Cloud Forensic Write-up: Investigating Serverless and Container Attacks (Cado CTF on AWS)
Quoting from the website: "Captured by Cado is a Capture the Flag (CTF) challenge series designed to educate incident responders on how to investigate attacks on cloud-based systems. This challenge is specifically focused on investigating three attack scenarios in Lambda serverless functions and ECS container systems." (Cado, 2022).
Pre-Requisites
- Basic knowledge of cloud computing (and basic familiarity with the AWS Console)
- Basic knowledge of forensic investigation
- Basic knowledge of Linux
- AWS Free Tier account
Overview: Platform Installation
First, register on this website: Webinar: Captured by Cado — Serverless & Container Attack Investigation (cadosecurity.com). It then shows you the steps, and you receive a reply email like the one pictured below.
There are two CTFs: the first uses the Lambda service and the second uses ECS.
Step-by-Step: Install the CTF Platform
1. Open CloudFormation in the AWS Console and import the CloudFormation template (you can follow the tutorial at https://vimeo.com/734144691).
2. Fill in the stack name, then click Next.
3. In another tab, create your key pair in EC2.
4. Allow access from any IP by entering 0.0.0.0/0, which means the instance is reachable from anywhere (restrict this to your own public IP if you can).
5. Check the acknowledgement, then submit.
6. Wait until the stack has finished creating.
7. Once complete, open Outputs > CadoURL. That is the URL for accessing the CTF platform. Also copy the InstanceId for the next step (it is the password for the first-time password change).
8. Log in with username admin and the InstanceId as the password.
9. Accept.
10. Change your password on first login.
11. Open the Community License from your email (shown below) and save it in JSON format.
12. Upload it to your Cado platform, then submit.
13. The Cado platform dashboard is now shown.
14. Download the CTF files from https://github.com/cado-security/ctf-lambda-containers/releases/tag/v1.0
15. Download both of them.
16. Upload the files to your S3 bucket.
17. Create two projects named Lambda CTF and ECS CTF.
18. The created projects are shown.
19. Import the artifact from S3.
20. Choose and import the object.
21. Processing runs automatically.
Lambda CTF Writeup
Looking in the AWS Console, you discover a Lambda function that nobody knows anything about.
You use Cado Response to acquire the Lambda function and its associated logs and immediately find that it’s a cryptominer running in Lambda.
Questions:
- What are the three URLs embedded in the script?
To get the answer, just read the function's source code:
https://github.com/xmrig/xmrig/releases/download/v6.12.2/xmrig-6.12.2-linux-x64.tar.gz
https://cloudflare-dns.com/dns-query?name=gw.denonia.xyz
- When was the first time this function was run?
GMT: Tuesday, June 28, 2022 3:47:30 PM
Your time zone: Tuesday, June 28, 2022 10:47:30 PM GMT+07:00
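Added example, not part of the write-up or of Cado's tooling: a small Python triage helper for the two Lambda questions above. It pulls the embedded URLs out of the acquired function source and finds the first invocation from the Lambda START events in a CloudWatch log export, rendering it in GMT and GMT+07:00 the way the write-up does. The source snippet and log lines are constructed samples (only the two URLs come from the CTF), and the "<epoch_ms> <message>" export layout is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the acquired handler source: only the URL constants
# matter here, and these two are the ones found in the CTF.
LAMBDA_SOURCE = '''
MINER_URL = "https://github.com/xmrig/xmrig/releases/download/v6.12.2/xmrig-6.12.2-linux-x64.tar.gz"
DOH_URL = "https://cloudflare-dns.com/dns-query?name=gw.denonia.xyz"
'''

# Constructed CloudWatch export, one event per line as "<epoch_ms> <message>".
# Request IDs and later timestamps are invented; the first START is set to the
# CTF answer (2022-06-28 15:47:30 UTC) so the output can be checked against it.
CLOUDWATCH_EXPORT = """\
1656431250000 START RequestId: ctf-sample-0001 Version: $LATEST
1656431250900 END RequestId: ctf-sample-0001
1656431250900 REPORT RequestId: ctf-sample-0001 Duration: 900.12 ms
1656434850000 START RequestId: ctf-sample-0002 Version: $LATEST
1656434851000 END RequestId: ctf-sample-0002
"""

URL_RE = re.compile(r'https?://[^\s\'"<>]+')

def extract_urls(source: str) -> list:
    """Distinct URLs embedded in a script, in order of first appearance."""
    return list(dict.fromkeys(URL_RE.findall(source)))

def start_times(export: str) -> list:
    """Epoch-ms timestamp of every Lambda START event (one per invocation)."""
    starts = []
    for line in export.splitlines():
        ts, _, msg = line.partition(" ")
        if msg.startswith("START RequestId:"):
            starts.append(int(ts))
    return starts

def fmt(dt: datetime, label: str) -> str:
    """Render like the epoch converter in the write-up: 3:47:30 PM, no leading zero."""
    return f"{dt:%A, %B} {dt.day}, {dt.year} {dt.hour % 12 or 12}:{dt:%M:%S %p} {label}"

def first_run(export: str, offset_hours: int = 7) -> tuple:
    """First invocation in GMT and in a local zone (GMT+07:00 as in the write-up)."""
    utc = datetime.fromtimestamp(min(start_times(export)) / 1000, tz=timezone.utc)
    local = utc.astimezone(timezone(timedelta(hours=offset_hours)))
    return fmt(utc, "GMT"), fmt(local, f"GMT{offset_hours:+03d}:00")
```

Against a real acquisition, point extract_urls at the handler file exported by the tooling and start_times at the function's CloudWatch log stream; the earliest START event is the first run.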
ECS CTF Writeup
The AWS Console also shows some containers that request way more vCPU resources than your standard containers do.
You use Cado Response to acquire the container, and again, you find that someone installed a cryptominer.
Questions:
- What users did the attacker create?
evil_account, drevil
- What command did the attacker run from Pastebin.com?
echo Hello World
- How did the attacker find out what the external IP address of the system was?
- BONUS: What might be some additional data you want to collect to understand more?
If auditd is installed, its logs would be very useful and should be collected.
References:
GitHub: cado-security/ctf-lambda-containers
https://offers.cadosecurity.com/serverless-container-attack-investigation