cg-target-group":
│ 52: name = "cg-target-group-${var.cgid}"
│
╵
╷
│ Error: only alphanumeric characters and hyphens allowed in "name"
│
│ with aws_lb_target_group.cg-target-group,
│ on lb.tf line 52, in resource "aws_lb_target_group" "cg-target-group":
│ 52: name = "cg-target-group-${var.cgid}"
│
╵
╷
│ Error: only lowercase alphanumeric characters and hyphens allowed in "identifier"
│
│ with aws_db_instance.cg-psql-rds,
│ on rds.tf line 47, in resource "aws_db_instance" "cg-psql-rds":
│ 47: identifier = "cg-rds-instance-${var.cgid}"

IAM privesc by rollback variable.tf issue

Ran into the following issue on a mac
Seems like an issue during the terraform variable script generation.

(cloudgoat) ~/D/A/cloudgoat ❯❯❯ ./cloudgoat.py create iam_privesc_by_rollback                                       master ✱ ◼
Using default profile "cloudgoat" from config.yml...
Loading whitelist.txt...
A whitelist.txt file was found that contains at least one valid IP address or range.
You already have an instance of iam_privesc_by_rollback deployed. Do you want to destroy and recreate it (y) or cancel (n)? [y/n]: y

No terraform.tfstate file was found in the scenario instance's terraform directory, so "terraform destroy" will not be run.

Successfully destroyed iam_privesc_by_rollback_cgidicp2zml7sv.
Scenario instance files have been moved to /Users/d/Desktop/AWS exploits/cloudgoat/trash/iam_privesc_by_rollback_cgidicp2zml7sv
There are some problems with the configuration, described below.

The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.

Error: Error parsing /Users/d/Desktop/AWS exploits/cloudgoat/iam_privesc_by_rollback_cgidff1qjx40y3/terraform/variables.tf: At 15:10: Unknown token: 15:10 IDENT list

[cloudgoat] Error while running `terraform init`.
    exit code: 1
    stdout: None
    stderr: None

hi bro

I want to create codebuild_secrets
but
Error: only lowercase alphanumeric characters and hyphens allowed in "identifier"

│ with aws_db_instance.cg-psql-rds,
│ on rds.tf line 51, in resource "aws_db_instance" "cg-psql-rds":
│ 51: identifier = "cg-rds-instance-${var.cgid}"

[cloudgoat] Error while running terraform plan.
exit code: 1
stdout: None
stderr: None

This error happens.
How do I solve this error?

Feature request: Support authentication when AWS environment variables are already available in the environment

Using aws-vault to authenticate, it would be useful if cloudgoat could take into account the environment variables already available to authenticate to AWS rather than having to specify a profile.

$ aws sts get-caller-identity
{
    "UserId": "XXXXX:[email protected]",
    "Account": "123456789123",
    "Arn": "arn:aws:sts::123456789123:assumed-role/XXX/[email protected]"
}
$ ./cloudgoat.py create cloud_breach_s3
The create command requires the use of the --profile flag, or a default profile defined in the config.yml file (try "config profile").

Incorrect AWS CLI Command

In the Calrissian cheat sheet here, one of the commands is wrong:

aws describe-db-subnet-groups --profile Calrissian

should be

aws rds describe-db-subnet-groups --profile Calrissian

Failing Installation - Credentials.txt Empty

I start off by running the below command:

./start.sh 192.168.1.0/24

I use my public IP and terraform appears to apply the changes fine, but then I get this error:

Apply complete! Resources: 39 added, 0 changed, 0 destroyed.

The state of your infrastructure has been saved to the path
below. This state is required to modify and destroy your
infrastructure, so keep it safe. To inspect the complete state
use the `terraform show` command.

State path: terraform.tfstate
Traceback (most recent call last):
  File "./extract_creds.py", line 10, in <module>
    encryptpass = data['modules'][0]['resources']['aws_iam_user_login_profile.administrator']['primary']['attributes']['encrypted_password']
KeyError: 'modules'
root@ubuntu:/opt/cloudgoat# 

I'm on the newest version of Ubuntu:

root@ubuntu:/opt/cloudgoat# uname -a
Linux ubuntu 5.0.0-15-generic #16-Ubuntu SMP Mon May 6 17:41:33 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

So I really don't know what else to try other than downgrading and installing it from like a 14.04/16.04 box. Thoughts?

MalformedPolicy: Policy has invalid resource

running on osx 10.13.6

$ terraform --version
Terraform v0.11.7

I tried a few times and it keeps erroring out here:

aws_s3_bucket.cloudgoat_private: Still creating... (1m0s elapsed)

Error: Error applying plan:

1 error(s) occurred:

  • aws_s3_bucket.cloudgoat_private: 1 error(s) occurred:

  • aws_s3_bucket.cloudgoat_private: Error putting S3 policy: MalformedPolicy: Policy has invalid resource
    status code: 400, request id: 7701E4DE13BAB6A4, host id: etGPXvw+2ym61N09FF3f3CHTM2jtCXPYO/mAUygUqdlkZkybmd1FfeuQMOjeWaSAq+VbYp57jmA=

[cloudgoat] Error while running `terraform apply`.

[Background]
I was attempting to learn AWS cloud security via CloudGoat. Hence I proceeded to follow the steps of installation at https://github.com/RhinoSecurityLabs/cloudgoat.
However, after installing the requisite dependencies, executing the command ./cloudgoat.py create iam_privesc_by_rollback gives me the error: [cloudgoat] Error while running terraform apply.

[Installed software]
OS: MacOS 11.3 beta
AWS: aws-cli/2.1.38 Python/3.8.8 Darwin/20.4.0 exe/x86_64 prompt/off
Terraform: Terraform v0.15.0

[Output just before the error]
[cloudgoat] terraform plan completed with no error code.
aws_iam_user.cg-raynor: Creating...
aws_iam_policy.cg-raynor-policy: Creating...
aws_iam_user.cg-raynor: Creation complete after 2s [id=raynor-cgid3ngisyr6xx]
aws_iam_access_key.cg-raynor: Creating...
aws_iam_access_key.cg-raynor: Creation complete after 1s [id=AKIATWRLSQ74V4REKXN4]
aws_iam_policy.cg-raynor-policy: Creation complete after 4s [id=arn:aws:iam::254568204281:policy/cg-raynor-policy-cgid3ngisyr6xx]
null_resource.cg-create-iam-user-policy-version-2: Creating...
aws_iam_user_policy_attachment.cg-raynor-attachment: Creating...
null_resource.cg-create-iam-user-policy-version-4: Creating...
null_resource.cg-create-iam-user-policy-version-5: Creating...
null_resource.cg-create-iam-user-policy-version-3: Creating...
null_resource.cg-create-iam-user-policy-version-2: Provisioning with 'local-exec'...
null_resource.cg-create-iam-user-policy-version-4: Provisioning with 'local-exec'...
null_resource.cg-create-iam-user-policy-version-2 (local-exec): Executing: ["/bin/sh" "-c" "aws iam create-policy-version --policy-arn arn:aws:iam::254568204281:policy/cg-raynor-policy-cgid3ngisyr6xx --policy-document file://../assets/policies/v2.json --no-set-as-default --profile cloudgoat --region us-east-1"]
null_resource.cg-create-iam-user-policy-version-4 (local-exec): Executing: ["/bin/sh" "-c" "aws iam create-policy-version --policy-arn arn:aws:iam::254568204281:policy/cg-raynor-policy-cgid3ngisyr6xx --policy-document file://../assets/policies/v4.json --no-set-as-default --profile cloudgoat --region us-east-1"]
null_resource.cg-create-iam-user-policy-version-5: Provisioning with 'local-exec'...
null_resource.cg-create-iam-user-policy-version-5 (local-exec): Executing: ["/bin/sh" "-c" "aws iam create-policy-version --policy-arn arn:aws:iam::254568204281:policy/cg-raynor-policy-cgid3ngisyr6xx --policy-document file://../assets/policies/v5.json --no-set-as-default --profile cloudgoat --region us-east-1"]
null_resource.cg-create-iam-user-policy-version-3: Provisioning with 'local-exec'...
null_resource.cg-create-iam-user-policy-version-3 (local-exec): Executing: ["/bin/sh" "-c" "aws iam create-policy-version --policy-arn arn:aws:iam::254568204281:policy/cg-raynor-policy-cgid3ngisyr6xx --policy-document file://../assets/policies/v3.json --no-set-as-default --profile cloudgoam::254568204281:policy/cg-raynor-policy-cgid3ngisyr6xx --policy-document file://../assets/policies/v3.json --no-set-as-default --profile cloudgoat --region us-east-1"]

null_resource.cg-create-iam-user-policy-version-5 (local-exec): Unknown output type:

null_resource.cg-create-iam-user-policy-version-4 (local-exec): Unknown output type:
aws_iam_user_policy_attachment.cg-raynor-attachment: Creation complete after 2s [id=raynor-cgid3ngisyr6xx-20210417171258177400000001]

null_resource.cg-create-iam-user-policy-version-3 (local-exec): Unknown output type:

null_resource.cg-create-iam-user-policy-version-2 (local-exec): Unknown output type:

│ Error: Error running command 'aws iam create-policy-version --policy-arn arn:aws:iam::254568204281:policy/cg-raynor-policy-cgid3ngisyr6xx --policy-document file://../assets/policies/v5.json --no-set-as-default --profile cloudgoat --region us-east-1': exit status 255. Output:
│ Unknown output type:





│ Error: Error running command 'aws iam create-policy-version --policy-arn arn:aws:iam::254568204281:policy/cg-raynor-policy-cgid3ngisyr6xx --policy-document file://../assets/policies/v4.json --no-set-as-default --profile cloudgoat --region us-east-1': exit status 255. Output:
│ Unknown output type:





│ Error: Error running command 'aws iam create-policy-version --policy-arn arn:aws:iam::254568204281:policy/cg-raynor-policy-cgid3ngisyr6xx --policy-document file://../assets/policies/v3.json --no-set-as-default --profile cloudgoat --region us-east-1': exit status 255. Output:
│ Unknown output type:





│ Error: Error running command 'aws iam create-policy-version --policy-arn arn:aws:iam::254568204281:policy/cg-raynor-policy-cgid3ngisyr6xx --policy-document file://../assets/policies/v2.json --no-set-as-default --profile cloudgoat --region us-east-1': exit status 255. Output:
│ Unknown output type:



[cloudgoat] Error while running terraform apply.
exit code: 1
stdout: None
stderr: None

echo "<publicKey>" >> /home/ubuntu/.ssh/authorized_keys not working in RCE_WEB_APP

Not sure of the root cause, perhaps a nodejs parsing issue, but the = sign that is always present at the end of a public key (1 or 2 = signs) works as a truncation when passed through the input, and I didn't find any way to echo it or add it to the authorized_keys file.

To solve the problem, I did the following:
ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N ""
cp /tmp/sshkey.pub /home/ubuntu/.ssh/authorized_keys
cat /tmp/sshkey and put it in a file on my machine and chmod 400
then we can ssh in

./cloudgoat destroy scenario -error

Hey guys,
When I run the terraform destroy command I get the following error.

This happens for all of the scenarios. Do you know why this could be?

Destroy "lambda_privesc"? [y/n]: y

│ Error: Failed to parse command-line flags

│ flag provided but not defined: -force

For more help on using this command, run:
terraform destroy -help

[cloudgoat] Error while running terraform destroy.
exit code: 1
stdout: None
stderr: None

Destruction complete.
0 scenarios successfully destroyed
2 destroys failed
0 skipped

Missing file? cloud_breach_s3/terraform/iam.tf

In attempting to go through this level, I get the EC2 instance credentials, but when I try to use them, I get an AccessKeyId does not exist error. I believe this is because of a missing iam.tf file in this scenario that doesn't create the "erratic" user in IAM that is associated with the key.

Output shown below...
(env) wuchang@mashimaro % curl http://52.205.207.234/latest/meta-data/iam/security-credentials/cg-banking-WAF-Role-cgidv6re74mqg9 -H 'Host: 169.254.169.254'
{
"Code" : "Success",
"LastUpdated" : "2019-12-03T21:39:53Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIATAIYWS4KQHVW2NM7",
"SecretAccessKey" : "FnaI8mgszLNC42k6SGOcAkWFLObdRNRhwRup4YPB",
"Token" : "[REMOVED]",
"Expiration" : "2019-12-04T04:15:08Z"
}%

(env) wuchang@mashimaro% aws configure --profile erratic
AWS Access Key ID [****************FFNP]: ASIATAIYWS4KQHVW2NM7
AWS Secret Access Key [****************hdxQ]: FnaI8mgszLNC42k6SGOcAkWFLObdRNRhwRup4YPB
Default region name [None]:
Default output format [None]:
(env) wuchang@mashimaro% aws s3 ls --profile erratic

An error occurred (InvalidAccessKeyId) when calling the ListBuckets operation: The AWS Access Key Id you provided does not exist in our records.

Hi bro

how to solve this error ??
I want to create cloud_breach_s3

Error: Error creating S3 bucket: InvalidBucketName: The specified bucket is not valid.
│ status code: 400, request id: [ ], host id: [ ]

│ with aws_s3_bucket.cg-cardholder-data-bucket,
│ on s3.tf line 2, in resource "aws_s3_bucket" "cg-cardholder-data-bucket":
│ 2: resource "aws_s3_bucket" "cg-cardholder-data-bucket" {

[cloudgoat] Error while running terraform apply.
exit code: 1
stdout: None
stderr: None

Error while running the iam_privesc_by_rollback script

./cloudgoat.py --profile test create iam_privesc_by_rollback
Loading whitelist.txt...
A whitelist.txt file was found that contains at least one valid IP address or range.
You already have an instance of iam_privesc_by_rollback deployed. Do you want to destroy and recreate it (y) or cancel (n)? [y/n]: y

No terraform.tfstate file was found in the scenario instance's terraform directory, so "terraform destroy" will not be run.

Successfully destroyed iam_privesc_by_rollback_cgidqog4aruu76.
Scenario instance files have been moved to /home/ubuntu/cloudgoat/trash/iam_privesc_by_rollback_cgidqog4aruu76
Usage: terraform init [options] [DIR]

Initialize a new or existing Terraform working directory by creating
initial files, loading any remote state, downloading modules, etc.

This is the first command that should be run for any new or existing
Terraform configuration per machine. This sets up all the local data
necessary to run Terraform that is typically not committed to version
control.

This command is always safe to run multiple times. Though subsequent runs
may give errors, this command will never delete your configuration or
state. Even so, if you have important information, please back it up prior
to running this command, just in case.

If no arguments are given, the configuration in this working directory
is initialized.

Options:

-backend=true Configure the backend for this configuration.

-backend-config=path This can be either a path to an HCL file with key/value
assignments (same format as terraform.tfvars) or a
'key=value' format. This is merged with what is in the
configuration file. This can be specified multiple
times. The backend type must be in the configuration
itself.

-force-copy Suppress prompts about copying state data. This is
equivalent to providing a "yes" to all confirmation
prompts.

-from-module=SOURCE Copy the contents of the given module into the target
directory before initialization.

-get=true Download any modules for this configuration.

-get-plugins=true Download any missing plugins for this configuration.

-input=true Ask for input if necessary. If false, will error if
input was required.

-lock=true Lock the state file when locking is supported.

-lock-timeout=0s Duration to retry a state lock.

-no-color If specified, output won't contain any color.

-plugin-dir Directory containing plugin binaries. This overrides all
default search paths for plugins, and prevents the
automatic installation of plugins. This flag can be used
multiple times.

-reconfigure Reconfigure the backend, ignoring any saved
configuration.

-upgrade=false If installing modules (-get) or plugins (-get-plugins),
ignore previously-downloaded objects and install the
latest version allowed within configured constraints.

-verify-plugins=true Verify the authenticity and integrity of automatically
downloaded plugins.

[cloudgoat] Error while running terraform init.
exit code: 1
stdout: None
stderr: None

Terraform version = v0.12.23

in Ec2_ssrf not able to connect to http://ecipinstance

Page Unable to connect

Firefox can’t establish a connection to the server at ec2-3-XXXXXXXX.compute-1.amazonaws.com.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

Missing security group in EC2 instance

Hi guys!

I see that after deploying CloudGoat, the EC2 instance has only the "cloudgoat_ec2_sg" security group assigned, which allows only inbound SSH traffic. I guess it should also be assigned to the "cloudgoat_lb_sg" group to allow HTTP traffic by default.

P.S.
But also have to say that (at least so far) Cloudgoat works like a charm and I really enjoy it - awesome job guys!

ec2_ssrf error on default page

It looks like the default page of the EC2 instance results in the following error:

TypeError: URL must be a string, not undefined
    at new Needle (/node_modules/needle/lib/needle.js:172:11)
    at Function.module.exports.(anonymous function) [as get] (/node_modules/needle/lib/needle.js:818:12)
    at /home/ubuntu/app/ssrf-demo-app.js:32:12
    at Layer.handle [as handle_request] (/node_modules/express/lib/router/layer.js:95:5)
    at next (/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/node_modules/express/lib/router/layer.js:95:5)
    at /node_modules/express/lib/router/index.js:281:22
    at Function.process_params (/node_modules/express/lib/router/index.js:335:12)
    at next (/node_modules/express/lib/router/index.js:275:10)

The following URL does however work, just difficult to get to this step when the main page is broken.

http://<ec2 url>/?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/

Same issue in ec2_ssrf scenario as in rce_web_app scenario

nodejs doesn't start automatically without adding

    echo '* libraries/restart-without-asking boolean true' | debconf-set-selections

after
user_data = <<-EOF
#!/bin/bash

in ec2.tf file.

So basically you cannot access the web app and you cannot perform the ssrf.
Please fix because having to troubleshoot something that was supposed to work has already spoiled two scenarios for me, and possibly for other people.

Thanks

Insufficient ELB configuration

Hi,

I've experienced an issue where ELB was put to the AZ us-west-2a whereas EC2 into us-west-2b. Because of that, ELB kept reporting that Instance is in the ec2 availability zone for which load balancer is not configured.

After a couple of health checks passed from the ELB, its status started switching between:

  • "Instance has not passed the configured HealthyThreshold number of health checks consecutively"
  • "Instance has failed at least the UnhealthyThreshold number of health checks consecutively"

As a fix for that I used below two commands:

aws --region us-west-2 elb enable-availability-zones-for-load-balancer --load-balancer-name cloudgoat-elb --availability-zones us-west-2a
aws --region us-west-2 elb enable-availability-zones-for-load-balancer --load-balancer-name cloudgoat-elb --availability-zones us-west-2b

Also, I think that this particular information should be added to the repo's README, because people might easily give up due to being unable to reach the web server:

The EC2 instance is only given inbound access over SSH on purpose, as part of CloudGoat is figuring out a way to open that port on that instance, so you can access the web server.

unintended vulnerability in Scenario: ecs_efs_attack

I found an unintended way to get the flag of "ecs_efs_attack".
I think it should be patched, so I am writing this issue about the vulnerability.

After the command $ ./cloudgoat.py create ecs_efs_attack , I can access the EC2 instance by using the given private key.
In that situation, I tried to mount the EFS data. When I tried to mount it, an error occurred, but I could solve that error by installing the nfs package.
$ sudo apt-get install nfs-common
After that, I can mount the data and see the flag.

./cloudgoat create results in NoCredentialProviders

I run the following:

./cloudgoat.py create iam_privesc_by_rollback --profile cloudgoat

This is the error that results:

data.local_file.v5: Refreshing state...
data.local_file.v2: Refreshing state...
data.local_file.v4: Refreshing state...
data.local_file.v1: Refreshing state...
data.local_file.v3: Refreshing state...

Error: error validating provider credentials: error calling sts:GetCallerIdentity: NoCredentialProviders: no valid providers in chain. Deprecated.
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors

  on provider.tf line 1, in provider "aws":
   1: provider "aws" {

Looking into the terraform script variables.tf looks like the following:

#Required: AWS Profile
variable "profile" {

}
#Required: AWS Region
variable "region" {
  default = "us-east-1"
}
#Required: CGID Variable for unique naming
variable "cgid" {

}
#Required: User's Public IP Address(es)
variable "cg_whitelist" {
  type = list

}

I am not familiar enough with Terraform and uncertain if I should see the variables correctly set here.

I did set up a profile in my ~/.aws/credentials and I also ran

./cloudgoat.py config profile

scenario iam_privesc_by_rollback / set-default-policy-version issue

After executing a set-default-policy-version API call against IAM, in order to change the default policy version from v1 to v2 and complete the scenario, I do not see any changes.

The response I get from the CLI is aws-cli/1.16.19 Python/3.7.3 Darwin/18.6.0 botocore/1.12.9 and yet, when I list the policy versions, I still see v1 as the default.

aws> iam list-policy-versions --policy-arn "arn:aws:iam::xxxxxxxxxx:policy/cg-raynor-policy" --profile goat1

{
    "Versions": [
        {
            "VersionId": "v5",
            "IsDefaultVersion": false,
            "CreateDate": "2019-07-03T20:12:36Z"
        },
        {
            "VersionId": "v4",
            "IsDefaultVersion": false,
            "CreateDate": "2019-07-03T20:12:36Z"
        },
        {
            "VersionId": "v3",
            "IsDefaultVersion": false,
            "CreateDate": "2019-07-03T20:12:36Z"
        },
        {
            "VersionId": "v2",
            "IsDefaultVersion": false,
            "CreateDate": "2019-07-03T20:12:36Z"
        },
        {
            "VersionId": "v1",
            "IsDefaultVersion": true,
            "CreateDate": "2019-07-03T20:12:34Z"
        }
    ]
}

aws> iam set-default-policy-version --policy-arn "arn:aws:iam::xxxxxxxxxx:policy/cg-raynor-policy" --version v2

aws-cli/1.16.19 Python/3.7.3 Darwin/18.6.0 botocore/1.12.9

Re-listing the policy versions still indicates that the default is v1, and not v2 as I requested it be.
aws> iam list-policy-versions --policy-arn "arn:aws:iam::115754076533:policy/cg-raynor-policy" --profile goat1

{
    "Versions": [
        {
            "VersionId": "v5",
            "IsDefaultVersion": false,
            "CreateDate": "2019-07-03T20:12:36Z"
        },
        {
            "VersionId": "v4",
            "IsDefaultVersion": false,
            "CreateDate": "2019-07-03T20:12:36Z"
        },
        {
            "VersionId": "v3",
            "IsDefaultVersion": false,
            "CreateDate": "2019-07-03T20:12:36Z"
        },
        {
            "VersionId": "v2",
            "IsDefaultVersion": false,
            "CreateDate": "2019-07-03T20:12:36Z"
        },
        {
            "VersionId": "v1",
            "IsDefaultVersion": true,
            "CreateDate": "2019-07-03T20:12:34Z"
        }
    ]
}

Checked CloudTrail logs for all actions by the public key of this user, and there are no calls logged outside of List and Get API calls.

Perhaps this functionality has been removed and this scenario is no longer applicable?
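The two checks described in the issue above (reading the default version from `list-policy-versions` output and searching CloudTrail for write calls against the policy) can be done in code. This is an added example, not from the issue or from CloudGoat; the CloudTrail records, account ID, ARNs and access key below are constructed, and the helper names are hypothetical.

```python
import json

# IAM API calls that add, remove or switch a managed policy's versions.
POLICY_VERSION_WRITES = {
    "CreatePolicyVersion",
    "SetDefaultPolicyVersion",
    "DeletePolicyVersion",
}


def default_version(list_policy_versions_output):
    """Return the VersionId flagged as default in `iam list-policy-versions` output."""
    defaults = [v["VersionId"]
                for v in list_policy_versions_output["Versions"]
                if v["IsDefaultVersion"]]
    if len(defaults) != 1:
        raise ValueError(f"expected exactly one default version, got {defaults}")
    return defaults[0]


def policy_version_events(trail, policy_arn=None, access_key_id=None):
    """Return policy-version write events from a CloudTrail log file, oldest first.

    Failed calls are kept (with their errorCode) because a denied attempt is
    as interesting to a defender as a successful one.
    """
    hits = []
    for rec in trail.get("Records", []):
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in POLICY_VERSION_WRITES:
            continue
        params = rec.get("requestParameters") or {}   # may be null in a record
        identity = rec.get("userIdentity") or {}
        if policy_arn and params.get("policyArn") != policy_arn:
            continue
        if access_key_id and identity.get("accessKeyId") != access_key_id:
            continue
        hits.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "caller": identity.get("arn"),
            "policy": params.get("policyArn"),
            "version": params.get("versionId"),
            "error": rec.get("errorCode"),             # None when the call succeeded
        })
    return sorted(hits, key=lambda h: h["time"] or "")


# Constructed sample data (placeholder account, ARN and key).
ARN = "arn:aws:iam::111122223333:policy/cg-raynor-policy"
KEY = "AKIAIOSFODNN7EXAMPLE"
USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/raynor",
        "accessKeyId": KEY}

SAMPLE_TRAIL = {"Records": [
    {"eventTime": "2019-07-03T20:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListPolicyVersions", "userIdentity": USER,
     "requestParameters": {"policyArn": ARN}},
    {"eventTime": "2019-07-03T20:32:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "SetDefaultPolicyVersion", "userIdentity": USER,
     "requestParameters": {"policyArn": ARN, "versionId": "v2"}},
    {"eventTime": "2019-07-03T20:31:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreatePolicyVersion", "userIdentity": USER,
     "errorCode": "AccessDenied",
     "requestParameters": {"policyArn": ARN, "setAsDefault": True}},
]}

SAMPLE_VERSIONS = json.loads("""
{"Versions": [
  {"VersionId": "v2", "IsDefaultVersion": false, "CreateDate": "2019-07-03T20:12:36Z"},
  {"VersionId": "v1", "IsDefaultVersion": true,  "CreateDate": "2019-07-03T20:12:34Z"}
]}
""")

if __name__ == "__main__":
    print("default:", default_version(SAMPLE_VERSIONS))
    for hit in policy_version_events(SAMPLE_TRAIL, policy_arn=ARN, access_key_id=KEY):
        print(hit)
```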

first run of ./start.sh fails on credfile.write("Administrator Password: " + clearpass + '\n')

I'm running on osx 10.13.6
with brew installed gpg

$ gpg --version
gpg (GnuPG) 2.2.4
libgcrypt 1.8.2
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/kbroughton/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Here is the error:

gpg: encrypted with 2048-bit RSA key, ID 2F5443323CA9803B, created 2018-08-01
"CloudGoat"
Traceback (most recent call last):
  File "./extract_creds.py", line 14, in <module>
    credfile.write("Administrator Password: " + clearpass + '\n')
TypeError: must be str, not bytes

EC2 SSRF Scenario - I/O Timeout

Hello there, first of all kudos for such an amazing tool!
I have been playing around with most of the challenges so far but I have noticed that there might be an issue with the EC2 SSRF scenario (I have also heard someone else having the exact same problem). It seems to be related to the ZIP file needed for the lambda function deployment.
I am including a few details of my software version(s) if that helps

OS: Kali Linux
AWS CLI: aws-cli/1.18.80 Python/3.7.6 Linux/5.4.0-kali3-amd64 botocore/1.17.3
Terraform: v0.12.26

./cloudgoat.py create ec2_ssrf
[...SNIP...]
aws_instance.cg-ubuntu-ec2: Provisioning with 'file'...
[...SNIP...]
Error: timeout - last error: dial tcp 18.206.93.239:22: i/o timeout
[...SNIP...]
[cloudgoat] Error while running terraform apply.
exit code: 1
stdout: None
stderr: None

Unable to run "./cloudgoat.py config profile"

Hello, I cloned the repository and installed all the requirements, but when running the configuration part I'm getting the following error:

root@kali:~/CloudGoat# ./cloudgoat.py config profile
Traceback (most recent call last):
  File "./cloudgoat.py", line 112, in <module>
    from core.python.commands import CloudGoat
ModuleNotFoundError: No module named 'core.python'


Can you help me?

enhancement: address multi-tenancy issues with session ids for generated resources

I'm showing cloudgoat to some colleagues and we are using a company AWS org.
The multitenancy desired is:
shared AWS org
separate cloudgoat envs per user

This causes some problems:

cloudgoat_key is created once by the first user and others don't have access to the private key

  • workaround: choose a distinct region for the second user to upload a key to
  • fix: have the cloudgoat_key read from ~/.ssh/rsa and create a session id
    cloudgoat_key-12345

administrator user is generated by the first user. Subsequent users don't have the pwd.

  • workaround: share the admin user pwd
  • fix: generate a session suffix for administrator-12345 at terraform plan time.

Same issue for joe and bob users.

rce_web_app scenario 502 bad gateway

After some troubleshooting and creating and destroying multiple times, I found out that node.js on the ec2 instance was not started. Result: 502 bad gateway in browser when opening the elb url.
I connected via ssh by downloading the cloudgoat private key from the related keystore bucket, went to the home folder, unzipped app.zip, and ran: node .
Not sure of the root cause.

Update cheat_sheet_kerrigan.md

Changes required:

  • Line-13: Write created key pair pwned to private key file pwned.pem and set permissions
  • Line-19: Set --instance-type t2.micro
  • Line-20: SSH to created EC2 instance

Feature Request: Minimum AWS Policy Template

Could you provide a bare minimum IAM security policy file that can be imported into an instance and assigned to the user CloudGoat is running under? I'd rather not create a full administrator user to run this, nor do most of our corporate sandbox instances allow for such a thing anyways. If you know what specific roles/permissions are needed to run the scenarios, that would make deployment much easier. As far as I can see, the only guidance is to grant the ability to create/destroy objects, but that isn't that specific.

Thanks! We are looking forward to using this.

Terraform init state checks for plugins

Hi,
How can I stop terraform from checking
Checking for available provider plugins...
Downloading plugin for provider "AWS" (hashicorp/aws)
and making it use only the existing plugins

Unable to Clone CloudGoat

I am trying to install the Rhino Security Labs CloudGoat on my AWS Ubuntu 18.04 LTS Free-tier EC2 instance. I followed the directions for setting up an admin user and configuring the AWS CLI and also set up terraform v0.12 per the directions. I also configured my instance's security group to allow All traffic.

However, when I run the git clone command I get "Permission denied" error. See below for full output:

sudo git clone git@github.com:RhinoSecurityLabs/cloudgoat.git ./CloudGoat
Cloning into './CloudGoat'...
The authenticity of host 'github.com ()' can't be established.
RSA key fingerprint is SHA256:.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'github.com,' (RSA) to the list of known hosts.
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists

Do I need to associate an SSH key on GitHub to my account and if so how do I do that? I'm not sure what else to try at this point. Thanks.

Not able to access any public ip/url

Everything was working well (rce_web_app), but when I got the public IP and tried to access it, I got the following error: "This site can’t be reached"
Is there any misconfiguration coz I did everything accurately? 😅
Can some1 help me out???

iam_privesc_by_rollback issue

Whenever I execute the command below I get the error below. Any solutions? Thanks in advance. This is happening in all challenges. I even tried as a normal user and as a root-level user and I am still getting this error.
Or is there anything to set up before starting this challenge?

Error: No valid credential sources found for AWS Provider.
Please see https://terraform.io/docs/providers/aws/index.html for more information on
providing credentials for the AWS Provider

on provider.tf line 1, in provider "aws":
1: provider "aws" {

[cloudgoat] Error while running terraform plan.
exit code: 1
stdout: None
stderr: None

Error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.

Not able to do any of these challenges because of the AWS provider error, using Kali...

Currently trying the iam_privesc_by_rollback...

I've set/used environment variables for the AWS credentials; tried to use the credentials file; I've verified the access keys work; but still getting the error:

│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.

│ Error: NoCredentialProviders: no valid providers in chain. Deprecated.
│ For verbose messaging see aws.Config.CredentialsChainVerboseErrors


│ with provider["registry.terraform.io/hashicorp/aws"],
│ on provider.tf line 1, in provider "aws":
│ 1: provider "aws" {

[cloudgoat] Error while running terraform plan.
exit code: 1
stdout: None
stderr: None

└─$ cat credentials
[cloudgoat]
aws_access_key_id = 123123123132123132
aws_secret_access_key =
region = us-east-1
role_arn = arn:aws:iam::123123123123:user/cloudgoat
source_profile = default
[default]
aws_access_key_id = 123123123132123132
aws_secret_access_key =

I even tried to modify the provider.tf file for the specific scenario:
└─$ cat /opt/cloudgoat/scenarios/iam_privesc_by_rollback/terraform/provider.tf 254 ⨯
provider "aws" {
profile = "cloudgoat"
region = "${var.region}"
}

Not sure what else I can do to get this to work.....

Terraform error

Hi there,

I am getting the following error:

Error: error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.

Is there a Terraform config file I need to adjust?

Thanks!

Error while creating many scenarios.

Hello, please help me. I can't create these scenarios. When I create them, the error is shown.

$ ./cloudgoat.py create [SCENARIO_NAME] --profile [PROFILE]

  • cloud_breach_s3
  • ec2_ssrf
  • rce_web_app

This is the warning for the 3 above.

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

Warning: Interpolation-only expressions are deprecated

on ec2.tf line 21, in resource "aws_iam_role" "cg-banking-WAF-Role":
21: Stack = "${var.stack-name}"

Terraform 0.11 and earlier required all non-constant expressions to be
provided via interpolation syntax, but this pattern is now deprecated. To
silence this warning, remove the "${ sequence from the start and the }"
sequence from the end of this expression, leaving just the inner expression.

Template interpolation syntax is still used to construct strings from
expressions when the template includes multiple interpolation sequences or a
mixture of literal strings and interpolations. This deprecation applies only
to templates that consist entirely of a single interpolation sequence.

(and 58 more similar warnings elsewhere)

And this is the error for the 3 above.

Error: timeout - last error: dial tcp 52.xxx.xxx.xxx:22: i/o timeout

[cloudgoat] Error while running `terraform apply`.
exit code: 1
stdout: None
stderr: None

  • ecs_efs_attack

This is the error for the ecs_efs_attack scenario.

Error: Failed getting task definition ClientException: Unable to describe task definition. "webapp"

[cloudgoat] Error while running `terraform plan`.
exit code: 1
stdout: None
stderr: None

AWS CLI : 2.1.6
Terraform : v0.13.5

Error while running the ec2 terraform script.

./cloudgoat.py create rce_web_app
Using default profile "cloudgoat" from config.yml...
Loading whitelist.txt...
A whitelist.txt file was found that contains at least one valid IP address or range.

Now running rce_web_app's start.sh...
There are some problems with the configuration, described below.

The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.

Error: Error parsing /Users/<****>/cloudgoat/rce_web_app_cgirwmfal/terraform/ec2.tf: At 67:21: Unknown token: 67:21 IDENT var.cg_whitelist

[cloudgoat] Error while running terraform init.
exit code: 1
stdout: None
stderr: None

Map scenarios to ATT&CK cloud

Opening for tracking - it would be great to have a mapping of each scenario to ATT&CK cloud, to

  1. Understand the overall coverage of CloudGoat
  2. For a specific scenario, have a high-level overview of the attack techniques that are used
