Example Usage

Below is an example scenario to demonstrate the usage of CCAT.

Starting with compromised AWS credentials, the attacker enumerates the ECR repositories the credentials can reach. The attacker finds that the target runs an NGINX Docker image and pulls that image from ECR. Next, the attacker plants a reverse shell backdoor in the pulled image. Finally, the attacker pushes the backdoored image back to ECR, where it will be deployed the next time the tag is pulled.

Exploitation Route: compromised AWS credentials -> enumerate ECR repositories -> pull the target Docker image -> backdoor the image -> push the backdoored image to ECR

Exploitation Route Walkthrough with CCAT:

  1. The attacker explores the AWS environment and discovers that the compromised AWS credentials are allowed to list ECR repositories.

    • Enumerate ECR repositories

      • Configure an AWS CLI profile

        The first time CCAT is launched, the attacker is prompted to configure an AWS CLI profile. This profile is used by all of the AWS attack modules.

      • Select the target AWS regions

    • List the enumerated ECR repositories in a simple table

  2. The attacker finds that the target uses an NGINX Docker image and pulls that image from ECR.

    • Pull an ECR repository

      • There are two ways to pull from ECR repositories; the attacker chooses the single repository with multiple tags option

      • The attacker is then prompted for the AWS region, the ECR repository URI and the repository tags

  3. The attacker decides to plant a reverse shell backdoor in the pulled NGINX Docker image.

    • The attacker starts a listener for the reverse shell

    • The attacker creates the reverse shell backdoor

      This module generates a Dockerfile on the fly and builds a new Docker image from it.

      • The attacker is prompted for the repository name, the tag and the new build tag

      • CCAT generates a Dockerfile, adds the reverse shell configuration, and overwrites the image's default CMD

        "CMD sets the default command and/or parameters, which can be overwritten from the command line when the Docker container runs."

        Because CMD is only a default, the backdoor runs only when the container is started without an explicit command; a deployment that passes its own command (for example in an ECS task definition) will not trigger it.

      • The attacker reviews the Dockerfile and builds the new backdoored NGINX Docker image

    • The attacker tests the backdoored Docker image

      • Run a backdoored container

      • Test that the NGINX server still serves requests

      • Test the reverse shell backdoor (the listener receives a connection)

  4. Finally, the attacker pushes the backdoored Docker image to ECR.

    • Check the AWS Web Console BEFORE pushing the backdoored Docker image (note the image digest and pushed-at time of the tag)

    • Push the backdoored Docker image

      • The attacker is prompted for the AWS region, the ECR repository URI and the repository tag

    • Check the AWS Web Console AFTER pushing the backdoored Docker image (the tag now points at a new digest with a new pushed-at time)