fwd:cloudsec 2023

fwd:cloudsec 2023

CloudFox + CloudFoxable: A Powerful Duo for Mastering the Art of Identifying and Exploiting AWS Attack Paths
2023-06-13 , Salon B

CloudFox helps penetration testers and security professionals find exploitable attack paths in cloud infrastructure. However, what if you want to find and exploit services not yet present in your current environment?
What if you lack access to an enterprise AWS environment?

Enter CloudFoxable, an intentionally vulnerable AWS environment created specifically to showcase CloudFox’s capabilities and help you find latent attack paths more effectively. Drawing inspiration from CloudGoat, flaws.cloud, and Metasploitable, CloudFoxable provides a wide array of flags and attack paths in a CTF format.

In this talk, we'll demonstrate some of CloudFoxable's CTF challenges that “blur the lines”, including an IAM role that trusts a GitHub repository via OIDC, an SNS topic with an overly permissive resource policy that leads to remote code execution, and an exploit path that leads from a vulnerable AWS OpenSearch domain to a private GitHub repository with the flag.

Seth Art is a Principal Security Consultant and the Cloud Penetration Testing Lead at Bishop Fox. Before becoming captivated by Cloud Security and Kubernetes, Seth hacked on web applications, mobile applications, wireless networks, internal corporate networks, and even got paid to legally break into a few buildings.

Seth is the author of multiple open-source projects including CloudFox, IAM Vulnerable, Bad Pods, celeryStalk, Nodejs-SSRF-App, and PyCodeInjection. He has presented at security conferences including DerbyCon and BSidesDC, published multiple CVEs, and is the founder of IthacaSec, a security meetup in upstate NY.