TerraformGoat
English | 中文
TerraformGoat is HXSecurity research lab's "Vulnerable by Design" multi cloud deployment tool.
Currently supported cloud vendors include Alibaba Cloud, Tencent Cloud, Huawei Cloud, Amazon Web Services, Google Cloud Platform, Microsoft Azure.
🎯 Scenarios
| ID | Cloud Service Company | Types Of Cloud Services | Vulnerable Environment |
|---|---|---|---|
| 1 | Alibaba Cloud | Networking | VPC Security Group Open All Ports |
| 2 | Alibaba Cloud | Networking | VPC Security Group Open Common Ports |
| 3 | Alibaba Cloud | Object Storage | Bucket HTTP Enable |
| 4 | Alibaba Cloud | Object Storage | Object ACL Writable |
| 5 | Alibaba Cloud | Object Storage | Object ACL Readable |
| 6 | Alibaba Cloud | Object Storage | Special Bucket Policy |
| 7 | Alibaba Cloud | Object Storage | Bucket Public Access |
| 8 | Alibaba Cloud | Object Storage | Object Public Access |
| 9 | Alibaba Cloud | Object Storage | Bucket Logging Disable |
| 10 | Alibaba Cloud | Object Storage | Bucket Policy Readable |
| 11 | Alibaba Cloud | Object Storage | Bucket Object Traversal |
| 12 | Alibaba Cloud | Object Storage | Unrestricted File Upload |
| 13 | Alibaba Cloud | Object Storage | Server Side Encryption No KMS Set |
| 14 | Alibaba Cloud | Object Storage | Server Side Encryption Not Using BYOK |
| 15 | Alibaba Cloud | Elastic Computing Service | ECS SSRF |
| 16 | Alibaba Cloud | Elastic Computing Service | ECS Unattached Disks Are Unencrypted |
| 17 | Alibaba Cloud | Elastic Computing Service | ECS Virtual Machine Disks Are Unencrypted |
| 18 | Tencent Cloud | Networking | VPC Security Group Open All Ports |
| 19 | Tencent Cloud | Networking | VPC Security Group Open Common Ports |
| 20 | Tencent Cloud | Object Storage | Bucket ACL Writable |
| 21 | Tencent Cloud | Object Storage | Bucket ACL Readable |
| 22 | Tencent Cloud | Object Storage | Bucket Public Access |
| 23 | Tencent Cloud | Object Storage | Object Public Access |
| 24 | Tencent Cloud | Object Storage | Unrestricted File Upload |
| 25 | Tencent Cloud | Object Storage | Bucket Object Traversal |
| 26 | Tencent Cloud | Object Storage | Bucket Logging Disable |
| 27 | Tencent Cloud | Object Storage | Server Side Encryption Disable |
| 28 | Tencent Cloud | Elastic Computing Service | CVM SSRF |
| 29 | Tencent Cloud | Elastic Computing Service | CBS Storage Are Not Used |
| 30 | Tencent Cloud | Elastic Computing Service | CVM Virtual Machine Disks Are Unencrypted |
| 31 | Huawei Cloud | Networking | ECS Unsafe Security Group |
| 32 | Huawei Cloud | Object Storage | Object ACL Writable |
| 33 | Huawei Cloud | Object Storage | Special Bucket Policy |
| 34 | Huawei Cloud | Object Storage | Unrestricted File Upload |
| 35 | Huawei Cloud | Object Storage | Bucket Object Traversal |
| 36 | Huawei Cloud | Object Storage | Wrong Policy Causes Arbitrary File Uploads |
| 37 | Huawei Cloud | Elastic Computing Service | ECS SSRF |
| 38 | Huawei Cloud | Relational Database Service | RDS Mysql Baseline Checking Environment |
| 39 | Amazon Web Services | Networking | VPC Security Group Open All Ports |
| 40 | Amazon Web Services | Networking | VPC Security Group Open Common Ports |
| 41 | Amazon Web Services | Object Storage | Object ACL Writable |
| 42 | Amazon Web Services | Object Storage | Bucket ACL Writable |
| 43 | Amazon Web Services | Object Storage | Bucket ACL Readable |
| 44 | Amazon Web Services | Object Storage | MFA Delete Is Disable |
| 45 | Amazon Web Services | Object Storage | Special Bucket Policy |
| 46 | Amazon Web Services | Object Storage | Bucket Object Traversal |
| 47 | Amazon Web Services | Object Storage | Unrestricted File Upload |
| 48 | Amazon Web Services | Object Storage | Bucket Logging Disable |
| 49 | Amazon Web Services | Object Storage | Bucket Allow HTTP Access |
| 50 | Amazon Web Services | Object Storage | Bucket Default Encryption Disable |
| 51 | Amazon Web Services | Elastic Computing Service | EC2 SSRF |
| 52 | Amazon Web Services | Elastic Computing Service | Console Takeover |
| 53 | Amazon Web Services | Elastic Computing Service | EBS Volumes Are Not Used |
| 54 | Amazon Web Services | Elastic Computing Service | EBS Volumes Encryption Is Disabled |
| 55 | Amazon Web Services | Elastic Computing Service | Snapshots Of EBS Volumes Are Unencrypted |
| 56 | Amazon Web Services | Identity and Access Management | IAM Privilege Escalation |
| 57 | Google Cloud Platform | Object Storage | Object ACL Writable |
| 58 | Google Cloud Platform | Object Storage | Bucket ACL Writable |
| 59 | Google Cloud Platform | Object Storage | Bucket Object Traversal |
| 60 | Google Cloud Platform | Object Storage | Unrestricted File Upload |
| 61 | Google Cloud Platform | Elastic Computing Service | VM Command Execution |
| 62 | Microsoft Azure | Object Storage | Blob Public Access |
| 63 | Microsoft Azure | Object Storage | Container Blob Traversal |
| 64 | Microsoft Azure | Elastic Computing Service | VM Command Execution |
💫 Install
TerraformGoat is deployed using Docker images and therefore requires Docker Engine environment support, Docker Engine installation can be found in https://docs.docker.com/engine/install/
Depending on the cloud service provider you are using, choose the corresponding installation command.
