caponesim.yaml

AWSTemplateFormatVersion: 2010-09-09
Transform: S3Objects
Mappings: 
  RegionMap: # All regions aside Hong Kong and Bahrein as they're disabled by default 
    us-east-1:      # N. Virginia
      AMI: ami-00f12d3946726387c
    us-east-2:      # Ohio
      AMI: ami-09eda8943319241d7
    us-west-1:      # N. California
      AMI: ami-01845945efeed8235
    us-west-2:      # Oregon
      AMI: ami-04b73a9d3421ab405
    ca-central-1:   # Canada Central
      AMI: ami-0cf94cacf38d9cf0d
    eu-west-1:      # Ireland
      AMI: ami-0391a0496f7db5c1b
    eu-west-2:      # London
      AMI: ami-0776597e89aad16d2
    eu-west-3:      # Paris
      AMI: ami-0f76c3d5a2e14bbb7
    eu-central-1:   # Frankfurt
      AMI: ami-0b4f7b3d27dad4e36
    eu-north-1:     # Stockholm
      AMI: ami-0405b3fb3a785dd01
    ap-northeast-1: # Tokyo
      AMI: ami-0186b82b7d205ce58
    ap-northeast-2: # Seoul
      AMI: ami-0f283f0a20fc1f119
    ap-south-1:     # Mumbai
      AMI: ami-07260f2a6de51bec7
    ap-southeast-1: # Singapore
      AMI: ami-0513adeea888918cd
    ap-southeast-2: # Sydney
      AMI: ami-081b1c529094efe6f
    sa-east-1:      # Sao Paulo
      AMI: ami-02fe2d54b54386279
Resources:
  SSRFS3Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service:
            - "ec2.amazonaws.com"
          Action:
          - sts:AssumeRole
      Path: "/"
      Policies:
      - PolicyName: SSRFPolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Effect: Allow
            Action:
            - iam:GetRole
            - iam:GetRolePolicy
            - iam:GetPolicy
            - iam:ListRolePolicies
            - iam:ListRoles
            - iam:ListPolicies
            - iam:ListAttachedRolePolicies
            - iam:GetPolicyVersion 
            - iam:ListInstanceProfiles
            Resource: '*' 
          - Effect: Allow
            Action:
            - iam:AttachRolePolicy
            Resource: '*'
            Condition:
              StringEquals:
                iam:PolicyARN: !Ref 'SSRFS3Policy' 
  SSRFS3Policy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: SSRFS3Policy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Action:
          - s3:ListAllMyBuckets
          Resource: '*'
        - Effect: Allow
          Action:
          - s3:ListBucket
          Resource:
          - !Sub
            - 'arn:aws:s3:::${SSRFS3Bucket}'
            - { SSRFS3Bucket: !Ref 'SSRFS3Bucket' } 
        - Effect: Allow
          Action:
          - s3:GetObject
          Resource:
          - !Sub
            - 'arn:aws:s3:::${SSRFS3Bucket}/*'
            - { SSRFS3Bucket: !Ref 'SSRFS3Bucket' }  
  SSRFInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
      - Ref: SSRFS3Role
  SSRFS3SG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group that allows HTTP traffic
      SecurityGroupIngress:
      - IpProtocol: tcp
        CidrIp: !Sub '${IpAddress}/32'
        FromPort: '80'
        ToPort: '80'
  SSRFInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: !FindInMap [RegionMap, !Ref "AWS::Region", AMI]  # LAMP AMI in the template execution region
      Tags:
        - Key: Name
          Value: My SSRF EC2 Instance
      UserData: !Base64 |
        #!/bin/bash -x
        mv /home/bitnami/htdocs/index.html /home/bitnami/htdocs/index.html.bak
        wget https://raw.githubusercontent.com/osirislab/Giraffe/master/htdocs/ssrf.php -O /home/bitnami/htdocs/index.php
      IamInstanceProfile:
        Ref: SSRFInstanceProfile
      SecurityGroupIds:
        - Ref: SSRFS3SG
  SSRFS3Bucket:
    Type: AWS::S3::Bucket
  SSRFObject:
    Type: AWS::S3::Object
    Properties:
      Target:
        Bucket: !Ref SSRFS3Bucket
        Key: TOP_SECRET.txt
        ContentType: text/plain
      Body: |
        YOU've goat me!

        (_(
        /_/'_____/)
        "  |      |
           |""""""|     
Parameters:
  IpAddress:
    Description: Your computer ip address (Not CIDR notation). You can usually find it by searching "what's my ip" on the internet.
    Type: String
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})
    ConstraintDescription: must be a valid IP address of the form x.x.x.x.
Metadata:
  AWS::CloudFormation::Interface: 
    ParameterGroups: 
      - Label: 
          default: "General Configuration"
        Parameters: 
          - IpAddress
    ParameterLabels: 
      IpAddress: 
        default: "IP Address"
Outputs:
  SSRFWebURL:
    Value: !Join [ "", [ "http://", !GetAtt SSRFInstance.PublicIp ] ]
    Description: URL of the vulnerable web server