I am wondering about the situation that someone can try to scan and find application urls for AWS Goat deployment and then through Privilege escalation get Admin account rights on my AWS tenant. I just want to understand if this deployment would be safe from outside threat.
PS - I am quite new to Cloud Security and I think your project has nailed it. Its exactly what I was looking for breaking into Cloud Security . Thank you.

Hi,

Recently I was trying to install the AWS goat in my Linux machine and despite providing the creds for Administrator access user I was getting the following error again and again

 AccessControlListNotSupported: The bucket does not allow ACLs

Maybe It's because of this can you please confirm from your side?

https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-s3-automatically-enable-block-public-access-disable-access-control-lists-buckets-april-2023/

Thanks

I tried the manual installation (not via Github action) and it works fine, however, when you destroy the same project and re-apply it again, the frontend will point to the wrong (old / previous) API_GATEWAY_URL, as it has already been replaced in the first run, due to:

main.tf:
3624: sed -i "s,API_GATEWAY_URL,${aws_api_gateway_deployment.apideploy_ba.invoke_url},g" modules/module-1/resources/s3/webfiles/build/static/js/main.5e35cae6.js
3625: sed -i "s,API_GATEWAY_URL,${aws_api_gateway_deployment.apideploy_ba.invoke_url},g" modules/module-1/resources/s3/webfiles/build/static/js/main.5e35cae6.js.map

Just mentioning it here in case others are wondering about the same. Feel free to close if it's not intended to be used like this (destroyed and re-applie).

Seems the SSRF part 1 does not work as per the guide. The response is 'Invalid Authorization'. I think its expected this will be done using a self registered user, I don't see alternate credentials for this elsewhere or referred to in the guide. The error is the same trying to upload an image as in normal, non exploitation activity.

Can Security Hub detect those resources created? I am trying to run the Security Hub but it did not detect anything.

Hi there,

Is it possible to list down IAM required privileges/permissions to deploy this app? The README.md says:

AWS Access Key with Administrative Privileges

but I'm afraid is not concise enough and is not recommended to have API key for root user.

I run into this error "Error deploying Module 1 on main.tf line 3553" when running deploying Mod1. I have deployed this using a Amazon Linux 2 instances. I verified the the secrets are valid. Has anyone run into this?

Error: local-exec provisioner error
│
│ with null_resource.populate_table,
│ on main.tf line 3553, in resource "null_resource" "populate_table":
│ 3553: provisioner "local-exec" {
│
│ Error running command 'sed -i 's/replace-bucket-name/production-blog-awsgoat-bucket-888888888/g' resources/dynamodb/blog-posts.json
│ python3 resources/dynamodb/populate-table.py
│ ': exit status 1. Output: Traceback (most recent call last):
│ File "/home/ubuntu/AWSGoat-DubLearn/modules/module-1/resources/dynamodb/populate-table.py", line 6, in
│ session=boto3.Session(aws_access_key_id=os.environ['AWS_ACCESS_KEY_ID'], aws_secret_access_key=os.environ['AWS_SECRET_ACCESS_KEY'])
│ File "/usr/lib/python3.10/os.py", line 679, in getitem
│ raise KeyError(key) from None
│ KeyError: 'AWS_ACCESS_KEY_ID'

The main.tf file does not match the intention of the environment exercise. This is reflected in the solution documentation and video. Line 3455 on main.tf contains the following line:

"${aws_iam_role.blog_app_lambda.arn}"

This will input "blog_app_lambda" role into this policy. However, this will not allow you to escalate privileges in the way the solution documentation shows. Reference this image from the solutions documentation which clearly shows that this role arn should actually be for the "blog_app_lambda_data" role.

In fact, the dev-ec2-lambda-policies only has 1 version created by the main.tf template, which means "--version-id v2" of the aws iam get-policy-version command will not work.

A simple change to line 3455 instead to:

"${aws_iam_role.blog_app_lambda_python.arn}"

Would give the desired result of inputting "blog_app_lambda_role" to this policy. This would allow privilege escalation in the method shown as a solution. The version would still remain as v1 unless further edits are made to main.tf.

Hi there,

I am getting this when applying the terraform:

│ Error: creating IAM instance profile AWS_GOAT_ec2_profile: EntityAlreadyExists: Instance Profile AWS_GOAT_ec2_profile already exists.
│ 	status code: 409, request id: ca6<snipped>
│ 
│   with aws_iam_instance_profile.goat_iam_profile,
│   on main.tf line 3484, in resource "aws_iam_instance_profile" "goat_iam_profile":
│ 3484: resource "aws_iam_instance_profile" "goat_iam_profile" {
│ 
╵
Error: Process completed with exit code 1.

I can destroy created resources with terraform destroy successfully though. Can someone have a look? Do we have duplicated command somewhere?

i m trying to run the AWSGoat but the Terroform took long time to load and i end up end the workflow.

Any idea why this happen?

Hello,

I made some simple changes to the login.php file in /modules/module-2/src/src/login.php file.

I created a new ECS repo and used push commands to build a new Docker image and replaced the uri in the .json file as mentioned. However when i run terraform apply i am not seeing any changes on the Web App. Am i missing any step?

Hi there,

I am getting this ERROR when applying terraform on module-1:

aws_lambda_function.react_lambda_app: Creating...
╷
│ Error: error creating Lambda Function (1): InvalidParameterValueException: The runtime parameter of nodejs14.x is no longer supported for creating or updating AWS Lambda functions. We recommend you use the new runtime (nodejs20.x) while creating or updating functions.
│ {
│   RespMetadata: {
│     StatusCode: 400,
│     RequestID: "<snip>"
│   },
│   Message_: "The runtime parameter of nodejs14.x is no longer supported for creating or updating AWS Lambda functions. We recommend you use the new runtime (nodejs20.x) while creating or updating functions.",
│   Type: "User"
│ }
|   with aws_lambda_function.react_lambda_app,
│   on main.tf line 23, in resource "aws_lambda_function" "react_lambda_app":
│   23: resource "aws_lambda_function" "react_lambda_app" {

Minor issue on the solution docs - the 02-SQL Injection.md states:

Check the response, you will see that we have successfully managed to gain access to all the data of all the users, even sensitive data like passwords, phone, addresses, etc.

However, the password nor the secret answer is part of the response.

{
	"secretQuestion": "",
	"creationDate": "2022-01-25T00:00:00.000Z",
	"address": "Ap #662-2304 Phasellus Ave",
	"secretAnswer": "",
	"email": "[email protected]",
	"country": "Germany",
	"name": "Naida Dotson",
	"authLevel": "0",
	"password": "",
	"username": "naidadotson",
	"id": "1",
	"userStatus": "active",
	"phone": "329938731"
}

Would it be possible to integrate AWSGoat with CICDGoat? The idea is to have a full pipeline for infrastructure as code and software development lifecycle. This way it would be possible to perform more simulations for example intentionally leaving an access key somewhere like web.config and pushing the changes to the main repo, building the web app and publishing it.

The combination of parameters you have specified to create a database instance is not compatible. In particular, the combination of the db.t2.micro instance class with the mysql engine version 5.7.44 and the general-public-license model is not supported by AWS RDS.

Having some installation error.
I created a new aws account with MFA.
then followed the steps. Then I am getting terraform errors 1, 254, 255.

Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: actions/checkout@v3, actions/setup-python@v2. For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/.

The following actions uses node12 which is deprecated and will be forced to run on node16: actions/setup-python@v2. For more info: https://github.blog/changelog/2023-06-13-github-actions-all-actions-will-run-on-node16-instead-of-node12-by-default/

The set-output command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

While performing the AWS Goat Lab, I realized that the initial access provided the AWS session for blog-application-data role. But when I tried to perform the privilege escalation, then I realized that the dev-ec2-lambda-policies is misconfigured to allow AttachRolePolicy to the blog_app_lambda role instead of blog-application-data role.
Is it expected or am I missing anything?

Logo

Readme Images

Manual Images
1

2

3

4

5

6

7

Hi Team,

I have added my aws access key & secret keys in github actions and tried to deploy AWSGoat with the terraform script. But I am facing the below error. Can someone help me in fixing this issue asap.

Thank you :)

The first xss documented on
https://github.com/ine-labs/AWSGoat/blob/master/solutions/module-1/01-Reflected%20XSS.md

<script>alert('1')</script>

with expected behaviour:

An alert box pops up on our screen which confirms that our application is vulnerable to XSS injection attacks

does not work, at least not for me.

The xss using the <image> tag works as expected and documented.

When entering above line, nothing happens.

Environment:
Tested with Brave (Version 1.41.100 Chromium: 103.0.5060.134 (Official Build) (64-bit)) and Chrome (Version 104.0.5112.79 (Official Build) (64-bit)), on 5.18.14-1-MANJARO + xfce. Also tested on Mac OS 12.5 with Chrome, same result.

Hi ine-labs,

I got some error that said permission denied even though i am the owner of the AWS account. Here the error

I think there is a missing ID on line https://github.com/ine-labs/AWSGoat/blob/master/.github/workflows/tf-apply-main.yml#L41

Supposed to be like this:

    - name: Terraform Plan
      id: plan
      run: | 
        terraform plan -input=false
        ls -al
      continue-on-error: false

References
https://docs.github.com/en/actions/learn-github-actions/contexts#steps-context

Hi there,

I am getting this ERROR after running terraform on my local linux machine:

cd modules/module-1
terraform init
terraform apply --auto-approve

│ Error: Error creating S3 bucket: BucketAlreadyExists: The requested bucket name is not available. The bucket namespace is shared by all users of the system. Please select a different name and try again.
│       status code: 409, request id: <snip>, host id: <snip>
│ 
│   with aws_s3_bucket.bucket_temp,
│   on main.tf line 3354, in resource "aws_s3_bucket" "bucket_temp":
│ 3354: resource "aws_s3_bucket" "bucket_temp" {

This is the list of my s3 buckets:

aws s3 ls

dev-blog-awsgoat-bucket-...
do-not-delete-awsgoat-state-files-...
production-blog-awsgoat-bucket-...

Am I missing something? Thanks.