Alibaba Cloud
docker pull registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_aliyun:0.0.7
docker run -itd --name terraformgoat_aliyun_0.0.7 registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_aliyun:0.0.7
docker exec -it terraformgoat_aliyun_0.0.7 /bin/bashTencent Cloud
docker pull registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_tencentcloud:0.0.7
docker run -itd --name terraformgoat_tencentcloud_0.0.7 registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_tencentcloud:0.0.7
docker exec -it terraformgoat_tencentcloud_0.0.7 /bin/bashHuawei Cloud
docker pull registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_huaweicloud:0.0.7
docker run -itd --name terraformgoat_huaweicloud_0.0.7 registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_huaweicloud:0.0.7
docker exec -it terraformgoat_huaweicloud_0.0.7 /bin/bashAmazon Web Services
docker pull registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_aws:0.0.7
docker run -itd --name terraformgoat_aws_0.0.7 registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_aws:0.0.7
docker exec -it terraformgoat_aws_0.0.7 /bin/bashGoogle Cloud Platform
docker pull registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_gcp:0.0.7
docker run -itd --name terraformgoat_gcp_0.0.7 registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_gcp:0.0.7
docker exec -it terraformgoat_gcp_0.0.7 /bin/bashMicrosoft Azure
docker pull registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_azure:0.0.7
docker run -itd --name terraformgoat_azure_0.0.7 registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_azure:0.0.7
docker exec -it terraformgoat_azure_0.0.7 /bin/bash📄 Demo
After entering the container, cd to the corresponding scenario directory and you can start deploying the scenario.
Here is a demonstration of the Alibaba Cloud Bucket Object Traversal scenario build.
docker pull registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_aliyun:0.0.7
docker run -itd --name terraformgoat_aliyun_0.0.7 registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat_aliyun:0.0.7
docker exec -it terraformgoat_aliyun_0.0.7 /bin/bash
cd /TerraformGoat/aliyun/oss/bucket_object_traversal/
aliyun configure
terraform init
terraform apply
The program prompts Enter a value:, type yes and enter, use curl to access the bucket, you can see the object traversed.
To avoid the cloud service from continuing to incur charges, remember to destroy the scenario in time after using it.
terraform destroy🚀 Uninstall
If you are in a container, first execute the exit command to exit the container, and then execute the following command under the host.
docker stop $(docker ps -a -q -f "name=terraformgoat*")
docker rm $(docker ps -a -q -f "name=terraformgoat*")
docker rmi $(docker images -a -q -f "reference=registry.cn-hongkong.aliyuncs.com/huoxian_pub/terraformgoat*")⚠️ Notice
- The README of each vulnerable environment is executed within the TerraformGoat container environment, so the TerraformGoat container environment needs to be deployed first.
- Due to the horizontal risk of intranet horizontal on the cloud in some scenarios, it is strongly recommended that users use their own test accounts to configure the scenarios, avoid using the cloud account of the production environment, and install TerraformGoat using Dockerfile to isolate the user's local cloud vendor token and the test account token.
- TerraformGoat is used for educational purposes only, It is not allowed to use it for illegal and criminal purposes, any consequences arising from TerraformGoat are the responsibility of the person using it, and not the HXSecurity organization.
🎊 Contributing
Contributions are welcomed and greatly appreciated. Further reading — CONTRIBUTING.md for details on contribution workflow.
🪪 License
TerraformGoat is under the Apache 2.0 license. See the LICENSE file for details.
