TerraformGoat

TerraformGoat is the HXSecurity research lab's "Vulnerable by Design" multi-cloud deployment tool: a set of Terraform scenarios that deliberately deploy misconfigured cloud resources for training and for testing cloud security tooling.

Currently supported cloud vendors are Alibaba Cloud, Tencent Cloud, Huawei Cloud, Amazon Web Services, Google Cloud Platform and Microsoft Azure.

:dart: Scenarios

| ID | Cloud Service Company | Types Of Cloud Services | Vulnerable Environment |
|----|-----------------------|-------------------------|------------------------|
| 1 | Alibaba Cloud | Networking | VPC Security Group Open All Ports |
| 2 | Alibaba Cloud | Networking | VPC Security Group Open Common Ports |
| 3 | Alibaba Cloud | Object Storage | Bucket HTTP Enable |
| 4 | Alibaba Cloud | Object Storage | Object ACL Writable |
| 5 | Alibaba Cloud | Object Storage | Object ACL Readable |
| 6 | Alibaba Cloud | Object Storage | Special Bucket Policy |
| 7 | Alibaba Cloud | Object Storage | Bucket Public Access |
| 8 | Alibaba Cloud | Object Storage | Object Public Access |
| 9 | Alibaba Cloud | Object Storage | Bucket Logging Disable |
| 10 | Alibaba Cloud | Object Storage | Bucket Policy Readable |
| 11 | Alibaba Cloud | Object Storage | Bucket Object Traversal |
| 12 | Alibaba Cloud | Object Storage | Unrestricted File Upload |
| 13 | Alibaba Cloud | Object Storage | Server Side Encryption No KMS Set |
| 14 | Alibaba Cloud | Object Storage | Server Side Encryption Not Using BYOK |
| 15 | Alibaba Cloud | Elastic Computing Service | ECS SSRF |
| 16 | Alibaba Cloud | Elastic Computing Service | ECS Unattached Disks Are Unencrypted |
| 17 | Alibaba Cloud | Elastic Computing Service | ECS Virtual Machine Disks Are Unencrypted |
| 18 | Tencent Cloud | Networking | VPC Security Group Open All Ports |
| 19 | Tencent Cloud | Networking | VPC Security Group Open Common Ports |
| 20 | Tencent Cloud | Object Storage | Bucket ACL Writable |
| 21 | Tencent Cloud | Object Storage | Bucket ACL Readable |
| 22 | Tencent Cloud | Object Storage | Bucket Public Access |
| 23 | Tencent Cloud | Object Storage | Object Public Access |
| 24 | Tencent Cloud | Object Storage | Unrestricted File Upload |
| 25 | Tencent Cloud | Object Storage | Bucket Object Traversal |
| 26 | Tencent Cloud | Object Storage | Bucket Logging Disable |
| 27 | Tencent Cloud | Object Storage | Server Side Encryption Disable |
| 28 | Tencent Cloud | Elastic Computing Service | CVM SSRF |
| 29 | Tencent Cloud | Elastic Computing Service | CBS Storage Are Not Used |
| 30 | Tencent Cloud | Elastic Computing Service | CVM Virtual Machine Disks Are Unencrypted |
| 31 | Huawei Cloud | Networking | ECS Unsafe Security Group |
| 32 | Huawei Cloud | Object Storage | Object ACL Writable |
| 33 | Huawei Cloud | Object Storage | Special Bucket Policy |
| 34 | Huawei Cloud | Object Storage | Unrestricted File Upload |
| 35 | Huawei Cloud | Object Storage | Bucket Object Traversal |
| 36 | Huawei Cloud | Object Storage | Wrong Policy Causes Arbitrary File Uploads |
| 37 | Huawei Cloud | Elastic Computing Service | ECS SSRF |
| 38 | Huawei Cloud | Relational Database Service | RDS Mysql Baseline Checking Environment |
| 39 | Amazon Web Services | Networking | VPC Security Group Open All Ports |
| 40 | Amazon Web Services | Networking | VPC Security Group Open Common Ports |
| 41 | Amazon Web Services | Object Storage | Object ACL Writable |
| 42 | Amazon Web Services | Object Storage | Bucket ACL Writable |
| 43 | Amazon Web Services | Object Storage | Bucket ACL Readable |
| 44 | Amazon Web Services | Object Storage | MFA Delete Is Disable |
| 45 | Amazon Web Services | Object Storage | Special Bucket Policy |
| 46 | Amazon Web Services | Object Storage | Bucket Object Traversal |
| 47 | Amazon Web Services | Object Storage | Unrestricted File Upload |
| 48 | Amazon Web Services | Object Storage | Bucket Logging Disable |
| 49 | Amazon Web Services | Object Storage | Bucket Allow HTTP Access |
| 50 | Amazon Web Services | Object Storage | Bucket Default Encryption Disable |
| 51 | Amazon Web Services | Elastic Computing Service | EC2 SSRF |
| 52 | Amazon Web Services | Elastic Computing Service | Console Takeover |
| 53 | Amazon Web Services | Elastic Computing Service | EBS Volumes Are Not Used |
| 54 | Amazon Web Services | Elastic Computing Service | EBS Volumes Encryption Is Disabled |
| 55 | Amazon Web Services | Elastic Computing Service | Snapshots Of EBS Volumes Are Unencrypted |
| 56 | Amazon Web Services | Identity and Access Management | IAM Privilege Escalation |
| 57 | Google Cloud Platform | Object Storage | Object ACL Writable |
| 58 | Google Cloud Platform | Object Storage | Bucket ACL Writable |
| 59 | Google Cloud Platform | Object Storage | Bucket Object Traversal |
| 60 | Google Cloud Platform | Object Storage | Unrestricted File Upload |
| 61 | Google Cloud Platform | Elastic Computing Service | VM Command Execution |
| 62 | Microsoft Azure | Object Storage | Blob Public Access |
| 63 | Microsoft Azure | Object Storage | Container Blob Traversal |
| 64 | Microsoft Azure | Elastic Computing Service | VM Command Execution |

:dizzy: Install

TerraformGoat is distributed as Docker images and therefore requires a working Docker Engine; installation instructions for Docker Engine are at https://docs.docker.com/engine/install/

Each cloud vendor has its own image, bundling Terraform, the vendor's provider and CLI, and the scenario directories for that vendor. Choose the installation commands for the cloud service provider you are using.

Alibaba Cloud

```bash
docker pull registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_aliyun:0.0.7
docker run -itd --name terraformgoat_aliyun_0.0.7 registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_aliyun:0.0.7
docker exec -it terraformgoat_aliyun_0.0.7 /bin/bash
```

Tencent Cloud

```bash
docker pull registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_tencentcloud:0.0.7
docker run -itd --name terraformgoat_tencentcloud_0.0.7 registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_tencentcloud:0.0.7
docker exec -it terraformgoat_tencentcloud_0.0.7 /bin/bash
```

Huawei Cloud

```bash
docker pull registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_huaweicloud:0.0.7
docker run -itd --name terraformgoat_huaweicloud_0.0.7 registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_huaweicloud:0.0.7
docker exec -it terraformgoat_huaweicloud_0.0.7 /bin/bash
```

Amazon Web Services

```bash
docker pull registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_aws:0.0.7
docker run -itd --name terraformgoat_aws_0.0.7 registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_aws:0.0.7
docker exec -it terraformgoat_aws_0.0.7 /bin/bash
```

Google Cloud Platform

```bash
docker pull registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_gcp:0.0.7
docker run -itd --name terraformgoat_gcp_0.0.7 registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_gcp:0.0.7
docker exec -it terraformgoat_gcp_0.0.7 /bin/bash
```

Microsoft Azure

```bash
docker pull registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_azure:0.0.7
docker run -itd --name terraformgoat_azure_0.0.7 registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_azure:0.0.7
docker exec -it terraformgoat_azure_0.0.7 /bin/bash
```

:page_facing_up: Demo

After entering the container, cd into the directory of the scenario you want and deploy it from there; each scenario directory carries its own README with the scenario-specific steps.

Here is a walkthrough of building the Alibaba Cloud Bucket Object Traversal scenario. First start the Alibaba Cloud image and open a shell in it:

```bash
docker pull registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_aliyun:0.0.7
docker run -itd --name terraformgoat_aliyun_0.0.7 registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_aliyun:0.0.7
docker exec -it terraformgoat_aliyun_0.0.7 /bin/bash
```

Inside the container, change to the scenario directory, configure the Alibaba Cloud CLI with the credentials of your test account (this is where the AccessKey of the isolated test account, not a production account, is entered), then initialise and apply the Terraform configuration:

```bash
cd /TerraformGoat/aliyun/oss/bucket_object_traversal/
aliyun configure
terraform init
terraform apply
```

When Terraform prompts `Enter a value:`, type `yes` and press Enter. Once the apply finishes, request the bucket URL with curl: a bucket that allows anonymous listing answers an unauthenticated GET on the bucket root with an XML `ListBucketResult` document, and the object keys in it are the "traversed" objects.

To avoid the cloud service continuing to incur charges, destroy the scenario from the same directory as soon as you are done with it:

```bash
terraform destroy
```
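The curl step above relies on you reading the XML by eye. The following is an added example, not TerraformGoat's own code, that turns the same check into something scriptable: it classifies a bucket GET response as a listing, an error, or neither, and extracts the object keys. The sample responses are constructed for the example; Alibaba Cloud OSS returns `ListBucketResult` without a namespace while AWS S3 wraps it in the `2006-03-01` namespace, so the parser accepts both. The `fetch_bucket` helper does a real network request and is only used when you pass a bucket URL on the command line (the host name in its docstring is illustrative, not a real scenario endpoint).

```python
"""Check whether an object-storage bucket allows anonymous listing
(the "Bucket Object Traversal" class of misconfiguration).
Added example; not part of TerraformGoat."""
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample responses (not captured from a real bucket).
SAMPLE_OSS_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult>
  <Name>demo-bucket</Name>
  <Prefix></Prefix>
  <IsTruncated>false</IsTruncated>
  <Contents><Key>flag.txt</Key><Size>12</Size></Contents>
  <Contents><Key>backup/db.sql</Key><Size>4096</Size></Contents>
</ListBucketResult>"""

SAMPLE_S3_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>demo-bucket</Name>
  <IsTruncated>true</IsTruncated>
  <Contents><Key>.env</Key><Size>200</Size></Contents>
</ListBucketResult>"""

SAMPLE_DENIED = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>You have no right to access this object.</Message></Error>"""


def _local(tag):
    """Strip an XML namespace: '{http://...}Key' -> 'Key'."""
    return tag.rsplit("}", 1)[-1]


def parse_listing(body):
    """Return (is_listable, keys, truncated) for a bucket GET response body.

    is_listable is True only when the root element is ListBucketResult.
    An <Error> body (AccessDenied, NoSuchBucket, ...), an HTML page or
    non-XML content is not a listing, even if the HTTP status was 200.
    truncated=True means the listing was paged and more keys exist.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, [], False
    if _local(root.tag) != "ListBucketResult":
        return False, [], False
    keys, truncated = [], False
    for child in root:
        name = _local(child.tag)
        if name == "Contents":
            for field in child:
                if _local(field.tag) == "Key" and field.text:
                    keys.append(field.text)
        elif name == "IsTruncated":
            truncated = (child.text or "").strip().lower() == "true"
    return True, keys, truncated


def fetch_bucket(url, timeout=10):
    """Anonymous GET of a bucket root; returns (status, body).
    Only used for live checks, e.g. against a URL such as
    https://demo-bucket.oss-cn-hongkong.aliyuncs.com/ (illustrative host)."""
    req = Request(url, headers={"User-Agent": "bucket-listing-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:  # 403/404 bodies still carry the <Error> XML
        return e.code, e.read().decode("utf-8", "replace")


def check_bucket(url):
    """Fetch a bucket URL and classify the response."""
    status, body = fetch_bucket(url)
    listable, keys, truncated = parse_listing(body)
    return {"url": url, "status": status, "listable": listable,
            "keys": keys, "truncated": truncated}


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(check_bucket(target))
```

Checking the root element rather than the HTTP status matters because a 200 with an `<Error>` body, or a static-website index page, would otherwise be reported as a listable bucket; the `IsTruncated` flag tells you the keys shown are only the first page.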

:rocket: Uninstall

Before removing a container, run `terraform destroy` in every scenario directory you deployed from it: with Terraform's default local backend the state file lives inside the container, and deleting the container first leaves the cloud resources running with no state to destroy them from. Then, if you are still inside the container, run `exit` to leave it and execute the following commands on the host:

```bash
docker stop $(docker ps -a -q -f "name=terraformgoat*")
docker rm $(docker ps -a -q -f "name=terraformgoat*")
docker rmi $(docker images -a -q -f "reference=registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat*")
```

⚠️ Notice

  1. The README of each vulnerable environment assumes you are running inside the TerraformGoat container, so deploy the container first.
  2. Some scenarios (for example the SSRF and command-execution ones) carry a risk of lateral movement within the cloud account's internal network. It is therefore strongly recommended to deploy the scenarios with a dedicated test account, never with a production cloud account, and to run TerraformGoat from the Docker image so that the test account's credentials stay inside the container and are kept apart from any cloud vendor tokens on your local machine.
  3. TerraformGoat is for educational purposes only. It must not be used for illegal or criminal purposes; any consequences arising from the use of TerraformGoat are the responsibility of the person using it, not of the HXSecurity organization.

:confetti_ball: Contributing

Contributions are welcomed and greatly appreciated. Further reading — CONTRIBUTING.md for details on contribution workflow.

🪪 License

TerraformGoat is under the Apache 2.0 license. See the LICENSE file for details.
