Level - 5: Exploiting Exposed Meta-Data

Level - 5: Exploiting Exposed Meta-Data

·

5 min read

Welcome to Level 5. For this level, we are given access to an EC2 instance hosting a simple HTTP proxy. The proxy allows us to access external resources through it. We are tasked with using this proxy to list the contents of the level 6 bucket level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud and find a hidden directory within it.

💡
From the Hint given as shown below, we were given a magical IP address (169.254.169.254) which is the metadata service for all cloud services including AWS.

Also, check out the AWS documentation

Accessing Metadata Service of flaws.cloud

To accomplish this task, we will utilize the proxy URL as well as append the metadata IP address. http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/*****

There are two ways to access the Metadata Service at flaws.cloud.

  1. Through Browser

  1. Through terminal

Now that we have access to the list Metadata, let's scan for any interesting file.

Navigating Metadata Directory Path

For this lab, we will use the browser to navigate the directory path.
You can do the same on your Linux terminal using the commandcurl http:// . . .

From the list of metadata found, let's check the “latest” path.

Now we get 3 three directory paths from the latest directory/folder. Let's explore meta-data by adding /meta-data to the end of the proxy URL.

From the search, we got a list of file paths we can dig deeper to find credentials.

Let's Explore the iam/ path to know if we can get any access key credentials.

  • To do this, simply /iam to the proxy URL.

  • Let add /security-credentials to the proxy URL. This directory path looks enticing RIGHT!!

  • Now, Add /flaws to the proxy URL, hopefully, we get some Creds

Finally something interesting🎉🥂. From the Result, you will notice there is an AccessKeyId & SecretAccessKeys attached along with a Token.

"AccessKeyId" : "ASIA6GG7PSQGS6CDQ37K",
  "SecretAccessKey" : "4F7v5Y0o2dqXsgCVn5zjW4PQRfFFYyxKy2pBfDC5",
💡
Now that we have obtained new access key credentials, let's accomplish the task for level 5 by using these credentials to create an AWS profile. With the new profile, we can list the contents of the level 6 bucket and also search for a hidden directory within it.

Accessing Level 6 bucket with Discovered Access Credentials

!! RECALL THE INSTRUCTION

  • Navigate to your Linux Terminal and create a profile using the command.

    aws configure - - profile <create-any-name-of-your-choice>

    Next, supply the obtained new access key credentials as shown below.

    NB: For this lab, the created profile name is FlAs-L5

  • Now that we have created a profile, Next, we add the token that was attached to access key credentials to /.aws/credentials/

    Step-1: from your home directory (~), change the directory to /.aws/credentials/ see the image below.

    Step-2: open the credentials file using the command cat credentials as shown below.

    From the image above, you will observe a significant number of profiles already existing. It's important to note that the profile we just created (FlAs-L5) appears at the bottom of the profile list.

    Next, we must incorporate the obtained token, following the instructions mentioned earlier, into the newly created profile (FlAs-L5).

Step-3: Use Nano or Vim to edit the credential file using the command nano credentials

NB: Make sure that the token is already copied.

  • On the nano editor, use the keyboard to navigate to the bottom and add the code to (FlAs-L5) profile. As shown in the image below

    • To confirm that the Token has been added to the FlAs-L5 Profile, use the command

      cat credentials

  • Next, Let's list the content within Level 6 Bucket using the command

aws --profile "your-given-name" s3 ls level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud

Opening Discovered Directory path in level 6 bucket

Thus, we have two files listed from the content of level 6 bucket.

Let's append the directory path found to the level-6 URL such as the /ddcc78ff

Congratulation 🎉. We finally have access to the Level 6 Challenge after finishing Level 5. Final Challenge here we come 🚀🚀

Lesson learned

The IP address 169.254.169.254 is a magic IP in the cloud world. AWS, Azure, Google, DigitalOcean, and others use this to allow cloud resources to find out metadata about themselves. Some, such as Google, have additional constraints on the requests, such as requiring it to use Metadata-Flavor: Google as an HTTP header and refusing requests with an X-Forwarded-For header. AWS has recently created a new IMDSv2 that requires special headers, a challenge and response, and other protections, but many AWS accounts may not have enforced it. If you can make any sort of HTTP request from an EC2 to that IP, you'll likely get back information the owner would prefer you not see.

Examples of this problem

  • Nicolas Grégoire discovered that Prezi allowed you to point their servers at a URL to include as content in a slide, and this allowed you to point to 169.254.169.254 which provided the access key for the EC2 instance profile (link). He also found issues with accessing that magic IP with Phabricator and Coinbase.

A similar problem to getting access to the IAM profile's access keys is getting access to the EC2's user data, which people sometimes use to pass secrets to the EC2, such as API keys or credentials.

Avoiding this mistake

Ensure your applications do not allow access to 169.254.169.254 or any local private IP ranges. Additionally, ensure that IAM roles are restricted as much as possible.

Level 6🤠😇 Last Ride!

Did you find this article valuable?

Support Everything ~ Cloud Security by becoming a sponsor. Any amount is appreciated!