Bucket Walkthrough — Cyberdefenders

responderj
4 min read · Dec 15, 2021

Challenge: Bucket

Scenario
Welcome, Defender! As an incident responder, we’re granting you access to the AWS account called “Security” as an IAM user. This account contains a copy of the logs during the time period of the incident and has the ability to assume the “Security” role in the target account so you can look around to spot the misconfigurations that allowed for this attack to happen.

Tools:

Set-up:
I used AWS CLI for Linux on this challenge.

1. What is the full AWS CLI command used to configure credentials?

By reading this article, I found out what AWS CLI command is used to configure credentials.

2. What is the ‘creation’ date of the bucket ‘flaws2-logs’?

We can determine the creation date of the ‘flaws2-logs’ bucket by checking the S3 service in the Management Console.

Make sure to convert the timezone into UTC.

3. What is the name of the first generated event -according to time?

First, I downloaded all the files in the S3 bucket using the command below.

aws s3 sync s3://flaws2-logs .

The command below will extract all the .gz files:

gunzip *.gz

Use the command below to install jq in Ubuntu:

sudo apt-get install jq

The command below will print the content of the JSON file using the identity filter (.), which outputs the whole document pretty-printed:

jq . 653711331788_CloudTrail_us-east-1_20181128T2235Z_cR9ra7OH1rytWyXY.json

The command above produces the following output:

I searched for an alternative tool to view a JSON file and found JSON Viewer on GitHub. JSON Viewer is a Python script that displays a JSON file in GUI.

Running this command inside the JSON Viewer folder displays the same JSON that jq printed, but in a GUI.

./json_viewer.py 653711331788_CloudTrail_us-east-1_20181128T2235Z_cR9ra7OH1rytWyXY.json

The command above produces the following output:

JSON Viewer also has a search bar. Make sure to enter the correct key or value.

Unfortunately, you cannot copy the value using JSON Viewer, but it is useful for visualization purposes. If you want to copy a long string, use jq instead.

I searched using eventName on all the logs and compared their eventTime.

The table above shows the first event on all the CloudTrail logs.

JSON Viewer will highlight the key and value when it matches the string you are looking for.

4. What source IP address generated the event dated 2018-11-28 at 23:03:20 UTC?

Since I already know the time format used in the logs, I converted 2018-11-28 at 23:03:20 UTC to 2018-11-28T23:03:20Z and searched for that string.

Two logs match the time provided, but only the log below has an IP Address.

5. Which IP address does not belong to Amazon AWS infrastructure?

I used sourceIPAddress to search for all the Source IP addresses on all logs.

I identified two IP addresses and used AbuseIPDB to determine the owner of each.

The image above shows that the IP address belongs to Akamai Technologies Inc.

6. Which user issued the ‘ListBuckets’ request?

The table in Q.3 shows that the log 653711331788_CloudTrail_us-east-1_20181128T2310Z_jQajCuiobojD8I4y.json contains the event name ‘ListBuckets’.

I used the event name ListBuckets to look for the user in that log (653711331788_CloudTrail_us-east-1_20181128T2310Z_jQajCuiobojD8I4y.json).

The image above shows the username that performed the ‘ListBuckets’ request.

7. What was the first request issued by the user ‘level1’?

I checked all the CloudTrail logs with level1 userName and compared their eventTime.

The image above shows the first request made by the user level1.
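The searches in questions 3 to 7 (earliest event, events at a given timestamp, source addresses that are not AWS service principals, who issued ListBuckets, and a user's first request) can be scripted instead of done by hand in JSON Viewer. The script below is an added example, not part of the original walkthrough; the record fields (eventTime, eventName, sourceIPAddress, userIdentity.userName) are real CloudTrail fields, but the sample records are constructed and are not the challenge's logs.

```python
import json
from pathlib import Path

# Constructed sample records (not from the challenge). CloudTrail files are
# {"Records": [...]} objects; these mimic the fields the walkthrough searches on.
SAMPLE_RECORDS = [
    {"eventTime": "2018-11-28T22:32:10Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"userName": "level1"}},
    {"eventTime": "2018-11-28T22:31:59Z", "eventName": "AssumeRole",
     "sourceIPAddress": "lambda.amazonaws.com", "userIdentity": {"type": "AWSService"}},
    {"eventTime": "2018-11-28T23:03:20Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "level1"}},
    {"eventTime": "2018-11-28T23:03:20Z", "eventName": "Invoke",
     "sourceIPAddress": "lambda.amazonaws.com", "userIdentity": {"type": "AWSService"}},
]

def load_records(log_dir):
    """Flatten every *.json CloudTrail file under log_dir (after gunzip) into one list."""
    records = []
    for path in sorted(Path(log_dir).glob("*.json")):
        records.extend(json.loads(path.read_text()).get("Records", []))
    return records

def first_event(records):
    """eventName of the earliest record; ISO-8601 'Z' timestamps sort correctly as text."""
    return min(records, key=lambda r: r["eventTime"])["eventName"]

def events_at(records, when):
    """Every record whose eventTime equals the given UTC timestamp (e.g. '2018-11-28T23:03:20Z')."""
    return [r for r in records if r["eventTime"] == when]

def non_aws_sources(records):
    """sourceIPAddress values that are literal addresses rather than *.amazonaws.com
    service principals. A literal IP can still belong to AWS (e.g. an EC2 instance),
    so confirm ownership against AWS's published ip-ranges.json or a WHOIS/AbuseIPDB lookup."""
    return sorted({r["sourceIPAddress"] for r in records
                   if not r["sourceIPAddress"].endswith(".amazonaws.com")})

def users_for_event(records, event_name):
    """userName of each identity that issued event_name (service principals have none)."""
    return sorted({r["userIdentity"].get("userName", "<no userName>")
                   for r in records if r["eventName"] == event_name})

def first_request_by(records, user):
    """eventName of the earliest record made by the given userName, or None."""
    mine = [r for r in records if r["userIdentity"].get("userName") == user]
    return min(mine, key=lambda r: r["eventTime"])["eventName"] if mine else None

if __name__ == "__main__":
    print(first_event(SAMPLE_RECORDS), users_for_event(SAMPLE_RECORDS, "ListBuckets"))
```

On the real logs, replace SAMPLE_RECORDS with load_records(".") run in the directory where aws s3 sync and gunzip left the .json files.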

Security best practices for Amazon S3:
